From 5903c439b454eecf1f54a45c496fa53955d2b983 Mon Sep 17 00:00:00 2001 From: SkalaNetworks Date: Fri, 25 Apr 2025 19:03:09 +0200 Subject: [PATCH 1/4] feat(helm): new chart design 
Signed-off-by: SkalaNetworks --- .gitignore | 1 + charts/kube-ovn-v2/Chart.yaml | 7 + charts/kube-ovn-v2/README.md | 147 + charts/kube-ovn-v2/crds/kube-ovn-crd.yaml | 3049 +++++++++++++++++ charts/kube-ovn-v2/templates/_helpers.tpl | 141 + .../templates/agent/agent-clusterrole.yaml | 91 + .../agent/agent-clusterrolebinding.yaml | 21 + .../templates/agent/agent-daemonset.yaml | 289 ++ .../templates/agent/agent-rolebinding.yaml | 22 + .../templates/agent/agent-service.yaml | 23 + .../templates/agent/agent-serviceaccount.yaml | 22 + .../kube-ovn-v2/templates/api-nad/apiNad.yaml | 14 + .../templates/api-nad/apiSubnet.yaml | 11 + .../templates/central/central-deployment.yaml | 183 + .../templates/central/northbound-service.yaml | 28 + .../templates/central/northd-service.yaml | 28 + .../templates/central/southbound-service.yaml | 28 + .../controller/controller-deployment.yaml | 246 ++ .../controller/controller-service.yaml | 23 + .../templates/hooks/pre-delete-hook.yaml | 123 + .../templates/hooks/upgrade-ovs-ovn.yaml | 171 + .../templates/ic/ic-controller-deploy.yaml | 130 + .../templates/misc/extra-objects.yaml | 8 + .../templates/monitor/monitor-deployment.yaml | 181 + .../templates/monitor/monitor-service.yaml | 25 + charts/kube-ovn-v2/templates/nat-gw/rbac.yaml | 47 + .../templates/nat-gw/vpc-nat-config.yaml | 25 + .../kube-ovn-v2/templates/ovn-tls-secret.yaml | 23 + .../templates/ovs-ovn/ovs-ovn-daemonset.yaml | 257 ++ .../ovs-ovn/ovs-ovn-dpdk-daemonset.yaml | 175 + .../templates/pinger/pinger-daemonset.yaml | 184 + .../templates/pinger/pinger-service.yaml | 23 + charts/kube-ovn-v2/templates/rbac/ovn-CR.yaml | 299 ++ .../kube-ovn-v2/templates/rbac/ovn-CRB.yaml | 67 + charts/kube-ovn-v2/templates/rbac/ovn-sa.yaml | 43 + .../templates/speaker/speaker.yaml | 70 + .../templates/webhook/certificate.yaml | 41 + .../templates/webhook/service.yaml | 26 + .../templates/webhook/webhook-deployment.yaml | 98 + .../templates/webhook/webhook.yaml | 72 + 
charts/kube-ovn-v2/values.yaml | 488 +++ 41 files changed, 6950 insertions(+) create mode 100644 charts/kube-ovn-v2/Chart.yaml create mode 100644 charts/kube-ovn-v2/README.md create mode 100644 charts/kube-ovn-v2/crds/kube-ovn-crd.yaml create mode 100644 charts/kube-ovn-v2/templates/_helpers.tpl create mode 100644 charts/kube-ovn-v2/templates/agent/agent-clusterrole.yaml create mode 100644 charts/kube-ovn-v2/templates/agent/agent-clusterrolebinding.yaml create mode 100644 charts/kube-ovn-v2/templates/agent/agent-daemonset.yaml create mode 100644 charts/kube-ovn-v2/templates/agent/agent-rolebinding.yaml create mode 100644 charts/kube-ovn-v2/templates/agent/agent-service.yaml create mode 100644 charts/kube-ovn-v2/templates/agent/agent-serviceaccount.yaml create mode 100644 charts/kube-ovn-v2/templates/api-nad/apiNad.yaml create mode 100644 charts/kube-ovn-v2/templates/api-nad/apiSubnet.yaml create mode 100644 charts/kube-ovn-v2/templates/central/central-deployment.yaml create mode 100644 charts/kube-ovn-v2/templates/central/northbound-service.yaml create mode 100644 charts/kube-ovn-v2/templates/central/northd-service.yaml create mode 100644 charts/kube-ovn-v2/templates/central/southbound-service.yaml create mode 100644 charts/kube-ovn-v2/templates/controller/controller-deployment.yaml create mode 100644 charts/kube-ovn-v2/templates/controller/controller-service.yaml create mode 100644 charts/kube-ovn-v2/templates/hooks/pre-delete-hook.yaml create mode 100644 charts/kube-ovn-v2/templates/hooks/upgrade-ovs-ovn.yaml create mode 100644 charts/kube-ovn-v2/templates/ic/ic-controller-deploy.yaml create mode 100644 charts/kube-ovn-v2/templates/misc/extra-objects.yaml create mode 100644 charts/kube-ovn-v2/templates/monitor/monitor-deployment.yaml create mode 100644 charts/kube-ovn-v2/templates/monitor/monitor-service.yaml create mode 100644 charts/kube-ovn-v2/templates/nat-gw/rbac.yaml create mode 100755 charts/kube-ovn-v2/templates/nat-gw/vpc-nat-config.yaml create mode 
100644 charts/kube-ovn-v2/templates/ovn-tls-secret.yaml
create mode 100644 charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-daemonset.yaml
create mode 100644 charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-dpdk-daemonset.yaml
create mode 100644 charts/kube-ovn-v2/templates/pinger/pinger-daemonset.yaml
create mode 100644 charts/kube-ovn-v2/templates/pinger/pinger-service.yaml
create mode 100644 charts/kube-ovn-v2/templates/rbac/ovn-CR.yaml
create mode 100644 charts/kube-ovn-v2/templates/rbac/ovn-CRB.yaml
create mode 100644 charts/kube-ovn-v2/templates/rbac/ovn-sa.yaml
create mode 100644 charts/kube-ovn-v2/templates/speaker/speaker.yaml
create mode 100644 charts/kube-ovn-v2/templates/webhook/certificate.yaml
create mode 100644 charts/kube-ovn-v2/templates/webhook/service.yaml
create mode 100644 charts/kube-ovn-v2/templates/webhook/webhook-deployment.yaml
create mode 100644 charts/kube-ovn-v2/templates/webhook/webhook.yaml
create mode 100644 charts/kube-ovn-v2/values.yaml
diff --git a/.gitignore b/.gitignore
index 844b2ac57bb..74e0774472a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,6 +17,7 @@ kubectl-ko-log.tar.gz
 kube-apiserver-audit.log
 kube-apiserver-audit.json
 kube-ovn.yaml
+!/charts/kube-ovn-v2/crds/kube-ovn-crd.yaml
 !/charts/kube-ovn/templates/kube-ovn-crd.yaml
 kube-ovn-crd.yaml
 ovn.yaml
diff --git a/charts/kube-ovn-v2/Chart.yaml b/charts/kube-ovn-v2/Chart.yaml
new file mode 100644
index 00000000000..79af54915b6
--- /dev/null
+++ b/charts/kube-ovn-v2/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: kube-ovn
+description: Helm chart for Kube-OVN
+type: application
+version: 2.0.0
+appVersion: "1.14.0"
+kubeVersion: ">= 1.29.0-0"
diff --git a/charts/kube-ovn-v2/README.md b/charts/kube-ovn-v2/README.md
new file mode 100644
index 00000000000..9fdcc94912f
--- /dev/null
+++ b/charts/kube-ovn-v2/README.md
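Review bot: The new negation `!/charts/kube-ovn-v2/crds/kube-ovn-crd.yaml` in the .gitignore hunk sits above the broad `kube-ovn-crd.yaml` pattern that follows it, and since the last matching gitignore pattern wins, the un-ignore is most likely overridden for an untracked copy of that file (the existing `!/charts/kube-ovn/templates/kube-ovn-crd.yaml` line has the same ordering problem). This does not affect the copy this commit adds, because a file that is already tracked is not subject to .gitignore, but a regenerated untracked copy would be skipped by `git add` unless forced. If the intent is to keep the chart's CRD copy tracked, move the negation below the `kube-ovn-crd.yaml` line so it takes precedence.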
@@ -0,0 +1,147 @@ +# kube-ovn + +![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.14.0](https://img.shields.io/badge/AppVersion-1.14.0-informational?style=flat-square) + +Helm chart for Kube-OVN + +## Requirements + +Kubernetes: `>= 1.29.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| agent | object | `{"annotations":{},"dpdkTunnelInterface":"br-phy","interface":"","labels":{},"metrics":{"port":10665},"mirroring":{"enabled":false,"interface":"mirror0"},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"100Mi"}}}` | Configuration for kube-ovn-cni, the agent responsible for handling CNI requests from the CRI | +| agent.annotations | object | `{}` | Annotations to be added to all top-level agent objects (resources under templates/agent) | +| agent.labels | object | `{}` | Labels to be added to all top-level agent objects (resources under templates/agent) | +| agent.metrics | object | `{"port":10665}` | Agent metrics configuration | +| agent.metrics.port | int | `10665` | Configure the port on which the agent service will serve metrics | +| agent.mirroring | object | `{"enabled":false,"interface":"mirror0"}` | Mirroring of the traffic for debug or analysis https://kubeovn.github.io/docs/stable/en/guide/mirror/ | +| agent.mirroring.enabled | bool | `false` | Enable mirroring of the traffic | +| agent.mirroring.interface | string | `"mirror0"` | Interface on which to send the mirrored traffic | +| agent.podAnnotations | object | `{}` | Annotations to be added to the agent pods (kube-ovn-cni) | +| agent.podLabels | object | `{}` | Labels to be added to the agent pods (kube-ovn-cni) | +| agent.resources | object | 
`{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"100Mi"}}` | Agent daemon resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| apiNad | object | `{"enabled":false,"name":"ovn-kubernetes-api","provider":"{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn","subnet":{"cidrBlock":"100.100.0.0/16,fd00:100:100::/112","name":"ovn-kubernetes-api","protocol":"Dual"}}` | API NetworkAttachmentDefinition to give some pods (CoreDNS, NAT GW) in custom VPCs access to the K8S API This requires Multus to be installed | +| apiNad.enabled | bool | `false` | Enable the creation of the API NAD | +| apiNad.name | string | `"ovn-kubernetes-api"` | Name of the NAD | +| apiNad.provider | string | `"{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn"` | Name of the provider, must be in the form "nadName.nadNamespace.ovn" | +| apiNad.subnet | object | `{"cidrBlock":"100.100.0.0/16,fd00:100:100::/112","name":"ovn-kubernetes-api","protocol":"Dual"}` | Subnet associated with the NAD, it will have full access to the API server | +| apiNad.subnet.cidrBlock | string | `"100.100.0.0/16,fd00:100:100::/112"` | CIDR block used by the API subnet | +| apiNad.subnet.name | string | `"ovn-kubernetes-api"` | Name of the subnet | +| apiNad.subnet.protocol | string | `"Dual"` | Protocol for the API subnet | +| central | object | `{"annotations":{},"labels":{},"ovnLeaderProbeInterval":5,"ovnNorthdNThreads":1,"ovnNorthdProbeInterval":5000,"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"3","memory":"4Gi"},"requests":{"cpu":"300m","memory":"200Mi"}}}` | Configuration for ovn-central, the daemon containing the northbound/southbound DBs and northd | +| central.annotations | object | `{}` | Annotations to be added to all top-level ovn-central objects (resources under templates/central) | +| central.labels | object | `{}` | Labels to be added to all top-level ovn-central objects (resources under 
templates/central) | +| central.podAnnotations | object | `{}` | Annotations to be added to ovn-central pods | +| central.podLabels | object | `{}` | Labels to be added to ovn-central pods | +| central.resources | object | `{"limits":{"cpu":"3","memory":"4Gi"},"requests":{"cpu":"300m","memory":"200Mi"}}` | ovn-central resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| cni | object | `{"binaryDirectory":"/opt/cni/bin","configDirectory":"/etc/cni/net.d","configPriority":"01","localConfigFile":"/kube-ovn/01-kube-ovn.conflist","mountToolingDirectory":false,"toolingDirectory":"/usr/local/bin"}` | CNI binary/configuration injected on the nodes | +| cni.binaryDirectory | string | `"/opt/cni/bin"` | Location on the node where the agent will inject the Kube-OVN binary | +| cni.configDirectory | string | `"/etc/cni/net.d"` | Location of the CNI configuration on the node | +| cni.configPriority | string | `"01"` | Priority of Kube-OVN within the CNI configuration directory on the node Should be a string representing a double-digit integer | +| cni.localConfigFile | string | `"/kube-ovn/01-kube-ovn.conflist"` | Location of the CNI configuration inside the agent's pod | +| cni.mountToolingDirectory | bool | `false` | Whether to mount the node's tooling directory into the pod | +| cni.toolingDirectory | string | `"/usr/local/bin"` | Location on the node where the CNI will install Kube-OVN's tooling | +| controller | object | `{"annotations":{},"labels":{},"metrics":{"port":10660},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"200m","memory":"200Mi"}}}` | Configuration for kube-ovn-controller, the controller responsible for syncing K8s with OVN | +| controller.annotations | object | `{}` | Annotations to be added to all top-level kube-ovn-controller objects (resources under templates/controller) | +| controller.labels | object | `{}` | Labels to be added to 
all top-level kube-ovn-controller objects (resources under templates/controller) | +| controller.metrics | object | `{"port":10660}` | Controller metrics configuration | +| controller.metrics.port | int | `10660` | Configure the port on which the controller service will serve metrics | +| controller.podAnnotations | object | `{}` | Annotations to be added to kube-ovn-controller pods | +| controller.podLabels | object | `{}` | Labels to be added to kube-ovn-controller pods | +| controller.resources | object | `{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"200m","memory":"200Mi"}}` | kube-ovn-controller resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| extraObjects | list | `[]` | Array of extra K8s manifests to deploy # Note: Supports use of custom Helm templates (Go templating) | +| features | object | `{"CHECK_GATEWAY":true,"ENABLE_ANP":false,"ENABLE_BIND_LOCAL_IP":true,"ENABLE_EXTERNAL_VPC":true,"ENABLE_IC":false,"ENABLE_KEEP_VM_IP":true,"ENABLE_LB":true,"ENABLE_LB_SVC":false,"ENABLE_LIVE_MIGRATION_OPTIMIZE":true,"ENABLE_NAT_GW":true,"ENABLE_NP":true,"ENABLE_OVN_IPSEC":false,"ENABLE_OVN_LB_PREFER_LOCAL":false,"ENABLE_TPROXY":false,"HW_OFFLOAD":false,"LOGICAL_GATEWAY":false,"LS_CT_SKIP_DST_LPORT_IPS":true,"LS_DNAT_MOD_DL_DST":true,"OVSDB_CON_TIMEOUT":3,"OVSDB_INACTIVITY_TIMEOUT":10,"SECURE_SERVING":false,"SET_VXLAN_TX_OFF":false,"U2O_INTERCONNECTION":false}` | Features of Kube-OVN we wish to enable/disable | +| fullnameOverride | string | `""` | | +| global.images.kubeovn.dpdkRepository | string | `"kube-ovn-dpdk"` | | +| global.images.kubeovn.repository | string | `"kube-ovn"` | | +| global.images.kubeovn.support_arm | bool | `true` | | +| global.images.kubeovn.tag | string | `"v1.14.0"` | | +| global.images.kubeovn.thirdparty | bool | `true` | | +| global.images.kubeovn.vpcRepository | string | `"vpc-nat-gateway"` | | +| global.registry.address | string | `"docker.io/kubeovn"` | | +| 
global.registry.imagePullSecrets | list | `[]` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| kubelet | object | `{"directory":"/var/lib/kubelet"}` | Kubelet configuration | +| kubelet.directory | string | `"/var/lib/kubelet"` | Directory in which the kubelet operates | +| logging | object | `{"directory":"/var/log"}` | Logging configuration for all the daemons | +| logging.directory | string | `"/var/log"` | Directory in which to write the logs | +| masterNodes | string | `""` | Comma-separated list of IPs for each master node | +| masterNodesLabel | string | `"kube-ovn/role=master"` | Label used to auto-identify masters | +| monitor | object | `{"annotations":{},"labels":{},"metrics":{"port":10661},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"200m","memory":"200Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}}` | Configuration for kube-ovn-monitor, the agent monitoring and returning metrics for the northbound/southbound DBs and northd | +| monitor.annotations | object | `{}` | Annotations to be added to all top-level kube-ovn-monitor objects (resources under templates/monitor) | +| monitor.labels | object | `{}` | Labels to be added to all top-level kube-ovn-monitor objects (resources under templates/monitor) | +| monitor.metrics | object | `{"port":10661}` | kube-ovn-monitor metrics configuration | +| monitor.metrics.port | int | `10661` | Configure the port on which the kube-ovn-monitor service will serve metrics | +| monitor.podAnnotations | object | `{}` | Annotations to be added to kube-ovn-monitor pods | +| monitor.podLabels | object | `{}` | Labels to be added to kube-ovn-monitor pods | +| monitor.resources | object | `{"limits":{"cpu":"200m","memory":"200Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}` | kube-ovn-monitor resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| nameOverride | string | `""` | | +| namespace | string | `"kube-system"` | Namespace in 
which the CNI is deployed | +| natGw | object | `{"bgpSpeaker":{"apiNadProvider":"{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn","image":{"pullPolicy":"IfNotPresent","repository":"docker.io/kubeovn/kube-ovn","tag":"v1.14.0"}},"namePrefix":"vpc-nat-gw"}` | Configuration for the NAT gateways | +| natGw.bgpSpeaker | object | `{"apiNadProvider":"{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn","image":{"pullPolicy":"IfNotPresent","repository":"docker.io/kubeovn/kube-ovn","tag":"v1.14.0"}}` | Configuration of the BGP sidecar for when a NAT gateway is running in BGP mode | +| natGw.bgpSpeaker.apiNadProvider | string | `"{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn"` | Network attachment definition used to reach the API server when running on BGP mode By default, equals the value set at ".apiNad.provider", you will need to set ".apiNad.enabled" to true See https://kubeovn.github.io/docs/stable/en/advance/with-bgp/ | +| natGw.bgpSpeaker.image | object | `{"pullPolicy":"IfNotPresent","repository":"docker.io/kubeovn/kube-ovn","tag":"v1.14.0"}` | Image used by the NAT gateway sidecar | +| natGw.namePrefix | string | `"vpc-nat-gw"` | Prefix appended to the name of the NAT gateways when generating the Pods If this value is changed after NAT GWs have been provisioned, every NAT gateway will need to be manually destroyed and recreated | +| networking | object | 
`{"defaultVpcName":"ovn-cluster","enableCompact":false,"enableEcmp":false,"enableEipSnat":true,"enableMetrics":true,"enableSsl":false,"exchangeLinkName":false,"excludeIps":"","join":{"cidr":{"v4":"100.64.0.0/16","v6":"fd00:100:64::/112"},"subnetName":"join"},"networkType":"geneve","nodeLocalDnsIp":"","podNicType":"veth-pair","pods":{"cidr":{"v4":"10.16.0.0/16","v6":"fd00:10:16::/112"},"gateways":{"v4":"10.16.0.1","v6":"fd00:10:16::1"},"subnetName":"ovn-default"},"services":{"cidr":{"v4":"10.96.0.0/12","v6":"fd00:10:96::/112"}},"stack":"IPv4","tunnelType":"geneve","vlan":{"id":"100","interfaceName":"","name":"ovn-vlan","providerName":"provider"}}` | General configuration of the network created by Kube-OVN | +| networking.defaultVpcName | string | `"ovn-cluster"` | Name of the default VPC once it is generated in the cluster Pods in the default subnet live in this VPC | +| networking.enableEipSnat | bool | `true` | Enable EIP and SNAT | +| networking.enableMetrics | bool | `true` | Enable listening on the metrics endpoint for the CNI daemons | +| networking.enableSsl | bool | `false` | Deploy the CNI with SSL encryption in between components | +| networking.excludeIps | string | `""` | IPs to exclude from IPAM in the default subnet | +| networking.join | object | `{"cidr":{"v4":"100.64.0.0/16","v6":"fd00:100:64::/112"},"subnetName":"join"}` | Configuration of the "join" subnet, used by the nodes to contact (join) the pods in the default subnet If .networking.stack is set to IPv4, only the .v4 key is used If .networking.stack is set to IPv6, only the .v6 key is used If .networking.stack is set to Dual, both keys are used | +| networking.join.subnetName | string | `"join"` | Name of the join subnet once it gets generated in the cluster | +| networking.networkType | string | `"geneve"` | Network type can be geneve or vlan | +| networking.nodeLocalDnsIp | string | `""` | Comma-separated string of NodeLocal DNS IP addresses | +| networking.podNicType | string | 
`"veth-pair"` | NIC type used on pods to connect them to the CNI | +| networking.pods | object | `{"cidr":{"v4":"10.16.0.0/16","v6":"fd00:10:16::/112"},"gateways":{"v4":"10.16.0.1","v6":"fd00:10:16::1"},"subnetName":"ovn-default"}` | Configuration for the default pod subnet If .networking.stack is set to IPv4, only the .v4 key is used If .networking.stack is set to IPv6, only the .v6 key is used If .networking.stack is set to Dual, both keys are used | +| networking.pods.subnetName | string | `"ovn-default"` | Name of the pod subnet once it gets generated in the cluster | +| networking.services | object | `{"cidr":{"v4":"10.96.0.0/12","v6":"fd00:10:96::/112"}}` | Configuration for the service subnet If .networking.stack is set to IPv4, only the .v4 key is used If .networking.stack is set to IPv6, only the .v6 key is used If .networking.stack is set to Dual, both keys are used | +| networking.stack | string | `"IPv4"` | Protocol(s) used by Kube-OVN to allocate IPs to pods and services Can be either IPv4, IPv6 or Dual | +| networking.tunnelType | string | `"geneve"` | Tunnel type can be geneve, vxlan or stt | +| networking.vlan | object | `{"id":"100","interfaceName":"","name":"ovn-vlan","providerName":"provider"}` | Configuration if we're running on top of a VLAN | +| ovsOvn | object | `{"annotations":{},"disableModulesManagement":false,"dpdk":{"enabled":false,"resources":{"limits":{"cpu":"1000m","hugepages-1Gi":"1Gi","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"200Mi"}},"version":"19.11"},"dpdkHybrid":{"enabled":false,"resources":{"limits":{"cpu":"2","hugepages-2Mi":"1Gi","memory":"1000Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}},"labels":{},"ovnDirectory":"/etc/origin/ovn","ovnRemoteOpenflowInterval":180,"ovnRemoteProbeInterval":10000,"ovsDirectory":"/etc/origin/openvswitch","podAnnotations":{},"podLabels":{},"probeInterval":180000,"resources":{"limits":{"cpu":"2","memory":"1000Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}}` | Configuration for 
ovs-ovn, the Open vSwitch/Open Virtual Network daemons | +| ovsOvn.annotations | object | `{}` | Annotations to be added to all top-level ovs-ovn objects (resources under templates/ovs-ovn) | +| ovsOvn.disableModulesManagement | bool | `false` | Disable auto-loading of kernel modules by OVS If this is disabled, you will have to enable the Open vSwitch kernel module yourself | +| ovsOvn.dpdk | object | `{"enabled":false,"resources":{"limits":{"cpu":"1000m","hugepages-1Gi":"1Gi","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"200Mi"}},"version":"19.11"}` | DPDK support for OVS ref: https://kubeovn.github.io/docs/v1.12.x/en/advance/dpdk/ | +| ovsOvn.dpdk.enabled | bool | `false` | Enables DPDK support on OVS | +| ovsOvn.dpdk.resources | object | `{"limits":{"cpu":"1000m","hugepages-1Gi":"1Gi","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"200Mi"}}` | ovs-ovn resource limits & requests when DPDK is enabled ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| ovsOvn.dpdk.version | string | `"19.11"` | Version of the DPDK image | +| ovsOvn.dpdkHybrid | object | `{"enabled":false,"resources":{"limits":{"cpu":"2","hugepages-2Mi":"1Gi","memory":"1000Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}}` | DPDK-hybrid support for OVS ref: https://kubeovn.github.io/docs/v1.12.x/en/advance/dpdk/ | +| ovsOvn.dpdkHybrid.enabled | bool | `false` | Enables DPDK-hybrid support on OVS | +| ovsOvn.dpdkHybrid.resources | object | `{"limits":{"cpu":"2","hugepages-2Mi":"1Gi","memory":"1000Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}` | ovs-ovn resource limits & requests when DPDK-hybrid is enabled ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| ovsOvn.labels | object | `{}` | Labels to be added to all top-level ovs-ovn objects (resources under templates/ovs-ovn) | +| ovsOvn.ovnDirectory | string | `"/etc/origin/ovn"` | Directory on the node where Open Virtual Network (OVN) lives | +| 
ovsOvn.ovsDirectory | string | `"/etc/origin/openvswitch"` | Directory on the node where Open vSwitch (OVS) lives | +| ovsOvn.podAnnotations | object | `{}` | Annotations to be added to ovs-ovn pods | +| ovsOvn.podLabels | object | `{}` | Labels to be added to ovs-ovn pods | +| ovsOvn.resources | object | `{"limits":{"cpu":"2","memory":"1000Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}` | ovs-ovn resource limits & requests, overridden if DPDK is enabled ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| performance | object | `{"gcInterval":360,"inspectInterval":20,"ovsVsctlConcurrency":100}` | Performance tuning parameters | +| pinger | object | `{"annotations":{},"labels":{},"metrics":{"port":8080},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"200m","memory":"400Mi"},"requests":{"cpu":"100m","memory":"100Mi"}},"targets":{"externalAddresses":{"v4":"1.1.1.1","v6":"2606:4700:4700::1111"},"externalDomain":{"v4":"kube-ovn.io.","v6":"google.com."}}}` | Configuration for kube-ovn-pinger, the agent monitoring and returning metrics for OVS/external connectivity | +| pinger.annotations | object | `{}` | Annotations to be added to all top-level kube-ovn-pinger objects (resources under templates/pinger) | +| pinger.labels | object | `{}` | Labels to be added to all top-level kube-ovn-pinger objects (resources under templates/pinger) | +| pinger.metrics | object | `{"port":8080}` | kube-ovn-pinger metrics configuration | +| pinger.metrics.port | int | `8080` | Configure the port on which the kube-ovn-monitor service will serve metrics | +| pinger.podAnnotations | object | `{}` | Annotations to be added to kube-ovn-pinger pods | +| pinger.podLabels | object | `{}` | Labels to be added to kube-ovn-pinger pods | +| pinger.resources | object | `{"limits":{"cpu":"200m","memory":"400Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}` | kube-ovn-pinger resource limits & requests ref: 
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| pinger.targets | object | `{"externalAddresses":{"v4":"1.1.1.1","v6":"2606:4700:4700::1111"},"externalDomain":{"v4":"kube-ovn.io.","v6":"google.com."}}` | Remote targets used by the pinger daemon to determine if the CNI works and has external connectivity | +| pinger.targets.externalAddresses | object | `{"v4":"1.1.1.1","v6":"2606:4700:4700::1111"}` | Raw IPv4/6 on which to issue pings | +| pinger.targets.externalDomain | object | `{"v4":"kube-ovn.io.","v6":"google.com."}` | Domains to resolve and to ping Make sure the v6 domain resolves both A and AAAA records, while the v4 only resolves A records | +| speaker | object | `{"annotations":{},"args":[],"enabled":false,"labels":{},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{},"requests":{"cpu":"500m","memory":"300Mi"}}}` | Configuration for kube-ovn-speaker, the BGP speaker announcing routes to the external world | +| speaker.annotations | object | `{}` | Annotations to be added to all top-level kube-ovn-speaker objects (resources under templates/speaker) | +| speaker.enabled | bool | `false` | Enable the kube-ovn-speaker | +| speaker.labels | object | `{}` | Labels to be added to all top-level kube-ovn-speaker objects (resources under templates/speaker) | +| speaker.nodeSelector | object | `{}` | Node selector to restrict the deployment of the speaker to specific nodes | +| speaker.podAnnotations | object | `{}` | Annotations to be added to kube-ovn-speaker pods | +| speaker.podLabels | object | `{}` | Labels to be added to kube-ovn-speaker pods | +| speaker.resources | object | `{"limits":{},"requests":{"cpu":"500m","memory":"300Mi"}}` | kube-ovn-speaker resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| validatingWebhook | object | `{"annotations":{},"enabled":false,"labels":{},"podAnnotations":{},"podLabels":{}}` | Configuration of the 
validating webhook used to verify custom resources before they are pushed to Kubernetes. Make sure cert-manager is installed for the generation of certificates for the webhook See https://kubeovn.github.io/docs/stable/en/guide/webhook/ | +| validatingWebhook.annotations | object | `{}` | Annotations to be added to all top-level kube-ovn-webhook objects (resources under templates/webhook) | +| validatingWebhook.enabled | bool | `false` | Enable the deployment of the validating webhook | +| validatingWebhook.labels | object | `{}` | Labels to be added to all top-level kube-ovn-webhook objects (resources under templates/webhook) | +| validatingWebhook.podAnnotations | object | `{}` | Annotations to be added to kube-ovn-webhook pods | +| validatingWebhook.podLabels | object | `{}` | Labels to be added to kube-ovn-webhook pods | + diff --git a/charts/kube-ovn-v2/crds/kube-ovn-crd.yaml b/charts/kube-ovn-v2/crds/kube-ovn-crd.yaml new file mode 100644 index 00000000000..76a5fba6d22 --- /dev/null +++ b/charts/kube-ovn-v2/crds/kube-ovn-crd.yaml 
@@ -0,0 +1,3049 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: vpc-dnses.kubeovn.io +spec: + group: kubeovn.io + names: + plural: vpc-dnses + singular: vpc-dns + shortNames: + - vpc-dns + kind: VpcDns + listKind: VpcDnsList + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.active + name: Active + type: boolean + - jsonPath: .spec.vpc + name: Vpc + type: string + - jsonPath: .spec.subnet + name: Subnet + type: string + name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + vpc: + type: string + subnet: + type: string + replicas: + type: integer + minimum: 1 + maximum: 3 + status: + type: object + properties: + active: + type: boolean + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: switch-lb-rules.kubeovn.io +spec: + group: kubeovn.io + names: + plural: switch-lb-rules + singular: switch-lb-rule + shortNames: + - slr + kind: SwitchLBRule + listKind: SwitchLBRuleList + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.vip + name: vip + type: string + - jsonPath: .status.ports + name: port(s) + type: string + - jsonPath: .status.service + name: service + type: string + - jsonPath: .metadata.creationTimestamp + name: age + type: date + name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + namespace: + type: string + vip: + type: string + sessionAffinity: + type: string + ports: + items: + properties: + name: + type: string + port: + type: integer + minimum: 1 + maximum: 65535 
+ protocol: + type: string + targetPort: + type: integer + minimum: 1 + maximum: 65535 + type: object + type: array + selector: + items: + type: string + type: array + endpoints: + items: + type: string + type: array + status: + type: object + properties: + ports: + type: string + service: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: vpc-nat-gateways.kubeovn.io +spec: + group: kubeovn.io + names: + plural: vpc-nat-gateways + singular: vpc-nat-gateway + shortNames: + - vpc-nat-gw + kind: VpcNatGateway + listKind: VpcNatGatewayList + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.vpc + name: Vpc + type: string + - jsonPath: .spec.subnet + name: Subnet + type: string + - jsonPath: .spec.lanIp + name: LanIP + type: string + name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + externalSubnets: + items: + type: string + type: array + selector: + type: array + items: + type: string + qosPolicy: + type: string + tolerations: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + enum: + - Equal + - Exists + value: + type: string + effect: + type: string + enum: + - NoExecute + - NoSchedule + - PreferNoSchedule + tolerationSeconds: + type: integer + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + 
format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-strategy: merge + x-kubernetes-patch-merge-key: key + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-strategy: merge + x-kubernetes-patch-merge-key: key + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: 
string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-strategy: merge + x-kubernetes-patch-merge-key: key + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-strategy: merge + x-kubernetes-patch-merge-key: key + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + spec: + type: object + properties: + lanIp: + type: string + subnet: + type: string + externalSubnets: + items: + type: string + type: array + vpc: + type: string + selector: + type: array + items: + type: string + qosPolicy: + type: string + bgpSpeaker: + type: object + properties: + enabled: + type: boolean + asn: + type: integer + remoteAsn: + type: integer + neighbors: + type: array + items: + type: string + holdTime: + type: string + routerId: + type: string + password: + type: string + 
enableGracefulRestart: + type: boolean + extraArgs: + type: array + items: + type: string + tolerations: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + enum: + - Equal + - Exists + value: + type: string + effect: + type: string + enum: + - NoExecute + - NoSchedule + - PreferNoSchedule + tolerationSeconds: + type: integer + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-strategy: merge + x-kubernetes-patch-merge-key: key + operator: + type: string + 
values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-strategy: merge + x-kubernetes-patch-merge-key: key + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-strategy: merge + x-kubernetes-patch-merge-key: key + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + 
x-kubernetes-patch-strategy: merge + x-kubernetes-patch-merge-key: key + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: vpc-egress-gateways.kubeovn.io +spec: + group: kubeovn.io + names: + plural: vpc-egress-gateways + singular: vpc-egress-gateway + shortNames: + - vpc-egress-gw + - veg + kind: VpcEgressGateway + listKind: VpcEgressGatewayList + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.vpc + name: VPC + type: string + - jsonPath: .spec.replicas + name: REPLICAS + type: integer + - jsonPath: .spec.bfd.enabled + name: BFD ENABLED + type: boolean + - jsonPath: .spec.externalSubnet + name: EXTERNAL SUBNET + type: string + - jsonPath: .status.phase + name: PHASE + type: string + - jsonPath: .status.ready + name: READY + type: boolean + - jsonPath: .status.internalIPs + name: INTERNAL IPS + priority: 1 + type: string + - jsonPath: .status.externalIPs + name: EXTERNAL IPS + priority: 1 + type: string + - jsonPath: .status.workload.nodes + name: WORKING NODES + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + lastUpdateTime: + format: date-time + type: string + message: + maxLength: 32768 + type: string + observedGeneration: + format: int64 + minimum: 0 + type: integer + reason: + maxLength: 1024 + minLength: 1 + 
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + enum: + - "True" + - "False" + - Unknown + type: string + type: + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - lastUpdateTime + - observedGeneration + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + internalIPs: + items: + type: string + type: array + externalIPs: + items: + type: string + type: array + phase: + type: string + default: Pending + enum: + - Pending + - Processing + - Completed + ready: + type: boolean + default: false + workload: + type: object + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + nodes: + type: array + items: + type: string + required: + - conditions + - phase + type: object + spec: + type: object + required: + - externalSubnet + - policies + x-kubernetes-validations: + - rule: "!has(self.prefix) || self.prefix == '' || self.prefix == oldSelf.prefix" + message: 'Size of Internal IPs MUST be equal to or greater than Replicas' + fieldPath: ".prefix" + - rule: "!has(self.internalIPs) || size(self.internalIPs) == 0 || size(self.internalIPs) >= self.replicas" + message: 'Size of Internal IPs MUST be equal to or greater than Replicas' + fieldPath: ".internalIPs" + - rule: "!has(self.externalIPs) || size(self.externalIPs) == 0 || size(self.externalIPs) >= self.replicas" + message: 'Size of External IPs MUST be equal to or greater than Replicas' + fieldPath: ".externalIPs" + properties: + replicas: + type: integer + default: 1 + minimum: 1 + maximum: 10 + prefix: + type: string + anyOf: + - pattern: ^$ + - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*[-\.]?$ + x-kubernetes-validations: + - rule: "self == oldSelf" + message: "This field is immutable." 
+ vpc: + type: string + internalSubnet: + type: string + externalSubnet: + type: string + internalIPs: + items: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + - pattern: ^(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5]),((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))$ + - pattern: ^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:))),(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])$ + type: array + x-kubernetes-list-type: set + externalIPs: + items: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + - pattern: ^(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5]),((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))$ + - pattern: 
^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:))),(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])$ + type: array + x-kubernetes-list-type: set + image: + type: string + bfd: + type: object + properties: + enabled: + type: boolean + default: false + minRX: + type: integer + default: 1000 + minTX: + type: integer + default: 1000 + multiplier: + type: integer + default: 3 + policies: + type: array + minItems: 1 + items: + type: object + properties: + snat: + type: boolean + default: false + ipBlocks: + type: array + x-kubernetes-list-type: set + items: + type: string + anyOf: + - format: ipv4 + - format: ipv6 + - format: cidr + subnets: + type: array + x-kubernetes-list-type: set + items: + type: string + minLength: 1 + x-kubernetes-validations: + - rule: "size(self.ipBlocks) != 0 || size(self.subnets) != 0" + message: 'Each policy MUST have at least one ipBlock or subnet' + nodeSelector: + type: array + items: + type: object + properties: + matchLabels: + additionalProperties: + type: string + type: object + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + enum: + - In + - NotIn + - Exists + - DoesNotExist + - Gt + - Lt + values: + type: array + x-kubernetes-list-type: set + items: + type: string + required: + - key + - operator + matchFields: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + enum: + - In + - NotIn + - Exists + - DoesNotExist + - Gt + - Lt + values: + type: array + x-kubernetes-list-type: set + items: + type: string + required: + - key + - operator +--- 
+apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: iptables-eips.kubeovn.io +spec: + group: kubeovn.io + names: + plural: iptables-eips + singular: iptables-eip + shortNames: + - eip + kind: IptablesEIP + listKind: IptablesEIPList + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.ip + name: IP + type: string + - jsonPath: .spec.macAddress + name: Mac + type: string + - jsonPath: .status.nat + name: Nat + type: string + - jsonPath: .spec.natGwDp + name: NatGwDp + type: string + - jsonPath: .status.ready + name: Ready + type: boolean + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + ready: + type: boolean + ip: + type: string + nat: + type: string + redo: + type: string + qosPolicy: + type: string + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + spec: + type: object + properties: + v4ip: + type: string + v6ip: + type: string + macAddress: + type: string + natGwDp: + type: string + qosPolicy: + type: string + externalSubnet: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: iptables-fip-rules.kubeovn.io +spec: + group: kubeovn.io + names: + plural: iptables-fip-rules + singular: iptables-fip-rule + shortNames: + - fip + kind: IptablesFIPRule + listKind: IptablesFIPRuleList + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .spec.eip + name: Eip + type: string + - jsonPath: .status.v4ip + name: V4ip + type: string + - jsonPath: .spec.internalIp + name: InternalIp + type: string + - jsonPath: .status.v6ip + name: V6ip + type: string + - jsonPath: 
.status.ready + name: Ready + type: boolean + - jsonPath: .status.natGwDp + name: NatGwDp + type: string + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + ready: + type: boolean + v4ip: + type: string + v6ip: + type: string + natGwDp: + type: string + redo: + type: string + internalIp: + type: string + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + spec: + type: object + properties: + eip: + type: string + internalIp: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: iptables-dnat-rules.kubeovn.io +spec: + group: kubeovn.io + names: + plural: iptables-dnat-rules + singular: iptables-dnat-rule + shortNames: + - dnat + kind: IptablesDnatRule + listKind: IptablesDnatRuleList + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .spec.eip + name: Eip + type: string + - jsonPath: .spec.protocol + name: Protocol + type: string + - jsonPath: .status.v4ip + name: V4ip + type: string + - jsonPath: .status.v6ip + name: V6ip + type: string + - jsonPath: .spec.internalIp + name: InternalIp + type: string + - jsonPath: .spec.externalPort + name: ExternalPort + type: string + - jsonPath: .spec.internalPort + name: InternalPort + type: string + - jsonPath: .status.natGwDp + name: NatGwDp + type: string + - jsonPath: .status.ready + name: Ready + type: boolean + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + ready: + type: boolean + v4ip: + type: string + v6ip: + type: string + natGwDp: + type: string + redo: + type: string + protocol: + type: string + internalIp: + type: string + internalPort: + type: string + externalPort: + type: string + conditions: 
+ type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + spec: + type: object + properties: + eip: + type: string + externalPort: + type: string + protocol: + type: string + internalIp: + type: string + internalPort: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: iptables-snat-rules.kubeovn.io +spec: + group: kubeovn.io + names: + plural: iptables-snat-rules + singular: iptables-snat-rule + shortNames: + - snat + kind: IptablesSnatRule + listKind: IptablesSnatRuleList + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .spec.eip + name: EIP + type: string + - jsonPath: .status.v4ip + name: V4ip + type: string + - jsonPath: .status.v6ip + name: V6ip + type: string + - jsonPath: .spec.internalCIDR + name: InternalCIDR + type: string + - jsonPath: .status.natGwDp + name: NatGwDp + type: string + - jsonPath: .status.ready + name: Ready + type: boolean + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + ready: + type: boolean + v4ip: + type: string + v6ip: + type: string + natGwDp: + type: string + redo: + type: string + internalCIDR: + type: string + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + spec: + type: object + properties: + eip: + type: string + internalCIDR: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ovn-eips.kubeovn.io +spec: + group: kubeovn.io + names: + plural: ovn-eips + singular: ovn-eip + shortNames: + - oeip + kind: OvnEip + listKind: 
OvnEipList + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.v4Ip + name: V4IP + type: string + - jsonPath: .status.v6Ip + name: V6IP + type: string + - jsonPath: .status.macAddress + name: Mac + type: string + - jsonPath: .status.type + name: Type + type: string + - jsonPath: .status.nat + name: Nat + type: string + - jsonPath: .status.ready + name: Ready + type: boolean + - jsonPath: .spec.externalSubnet + name: ExternalSubnet + type: string + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + type: + type: string + nat: + type: string + ready: + type: boolean + v4Ip: + type: string + v6Ip: + type: string + macAddress: + type: string + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + spec: + type: object + properties: + externalSubnet: + type: string + type: + type: string + v4Ip: + type: string + v6Ip: + type: string + macAddress: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ovn-fips.kubeovn.io +spec: + group: kubeovn.io + names: + plural: ovn-fips + singular: ovn-fip + shortNames: + - ofip + kind: OvnFip + listKind: OvnFipList + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.vpc + name: Vpc + type: string + - jsonPath: .status.v4Eip + name: V4Eip + type: string + - jsonPath: .status.v6Eip + name: V6Eip + type: string + - jsonPath: .status.v4Ip + name: V4Ip + type: string + - jsonPath: .status.v6Ip + name: V6Ip + type: string + - jsonPath: .status.ready + name: Ready + type: boolean + - jsonPath: .spec.ipType + name: IpType + type: string + - jsonPath: .spec.ipName + 
name: IpName + type: string + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + ready: + type: boolean + v4Eip: + type: string + v6Eip: + type: string + v4Ip: + type: string + v6Ip: + type: string + vpc: + type: string + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + spec: + type: object + properties: + ovnEip: + type: string + ipType: + type: string + ipName: + type: string + vpc: + type: string + v4Ip: + type: string + v6Ip: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ovn-snat-rules.kubeovn.io +spec: + group: kubeovn.io + names: + plural: ovn-snat-rules + singular: ovn-snat-rule + shortNames: + - osnat + kind: OvnSnatRule + listKind: OvnSnatRuleList + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.vpc + name: Vpc + type: string + - jsonPath: .status.v4Eip + name: V4Eip + type: string + - jsonPath: .status.v6Eip + name: V6Eip + type: string + - jsonPath: .status.v4IpCidr + name: V4IpCidr + type: string + - jsonPath: .status.v6IpCidr + name: V6IpCidr + type: string + - jsonPath: .status.ready + name: Ready + type: boolean + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + ready: + type: boolean + v4Eip: + type: string + v6Eip: + type: string + v4IpCidr: + type: string + v6IpCidr: + type: string + vpc: + type: string + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + spec: + type: object + properties: + ovnEip: + type: string + vpcSubnet: + 
type: string + ipName: + type: string + vpc: + type: string + v4IpCidr: + type: string + v6IpCidr: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ovn-dnat-rules.kubeovn.io +spec: + group: kubeovn.io + names: + plural: ovn-dnat-rules + singular: ovn-dnat-rule + shortNames: + - odnat + kind: OvnDnatRule + listKind: OvnDnatRuleList + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.vpc + name: Vpc + type: string + - jsonPath: .spec.ovnEip + name: Eip + type: string + - jsonPath: .status.protocol + name: Protocol + type: string + - jsonPath: .status.v4Eip + name: V4Eip + type: string + - jsonPath: .status.v6Eip + name: V6Eip + type: string + - jsonPath: .status.v4Ip + name: V4Ip + type: string + - jsonPath: .status.v6Ip + name: V6Ip + type: string + - jsonPath: .status.internalPort + name: InternalPort + type: string + - jsonPath: .status.externalPort + name: ExternalPort + type: string + - jsonPath: .spec.ipName + name: IpName + type: string + - jsonPath: .status.ready + name: Ready + type: boolean + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + ready: + type: boolean + v4Eip: + type: string + v6Eip: + type: string + v4Ip: + type: string + v6Ip: + type: string + vpc: + type: string + externalPort: + type: string + internalPort: + type: string + protocol: + type: string + ipName: + type: string + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + spec: + type: object + properties: + ovnEip: + type: string + ipType: + type: string + ipName: + type: string + externalPort: + type: string + internalPort: + type: string + protocol: + type: string + vpc: + type: string + v4Ip: + type: 
string + v6Ip: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: vpcs.kubeovn.io +spec: + group: kubeovn.io + versions: + - additionalPrinterColumns: + - jsonPath: .status.enableExternal + name: EnableExternal + type: boolean + - jsonPath: .status.enableBfd + name: EnableBfd + type: boolean + - jsonPath: .status.standby + name: Standby + type: boolean + - jsonPath: .status.subnets + name: Subnets + type: string + - jsonPath: .status.extraExternalSubnets + name: ExtraExternalSubnets + type: string + - jsonPath: .spec.namespaces + name: Namespaces + type: string + - jsonPath: .status.defaultLogicalSwitch + name: DefaultSubnet + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + defaultSubnet: + type: string + enableExternal: + type: boolean + enableBfd: + type: boolean + namespaces: + items: + type: string + type: array + extraExternalSubnets: + items: + type: string + type: array + staticRoutes: + items: + properties: + policy: + type: string + cidr: + type: string + nextHopIP: + type: string + ecmpMode: + type: string + bfdId: + type: string + routeTable: + type: string + type: object + type: array + policyRoutes: + items: + properties: + priority: + type: integer + action: + type: string + match: + type: string + nextHopIP: + type: string + type: object + type: array + vpcPeerings: + items: + properties: + remoteVpc: + type: string + localConnectIP: + type: string + type: object + type: array + bfdPort: + properties: + enabled: + type: boolean + default: false + ip: + type: string + anyOf: + - pattern: ^$ + - pattern: ^(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])$ + - pattern: 
^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))$ + - pattern: ^(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5]),((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))$ + - pattern: ^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:))),(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])$ + nodeSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + enum: + - In + - NotIn + - Exists + - DoesNotExist + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - rule: "self.enabled == false || self.ip != ''" + message: 'Port IP must be set when BFD Port is enabled' + type: object + status: + properties: + conditions: + items: + properties: + 
lastTransitionTime: + type: string + lastUpdateTime: + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + type: object + type: array + default: + type: boolean + defaultLogicalSwitch: + type: string + router: + type: string + standby: + type: boolean + enableExternal: + type: boolean + enableBfd: + type: boolean + subnets: + items: + type: string + type: array + extraExternalSubnets: + items: + type: string + type: array + vpcPeerings: + items: + type: string + type: array + tcpLoadBalancer: + type: string + tcpSessionLoadBalancer: + type: string + udpLoadBalancer: + type: string + udpSessionLoadBalancer: + type: string + sctpLoadBalancer: + type: string + sctpSessionLoadBalancer: + type: string + bfdPort: + type: object + properties: + ip: + type: string + name: + type: string + nodes: + type: array + items: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + names: + kind: Vpc + listKind: VpcList + plural: vpcs + shortNames: + - vpc + singular: vpc + scope: Cluster +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ips.kubeovn.io +spec: + group: kubeovn.io + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - name: V4IP + type: string + jsonPath: .spec.v4IpAddress + - name: V6IP + type: string + jsonPath: .spec.v6IpAddress + - name: Mac + type: string + jsonPath: .spec.macAddress + - name: Node + type: string + jsonPath: .spec.nodeName + - name: Subnet + type: string + jsonPath: .spec.subnet + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + podName: + type: string + namespace: + type: string + subnet: + type: string + attachSubnets: + type: array + items: + type: string + nodeName: + type: string + ipAddress: + type: string + v4IpAddress: + type: string + v6IpAddress: + type: string + attachIps: + type: array + items: + type: 
string + macAddress: + type: string + attachMacs: + type: array + items: + type: string + containerID: + type: string + podType: + type: string + scope: Cluster + names: + plural: ips + singular: ip + kind: IP + shortNames: + - ip +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: vips.kubeovn.io +spec: + group: kubeovn.io + names: + plural: vips + singular: vip + shortNames: + - vip + kind: Vip + listKind: VipList + scope: Cluster + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - name: V4IP + type: string + jsonPath: .status.v4ip + - name: V6IP + type: string + jsonPath: .status.v6ip + - name: Mac + type: string + jsonPath: .status.mac + - name: PMac + type: string + jsonPath: .spec.parentMac + - name: Subnet + type: string + jsonPath: .spec.subnet + - jsonPath: .status.ready + name: Ready + type: boolean + - jsonPath: .status.type + name: Type + type: string + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + type: + type: string + ready: + type: boolean + v4ip: + type: string + v6ip: + type: string + mac: + type: string + pv4ip: + type: string + pv6ip: + type: string + pmac: + type: string + selector: + type: array + items: + type: string + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + spec: + type: object + properties: + namespace: + type: string + subnet: + type: string + type: + type: string + attachSubnets: + type: array + items: + type: string + v4ip: + type: string + macAddress: + type: string + v6ip: + type: string + parentV4ip: + type: string + parentMac: + type: string + parentV6ip: + type: string + selector: + type: array + items: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: 
subnets.kubeovn.io +spec: + group: kubeovn.io + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Provider + type: string + jsonPath: .spec.provider + - name: Vpc + type: string + jsonPath: .spec.vpc + - name: Vlan + type: string + jsonPath: .spec.vlan + - name: Protocol + type: string + jsonPath: .spec.protocol + - name: CIDR + type: string + jsonPath: .spec.cidrBlock + - name: Private + type: boolean + jsonPath: .spec.private + - name: NAT + type: boolean + jsonPath: .spec.natOutgoing + - name: Default + type: boolean + jsonPath: .spec.default + - name: GatewayType + type: string + jsonPath: .spec.gatewayType + - name: V4Used + type: number + jsonPath: .status.v4usingIPs + - name: V4Available + type: number + jsonPath: .status.v4availableIPs + - name: V6Used + type: number + jsonPath: .status.v6usingIPs + - name: V6Available + type: number + jsonPath: .status.v6availableIPs + - name: ExcludeIPs + type: string + jsonPath: .spec.excludeIps + - name: U2OInterconnectionIP + type: string + jsonPath: .status.u2oInterconnectionIP + schema: + openAPIV3Schema: + type: object + properties: + metadata: + type: object + properties: + name: + type: string + pattern: ^[^0-9] + status: + type: object + properties: + v4availableIPs: + type: number + v4usingIPs: + type: number + v6availableIPs: + type: number + v6usingIPs: + type: number + activateGateway: + type: string + dhcpV4OptionsUUID: + type: string + dhcpV6OptionsUUID: + type: string + u2oInterconnectionIP: + type: string + u2oInterconnectionMAC: + type: string + u2oInterconnectionVPC: + type: string + mcastQuerierIP: + type: string + mcastQuerierMAC: + type: string + v4usingIPrange: + type: string + v4availableIPrange: + type: string + v6usingIPrange: + type: string + v6availableIPrange: + type: string + natOutgoingPolicyRules: + type: array + items: + type: object + properties: + ruleID: + type: string + action: + type: string + enum: + - nat + - 
forward + match: + type: object + properties: + srcIPs: + type: string + dstIPs: + type: string + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + spec: + type: object + properties: + vpc: + type: string + default: + type: boolean + protocol: + type: string + enum: + - IPv4 + - IPv6 + - Dual + cidrBlock: + type: string + namespaces: + type: array + items: + type: string + gateway: + type: string + provider: + type: string + excludeIps: + type: array + items: + type: string + vips: + type: array + items: + type: string + gatewayType: + type: string + allowSubnets: + type: array + items: + type: string + gatewayNode: + type: string + natOutgoing: + type: boolean + externalEgressGateway: + type: string + policyRoutingPriority: + type: integer + minimum: 1 + maximum: 32765 + policyRoutingTableID: + type: integer + minimum: 1 + maximum: 2147483647 + not: + enum: + - 252 # compat + - 253 # default + - 254 # main + - 255 # local + mtu: + type: integer + minimum: 68 + maximum: 65535 + private: + type: boolean + vlan: + type: string + logicalGateway: + type: boolean + disableGatewayCheck: + type: boolean + disableInterConnection: + type: boolean + enableDHCP: + type: boolean + dhcpV4Options: + type: string + dhcpV6Options: + type: string + enableIPv6RA: + type: boolean + ipv6RAConfigs: + type: string + allowEWTraffic: + type: boolean + acls: + type: array + items: + type: object + properties: + direction: + type: string + enum: + - from-lport + - to-lport + priority: + type: integer + minimum: 0 + maximum: 32767 + match: + type: string + action: + type: string + enum: + - allow-related + - allow-stateless + - allow + - drop + - reject + natOutgoingPolicyRules: + type: array + items: + type: object + properties: + action: + type: string + enum: + - nat + - forward + match: + type: object + 
properties: + srcIPs: + type: string + dstIPs: + type: string + u2oInterconnection: + type: boolean + u2oInterconnectionIP: + type: string + enableLb: + type: boolean + enableEcmp: + type: boolean + enableMulticastSnoop: + type: boolean + routeTable: + type: string + namespaceSelectors: + type: array + items: + type: object + properties: + matchLabels: + type: object + additionalProperties: + type: string + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + scope: Cluster + names: + plural: subnets + singular: subnet + kind: Subnet + shortNames: + - subnet +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.kubeovn.io +spec: + group: kubeovn.io + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Subnet + type: string + jsonPath: .spec.subnet + - name: IPs + type: string + jsonPath: .spec.ips + - name: V4Used + type: number + jsonPath: .status.v4UsingIPs + - name: V4Available + type: number + jsonPath: .status.v4AvailableIPs + - name: V6Used + type: number + jsonPath: .status.v6UsingIPs + - name: V6Available + type: number + jsonPath: .status.v6AvailableIPs + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + subnet: + type: string + x-kubernetes-validations: + - rule: "self == oldSelf" + message: "This field is immutable." 
+ namespaces: + type: array + x-kubernetes-list-type: set + items: + type: string + ips: + type: array + minItems: 1 + x-kubernetes-list-type: set + items: + type: string + anyOf: + - format: ipv4 + - format: ipv6 + - format: cidr + - pattern: ^(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.\.(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])$ + - pattern: ^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))\.\.((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))$ + required: + - subnet + - ips + status: + type: object + properties: + v4AvailableIPs: + type: number + v4UsingIPs: + type: number + v6AvailableIPs: + type: number + v6UsingIPs: + type: number + v4AvailableIPRange: + type: string + v4UsingIPRange: + type: string + v6AvailableIPRange: + type: string + v6UsingIPRange: + type: string + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ippool +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: 
vlans.kubeovn.io +spec: + group: kubeovn.io + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + id: + type: integer + minimum: 0 + maximum: 4095 + provider: + type: string + vlanId: + type: integer + description: Deprecated in favor of id + providerInterfaceName: + type: string + description: Deprecated in favor of provider + required: + - provider + status: + type: object + properties: + subnets: + type: array + items: + type: string + additionalPrinterColumns: + - name: ID + type: string + jsonPath: .spec.id + - name: Provider + type: string + jsonPath: .spec.provider + scope: Cluster + names: + plural: vlans + singular: vlan + kind: Vlan + shortNames: + - vlan +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: provider-networks.kubeovn.io +spec: + group: kubeovn.io + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + metadata: + type: object + properties: + name: + type: string + maxLength: 12 + not: + enum: + - int + spec: + type: object + properties: + defaultInterface: + type: string + maxLength: 15 + pattern: '^[^/\s]+$' + customInterfaces: + type: array + items: + type: object + properties: + interface: + type: string + maxLength: 15 + pattern: '^[^/\s]+$' + nodes: + type: array + items: + type: string + exchangeLinkName: + type: boolean + excludeNodes: + type: array + items: + type: string + required: + - defaultInterface + status: + type: object + properties: + ready: + type: boolean + readyNodes: + type: array + items: + type: string + notReadyNodes: + type: array + items: + type: string + vlans: + type: array + items: + type: string + conditions: + type: array + items: + type: object + properties: + node: + type: string + type: + type: string + status: + type: string + reason: + type: string + 
message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + additionalPrinterColumns: + - name: DefaultInterface + type: string + jsonPath: .spec.defaultInterface + - name: Ready + type: boolean + jsonPath: .status.ready + scope: Cluster + names: + plural: provider-networks + singular: provider-network + kind: ProviderNetwork + listKind: ProviderNetworkList +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: security-groups.kubeovn.io +spec: + group: kubeovn.io + names: + plural: security-groups + singular: security-group + shortNames: + - sg + kind: SecurityGroup + listKind: SecurityGroupList + scope: Cluster + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + ingressRules: + type: array + items: + type: object + properties: + ipVersion: + type: string + protocol: + type: string + priority: + type: integer + remoteType: + type: string + remoteAddress: + type: string + remoteSecurityGroup: + type: string + portRangeMin: + type: integer + portRangeMax: + type: integer + policy: + type: string + egressRules: + type: array + items: + type: object + properties: + ipVersion: + type: string + protocol: + type: string + priority: + type: integer + remoteType: + type: string + remoteAddress: + type: string + remoteSecurityGroup: + type: string + portRangeMin: + type: integer + portRangeMax: + type: integer + policy: + type: string + allowSameGroupTraffic: + type: boolean + status: + type: object + properties: + portGroup: + type: string + allowSameGroupTraffic: + type: boolean + ingressMd5: + type: string + egressMd5: + type: string + ingressLastSyncSuccess: + type: boolean + egressLastSyncSuccess: + type: boolean + subresources: + status: {} + conversion: + strategy: None +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: qos-policies.kubeovn.io +spec: + 
group: kubeovn.io + names: + plural: qos-policies + singular: qos-policy + shortNames: + - qos + kind: QoSPolicy + listKind: QoSPolicyList + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .spec.shared + name: Shared + type: string + - jsonPath: .spec.bindingType + name: BindingType + type: string + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + shared: + type: boolean + bindingType: + type: string + bandwidthLimitRules: + type: array + items: + type: object + properties: + name: + type: string + interface: + type: string + rateMax: + type: string + burstMax: + type: string + priority: + type: integer + direction: + type: string + matchType: + type: string + matchValue: + type: string + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + spec: + type: object + properties: + shared: + type: boolean + bindingType: + type: string + bandwidthLimitRules: + type: array + items: + type: object + properties: + name: + type: string + interface: + type: string + rateMax: + type: string + burstMax: + type: string + priority: + type: integer + direction: + type: string + matchType: + type: string + matchValue: + type: string + required: + - name + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map diff --git a/charts/kube-ovn-v2/templates/_helpers.tpl b/charts/kube-ovn-v2/templates/_helpers.tpl new file mode 100644 index 00000000000..39c7dd8cf5d --- /dev/null +++ b/charts/kube-ovn-v2/templates/_helpers.tpl 
@@ -0,0 +1,141 @@ +{/* +Expand the name of the chart. +*/}} +{{- define "kubeovn.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubeovn.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubeovn.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "kubeovn.labels" -}} +helm.sh/chart: {{ include "kubeovn.chart" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + + +{{/* +Create the name of the service account to use +*/}} +{{- define "kubeovn.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "kubeovn.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + + +{{/* +Get IP-addresses of master nodes +*/}} +{{- define "kubeovn.nodeIPs" -}} +{{- $nodes := lookup "v1" "Node" "" "" -}} +{{- $ips := list -}} +{{- range $node := $nodes.items -}} + {{- $label := splitList "=" $.Values.masterNodesLabel}} + {{- $key := index $label 0 }} + {{- $val := "" }} + {{- if eq (len $label) 2 }} + {{- $val = index $label 1 }} + {{- end }} + {{- if eq (index $node.metadata.labels $key) $val -}} + {{- range $address := $node.status.addresses -}} + {{- if eq $address.type "InternalIP" -}} + {{- $ips = append $ips $address.address -}} + {{- break -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{ join "," $ips }} +{{- end -}} + +{{/* +Number of master nodes +*/}} +{{- define "kubeovn.nodeCount" -}} + {{- len (split "," (.Values.masterNodes| default (include "kubeovn.nodeIPs" .))) }} +{{- end -}} + +{{- define "kubeovn.ovs-ovn.updateStrategy" -}} + {{- $ds := lookup "apps/v1" "DaemonSet" $.Values.namespace "ovs-ovn" -}} + {{- if $ds -}} + {{- if eq $ds.spec.updateStrategy.type "RollingUpdate" -}} + RollingUpdate + {{- else -}} + {{- $chartVersion := index $ds.metadata.annotations "chart-version" }} + {{- $newChartVersion := printf "%s-%s" .Chart.Name .Chart.Version }} + {{- $imageVersion := (index $ds.spec.template.spec.containers 0).image | splitList ":" | last | trimPrefix "v" -}} + {{- $versionRegex := `^(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)` -}} + {{- if and (ne $newChartVersion $chartVersion) (regexMatch $versionRegex $imageVersion) -}} + {{- if regexFind $versionRegex $imageVersion | semverCompare ">= 1.12.0" -}} + RollingUpdate + {{- else -}} + OnDelete + {{- end -}} + {{- else -}} + OnDelete + {{- end -}} + {{- end -}} + {{- else -}} + RollingUpdate + {{- end -}} +{{- end -}} + +{{- define "kubeovn.ovn.versionCompatibility" -}} + {{- $ds := lookup "apps/v1" "DaemonSet" $.Values.namespace 
"ovs-ovn" -}} + {{- if $ds -}} + {{- $chartVersion := index $ds.metadata.annotations "chart-version" }} + {{- $newChartVersion := printf "%s-%s" .Chart.Name .Chart.Version }} + {{- $imageVersion := (index $ds.spec.template.spec.containers 0).image | splitList ":" | last | trimPrefix "v" -}} + {{- $versionRegex := `^(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)` -}} + {{- if and (ne $newChartVersion $chartVersion) (regexMatch $versionRegex $imageVersion) -}} + {{- if regexFind $versionRegex $imageVersion | semverCompare ">= 1.13.0" -}} + 24.03 + {{- else if regexFind $versionRegex $imageVersion | semverCompare ">= 1.12.0" -}} + 22.12 + {{- else if regexFind $versionRegex $imageVersion | semverCompare ">= 1.11.0" -}} + 22.03 + {{- else -}} + 21.06 + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "kubeovn.runAsUser" -}} + {{- if $.Values.features.ENABLE_OVN_IPSEC -}} + 0 + {{- else -}} + 65534 + {{- end -}} +{{- end -}} diff --git a/charts/kube-ovn-v2/templates/agent/agent-clusterrole.yaml b/charts/kube-ovn-v2/templates/agent/agent-clusterrole.yaml new file mode 100644 index 00000000000..d639b730cb0 --- /dev/null +++ b/charts/kube-ovn-v2/templates/agent/agent-clusterrole.yaml 
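Review bot: The file opens with `{/*` instead of `{{/*`, so the first comment block is not a template comment and the three lines `{/*`, `Expand the name of the chart.`, `*/}}` are emitted as literal text; this is only masked because `_helpers.tpl` output is discarded, and the fix is the one character `{{/*`. In `kubeovn.nodeIPs`, `{{- if eq (index $node.metadata.labels $key) $val -}}` compares a nil result with a string when a node lacks the label, and whether `eq` tolerates that depends on the Go template version, so a guard such as `{{- if and (hasKey $node.metadata.labels $key) (eq (index $node.metadata.labels $key) $val) -}}` is safer. The `$versionRegex` used by both `kubeovn.ovs-ovn.updateStrategy` and `kubeovn.ovn.versionCompatibility` reads as `(?P0|[1-9]\d*)`, which Go's regexp rejects as a malformed named group; if this is the real content rather than a rendering artifact that stripped `(?P<name>…)` names, `regexMatch` will fail at render time, so please confirm against the source file. Both of those helpers also call `lookup`, which returns empty during `helm template`/`--dry-run`, so their fallbacks (`RollingUpdate`, no compatibility value) are what a client-side render will always produce; a short comment stating that intent would help the next maintainer.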
@@ -0,0 +1,91 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ rbac.authorization.k8s.io/system-only: "true"
+ {{- with .Values.agent.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.agent.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: system:kube-ovn-cni
+rules:
+ - apiGroups:
+ - "kubeovn.io"
+ resources:
+ - subnets
+ - vlans
+ - provider-networks
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ - "kubeovn.io"
+ resources:
+ - ovn-eips
+ - ovn-eips/status
+ - nodes
+ - nodes/status
+ - pods
+ - services
+ verbs:
+ - get
+ - list
+ - patch
+ - watch
+ - apiGroups:
+ - "kubeovn.io"
+ resources:
+ - ips
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - "certificates.k8s.io"
+ resources:
+ - "certificatesigningrequests"
+ verbs:
+ - "create"
+ - "get"
+ - "list"
+ - "watch"
+ - "delete"
+ - apiGroups:
+ - ""
+ resources:
+ - "secrets"
+ verbs:
+ - "get"
\ No newline at end of file
diff --git a/charts/kube-ovn-v2/templates/agent/agent-clusterrolebinding.yaml b/charts/kube-ovn-v2/templates/agent/agent-clusterrolebinding.yaml
new file mode 100644
index 00000000000..319327cfc0c
--- /dev/null
+++ b/charts/kube-ovn-v2/templates/agent/agent-clusterrolebinding.yaml
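Review bot: The second rule folds the core group `""` and `kubeovn.io` into one rule with a single verb list, so the per-node agent receives `patch` on every `pods`, `nodes` and `services` object in the cluster, not just on the `ovn-eips` it owns; a least-privilege split keeps `get`/`list`/`watch` for the core resources in one rule and grants `patch` in a separate rule only on what the agent actually writes (presumably `nodes`/`nodes/status` and pod metadata — confirm against the agent code). The last rule grants `get` on all `secrets` in every namespace to a DaemonSet that runs on every node; if it reads only specific secrets, pin them with `resourceNames: [<secret-name>]` and prefer a namespaced Role for that rule. Quoting is mixed within the same file (`- get` vs `- "get"`, `- authentication.k8s.io` vs `- "certificates.k8s.io"`); pick one form. The file also lacks a trailing newline.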
@@ -0,0 +1,21 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kube-ovn-cni
+ {{- with .Values.agent.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.agent.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ name: system:kube-ovn-cni
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: kube-ovn-cni
+ namespace: {{ .Values.namespace }}
\ No newline at end of file
diff --git a/charts/kube-ovn-v2/templates/agent/agent-daemonset.yaml b/charts/kube-ovn-v2/templates/agent/agent-daemonset.yaml
new file mode 100644
index 00000000000..0003f238fb1
--- /dev/null
+++ b/charts/kube-ovn-v2/templates/agent/agent-daemonset.yaml
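Review bot: `subjects[0].namespace` renders from the bare `.Values.namespace`; if that value is unset the ServiceAccount subject has an empty namespace, which RBAC validation rejects, so either default it in `values.yaml` or render `namespace: {{ .Values.namespace | default .Release.Namespace }}` here and in the other agent templates of this patch that use the same bare value. The subject name is hard-coded to `kube-ovn-cni` while `_helpers.tpl` in this patch defines `kubeovn.serviceAccountName`; if the agent deliberately uses its own account that is fine, but a comment saying so would stop the two from drifting unnoticed. The file also lacks a trailing newline.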
@@ -0,0 +1,289 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: kube-ovn-cni + namespace: {{ .Values.namespace }} + {{- with .Values.agent.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.agent.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: kube-ovn-cni + app.kubernetes.io/part-of: kube-ovn + template: + metadata: + {{- with .Values.agent.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app.kubernetes.io/name: kube-ovn-cni + app.kubernetes.io/part-of: kube-ovn + {{- with .Values.agent.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + # Legacy labels + app: kube-ovn-cni + component: network + type: infra + spec: + tolerations: + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: kube-ovn-cni + hostNetwork: true + hostPID: true + initContainers: + - name: hostpath-init + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - sh + - -xec + - iptables -V + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + privileged: true + runAsUser: 0 + runAsGroup: 0 + volumeMounts: + - name: usr-local-sbin + mountPath: /usr/local/sbin + - mountPath: /run/xtables.lock + name: xtables-lock + readOnly: false + - mountPath: /var/run/netns + name: host-ns + readOnly: false + - name: kube-ovn-log + mountPath: /var/log/kube-ovn + - name: install-cni + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - /kube-ovn/install-cni.sh + - --cni-conf-dir={{ 
.Values.cni.configDirectory }} + - --cni-conf-file={{ .Values.cni.localConfigFile }} + - --cni-conf-name={{- .Values.cni.configPriority -}}-kube-ovn.conflist + securityContext: + runAsUser: 0 + privileged: true + volumeMounts: + - mountPath: /opt/cni/bin + name: cni-bin + - mountPath: /etc/cni/net.d + name: cni-conf + {{- if .Values.cni.mountToolingDirectory }} + - mountPath: /usr/local/bin + name: local-bin + {{- end }} + containers: + - name: cni-server + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - bash + - /kube-ovn/start-cniserver.sh + args: + - --enable-mirror={{- .Values.agent.mirroring.enabled }} + - --mirror-iface={{- .Values.agent.mirroring.interface }} + - --node-switch={{ .Values.networking.join.subnetName }} + - --encap-checksum=true + {{- if eq .Values.networking.networkType "vlan" }} + - --iface= + {{- else}} + - --iface={{- .Values.agent.interface }} + {{- end }} + - --service-cluster-ip-range= + {{- if eq .Values.networking.stack "Dual" -}} + {{ .Values.networking.services.cidr.v4 }},{{ .Values.networking.services.cidr.v6 }} + {{- else if eq .Values.networking.stack "IPv4" -}} + {{ .Values.networking.services.cidr.v4 }} + {{- else if eq .Values.networking.stack "IPv6" -}} + {{ .Values.networking.services.cidr.v6 }} + {{- end }} + - --dpdk-tunnel-iface={{- .Values.agent.dpdkTunnelInterface }} + - --network-type={{- .Values.networking.tunnelType }} + - --default-interface-name={{- .Values.networking.vlan.interfaceName }} + - --logtostderr=false + - --alsologtostderr=true + - --log_file=/var/log/kube-ovn/kube-ovn-cni.log + - --log_file_max_size=200 + - --enable-metrics={{- .Values.networking.enableMetrics }} + - --kubelet-dir={{ .Values.kubelet.directory }} + - --enable-tproxy={{ .Values.features.ENABLE_TPROXY }} + - --ovs-vsctl-concurrency={{ .Values.performance.ovsVsctlConcurrency }} + - 
--secure-serving={{- .Values.features.SECURE_SERVING }} + - --enable-ovn-ipsec={{- .Values.features.ENABLE_OVN_IPSEC }} + securityContext: + runAsGroup: 0 + runAsUser: 0 + privileged: false + capabilities: + add: + - NET_ADMIN + - NET_BIND_SERVICE + - NET_RAW + - SYS_ADMIN + - CAP_SYS_PTRACE + - SYS_NICE + env: + - name: ENABLE_SSL + value: "{{ .Values.networking.enableSsl }}" + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IPS + valueFrom: + fieldRef: + fieldPath: status.podIPs + - name: ENABLE_BIND_LOCAL_IP + value: "{{- .Values.features.ENABLE_BIND_LOCAL_IP }}" + - name: DBUS_SYSTEM_BUS_ADDRESS + value: "unix:path=/host/var/run/dbus/system_bus_socket" + volumeMounts: + - name: usr-local-sbin + mountPath: /usr/local/sbin + - name: host-modules + mountPath: /lib/modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + readOnly: false + - name: shared-dir + mountPath: {{ .Values.kubelet.directory }}/pods + - mountPath: /etc/openvswitch + name: systemid + readOnly: true + - mountPath: /run/openvswitch + name: host-run-ovs + mountPropagation: HostToContainer + - mountPath: /run/ovn + name: host-run-ovn + - mountPath: /host/var/run/dbus + name: host-dbus + mountPropagation: HostToContainer + - mountPath: /var/run/netns + name: host-ns + mountPropagation: HostToContainer + - mountPath: /var/log/kube-ovn + name: kube-ovn-log + - mountPath: /var/log/openvswitch + name: host-log-ovs + - mountPath: /var/log/ovn + name: host-log-ovn + - mountPath: /etc/localtime + name: localtime + readOnly: true + {{- if .Values.func.ENABLE_OVN_IPSEC }} + - mountPath: /etc/ovs_ipsec_keys + name: ovs-ipsec-keys + {{- end }} + readinessProbe: + failureThreshold: 3 + periodSeconds: 7 + successThreshold: 1 + 
httpGet: + port: 10665 + path: /readyz + scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.SECURE_SERVING }}' + timeoutSeconds: 5 + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 7 + successThreshold: 1 + httpGet: + port: 10665 + path: /readyz + scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.SECURE_SERVING }}' + timeoutSeconds: 5 + {{- with .Values.agent.resources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} + nodeSelector: + kubernetes.io/os: "linux" + volumes: + - name: usr-local-sbin + emptyDir: {} + - name: host-modules + hostPath: + path: /lib/modules + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate + - name: shared-dir + hostPath: + path: {{ .Values.kubelet.directory }}/pods + - name: systemid + hostPath: + path: {{ .Values.ovsOvn.ovsDirectory }} + - name: host-run-ovs + hostPath: + path: /run/openvswitch + - name: host-run-ovn + hostPath: + path: /run/ovn + - name: cni-conf + hostPath: + path: {{ .Values.cni.configDirectory }} + - name: cni-bin + hostPath: + path: {{ .Values.cni.binaryDirectory }} + - name: host-ns + hostPath: + path: /var/run/netns + - name: host-dbus + hostPath: + path: /var/run/dbus + - name: kube-ovn-log + hostPath: + path: {{ .Values.logging.directory }}/kube-ovn + - name: localtime + hostPath: + path: /etc/localtime + - name: host-log-ovs + hostPath: + path: {{ .Values.logging.directory }}/openvswitch + - name: host-log-ovn + hostPath: + path: {{ .Values.logging.directory }}/ovn + {{- if .Values.cni.mountToolingDirectory }} + - name: local-bin + hostPath: + path: {{ .Values.cni.toolingDirectory }} + {{- end }} + {{- if .Values.features.ENABLE_OVN_IPSEC }} + - name: ovs-ipsec-keys + hostPath: + path: {{ .Values.ovsOvn.ovsDirectory }} + {{- end }} \ No newline at end of file 
diff --git a/charts/kube-ovn-v2/templates/agent/agent-rolebinding.yaml b/charts/kube-ovn-v2/templates/agent/agent-rolebinding.yaml
new file mode 100644
index 00000000000..0e91181e159
--- /dev/null
+++ b/charts/kube-ovn-v2/templates/agent/agent-rolebinding.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kube-ovn-cni
+ namespace: {{ .Values.namespace }}
+ {{- with .Values.agent.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.agent.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - kind: ServiceAccount
+ name: kube-ovn-cni
+ namespace: {{ .Values.namespace }}
\ No newline at end of file
diff --git a/charts/kube-ovn-v2/templates/agent/agent-service.yaml b/charts/kube-ovn-v2/templates/agent/agent-service.yaml
new file mode 100644
index 00000000000..556f8608ab1
--- /dev/null
+++ b/charts/kube-ovn-v2/templates/agent/agent-service.yaml
@@ -0,0 +1,23 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: kube-ovn-cni
+ namespace: {{ .Values.namespace }}
+ {{- with .Values.agent.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.agent.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ app.kubernetes.io/name: kube-ovn-cni
+ app.kubernetes.io/part-of: kube-ovn
+ ports:
+ - port: {{ .Values.agent.metrics.port }}
+ name: metrics
+ {{- if eq .Values.networking.stack "Dual" }}
+ ipFamilyPolicy: PreferDualStack
+ {{- end }}
diff --git a/charts/kube-ovn-v2/templates/agent/agent-serviceaccount.yaml b/charts/kube-ovn-v2/templates/agent/agent-serviceaccount.yaml
new file mode 100644
index 00000000000..1caecb5159a
--- /dev/null
+++ b/charts/kube-ovn-v2/templates/agent/agent-serviceaccount.yaml
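Review bot: The RoleBinding's roleRef names the Role `extension-apiserver-authentication-reader`, which is a `kube-system` Role, while the binding itself is created in `{{ .Values.namespace }}`; a RoleBinding can only reference a Role in its own namespace, so for any namespace other than kube-system the binding is dangling and the kube-ovn-cni ServiceAccount presumably cannot read the `extension-apiserver-authentication` ConfigMap that the agent's `--secure-serving` mode needs. Pin the binding to the Role's namespace, `namespace: kube-system`, keeping the subject's namespace as `{{ .Values.namespace }}` where the ServiceAccount is created, or state in the chart README that the binding only takes effect when `namespace` is kube-system. A `helm template` with a non-default `namespace` value would make the dangling reference visible.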
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kube-ovn-cni
+ namespace: {{ .Values.namespace }}
+ {{- with .Values.agent.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.agent.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- if .Values.global.registry.imagePullSecrets }}
+imagePullSecrets:
+{{- range $index, $secret := .Values.global.registry.imagePullSecrets }}
+{{- if $secret }}
+ - name: {{ $secret | quote}}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/kube-ovn-v2/templates/api-nad/apiNad.yaml b/charts/kube-ovn-v2/templates/api-nad/apiNad.yaml
new file mode 100644
index 00000000000..f2e9cf26af9
--- /dev/null
+++ b/charts/kube-ovn-v2/templates/api-nad/apiNad.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.apiNad.enabled }}
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+ name: {{ .Values.apiNad.name }}
+ namespace: {{ .Values.namespace }}
+spec:
+ config: '{
+ "cniVersion": "0.3.0",
+ "type": "kube-ovn",
+ "server_socket": "/run/openvswitch/kube-ovn-daemon.sock",
+ "provider": "{{ tpl .Values.apiNad.provider . }}"
+ }'
+{{- end }}
\ No newline at end of file
diff --git a/charts/kube-ovn-v2/templates/api-nad/apiSubnet.yaml b/charts/kube-ovn-v2/templates/api-nad/apiSubnet.yaml
new file mode 100644
index 00000000000..872f13482e5
--- /dev/null
+++ b/charts/kube-ovn-v2/templates/api-nad/apiSubnet.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.apiNad.enabled }}
+apiVersion: kubeovn.io/v1
+kind: Subnet
+metadata:
+ name: {{ .Values.apiNad.subnet.name }}
+ namespace: {{ .Values.namespace }}
+spec:
+ protocol: {{ .Values.apiNad.subnet.protocol }}
+ cidrBlock: {{ .Values.apiNad.subnet.cidrBlock }}
+ provider: {{ tpl .Values.apiNad.provider . }}
+{{- end }}
\ No newline at end of file
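Review bot: In apiNad.yaml the provider value is interpolated unescaped into a JSON document that is itself a single-quoted YAML scalar, and because it goes through `tpl` it can expand to arbitrary text; any `'` or `"` in the result breaks the NetworkAttachmentDefinition or changes the meaning of the JSON. Let the template functions do the quoting instead: `config: {{ dict "cniVersion" "0.3.0" "type" "kube-ovn" "server_socket" "/run/openvswitch/kube-ovn-daemon.sock" "provider" (tpl .Values.apiNad.provider .) | toJson | quote }}`. apiSubnet.yaml has the same unquoted interpolation on `provider: {{ tpl .Values.apiNad.provider . }}`; appending `| quote` there keeps a rendered value containing `: ` or `#` from being parsed as YAML structure.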
diff --git a/charts/kube-ovn-v2/templates/central/central-deployment.yaml b/charts/kube-ovn-v2/templates/central/central-deployment.yaml
new file mode 100644
index 00000000000..91aa2390c04
--- /dev/null
+++ b/charts/kube-ovn-v2/templates/central/central-deployment.yaml
@@ -0,0 +1,183 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: ovn-central + {{- with .Values.central.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.central.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ include "kubeovn.nodeCount" . }} + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/name: ovn-central + app.kubernetes.io/part-of: kube-ovn + template: + metadata: + {{- with .Values.central.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app.kubernetes.io/name: ovn-central + app.kubernetes.io/part-of: kube-ovn + {{- with .Values.central.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + # Legacy labels + app: ovn-central + component: network + type: infra + spec: + tolerations: + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: ovn-central + topologyKey: kubernetes.io/hostname + priorityClassName: system-cluster-critical + serviceAccountName: ovn-ovs + hostNetwork: true + initContainers: + - name: hostpath-init + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - sh + - -c + - "chown -R nobody: /var/run/ovn /etc/ovn /var/log/ovn" + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + privileged: true + runAsUser: 0 + volumeMounts: + - mountPath: /var/run/ovn + name: host-run-ovn + - mountPath: /etc/ovn + name: host-config-ovn + - mountPath: /var/log/ovn + name: host-log-ovn + containers: + - name: ovn-central + image: {{ .Values.global.registry.address 
}}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - bash + - /kube-ovn/start-db.sh + securityContext: + runAsUser: {{ include "kubeovn.runAsUser" . }} + privileged: false + capabilities: + add: + - NET_BIND_SERVICE + - SYS_NICE + env: + - name: ENABLE_SSL + value: "{{ .Values.networking.enableSsl }}" + - name: NODE_IPS + value: "{{ .Values.masterNodes| default (include "kubeovn.nodeIPs" .) }}" + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IPS + valueFrom: + fieldRef: + fieldPath: status.podIPs + - name: ENABLE_BIND_LOCAL_IP + value: "{{- .Values.features.ENABLE_BIND_LOCAL_IP }}" + - name: PROBE_INTERVAL + value: "{{ .Values.ovsOvn.probeInterval }}" + - name: OVN_NORTHD_PROBE_INTERVAL + value: "{{ .Values.central.ovnNorthdProbeInterval}}" + - name: OVN_LEADER_PROBE_INTERVAL + value: "{{ .Values.central.ovnLeaderProbeInterval }}" + - name: OVN_NORTHD_N_THREADS + value: "{{ .Values.central.ovnNorthdNThreads }}" + - name: ENABLE_COMPACT + value: "{{ .Values.networking.enableCompact }}" + - name: OVN_VERSION_COMPATIBILITY + value: '{{ include "kubeovn.ovn.versionCompatibility" . }}' + {{- with .Values.central.resources }} + resources: + {{- toYaml . 
| trim | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: /var/run/ovn + name: host-run-ovn + - mountPath: /etc/ovn + name: host-config-ovn + - mountPath: /var/log/ovn + name: host-log-ovn + - mountPath: /etc/localtime + name: localtime + readOnly: true + - mountPath: /var/run/tls + name: kube-ovn-tls + readinessProbe: + exec: + command: + - bash + - /kube-ovn/ovn-healthcheck.sh + periodSeconds: 15 + timeoutSeconds: 45 + livenessProbe: + exec: + command: + - bash + - /kube-ovn/ovn-healthcheck.sh + initialDelaySeconds: 30 + periodSeconds: 15 + failureThreshold: 5 + timeoutSeconds: 45 + nodeSelector: + kubernetes.io/os: "linux" + {{- with splitList "=" .Values.masterNodesLabel}} + {{ index . 0 }}: "{{ if eq (len .) 2 }}{{ index . 1 }}{{ end }}" + {{- end }} + volumes: + - name: host-run-ovn + hostPath: + path: /run/ovn + - name: host-config-ovn + hostPath: + path: {{ .Values.ovsOvn.ovnDirectory }} + - name: host-log-ovn + hostPath: + path: {{ .Values.logging.directory }}/ovn + - name: localtime + hostPath: + path: /etc/localtime + - name: kube-ovn-tls + secret: + optional: true + secretName: kube-ovn-tls + diff --git a/charts/kube-ovn-v2/templates/central/northbound-service.yaml b/charts/kube-ovn-v2/templates/central/northbound-service.yaml new file mode 100644 index 00000000000..cce0cfcb441 --- /dev/null +++ b/charts/kube-ovn-v2/templates/central/northbound-service.yaml 
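Review bot: The ovn-central Deployment has no `namespace:` under `metadata`, unlike every other object in this chart (the ovn-nb/ovn-sb/ovn-northd Services carry `namespace: {{ .Values.namespace }}`), so it lands in whatever namespace `helm install -n` targets; if that differs from `.Values.namespace`, the Services' selectors never match a pod and the `ovn-ovs` ServiceAccount named in `serviceAccountName`, presumably created in `.Values.namespace`, is not found. Add `namespace: {{ .Values.namespace }}` directly after `name: ovn-central`. Separately, the `hostpath-init` container only runs `chown -R nobody:` on three hostPath mounts, which needs root plus CHOWN/FOWNER/DAC_OVERRIDE rather than `privileged: true` (and with `privileged: true` the `drop: [ALL]` is effectively a no-op); `privileged: false` with `capabilities.add: [CHOWN, DAC_OVERRIDE, FOWNER]` is the least-privilege form unless a node-OS restriction was found to require privileged, in which case a comment saying so would help the next reader. The same init-container shape appears in the controller and ovn-ic-controller Deployments in this commit.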
@@ -0,0 +1,28 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: ovn-nb
+ namespace: {{ .Values.namespace }}
+ {{- with .Values.central.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.central.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ports:
+ - name: ovn-nb
+ protocol: TCP
+ port: 6641
+ targetPort: 6641
+ type: ClusterIP
+ {{- if eq .Values.networking.stack "Dual" }}
+ ipFamilyPolicy: PreferDualStack
+ {{- end }}
+ selector:
+ app.kubernetes.io/name: ovn-central
+ app.kubernetes.io/part-of: kube-ovn
+ ovn-nb-leader: "true"
+ sessionAffinity: None
diff --git a/charts/kube-ovn-v2/templates/central/northd-service.yaml b/charts/kube-ovn-v2/templates/central/northd-service.yaml
new file mode 100644
index 00000000000..68bbd01aa53
--- /dev/null
+++ b/charts/kube-ovn-v2/templates/central/northd-service.yaml
@@ -0,0 +1,28 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: ovn-northd
+ namespace: {{ .Values.namespace }}
+ {{- with .Values.central.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.central.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ports:
+ - name: ovn-northd
+ protocol: TCP
+ port: 6643
+ targetPort: 6643
+ type: ClusterIP
+ {{- if eq .Values.networking.stack "Dual" }}
+ ipFamilyPolicy: PreferDualStack
+ {{- end }}
+ selector:
+ app.kubernetes.io/name: ovn-central
+ app.kubernetes.io/part-of: kube-ovn
+ ovn-northd-leader: "true"
+ sessionAffinity: None
diff --git a/charts/kube-ovn-v2/templates/central/southbound-service.yaml b/charts/kube-ovn-v2/templates/central/southbound-service.yaml
new file mode 100644
index 00000000000..f30c55fac30
--- /dev/null
+++ b/charts/kube-ovn-v2/templates/central/southbound-service.yaml
@@ -0,0 +1,28 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: ovn-sb
+ namespace: {{ .Values.namespace }}
+ {{- with .Values.central.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.central.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ports:
+ - name: ovn-sb
+ protocol: TCP
+ port: 6642
+ targetPort: 6642
+ type: ClusterIP
+ {{- if eq .Values.networking.stack "Dual" }}
+ ipFamilyPolicy: PreferDualStack
+ {{- end }}
+ selector:
+ app.kubernetes.io/name: ovn-central
+ app.kubernetes.io/part-of: kube-ovn
+ ovn-sb-leader: "true"
+ sessionAffinity: None
diff --git a/charts/kube-ovn-v2/templates/controller/controller-deployment.yaml b/charts/kube-ovn-v2/templates/controller/controller-deployment.yaml
new file mode 100644
index 00000000000..97b4b39bc3d
--- /dev/null
+++ b/charts/kube-ovn-v2/templates/controller/controller-deployment.yaml
@@ -0,0 +1,246 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kube-ovn-controller + namespace: {{ .Values.namespace }} + {{- with .Values.controller.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.controller.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ include "kubeovn.nodeCount" . }} + selector: + matchLabels: + app.kubernetes.io/name: kube-ovn-controller + app.kubernetes.io/part-of: kube-ovn + strategy: + rollingUpdate: + maxSurge: 0% + maxUnavailable: 100% + type: RollingUpdate + template: + metadata: + {{- with .Values.controller.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app.kubernetes.io/name: kube-ovn-controller + app.kubernetes.io/part-of: kube-ovn + {{- with .Values.controller.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + # Legacy labels + app: kube-ovn-controller + component: network + type: infra + spec: + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: "ovn.kubernetes.io/ic-gw" + operator: NotIn + values: + - "true" + weight: 100 + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: kube-ovn-controller + topologyKey: kubernetes.io/hostname + priorityClassName: system-cluster-critical + serviceAccountName: ovn + hostNetwork: true + initContainers: + - name: hostpath-init + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - sh + - -c + - "chown -R nobody: /var/log/kube-ovn" + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + privileged: true + runAsUser: 0 + volumeMounts: + - 
name: kube-ovn-log + mountPath: /var/log/kube-ovn + containers: + - name: kube-ovn-controller + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - /kube-ovn/start-controller.sh + - --default-ls={{ .Values.networking.pods.subnetName }} + - --default-cidr= + {{- if eq .Values.networking.stack "Dual" -}} + {{ .Values.networking.pods.cidr.v4 }},{{ .Values.networking.pods.cidr.v6 }} + {{- else if eq .Values.networking.stack "IPv4" -}} + { .Values.networking.pods.cidr.v4 }} + {{- else if eq .Values.networking.stack "IPv6" -}} + { .Values.networking.pods.cidr.v6 }} + {{- end }} + - --default-gateway= + {{- if eq .Values.networking.stack "Dual" -}} + {{ .Values.networking.pods.gateways.v4 }},{{ .Values.networking.pods.gateways.v6 }} + {{- else if eq .Values.networking.stack "IPv4" -}} + {{ .Values.networking.pods.gateways.v4 }} + {{- else if eq .Values.networking.stack "IPv6" -}} + {{ .Values.networking.pods.gateways.v6 }} + {{- end }} + - --default-gateway-check={{- .Values.features.CHECK_GATEWAY }} + - --default-logical-gateway={{- .Values.features.LOGICAL_GATEWAY }} + - --default-u2o-interconnection={{- .Values.features.U2O_INTERCONNECTION }} + - --default-exclude-ips={{- .Values.networking.excludeIps }} + - --cluster-router={{ .Values.networking.defaultVpcName }} + - --node-switch={{ .Values.networking.join.subnetName }} + - --node-switch-cidr= + {{- if eq .Values.networking.stack "Dual" -}} + {{ .Values.networking.join.cidr.v4 }},{{ .Values.networking.join.cidr.v6 }} + {{- else if eq .Values.networking.stack "IPv4" -}} + {{ .Values.networking.join.cidr.v4 }} + {{- else if eq .Values.networking.stack "IPv6" -}} + {{ .Values.networking.join.cidr.v6 }} + {{- end }} + - --service-cluster-ip-range= + {{- if eq .Values.networking.stack "Dual" -}} + {{ .Values.networking.services.cidr.v4 }},{{ .Values.networking.services.cidr.v6 }} + 
{{- else if eq .Values.networking.stack "IPv4" -}} + {{ .Values.networking.services.cidr.v4 }} + {{- else if eq .Values.networking.stack "IPv6" -}} + {{ .Values.networking.services.cidr.v6 }} + {{- end }} + - --network-type={{- .Values.networking.networkType }} + - --default-provider-name={{ .Values.networking.vlan.providerName }} + - --default-interface-name={{- .Values.networking.vlan.interfaceName }} + - --default-exchange-link-name={{- .Values.networking.exchangeLinkName }} + - --default-vlan-name={{- .Values.networking.vlan.name }} + - --default-vlan-id={{- .Values.networking.vlan.id }} + - --ls-dnat-mod-dl-dst={{- .Values.features.LS_DNAT_MOD_DL_DST }} + - --ls-ct-skip-dst-lport-ips={{- .Values.features.LS_CT_SKIP_DST_LPORT_IPS }} + - --pod-nic-type={{- .Values.networking.podNicType }} + - --enable-lb={{- .Values.features.ENABLE_LB }} + - --enable-np={{- .Values.features.ENABLE_NP }} + - --enable-eip-snat={{- .Values.networking.enableEipSnat }} + - --enable-external-vpc={{- .Values.features.ENABLE_EXTERNAL_VPC }} + - --enable-ecmp={{- .Values.networking.enableEcmp }} + - --logtostderr=false + - --alsologtostderr=true + - --gc-interval={{- .Values.performance.gcInterval }} + - --inspect-interval={{- .Values.performance.inspectInterval }} + - --log_file=/var/log/kube-ovn/kube-ovn-controller.log + - --log_file_max_size=200 + - --enable-lb-svc={{- .Values.features.ENABLE_LB_SVC }} + - --keep-vm-ip={{- .Values.features.ENABLE_KEEP_VM_IP }} + - --enable-metrics={{- .Values.networking.enableMetrics }} + - --node-local-dns-ip={{- .Values.networking.nodeLocalDnsIp }} + - --secure-serving={{- .Values.features.SECURE_SERVING }} + - --enable-ovn-ipsec={{- .Values.features.ENABLE_OVN_IPSEC }} + - --enable-anp={{- .Values.features.ENABLE_ANP }} + - --ovsdb-con-timeout={{- .Values.features.OVSDB_CON_TIMEOUT }} + - --ovsdb-inactivity-timeout={{- .Values.features.OVSDB_INACTIVITY_TIMEOUT }} + - --enable-live-migration-optimize={{- 
.Values.features.ENABLE_LIVE_MIGRATION_OPTIMIZE }} + - --enable-ovn-lb-prefer-local={{- .Values.features.ENABLE_OVN_LB_PREFER_LOCAL }} + - --image={{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + securityContext: + runAsUser: {{ include "kubeovn.runAsUser" . }} + privileged: false + capabilities: + add: + - NET_BIND_SERVICE + - NET_RAW + env: + - name: ENABLE_SSL + value: "{{ .Values.networking.enableSsl }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: OVN_DB_IPS + value: "{{ .Values.masterNodes| default (include "kubeovn.nodeIPs" .) }}" + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_IPS + valueFrom: + fieldRef: + fieldPath: status.podIPs + - name: ENABLE_BIND_LOCAL_IP + value: "{{- .Values.features.ENABLE_BIND_LOCAL_IP }}" + volumeMounts: + - mountPath: /etc/localtime + name: localtime + readOnly: true + - mountPath: /var/log/kube-ovn + name: kube-ovn-log + # ovn-ic log directory + - mountPath: /var/log/ovn + name: ovn-log + - mountPath: /var/run/tls + name: kube-ovn-tls + readinessProbe: + httpGet: + port: 10660 + path: /readyz + scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.SECURE_SERVING }}' + periodSeconds: 3 + timeoutSeconds: 5 + livenessProbe: + httpGet: + port: 10660 + path: /readyz + scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.SECURE_SERVING }}' + initialDelaySeconds: 300 + periodSeconds: 7 + failureThreshold: 5 + timeoutSeconds: 5 + {{- with .Values.controller.resources }} + resources: + {{- toYaml . 
| trim | nindent 12 }} + {{- end }} + nodeSelector: + kubernetes.io/os: "linux" + volumes: + - name: localtime + hostPath: + path: /etc/localtime + - name: kube-ovn-log + hostPath: + path: {{ .Values.logging.directory }}/kube-ovn + - name: ovn-log + hostPath: + path: {{ .Values.logging.directory }}/ovn + - name: kube-ovn-tls + secret: + optional: true + secretName: kube-ovn-tls + diff --git a/charts/kube-ovn-v2/templates/controller/controller-service.yaml b/charts/kube-ovn-v2/templates/controller/controller-service.yaml new file mode 100644 index 00000000000..6f800808ad0 --- /dev/null +++ b/charts/kube-ovn-v2/templates/controller/controller-service.yaml @@ -0,0 +1,23 @@ +kind: Service +apiVersion: v1 +metadata: + name: kube-ovn-controller + namespace: {{ .Values.namespace }} + {{- with .Values.controller.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.controller.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + app.kubernetes.io/name: kube-ovn-controller + app.kubernetes.io/part-of: kube-ovn + ports: + - port: {{ .Values.controller.metrics.port }} + name: metrics + {{- if eq .Values.networking.stack "Dual" }} + ipFamilyPolicy: PreferDualStack + {{- end }} diff --git a/charts/kube-ovn-v2/templates/hooks/pre-delete-hook.yaml b/charts/kube-ovn-v2/templates/hooks/pre-delete-hook.yaml new file mode 100644 index 00000000000..f975c9ac606 --- /dev/null +++ b/charts/kube-ovn-v2/templates/hooks/pre-delete-hook.yaml 
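Review bot: The IPv4 and IPv6 branches of `--default-cidr=` open with a single brace, `{ .Values.networking.pods.cidr.v4 }}` and `{ .Values.networking.pods.cidr.v6 }}`, so in single-stack mode the argument is rendered as that literal text instead of the pod CIDR (and the stray `{` is likely to break YAML parsing of the args list); both lines should read `{{ .Values.networking.pods.cidr.v4 }}` and `{{ .Values.networking.pods.cidr.v6 }}` like the gateway and join-cidr blocks immediately below. A `helm template` run per `networking.stack` value would catch this class of error, so a render test for `IPv4`, `IPv6` and `Dual` is worth adding alongside the chart. The `hostpath-init` container here has the same privileged/drop-ALL shape raised on ovn-central, and would be reduced in the same way.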
@@ -0,0 +1,123 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-ovn-pre-delete-hook + namespace: {{ .Values.namespace }} + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + rbac.authorization.k8s.io/system-only: "true" + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": hook-succeeded + name: system:kube-ovn-pre-delete-hook +rules: + - apiGroups: + - kubeovn.io + resources: + - subnets + verbs: + - get + - list + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kube-ovn-pre-delete-hook + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": hook-succeeded +roleRef: + name: system:kube-ovn-pre-delete-hook + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: kube-ovn-pre-delete-hook + namespace: {{ .Values.namespace }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ .Chart.Name }}-pre-delete-hook" + namespace: {{ .Values.namespace }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. 
+ "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "4" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + completions: 1 + template: + metadata: + name: "{{ .Release.Name }}" + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + app: kube-ovn-pre-delete-hook + component: job + spec: + tolerations: + - key: "" + operator: "Exists" + effect: "NoSchedule" + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - kube-ovn-pre-delete-hook + - key: component + operator: In + values: + - job + restartPolicy: Never + hostNetwork: true + nodeSelector: + kubernetes.io/os: "linux" + serviceAccount: kube-ovn-pre-delete-hook + serviceAccountName: kube-ovn-pre-delete-hook + containers: + - name: remove-subnet-finalizer + image: "{{ .Values.global.registry.address}}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}" + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + command: + - sh + - -c + - /kube-ovn/remove-subnet-finalizer.sh 2>&1 | tee -a /var/log/kube-ovn/remove-subnet-finalizer.log + volumeMounts: + - mountPath: /var/log/kube-ovn + name: kube-ovn-log + volumes: + - name: kube-ovn-log + hostPath: + path: {{ .Values.logging.directory }}/kube-ovn diff --git a/charts/kube-ovn-v2/templates/hooks/upgrade-ovs-ovn.yaml b/charts/kube-ovn-v2/templates/hooks/upgrade-ovs-ovn.yaml new file mode 100644 index 00000000000..37fc598c861 --- /dev/null +++ b/charts/kube-ovn-v2/templates/hooks/upgrade-ovs-ovn.yaml 
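Review bot: The container command `sh -c '/kube-ovn/remove-subnet-finalizer.sh 2>&1 | tee -a …'` reports the exit status of `tee`, so a failing finalizer-removal script still marks the Job succeeded, helm deletes the hook resources and the uninstall proceeds while Subnet objects may still carry finalizers. The post-upgrade hook in this same commit already uses `bash -eo pipefail -c`, so the same shape belongs here: `- bash`, `- -eo`, `- pipefail`, `- -c`. Also, `"helm.sh/hook-delete-policy": hook-succeeded` on its own leaves the ServiceAccount, the ClusterRole (with `patch` on all subnets) and its ClusterRoleBinding in the cluster after a failed run; `before-hook-creation,hook-succeeded` removes stale copies on the next attempt, and a `backoffLimit` and `activeDeadlineSeconds` on the Job bound how long an uninstall can hang on it.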
@@ -0,0 +1,171 @@ +{{- if include "kubeovn.ovn.versionCompatibility" . -}} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ovs-ovn-upgrade + namespace: {{ .Values.namespace }} + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + rbac.authorization.k8s.io/system-only: "true" + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": hook-succeeded + name: system:ovs-ovn-upgrade +rules: + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - list + - apiGroups: + - apps + resources: + - daemonsets + resourceNames: + - ovs-ovn + verbs: + - get + - apiGroups: + - apps + resources: + - deployments + resourceNames: + - ovn-central + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - list + - apiGroups: + - "" + resources: + - pods + verbs: + - list + - get + - watch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ovs-ovn-upgrade + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. 
+ "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": hook-succeeded +roleRef: + name: system:ovs-ovn-upgrade + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: ovs-ovn-upgrade + namespace: {{ .Values.namespace }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ .Chart.Name }}-post-upgrade-hook" + namespace: {{ .Values.namespace }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "4" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + completions: 1 + template: + metadata: + name: "{{ .Release.Name }}" + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + app: post-upgrade + component: job + spec: + tolerations: + - key: "" + operator: "Exists" + effect: "NoSchedule" + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - post-upgrade + - key: component + operator: In + values: + - job + restartPolicy: Never + hostNetwork: true + nodeSelector: + kubernetes.io/os: "linux" + serviceAccount: ovs-ovn-upgrade + serviceAccountName: ovs-ovn-upgrade + containers: + - name: ovs-ovn-upgrade + image: "{{ .Values.global.registry.address}}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}" + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: 
ENABLE_SSL + value: "{{ .Values.networking.enableSsl }}" + - name: OVN_DB_IPS + value: "{{ .Values.masterNodes| default (include "kubeovn.nodeIPs" .) }}" + - name: OVN_VERSION_COMPATIBILITY + value: '{{ include "kubeovn.ovn.versionCompatibility" . }}' + command: + - bash + - -eo + - pipefail + - -c + - /kube-ovn/upgrade-ovs.sh 2>&1 | tee -a /var/log/kube-ovn/upgrade-ovs.log + volumeMounts: + - mountPath: /var/log/kube-ovn + name: kube-ovn-log + - mountPath: /var/run/tls + name: kube-ovn-tls + volumes: + - name: kube-ovn-log + hostPath: + path: {{ .Values.logging.directory }}/kube-ovn + - name: kube-ovn-tls + secret: + optional: true + secretName: kube-ovn-tls +{{- end -}} diff --git a/charts/kube-ovn-v2/templates/ic/ic-controller-deploy.yaml b/charts/kube-ovn-v2/templates/ic/ic-controller-deploy.yaml new file mode 100644 index 00000000000..6d2bd91bff1 --- /dev/null +++ b/charts/kube-ovn-v2/templates/ic/ic-controller-deploy.yaml 
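Review bot: The `system:ovs-ovn-upgrade` ClusterRole grants `list`, `get`, `watch` and `delete` on `pods` cluster-wide with no `resourceNames` or namespace scope, so the hook's ServiceAccount can delete any pod in the cluster rather than only the ovs-ovn pods it presumably restarts. Those pods live in `{{ .Values.namespace }}` if the ovs-ovn DaemonSet follows the rest of the chart, so the `pods` rule belongs in a namespaced Role plus RoleBinding in that namespace, leaving only the `nodes` rule (and the daemonset/deployment reads, if they must stay cluster-wide) in the ClusterRole. As with the pre-delete hook, `hook-delete-policy: hook-succeeded` keeps this binding alive after a failed run; `before-hook-creation,hook-succeeded` is the safer default. The enclosing `{{- if include "kubeovn.ovn.versionCompatibility" . -}}` guard means none of this is rendered unless that helper returns text, which is worth a one-line comment at the top of the file.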
@@ -0,0 +1,130 @@ +{{- if .Values.features.ENABLE_IC }} +kind: Deployment +apiVersion: apps/v1 +metadata: + name: ovn-ic-controller + namespace: kube-system + annotations: + kubernetes.io/description: | + OVN IC Client +spec: + replicas: 1 + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: ovn-ic-controller + template: + metadata: + labels: + app: ovn-ic-controller + component: network + type: infra + spec: + tolerations: + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: ovn-ic-controller + topologyKey: kubernetes.io/hostname + priorityClassName: system-cluster-critical + serviceAccountName: ovn + hostNetwork: true + initContainers: + - name: hostpath-init + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - sh + - -c + - "chown -R nobody: /var/run/ovn /var/log/ovn /var/log/kube-ovn" + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + privileged: true + runAsUser: 0 + volumeMounts: + - mountPath: /var/run/ovn + name: host-run-ovn + - mountPath: /var/log/ovn + name: host-log-ovn + - name: kube-ovn-log + mountPath: /var/log/kube-ovn + containers: + - name: ovn-ic-controller + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ["/kube-ovn/start-ic-controller.sh"] + args: + - --log_file=/var/log/kube-ovn/kube-ovn-ic-controller.log + - --log_file_max_size=200 + - --logtostderr=false + - --alsologtostderr=true + securityContext: + runAsUser: {{ include "kubeovn.runAsUser" . 
}} + privileged: false + capabilities: + add: + - NET_BIND_SERVICE + - SYS_NICE + env: + - name: ENABLE_SSL + value: "{{ .Values.networking.enableSsl }}" + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: OVN_DB_IPS + value: "{{ .Values.masterNodes| default (include "kubeovn.nodeIPs" .) }}" + resources: + requests: + cpu: 300m + memory: 200Mi + limits: + cpu: 3 + memory: 1Gi + volumeMounts: + - mountPath: /var/run/ovn + name: host-run-ovn + - mountPath: /var/log/ovn + name: host-log-ovn + - mountPath: /etc/localtime + name: localtime + - mountPath: /var/run/tls + name: kube-ovn-tls + - mountPath: /var/log/kube-ovn + name: kube-ovn-log + nodeSelector: + kubernetes.io/os: "linux" + kube-ovn/role: "master" + volumes: + - name: host-run-ovn + hostPath: + path: /run/ovn + - name: host-log-ovn + hostPath: + path: /var/log/ovn + - name: localtime + hostPath: + path: /etc/localtime + - name: kube-ovn-log + hostPath: + path: /var/log/kube-ovn + - name: kube-ovn-tls + secret: + optional: true + secretName: kube-ovn-tls +{{- end }} diff --git a/charts/kube-ovn-v2/templates/misc/extra-objects.yaml b/charts/kube-ovn-v2/templates/misc/extra-objects.yaml new file mode 100644 index 00000000000..955c306e893 --- /dev/null +++ b/charts/kube-ovn-v2/templates/misc/extra-objects.yaml @@ -0,0 +1,8 @@ +{{ range .Values.extraObjects }} +--- +{{ if typeIs "string" . }} + {{- tpl . $ }} +{{- else }} + {{- tpl (toYaml .) $ }} +{{- end }} +{{ end }} diff --git a/charts/kube-ovn-v2/templates/monitor/monitor-deployment.yaml b/charts/kube-ovn-v2/templates/monitor/monitor-deployment.yaml new file mode 100644 index 00000000000..807d603bcc1 --- /dev/null +++ b/charts/kube-ovn-v2/templates/monitor/monitor-deployment.yaml 
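Review bot: The Deployment's `metadata.namespace` is hard-coded to `kube-system` while its `serviceAccountName: ovn` is created in `{{ .Values.namespace }}` (rbac/ovn-sa.yaml), so an install into any other namespace produces a pod that cannot start for lack of its ServiceAccount; it should read `namespace: {{ .Values.namespace }}`. The `host-log-ovn` and `kube-ovn-log` hostPaths are likewise fixed to `/var/log/ovn` and `/var/log/kube-ovn` instead of `{{ .Values.logging.directory }}/ovn` and `{{ .Values.logging.directory }}/kube-ovn` as the other templates in this change do. Separately, the `hostpath-init` container here, in monitor-deployment.yaml and in pinger-daemonset.yaml combines `privileged: true` with `drop: ALL`, which is contradictory: privileged grants every capability regardless of the drop list, and a bare `chown -R` needs at most `CHOWN` (plus `DAC_OVERRIDE`/`FOWNER` if the tree is not traversable by root). For those three, `privileged: false`, `allowPrivilegeEscalation: false` and `add: [CHOWN, DAC_OVERRIDE, FOWNER]` would express the real requirement, leaving privileged only where the init container loads kernel modules (ovs-ovn-daemonset.yaml).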
@@ -0,0 +1,181 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: kube-ovn-monitor + namespace: {{ .Values.namespace }} + {{- with .Values.monitor.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.monitor.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: 1 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/name: kube-ovn-monitor + app.kubernetes.io/part-of: kube-ovn + template: + metadata: + {{- with .Values.monitor.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app.kubernetes.io/name: kube-ovn-monitor + app.kubernetes.io/part-of: kube-ovn + {{- with .Values.monitor.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + # Legacy labels + app: kube-ovn-monitor + component: network + type: infra + spec: + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: kube-ovn-monitor + topologyKey: kubernetes.io/hostname + priorityClassName: system-cluster-critical + serviceAccountName: kube-ovn-app + hostNetwork: true + initContainers: + - name: hostpath-init + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - sh + - -c + - "chown -R nobody: /var/log/kube-ovn" + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + privileged: true + runAsUser: 0 + volumeMounts: + - name: kube-ovn-log + mountPath: /var/log/kube-ovn + containers: + - name: kube-ovn-monitor + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + imagePullPolicy: {{ 
.Values.image.pullPolicy }} + command: ["/kube-ovn/start-ovn-monitor.sh"] + args: + - --secure-serving={{- .Values.features.SECURE_SERVING }} + - --log_file=/var/log/kube-ovn/kube-ovn-monitor.log + - --logtostderr=false + - --alsologtostderr=true + - --log_file_max_size=200 + - --enable-metrics={{- .Values.networking.enableMetrics }} + securityContext: + runAsUser: {{ include "kubeovn.runAsUser" . }} + privileged: false + capabilities: + add: + - NET_BIND_SERVICE + env: + - name: ENABLE_SSL + value: "{{ .Values.networking.enableSsl }}" + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_IPS + valueFrom: + fieldRef: + fieldPath: status.podIPs + - name: ENABLE_BIND_LOCAL_IP + value: "{{- .Values.features.ENABLE_BIND_LOCAL_IP }}" + {{- with .Values.monitor.resources }} + resources: + {{- toYaml . 
| trim | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: /var/run/ovn + name: host-run-ovn + - mountPath: /etc/ovn + name: host-config-ovn + - mountPath: /var/log/ovn + name: host-log-ovn + readOnly: true + - mountPath: /etc/localtime + name: localtime + readOnly: true + - mountPath: /var/run/tls + name: kube-ovn-tls + - mountPath: /var/log/kube-ovn + name: kube-ovn-log + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 7 + successThreshold: 1 + httpGet: + port: 10661 + path: /livez + scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.SECURE_SERVING }}' + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 7 + successThreshold: 1 + httpGet: + port: 10661 + path: /livez + scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.SECURE_SERVING }}' + timeoutSeconds: 5 + nodeSelector: + kubernetes.io/os: "linux" + {{- with splitList "=" .Values.masterNodesLabel}} + {{ index . 0 }}: "{{ if eq (len .) 2 }}{{ index . 1 }}{{ end }}" + {{- end }} + volumes: + - name: host-run-ovn + hostPath: + path: /run/ovn + - name: host-config-ovn + hostPath: + path: {{ .Values.ovsOvn.ovnDirectory }} + - name: host-log-ovn + hostPath: + path: {{ .Values.logging.directory }}/ovn + - name: localtime + hostPath: + path: /etc/localtime + - name: kube-ovn-tls + secret: + optional: true + secretName: kube-ovn-tls + - name: kube-ovn-log + hostPath: + path: {{ .Values.logging.directory }}/kube-ovn diff --git a/charts/kube-ovn-v2/templates/monitor/monitor-service.yaml b/charts/kube-ovn-v2/templates/monitor/monitor-service.yaml new file mode 100644 index 00000000000..4827aca217e --- /dev/null +++ b/charts/kube-ovn-v2/templates/monitor/monitor-service.yaml 
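Review bot: The `readinessProbe` reuses `path: /livez`, so readiness and liveness report the same condition; if the monitor exposes a distinct readiness endpoint it should be used here, otherwise a comment such as `# readiness intentionally mirrors liveness: the monitor has no separate ready state` would tell the next reader this is deliberate. The `host-config-ovn` (`/etc/ovn`) and `host-run-ovn` (`/var/run/ovn`) hostPath mounts are writable while `host-log-ovn` and `localtime` are `readOnly: true`; if the monitor only reads OVN state, adding `readOnly: true` to those two removes a write path from a `hostNetwork` pod into host directories. The `{{- with splitList "=" .Values.masterNodesLabel}}` nodeSelector silently renders an empty value when the label contains no `=`; a short comment noting that bare labels are supported would avoid surprise.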
@@ -0,0 +1,25 @@ +kind: Service +apiVersion: v1 +metadata: + name: kube-ovn-monitor + namespace: {{ .Values.namespace }} + {{- with .Values.monitor.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.monitor.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ports: + - name: metrics + port: {{ .Values.monitor.metrics.port }} + type: ClusterIP + selector: + app.kubernetes.io/name: kube-ovn-monitor + app.kubernetes.io/part-of: kube-ovn + sessionAffinity: None + {{- if eq .Values.networking.stack "Dual" }} + ipFamilyPolicy: PreferDualStack + {{- end }} diff --git a/charts/kube-ovn-v2/templates/nat-gw/rbac.yaml b/charts/kube-ovn-v2/templates/nat-gw/rbac.yaml new file mode 100644 index 00000000000..14d8ec6421d --- /dev/null +++ b/charts/kube-ovn-v2/templates/nat-gw/rbac.yaml @@ -0,0 +1,47 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:vpc-nat-gw +rules: + - apiGroups: + - "" + resources: + - services + - pods + verbs: + - list + - watch + - apiGroups: + - kubeovn.io + resources: + - iptables-eips + - subnets + - vpc-nat-gateways + verbs: + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: vpc-nat-gw +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:vpc-nat-gw +subjects: + - kind: ServiceAccount + name: vpc-nat-gw + namespace: {{ .Values.namespace }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vpc-nat-gw + namespace: {{ .Values.namespace }} \ No newline at end of file diff --git a/charts/kube-ovn-v2/templates/nat-gw/vpc-nat-config.yaml b/charts/kube-ovn-v2/templates/nat-gw/vpc-nat-config.yaml new file mode 100755 index 00000000000..8b30d17a49a --- /dev/null 
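Review bot: The `kubernetes.io/bootstrapping: rbac-defaults` label and `rbac.authorization.kubernetes.io/autoupdate: "true"` annotation on the chart-managed `system:vpc-nat-gw` ClusterRole and `vpc-nat-gw` binding are misleading: the API server only reconciles the roles it bootstraps itself, so these markers have no effect here and suggest to an auditor that the objects are cluster defaults rather than part of the release. The `system:` prefix is likewise reserved by convention for built-in roles (the same applies to `system:ovn`, `system:ovn-ovs` and `system:kube-ovn-app` in rbac/ovn-CR.yaml). Dropping the label and annotation in favour of the chart's usual `app.kubernetes.io/*` labels would be enough; the missing trailing newline (`\ No newline at end of file`) is worth fixing while here.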
+++ b/charts/kube-ovn-v2/templates/nat-gw/vpc-nat-config.yaml @@ -0,0 +1,25 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: ovn-vpc-nat-config + namespace: {{ .Values.namespace }} +data: + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.vpcRepository }}:{{ .Values.global.images.kubeovn.tag }} + {{- with .Values.natGw.bgpSpeaker.image }} + bgpSpeakerImage: {{ .repository }}:{{ .tag }} + {{- end }} + {{- with .Values.natGw.bgpSpeaker.apiNadProvider }} + apiNadProvider: {{ tpl . $ }} + {{- end }} + {{- with .Values.natGw.namePrefix }} + natGwNamePrefix: {{ . | quote }} + {{- end }} + +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: ovn-vpc-nat-gw-config + namespace: {{ .Values.namespace }} +data: + enable-vpc-nat-gw: "{{ .Values.features.ENABLE_NAT_GW }}" \ No newline at end of file diff --git a/charts/kube-ovn-v2/templates/ovn-tls-secret.yaml b/charts/kube-ovn-v2/templates/ovn-tls-secret.yaml new file mode 100644 index 00000000000..b2c232ee472 --- /dev/null +++ b/charts/kube-ovn-v2/templates/ovn-tls-secret.yaml @@ -0,0 +1,23 @@ +{{- if .Values.networking.enableSsl }} +{{- $cn := "ovn" -}} +{{- $ca := genCA "ovn-ca" 3650 -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: kube-ovn-tls + namespace: {{ .Values.namespace }} +data: +{{- $existingSecret := lookup "v1" "Secret" .Values.namespace "kube-ovn-tls" }} + {{- if $existingSecret }} + cacert: {{ index $existingSecret.data "cacert" }} + cert: {{ index $existingSecret.data "cert" }} + key: {{ index $existingSecret.data "key" }} + {{- else }} + {{- with genSignedCert $cn nil nil 3650 $ca }} + cacert: {{ b64enc $ca.Cert }} + cert: {{ b64enc .Cert }} + key: {{ b64enc .Key }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-daemonset.yaml b/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-daemonset.yaml new file mode 100644 index 00000000000..0dd378e6766 --- /dev/null 
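Review bot: `bgpSpeakerImage: {{ .repository }}:{{ .tag }}` is built without `.Values.global.registry.address`, unlike `image:` two lines above, so an air-gapped or mirrored install that overrides the global registry still pulls the BGP speaker image from the default location; unless the value is meant to be a fully-qualified reference, use `bgpSpeakerImage: {{ $.Values.global.registry.address }}/{{ .repository }}:{{ .tag }}` (note `$`, since `.` is rebound inside `with`). `apiNadProvider: {{ tpl . $ }}` emits the expanded string unquoted; `{{ tpl . $ | quote }}` keeps a value containing `:` or `#` from altering the YAML structure. The file also lacks a trailing newline.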
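Review bot: Key material is regenerated on every render in which `lookup` returns nothing — `helm template`, `--dry-run`, and any client without read access to Secrets — because `genCA` and `genSignedCert` run unconditionally in that branch; a comment above `{{- $existingSecret := lookup "v1" "Secret" .Values.namespace "kube-ovn-tls" }}` stating that the Secret is generated once and reused only when the cluster is reachable would save operators from an unexpected re-issue. The leaf certificate is issued with no SANs and, like the CA, a 3650-day lifetime, so the only rotation path is deleting `kube-ovn-tls`; documenting that in the same comment (or exposing the validity as a value) is worth doing. If an existing Secret lacks one of `cacert`/`cert`/`key`, `index` renders an empty entry rather than failing; wrapping each in `required` would make a half-populated or hand-edited Secret fail at install time instead of later at runtime.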
+++ b/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-daemonset.yaml 
@@ -0,0 +1,257 @@ +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: ovs-ovn + namespace: {{ .Values.namespace }} + {{- with .Values.ovsOvn.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.ovsOvn.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: kube-ovn-ovs + app.kubernetes.io/part-of: kube-ovn + updateStrategy: + type: {{ include "kubeovn.ovs-ovn.updateStrategy" . }} + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + template: + metadata: + {{- with .Values.ovsOvn.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app.kubernetes.io/name: kube-ovn-ovs + app.kubernetes.io/part-of: kube-ovn + {{- with .Values.ovsOvn.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + # Legacy labels + app: ovs + component: network + type: infra + spec: + tolerations: + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: ovn-ovs + hostNetwork: true + hostPID: true + initContainers: + - name: hostpath-init + {{- if .Values.ovsOvn.dpdk.enabled }} + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.dpdkRepository }}:{{ .Values.ovsOvn.dpdk.version }}-{{ .Values.global.images.kubeovn.tag }} + {{- else }} + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - sh + - -xec + - | + chown -R nobody: /var/run/ovn /var/log/ovn /etc/openvswitch /var/run/openvswitch /var/log/openvswitch + iptables -V + {{- if not .Values.ovsOvn.disableModulesManagement }} + /usr/share/openvswitch/scripts/ovs-ctl load-kmod + {{- else }} + ln -sf /bin/true /usr/local/sbin/modprobe + ln -sf /bin/true /usr/local/sbin/modinfo + ln -sf 
/bin/true /usr/local/sbin/rmmod + {{- end }} + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + privileged: true + runAsUser: 0 + volumeMounts: + - mountPath: /lib/modules + name: host-modules + readOnly: true + - mountPath: /usr/local/sbin + name: usr-local-sbin + - mountPath: /var/log/ovn + name: host-log-ovn + - mountPath: /var/run/ovn + name: host-run-ovn + - mountPath: /etc/openvswitch + name: host-config-openvswitch + - mountPath: /var/run/openvswitch + name: host-run-ovs + - mountPath: /var/log/openvswitch + name: host-log-ovs + containers: + - name: openvswitch + {{- if .Values.ovsOvn.dpdk.enabled }} + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.dpdkRepository }}:{{ .Values.ovsOvn.dpdk.version }}-{{ .Values.global.images.kubeovn.tag }} + {{- else }} + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.ovsOvn.dpdk.enabled }} + command: ["/kube-ovn/start-ovs-dpdk.sh"] + {{- else }} + command: ["/kube-ovn/start-ovs.sh"] + {{- end }} + securityContext: + runAsUser: {{ include "kubeovn.runAsUser" . }} + privileged: false + capabilities: + add: + - NET_ADMIN + - NET_BIND_SERVICE + - NET_RAW + - SYS_NICE + - SYS_ADMIN + env: + - name: ENABLE_SSL + value: "{{ .Values.networking.enableSsl }}" + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HW_OFFLOAD + value: "{{- .Values.features.HW_OFFLOAD }}" + - name: TUNNEL_TYPE + value: "{{- .Values.networking.tunnelType }}" + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: OVN_DB_IPS + value: "{{ .Values.masterNodes| default (include "kubeovn.nodeIPs" .) 
}}" + - name: OVN_REMOTE_PROBE_INTERVAL + value: "{{ .Values.ovsOvn.ovnRemoteProbeInterval }}" + - name: OVN_REMOTE_OPENFLOW_INTERVAL + value: "{{ .Values.ovsOvn.ovnRemoteOpenflowInterval }}" + volumeMounts: + - mountPath: /usr/local/sbin + name: usr-local-sbin + - mountPath: /lib/modules + name: host-modules + readOnly: true + - mountPath: /var/run/openvswitch + name: host-run-ovs + - mountPath: /var/run/ovn + name: host-run-ovn + - mountPath: /etc/openvswitch + name: host-config-openvswitch + - mountPath: /var/log/openvswitch + name: host-log-ovs + - mountPath: /var/log/ovn + name: host-log-ovn + - mountPath: /etc/localtime + name: localtime + readOnly: true + - mountPath: /var/run/tls + name: kube-ovn-tls + - mountPath: /var/run/containerd + name: cruntime + readOnly: true + {{- if .Values.ovsOvn.dpdk.enabled }} + - mountPath: /opt/ovs-config + name: host-config-ovs + - mountPath: /dev/hugepages + name: hugepage + {{- end }} + readinessProbe: + exec: + {{- if .Values.ovsOvn.dpdk.enabled }} + command: + - bash + - /kube-ovn/ovs-dpdk-healthcheck.sh + {{- else }} + command: + - bash + - /kube-ovn/ovs-healthcheck.sh + {{- end }} + initialDelaySeconds: 10 + periodSeconds: 5 + timeoutSeconds: 45 + livenessProbe: + exec: + {{- if .Values.ovsOvn.dpdk.enabled }} + command: + - bash + - /kube-ovn/ovs-dpdk-healthcheck.sh + {{- else }} + command: + - bash + - /kube-ovn/ovs-healthcheck.sh + {{- end }} + initialDelaySeconds: 60 + periodSeconds: 5 + failureThreshold: 5 + timeoutSeconds: 45 + {{- if and .Values.ovsOvn.dpdk.enabled .Values.ovsOvn.resources }} + resources: + {{- toYaml .Values.ovsOvn.dpdk.resources | trim | nindent 12 }} + {{- else }} + {{- with .Values.ovsOvn.resources }} + resources: + {{- toYaml . 
| trim | nindent 12 }} + {{- end }} + {{- end }} + nodeSelector: + kubernetes.io/os: "linux" + volumes: + - name: usr-local-sbin + emptyDir: {} + - name: host-modules + hostPath: + path: /lib/modules + - name: host-run-ovs + hostPath: + path: /run/openvswitch + - name: host-run-ovn + hostPath: + path: /run/ovn + - name: host-config-openvswitch + hostPath: + path: {{ .Values.ovsOvn.ovsDirectory }} + - name: host-log-ovs + hostPath: + path: {{ .Values.logging.directory }}/openvswitch + - name: host-log-ovn + hostPath: + path: {{ .Values.logging.directory }}/ovn + - name: localtime + hostPath: + path: /etc/localtime + - name: kube-ovn-tls + secret: + optional: true + secretName: kube-ovn-tls + - hostPath: + path: /var/run/containerd + name: cruntime + {{- if .Values.ovsOvn.dpdk.enabled }} + - name: host-config-ovs + hostPath: + path: /opt/ovs-config + type: DirectoryOrCreate + - name: hugepage + emptyDir: + medium: HugePages + {{- end }} diff --git a/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-dpdk-daemonset.yaml b/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-dpdk-daemonset.yaml new file mode 100644 index 00000000000..79db382fb66 --- /dev/null +++ b/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-dpdk-daemonset.yaml 
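Review bot: The resources block for the DPDK case checks one value and renders another: `{{- if and .Values.ovsOvn.dpdk.enabled .Values.ovsOvn.resources }}` guards `toYaml .Values.ovsOvn.dpdk.resources`, so with `dpdk.enabled` and only `ovsOvn.resources` set the pod gets a `resources: null` and with only `dpdk.resources` set the block is skipped; the condition should be `{{- if and .Values.ovsOvn.dpdk.enabled .Values.ovsOvn.dpdk.resources }}`. On the `openvswitch` container, `privileged: false` should not be read as hardening: with `hostPID: true`, `hostNetwork: true` and `SYS_ADMIN` added, the container is effectively root-equivalent on the node, so a comment on the capabilities list naming the operation that needs `SYS_ADMIN` would document the accepted risk. The `cruntime` mount of `/var/run/containerd` is correctly `readOnly: true`; a one-line comment on why the OVS pod needs the container runtime directory at all would help reviewers.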
@@ -0,0 +1,175 @@ +{{- if .Values.ovsOvn.dpdkHybrid.enabled }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: ovs-ovn-dpdk + namespace: {{ .Values.namespace }} + {{- with .Values.ovsOvn.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.ovsOvn.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: kube-ovnOvs-dpdk + app.kubernetes.io/part-of: kube-ovn + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + template: + metadata: + {{- with .Values.ovsOvn.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app.kubernetes.io/name: kube-ovn-ovs + app.kubernetes.io/part-of: kube-ovn + {{- with .Values.ovsOvn.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + # Legacy labels + app: ovs-dpdk + component: network + type: infra + spec: + tolerations: + - operator: Exists + priorityClassName: system-node-critical + serviceAccountName: ovn-ovs + hostNetwork: true + hostPID: true + containers: + - name: openvswitch + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}-dpdk + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ["/kube-ovn/start-ovs-dpdk-v2.sh"] + securityContext: + runAsUser: 0 + privileged: true + env: + - name: ENABLE_SSL + value: "{{ .Values.networking.enableSsl }}" + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: HW_OFFLOAD + value: "{{- .Values.features.HW_OFFLOAD }}" + - name: TUNNEL_TYPE + value: "{{- .Values.networking.tunnelType }}" + - name: DPDK_TUNNEL_IFACE + value: "{{- .Values.agent.dpdkTunnelInterface }}" + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: OVN_DB_IPS + value: "{{ .Values.masterNodes| default (include "kubeovn.nodeIPs" .) 
}}" + - name: OVN_REMOTE_PROBE_INTERVAL + value: "{{ .Values.ovsOvn.ovnRemoteProbeInterval }}" + - name: OVN_REMOTE_OPENFLOW_INTERVAL + value: "{{ .Values.ovsOvn.ovnRemoteOpenflowInterval }}" + volumeMounts: + - mountPath: /opt/ovs-config + name: host-config-ovs + - name: shareddir + mountPath: {{ .Values.kubelet.directory }}/pods + - name: hugepage + mountPath: /dev/hugepages + - mountPath: /lib/modules + name: host-modules + readOnly: true + - mountPath: /var/run/openvswitch + name: host-run-ovs + mountPropagation: HostToContainer + - mountPath: /var/run/ovn + name: host-run-ovn + - mountPath: /sys + name: host-sys + - mountPath: /etc/openvswitch + name: host-config-openvswitch + - mountPath: /etc/ovn + name: host-config-ovn + - mountPath: /var/log/openvswitch + name: host-log-ovs + - mountPath: /var/log/ovn + name: host-log-ovn + - mountPath: /etc/localtime + name: localtime + readOnly: true + - mountPath: /var/run/tls + name: kube-ovn-tls + readinessProbe: + exec: + command: + - bash + - /kube-ovn/ovs-healthcheck.sh + periodSeconds: 5 + timeoutSeconds: 45 + livenessProbe: + exec: + command: + - bash + - /kube-ovn/ovs-healthcheck.sh + initialDelaySeconds: 60 + periodSeconds: 5 + failureThreshold: 5 + timeoutSeconds: 45 + {{- with .Values.ovsOvn.dpdkHybrid.resources }} + resources: + {{- toYaml . 
| trim | nindent 12 }} + {{- end }} + nodeSelector: + kubernetes.io/os: "linux" + ovn.kubernetes.io/ovs_dp_type: "userspace" + volumes: + - name: host-config-ovs + hostPath: + path: /opt/ovs-config + type: DirectoryOrCreate + - name: shareddir + hostPath: + path: {{ .Values.kubelet.directory }}/pods + type: '' + - name: hugepage + emptyDir: + medium: HugePages + - name: host-modules + hostPath: + path: /lib/modules + - name: host-run-ovs + hostPath: + path: /run/openvswitch + - name: host-run-ovn + hostPath: + path: /run/ovn + - name: host-sys + hostPath: + path: /sys + - name: host-config-openvswitch + hostPath: + path: {{ .Values.ovsOvn.ovsDirectory }} + - name: host-config-ovn + hostPath: + path: {{ .Values.ovsOvn.ovnDirectory }} + - name: host-log-ovs + hostPath: + path: {{ .Values.logging.directory }}/openvswitch + - name: host-log-ovn + hostPath: + path: {{ .Values.logging.directory }}/ovn + - name: localtime + hostPath: + path: /etc/localtime + - name: kube-ovn-tls + secret: + optional: true + secretName: kube-ovn-tls +{{- end }} diff --git a/charts/kube-ovn-v2/templates/pinger/pinger-daemonset.yaml b/charts/kube-ovn-v2/templates/pinger/pinger-daemonset.yaml new file mode 100644 index 00000000000..b17b1f43904 --- /dev/null +++ b/charts/kube-ovn-v2/templates/pinger/pinger-daemonset.yaml 
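Review bot: The DaemonSet's selector and its pod template disagree: `selector.matchLabels` uses `app.kubernetes.io/name: kube-ovnOvs-dpdk` while the template sets `app.kubernetes.io/name: kube-ovn-ovs`, which the API server rejects because the selector does not match the template labels. The fix must go into the template rather than the selector: `kube-ovn-ovs` is already the selector of the `ovs-ovn` DaemonSet in ovs-ovn-daemonset.yaml, so aligning on that value would make the two controllers claim each other's pods. Use `app.kubernetes.io/name: kube-ovn-ovs-dpdk` in both the selector and the template labels.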
@@ -0,0 +1,184 @@ +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: kube-ovn-pinger + namespace: {{ .Values.namespace }} + {{- with .Values.pinger.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.pinger.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: kube-ovn-pinger + app.kubernetes.io/part-of: kube-ovn + updateStrategy: + type: RollingUpdate + template: + metadata: + {{- with .Values.pinger.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app.kubernetes.io/name: kube-ovn-pinger + app.kubernetes.io/part-of: kube-ovn + {{- with .Values.pinger.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + # Legacy labels + app: kube-ovn-pinger + component: network + type: infra + spec: + priorityClassName: system-node-critical + tolerations: + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + serviceAccountName: kube-ovn-app + hostPID: true + initContainers: + - name: hostpath-init + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - sh + - -c + - "chown -R nobody: /var/log/kube-ovn" + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + privileged: true + runAsUser: 0 + volumeMounts: + - name: kube-ovn-log + mountPath: /var/log/kube-ovn + containers: + - name: pinger + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + command: + - /kube-ovn/kube-ovn-pinger + args: + - --external-address= + {{- if eq .Values.networking.stack "Dual" -}} + {{ .Values.pinger.targets.externalAddresses.v4 }},{{ .Values.pinger.targets.externalAddresses.v6 }} + {{- else if eq .Values.networking.stack 
"IPv4" -}} + {{ .Values.pinger.targets.externalAddresses.v4 }} + {{- else if eq .Values.networking.stack "IPv6" -}} + {{ .Values.pinger.targets.externalAddresses.v6 }} + {{- end }} + - --external-dns= + {{- if eq .Values.networking.stack "Dual" -}} + "{{ .Values.pinger.targets.externalDomain.v6 }}" + {{- else if eq .Values.networking.stack "IPv4" -}} + "{{ .Values.pinger.targets.externalDomain.v4 }}" + {{- else if eq .Values.networking.stack "IPv6" -}} + "{{ .Values.pinger.targets.externalDomain.v6 }}" + {{- end }} + - --ds-namespace={{ .Values.namespace }} + - --logtostderr=false + - --alsologtostderr=true + - --log_file=/var/log/kube-ovn/kube-ovn-pinger.log + - --log_file_max_size=200 + - --enable-metrics={{- .Values.networking.enableMetrics }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + runAsUser: {{ include "kubeovn.runAsUser" . }} + privileged: false + capabilities: + add: + - NET_BIND_SERVICE + - NET_RAW + env: + - name: ENABLE_SSL + value: "{{ .Values.networking.enableSsl }}" + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-run-ovs + - mountPath: /var/run/ovn + name: host-run-ovn + - mountPath: /etc/openvswitch + name: host-config-openvswitch + - mountPath: /var/log/openvswitch + name: host-log-ovs + readOnly: true + - mountPath: /var/log/ovn + name: host-log-ovn + readOnly: true + - mountPath: /var/log/kube-ovn + name: kube-ovn-log + - mountPath: /etc/localtime + name: localtime + readOnly: true + - mountPath: /var/run/tls + name: kube-ovn-tls + {{- with .Values.pinger.resources }} + resources: + {{- toYaml . 
| trim | nindent 12 }} + {{- end }} + livenessProbe: + httpGet: + path: /metrics + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /metrics + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + nodeSelector: + kubernetes.io/os: "linux" + volumes: + - name: host-run-ovs + hostPath: + path: /run/openvswitch + - name: host-run-ovn + hostPath: + path: /run/ovn + - name: host-config-openvswitch + hostPath: + path: {{ .Values.ovsOvn.ovsDirectory }} + - name: host-log-ovs + hostPath: + path: {{ .Values.logging.directory }}/openvswitch + - name: kube-ovn-log + hostPath: + path: {{ .Values.logging.directory }}/kube-ovn + - name: host-log-ovn + hostPath: + path: {{ .Values.logging.directory }}/ovn + - name: localtime + hostPath: + path: /etc/localtime + - name: kube-ovn-tls + secret: + optional: true + secretName: kube-ovn-tls diff --git a/charts/kube-ovn-v2/templates/pinger/pinger-service.yaml b/charts/kube-ovn-v2/templates/pinger/pinger-service.yaml new file mode 100644 index 00000000000..a3e1a0da699 --- /dev/null +++ b/charts/kube-ovn-v2/templates/pinger/pinger-service.yaml @@ -0,0 +1,23 @@ +kind: Service +apiVersion: v1 +metadata: + name: kube-ovn-pinger + namespace: {{ .Values.namespace }} + {{- with .Values.pinger.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.pinger.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + app.kubernetes.io/name: kube-ovn-pinger + app.kubernetes.io/part-of: kube-ovn + ports: + - name: metrics + port: {{ .Values.pinger.metrics.port }} + {{- if eq .Values.networking.stack "Dual" }} + ipFamilyPolicy: PreferDualStack + {{- end }} diff --git a/charts/kube-ovn-v2/templates/rbac/ovn-CR.yaml b/charts/kube-ovn-v2/templates/rbac/ovn-CR.yaml new file mode 100644 index 00000000000..c7e7661731b --- /dev/null +++ b/charts/kube-ovn-v2/templates/rbac/ovn-CR.yaml 
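Review bot: The `--external-dns=` argument is assembled from quoted template output (`"{{ .Values.pinger.targets.externalDomain.v6 }}"`), but the arg is a YAML plain scalar that begins with `--external-dns=`, so the double quotes are literal characters handed to the binary (`--external-dns="<domain>"` including the quotes); unless the flag parser strips them, drop the quotes as the `--external-address=` branches above already do. The `host-run-ovs`, `host-run-ovn` and `host-config-openvswitch` mounts are writable although the sibling log mounts are `readOnly: true`; if the pinger only queries OVS/OVN, `readOnly: true` on all three keeps a `hostPID` pod from writing into host runtime directories. The probes hard-code `port: 8080` while pinger-service.yaml exposes `.Values.pinger.metrics.port`; if that value is meant to be configurable the probes should follow it, otherwise a comment noting the port is fixed would prevent a silent mismatch.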
@@ -0,0 +1,299 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + rbac.authorization.k8s.io/system-only: "true" + name: system:ovn +rules: + - apiGroups: + - "kubeovn.io" + resources: + - vpcs + - vpcs/status + - vpc-nat-gateways + - vpc-nat-gateways/status + - vpc-egress-gateways + - vpc-egress-gateways/status + - subnets + - subnets/status + - ippools + - ippools/status + - ips + - vips + - vips/status + - vlans + - vlans/status + - provider-networks + - provider-networks/status + - security-groups + - security-groups/status + - iptables-eips + - iptables-fip-rules + - iptables-dnat-rules + - iptables-snat-rules + - iptables-eips/status + - iptables-fip-rules/status + - iptables-dnat-rules/status + - iptables-snat-rules/status + - ovn-eips + - ovn-fips + - ovn-snat-rules + - ovn-eips/status + - ovn-fips/status + - ovn-snat-rules/status + - ovn-dnat-rules + - ovn-dnat-rules/status + - switch-lb-rules + - switch-lb-rules/status + - vpc-dnses + - vpc-dnses/status + - qos-policies + - qos-policies/status + verbs: + - "*" + - apiGroups: + - "" + resources: + - pods + - namespaces + verbs: + - get + - list + - patch + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - apiGroups: + - "k8s.cni.cncf.io" + resources: + - network-attachment-definitions + verbs: + - get + - apiGroups: + - "" + - networking.k8s.io + resources: + - networkpolicies + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - apiGroups: + - apps + resources: + - deployments + - deployments/scale + verbs: + - get + - list + - watch + - create + - update + - delete + - apiGroups: + - "" + resources: + - services + - services/status + verbs: + - get + - list + - update + - patch + - create + - delete + - watch + - apiGroups: + - "" + resources: + - endpoints + 
verbs: + - create + - update + - get + - list + - watch + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - create + - delete + - update + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - "*" + - apiGroups: + - "kubevirt.io" + resources: + - virtualmachines + - virtualmachineinstances + verbs: + - get + - list + - apiGroups: + - "policy.networking.k8s.io" + resources: + - adminnetworkpolicies + - baselineadminnetworkpolicies + verbs: + - get + - list + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - "certificates.k8s.io" + resources: + - "certificatesigningrequests" + verbs: + - "get" + - "list" + - "watch" + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests/status + - certificatesigningrequests/approval + verbs: + - update + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - apiGroups: + - certificates.k8s.io + resourceNames: + - kubeovn.io/signer + resources: + - signers + verbs: + - approve + - sign + - apiGroups: + - kubevirt.io + resources: + - virtualmachineinstancemigrations + verbs: + - "list" + - "watch" + - "get" + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + rbac.authorization.k8s.io/system-only: "true" + name: system:ovn-ovs +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - patch + - apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - apiGroups: + - apps + resources: + - controllerrevisions + verbs: + - get + - list + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + 
annotations: + rbac.authorization.k8s.io/system-only: "true" + name: system:kube-ovn-app +rules: + - apiGroups: + - "" + resources: + - pods + - nodes + verbs: + - get + - list + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/charts/kube-ovn-v2/templates/rbac/ovn-CRB.yaml b/charts/kube-ovn-v2/templates/rbac/ovn-CRB.yaml new file mode 100644 index 00000000000..1b7d706b7f7 --- /dev/null +++ b/charts/kube-ovn-v2/templates/rbac/ovn-CRB.yaml 
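Review bot: `system:ovn` grants `get`/`create` on `secrets` and `create` on `pods/exec` cluster-wide, which reaches every namespace's ServiceAccount tokens and a shell in every pod; if the controller only needs `kube-ovn-tls` in its own namespace, move the `secrets` rule into a namespaced Role (`resourceNames` can constrain `get` but not `create`), and add a comment above the `pods/exec` rule naming the code path that needs it so the grant can be revisited. The `rbac.authorization.k8s.io/system-only: "true"` annotation on all three ClusterRoles is not interpreted by Kubernetes, so a comment stating its purpose (or removing it) would avoid the impression that it restricts who may bind the role. Verb style is inconsistent within the file (`- get` next to `- "get"`, `"*"` next to explicit lists); pick one form.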
@@ -0,0 +1,67 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ovn
+roleRef:
+ name: system:ovn
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovn
+ namespace: {{ .Values.namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ovn
+ namespace: {{ .Values.namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - kind: ServiceAccount
+ name: ovn
+ namespace: {{ .Values.namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ovn-ovs
+roleRef:
+ name: system:ovn-ovs
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovn-ovs
+ namespace: {{ .Values.namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kube-ovn-app
+roleRef:
+ name: system:kube-ovn-app
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: kube-ovn-app
+ namespace: {{ .Values.namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kube-ovn-app
+ namespace: {{ .Values.namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - kind: ServiceAccount
+ name: kube-ovn-app
+ namespace: {{ .Values.namespace }}
diff --git a/charts/kube-ovn-v2/templates/rbac/ovn-sa.yaml b/charts/kube-ovn-v2/templates/rbac/ovn-sa.yaml
new file mode 100644
index 00000000000..95d8f9e492e
--- /dev/null
+++ b/charts/kube-ovn-v2/templates/rbac/ovn-sa.yaml
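Review bot: The two RoleBindings to `extension-apiserver-authentication-reader` are created in `{{ .Values.namespace }}`, but a RoleBinding can only reference a Role in its own namespace and that Role exists only in kube-system, so with any other `namespace` value both bindings point at a Role that is not there and the `ovn` and `kube-ovn-app` accounts silently lose whatever that Role grants. Pin those two bindings with `namespace: kube-system` while the subject keeps `namespace: {{ .Values.namespace }}`, or state in values.yaml that `namespace` must stay kube-system. A short comment above each of the two bindings, `# extension-apiserver-authentication-reader is a kube-system Role; the binding must live there`, would record the constraint for the next editor.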
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ovn
+ namespace: {{ .Values.namespace }}
+{{- if .Values.global.registry.imagePullSecrets }}
+imagePullSecrets:
+{{- range $index, $secret := .Values.global.registry.imagePullSecrets }}
+{{- if $secret }}
+- name: {{ $secret | quote}}
+{{- end }}
+{{- end }}
+{{- end }}
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ovn-ovs
+ namespace: {{ .Values.namespace }}
+{{- if .Values.global.registry.imagePullSecrets }}
+imagePullSecrets:
+{{- range $index, $secret := .Values.global.registry.imagePullSecrets }}
+{{- if $secret }}
+ - name: {{ $secret | quote}}
+{{- end }}
+{{- end }}
+{{- end }}
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kube-ovn-app
+ namespace: {{ .Values.namespace }}
+{{- if .Values.global.registry.imagePullSecrets }}
+imagePullSecrets:
+{{- range $index, $secret := .Values.global.registry.imagePullSecrets }}
+{{- if $secret }}
+ - name: {{ $secret | quote}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/kube-ovn-v2/templates/speaker/speaker.yaml b/charts/kube-ovn-v2/templates/speaker/speaker.yaml
new file mode 100644
index 00000000000..3ecce4ca008
--- /dev/null
+++ b/charts/kube-ovn-v2/templates/speaker/speaker.yaml
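Review bot: The `imagePullSecrets` item is rendered at column 0 for the `ovn` ServiceAccount (`- name: {{ $secret | quote}}`) but one level indented for `ovn-ovs` and `kube-ovn-app`; both forms are valid YAML, but the three stanzas are copies of each other and should agree, ideally by moving the block into one shared named template that all three accounts include. `$index` is never used in any of the three loops, so `{{- range $secret := .Values.global.registry.imagePullSecrets }}` is enough. A one-line comment per account naming the component that runs under it (the ClusterRoleBindings in ovn-CRB.yaml are the only hint today) would help anyone auditing which pod gets which ClusterRole.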
@@ -0,0 +1,70 @@ +{{- if .Values.speaker.enabled }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: kube-ovn-speaker + namespace: {{ .Values.namespace }} + {{- with .Values.speaker.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.speaker.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: kube-ovn-speaker + app.kubernetes.io/part-of: kube-ovn + template: + metadata: + {{- with .Values.speaker.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app.kubernetes.io/name: kube-ovn-speaker + app.kubernetes.io/part-of: kube-ovn + {{- with .Values.speaker.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + tolerations: + - operator: Exists + effect: NoSchedule + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: kube-ovn-speaker + app.kubernetes.io/part-of: kube-ovn + topologyKey: kubernetes.io/hostname + priorityClassName: system-node-critical + serviceAccountName: ovn + hostNetwork: true + containers: + - name: kube-ovn-speaker + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - /kube-ovn/kube-ovn-speaker + {{- with .Values.speaker.args }} + args: + {{- toYaml . | trim | nindent 14 }} + {{- end }} + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- with .Values.speaker.resources }} + resources: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.speaker.nodeSelector }} + nodeSelector: + {{- toYaml . | trim | nindent 8 }} + {{- end }} +{{- end }} \ No newline at end of file 
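Review bot: The speaker DaemonSet runs with `serviceAccountName: ovn` and `hostNetwork: true`, so every per-node BGP speaker pod carries the full `system:ovn` ClusterRole shown earlier in this patch, which includes get/create on `secrets`, CSR status/approval updates and `approve`/`sign` on the `kubeovn.io/signer` signer. A route announcer presumably needs read access to a handful of resources at most, so a dedicated ServiceAccount bound to a narrow ClusterRole (the chart already does exactly this for `kube-ovn-app`) would stop a node-level pod from holding controller-grade credentials; the webhook Deployment in webhook-deployment.yaml uses `serviceAccountName: ovn` too and has the same issue. Until then a comment above the field, `# TODO: ovn is the controller's account; give the speaker a least-privilege SA of its own`, would record the trade-off. The file also ends without a trailing newline.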
diff --git a/charts/kube-ovn-v2/templates/webhook/certificate.yaml b/charts/kube-ovn-v2/templates/webhook/certificate.yaml new file mode 100644 index 00000000000..ec6bc9a43a5 --- /dev/null +++ b/charts/kube-ovn-v2/templates/webhook/certificate.yaml @@ -0,0 +1,41 @@ +{{- if .Values.validatingWebhook.enabled }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: kube-ovn-webhook-serving-cert + namespace: {{ .Values.namespace }} + {{- with .Values.validatingWebhook.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.validatingWebhook.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + dnsNames: + - kube-ovn-webhook.kube-system + - kube-ovn-webhook.kube-system.svc + - kube-ovn-webhook.kube-system.svc.cluster.local + issuerRef: + kind: Issuer + name: kube-ovn-webhook-selfsigned-issuer + group: cert-manager.io + secretName: kube-ovn-webhook-secret +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: kube-ovn-webhook-selfsigned-issuer + namespace: {{ .Values.namespace }} + {{- with .Values.validatingWebhook.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.validatingWebhook.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selfSigned: {} +{{- end }} \ No newline at end of file diff --git a/charts/kube-ovn-v2/templates/webhook/service.yaml b/charts/kube-ovn-v2/templates/webhook/service.yaml new file mode 100644 index 00000000000..516be6a9133 --- /dev/null +++ b/charts/kube-ovn-v2/templates/webhook/service.yaml 
@@ -0,0 +1,26 @@
+{{- if .Values.validatingWebhook.enabled }}
+kind: Service
+apiVersion: v1
+metadata:
+ name: kube-ovn-webhook
+ namespace: {{ .Values.namespace }}
+ {{- with .Values.validatingWebhook.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.validatingWebhook.labels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ports:
+ - name: kube-ovn-webhook
+ protocol: TCP
+ port: 443
+ targetPort: 8443
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/name: kube-ovn-webhook
+ app.kubernetes.io/part-of: kube-ovn
+ sessionAffinity: None
+{{- end }}
\ No newline at end of file
diff --git a/charts/kube-ovn-v2/templates/webhook/webhook-deployment.yaml b/charts/kube-ovn-v2/templates/webhook/webhook-deployment.yaml
new file mode 100644
index 00000000000..14bcc0ee481
--- /dev/null
+++ b/charts/kube-ovn-v2/templates/webhook/webhook-deployment.yaml
@@ -0,0 +1,98 @@ +{{- if .Values.validatingWebhook.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kube-ovn-webhook + namespace: {{ .Values.namespace }} + {{- with .Values.validatingWebhook.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.validatingWebhook.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: kube-ovn-webhook + app.kubernetes.io/part-of: kube-ovn + template: + metadata: + {{- with .Values.validatingWebhook.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app.kubernetes.io/name: kube-ovn-webhook + app.kubernetes.io/part-of: kube-ovn + {{- with .Values.validatingWebhook.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + tolerations: + - operator: Exists + effect: NoSchedule + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: kube-ovn-webhook + app.kubernetes.io/part-of: kube-ovn + topologyKey: kubernetes.io/hostname + serviceAccountName: ovn + containers: + - name: kube-ovn-webhook + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - /kube-ovn/kube-ovn-webhook + args: + - --port=8443 + - --health-probe-port=8080 + - --v=3 + env: + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + ports: + - containerPort: 8443 + name: https + protocol: TCP + - containerPort: 8080 + name: health-probe + protocol: TCP + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 8080 + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + 
failureThreshold: 3 + httpGet: + path: /readyz + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: kube-ovn-webhook-secret + nodeSelector: + kubernetes.io/os: "linux" +{{- end }} \ No newline at end of file diff --git a/charts/kube-ovn-v2/templates/webhook/webhook.yaml b/charts/kube-ovn-v2/templates/webhook/webhook.yaml new file mode 100644 index 00000000000..4891993ebab --- /dev/null +++ b/charts/kube-ovn-v2/templates/webhook/webhook.yaml @@ -0,0 +1,72 @@ +{{- if .Values.validatingWebhook.enabled }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: kube-ovn-webhook + annotations: + cert-manager.io/inject-ca-from: {{ .Values.namespace }}/kube-ovn-webhook-serving-cert + {{- with .Values.validatingWebhook.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.validatingWebhook.labels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} +webhooks: + - name: pod-ip-validating.kube-ovn.io + rules: + - operations: + - CREATE + apiGroups: + - "apps" + apiVersions: + - v1 + resources: + - deployments + - statefulsets + - daemonsets + - operations: + - CREATE + apiGroups: + - "batch" + apiVersions: + - v1 + resources: + - jobs + - cronjobs + - operations: + - CREATE + apiGroups: + - "" + apiVersions: + - v1 + resources: + - pods + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - "kubeovn.io" + apiVersions: + - v1 + resources: + - subnets + - vpcs + - vips + - vpc-nat-gateways + - iptables-eips + - iptables-dnat-rules + - iptables-snat-rules + - iptables-fip-rules + failurePolicy: Ignore + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + clientConfig: + service: + namespace: {{ .Values.namespace }} + name: kube-ovn-webhook + path: /validating + port: 443 +{{- end }} \ No newline at end of file 
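Review bot: The webhook container's `args` (`--port=8443`, `--health-probe-port=8080`, `--v=3`) and `replicas: 1` are hard-coded, whereas the speaker template in the same patch exposes `args` through `.Values.speaker.args`; exposing `.Values.validatingWebhook.args` (or at least the verbosity, since `--v=3` is chatty for an admission endpoint) would make the two templates consistent. The pod also gets no `resources` block even though values.yaml defines `resources` for every other component, so a `{{- with .Values.validatingWebhook.resources }}` stanza mirroring the speaker's is missing, and no `securityContext` is set on the container; whether the binary can run with `runAsNonRoot: true` and `readOnlyRootFilesystem: true` is not visible here, but it is worth confirming before the chart ships. The ports 8443/8080 are repeated across `args`, `ports`, both probes and the Service and would drift if edited in one place.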
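Review bot: `failurePolicy: Ignore` means that whenever the webhook pod is down, its certificate does not verify, or the 5-second `timeoutSeconds` is hit, the API server admits the request unvalidated, so the check this webhook adds is best-effort by construction and an operator has no way to choose fail-closed. Make it configurable, `failurePolicy: {{ .Values.validatingWebhook.failurePolicy | default "Ignore" }}`, and document in values.yaml that `Fail` turns the webhook into a hard dependency of every matched CREATE. The rules match `pods`, `deployments`, `statefulsets`, `daemonsets`, `jobs` and `cronjobs` cluster-wide with no `namespaceSelector`, so with `Fail` the chart's own namespace would be included; the documentation for the new value should say so. If the chart only targets recent Kubernetes releases, `v1beta1` in `admissionReviewVersions` is dead weight and can be dropped.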
diff --git a/charts/kube-ovn-v2/values.yaml b/charts/kube-ovn-v2/values.yaml
new file mode 100644
index 00000000000..3c449addcdf
--- /dev/null
+++ b/charts/kube-ovn-v2/values.yaml
@@ -0,0 +1,488 @@ +global: + registry: + address: docker.io/kubeovn + imagePullSecrets: [] + images: + kubeovn: + repository: kube-ovn + dpdkRepository: kube-ovn-dpdk + vpcRepository: vpc-nat-gateway + tag: v1.14.0 + support_arm: true + thirdparty: true + +image: + pullPolicy: IfNotPresent + +nameOverride: "" +fullnameOverride: "" + +# -- Namespace in which the CNI is deployed +namespace: kube-system + +# -- General configuration of the network created by Kube-OVN +networking: + # -- Protocol(s) used by Kube-OVN to allocate IPs to pods and services + # Can be either IPv4, IPv6 or Dual + stack: "IPv4" + # -- Configuration for the default pod subnet + # If .networking.stack is set to IPv4, only the .v4 key is used + # If .networking.stack is set to IPv6, only the .v6 key is used + # If .networking.stack is set to Dual, both keys are used + pods: + # -- Name of the pod subnet once it gets generated in the cluster + subnetName: "ovn-default" + cidr: + v4: "10.16.0.0/16" + v6: "fd00:10:16::/112" + gateways: + v4: "10.16.0.1" + v6: "fd00:10:16::1" + # -- Configuration for the service subnet + # If .networking.stack is set to IPv4, only the .v4 key is used + # If .networking.stack is set to IPv6, only the .v6 key is used + # If .networking.stack is set to Dual, both keys are used + services: + cidr: + v4: "10.96.0.0/12" + v6: "fd00:10:96::/112" + # -- Configuration of the "join" subnet, used by the nodes to contact (join) the pods in the default subnet + # If .networking.stack is set to IPv4, only the .v4 key is used + # If .networking.stack is set to IPv6, only the .v6 key is used + # If .networking.stack is set to Dual, both keys are used + join: + # -- Name of the join subnet once it gets generated in the cluster + subnetName: "join" + cidr: + v4: "100.64.0.0/16" + v6: "fd00:100:64::/112" + + # -- Name of the default VPC once it is generated in the cluster + # Pods in the default subnet live in this VPC + defaultVpcName: "ovn-cluster" + # -- Deploy the CNI with SSL 
encryption in between components + enableSsl: false + # -- Network type can be geneve or vlan + networkType: geneve + # -- Tunnel type can be geneve, vxlan or stt + tunnelType: geneve + # -- IPs to exclude from IPAM in the default subnet + excludeIps: "" + # -- NIC type used on pods to connect them to the CNI + podNicType: "veth-pair" + # -- Enable EIP and SNAT + enableEipSnat: true + # -- Comma-separated string of NodeLocal DNS IP addresses + nodeLocalDnsIp: "" + # -- Enable listening on the metrics endpoint for the CNI daemons + enableMetrics: true + + # -- Configuration if we're running on top of a VLAN + vlan: + providerName: "provider" + interfaceName: "" + name: "ovn-vlan" + id: "100" + + exchangeLinkName: false + enableEcmp: false + enableCompact: false + +# -- Comma-separated list of IPs for each master node +masterNodes: "" +# -- Label used to auto-identify masters +masterNodesLabel: "kube-ovn/role=master" + +# -- Features of Kube-OVN we wish to enable/disable +features: + ENABLE_LB: true + ENABLE_NP: true + ENABLE_EXTERNAL_VPC: true + HW_OFFLOAD: false + ENABLE_LB_SVC: false + ENABLE_KEEP_VM_IP: true + LS_DNAT_MOD_DL_DST: true + LS_CT_SKIP_DST_LPORT_IPS: true + CHECK_GATEWAY: true + LOGICAL_GATEWAY: false + ENABLE_BIND_LOCAL_IP: true + SECURE_SERVING: false + U2O_INTERCONNECTION: false + ENABLE_TPROXY: false + ENABLE_IC: false + ENABLE_NAT_GW: true + ENABLE_OVN_IPSEC: false + ENABLE_ANP: false + SET_VXLAN_TX_OFF: false + OVSDB_CON_TIMEOUT: 3 + OVSDB_INACTIVITY_TIMEOUT: 10 + ENABLE_LIVE_MIGRATION_OPTIMIZE: true + ENABLE_OVN_LB_PREFER_LOCAL: false + +# -- CNI binary/configuration injected on the nodes +cni: + # -- Location of the CNI configuration on the node + configDirectory: "/etc/cni/net.d" + # -- Location on the node where the agent will inject the Kube-OVN binary + binaryDirectory: "/opt/cni/bin" + # -- Location of the CNI configuration inside the agent's pod + localConfigFile: "/kube-ovn/01-kube-ovn.conflist" + # -- Location on the node where the CNI 
will install Kube-OVN's tooling + toolingDirectory: "/usr/local/bin" + # -- Whether to mount the node's tooling directory into the pod + mountToolingDirectory: false + # -- Priority of Kube-OVN within the CNI configuration directory on the node + # Should be a string representing a double-digit integer + configPriority: "01" + +# -- Configuration of the validating webhook used to verify custom resources before they are pushed to Kubernetes. +# Make sure cert-manager is installed for the generation of certificates for the webhook +# See https://kubeovn.github.io/docs/stable/en/guide/webhook/ +validatingWebhook: + # -- Enable the deployment of the validating webhook + enabled: false + # -- Annotations to be added to all top-level kube-ovn-webhook objects (resources under templates/webhook) + annotations: {} + # -- Labels to be added to all top-level kube-ovn-webhook objects (resources under templates/webhook) + labels: {} + # -- Annotations to be added to kube-ovn-webhook pods + podAnnotations: {} + # -- Labels to be added to kube-ovn-webhook pods + podLabels: {} + +# -- Configuration for the NAT gateways +natGw: + # -- Prefix appended to the name of the NAT gateways when generating the Pods + # If this value is changed after NAT GWs have been provisioned, every NAT gateway will need to be + # manually destroyed and recreated + namePrefix: "vpc-nat-gw" + # -- Configuration of the BGP sidecar for when a NAT gateway is running in BGP mode + bgpSpeaker: + # -- Image used by the NAT gateway sidecar + image: + repository: docker.io/kubeovn/kube-ovn + tag: v1.14.0 + pullPolicy: IfNotPresent + # -- Network attachment definition used to reach the API server when running on BGP mode + # By default, equals the value set at ".apiNad.provider", you will need to set ".apiNad.enabled" to true + # See https://kubeovn.github.io/docs/stable/en/advance/with-bgp/ + apiNadProvider: "{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn" + +# -- API NetworkAttachmentDefinition to give 
some pods (CoreDNS, NAT GW) in custom VPCs access to the K8S API +# This requires Multus to be installed +apiNad: + # -- Enable the creation of the API NAD + enabled: false + # -- Name of the NAD + name: ovn-kubernetes-api + # -- Name of the provider, must be in the form "nadName.nadNamespace.ovn" + provider: "{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn" + # -- Subnet associated with the NAD, it will have full access to the API server + subnet: + # -- Name of the subnet + name: ovn-kubernetes-api + # -- Protocol for the API subnet + protocol: Dual + # -- CIDR block used by the API subnet + cidrBlock: 100.100.0.0/16,fd00:100:100::/112 + +# -- Configuration for ovs-ovn, the Open vSwitch/Open Virtual Network daemons +ovsOvn: + # -- Annotations to be added to all top-level ovs-ovn objects (resources under templates/ovs-ovn) + annotations: {} + # -- Labels to be added to all top-level ovs-ovn objects (resources under templates/ovs-ovn) + labels: {} + # -- Annotations to be added to ovs-ovn pods + podAnnotations: {} + # -- Labels to be added to ovs-ovn pods + podLabels: {} + + # -- ovs-ovn resource limits & requests, overridden if DPDK is enabled + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + cpu: "200m" + memory: "200Mi" + limits: + cpu: "2" + memory: "1000Mi" + + # -- Disable auto-loading of kernel modules by OVS + # If this is disabled, you will have to enable the Open vSwitch kernel module yourself + disableModulesManagement: false + + # -- Directory on the node where Open vSwitch (OVS) lives + ovsDirectory: "/etc/origin/openvswitch" + # -- Directory on the node where Open Virtual Network (OVN) lives + ovnDirectory: "/etc/origin/ovn" + + ovnRemoteProbeInterval: 10000 + ovnRemoteOpenflowInterval: 180 + probeInterval: 180000 + + # -- DPDK support for OVS + # ref: https://kubeovn.github.io/docs/v1.12.x/en/advance/dpdk/ + dpdk: + # -- Enables DPDK support on OVS + enabled: false + # -- Version 
of the DPDK image + version: "19.11" + + # -- ovs-ovn resource limits & requests when DPDK is enabled + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + cpu: "1000m" + memory: "200Mi" + limits: + hugepages-1Gi: 1Gi + cpu: "1000m" + memory: "1000Mi" + + # -- DPDK-hybrid support for OVS + # ref: https://kubeovn.github.io/docs/v1.12.x/en/advance/dpdk/ + dpdkHybrid: + # -- Enables DPDK-hybrid support on OVS + enabled: false + # -- ovs-ovn resource limits & requests when DPDK-hybrid is enabled + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + cpu: "200m" + memory: "200Mi" + limits: + hugepages-2Mi: 1Gi + cpu: "2" + memory: "1000Mi" + +# -- Configuration for kube-ovn-speaker, the BGP speaker announcing routes to the external world +speaker: + # -- Enable the kube-ovn-speaker + enabled: false + # -- Annotations to be added to all top-level kube-ovn-speaker objects (resources under templates/speaker) + annotations: {} + # -- Labels to be added to all top-level kube-ovn-speaker objects (resources under templates/speaker) + labels: {} + # -- Annotations to be added to kube-ovn-speaker pods + podAnnotations: {} + # -- Labels to be added to kube-ovn-speaker pods + podLabels: {} + + # -- kube-ovn-speaker resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + cpu: "500m" + memory: "300Mi" + limits: {} + + # -- Node selector to restrict the deployment of the speaker to specific nodes + nodeSelector: {} + # kubernetes.io/os: "linux" + # ovn.kubernetes.io/bgp: "true" + + # Args passed to the kube-ovn-speaker pod + args: [] + # - --neighbor-address=10.32.32.1 + # - --neighbor-as=65030 + # - --cluster-as=65000 + +# -- Configuration for kube-ovn-pinger, the agent monitoring and returning metrics for OVS/external connectivity +pinger: + # -- Annotations to be added to all 
top-level kube-ovn-pinger objects (resources under templates/pinger) + annotations: {} + # -- Labels to be added to all top-level kube-ovn-pinger objects (resources under templates/pinger) + labels: {} + # -- Annotations to be added to kube-ovn-pinger pods + podAnnotations: {} + # -- Labels to be added to kube-ovn-pinger pods + podLabels: {} + + # -- kube-ovn-pinger resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + cpu: "200m" + memory: "400Mi" + + # -- kube-ovn-pinger metrics configuration + metrics: + # -- Configure the port on which the kube-ovn-monitor service will serve metrics + port: 8080 + + # -- Remote targets used by the pinger daemon to determine if the CNI works and has external connectivity + targets: + # -- Raw IPv4/6 on which to issue pings + externalAddresses: + v4: "1.1.1.1" + v6: "2606:4700:4700::1111" + # -- Domains to resolve and to ping + # Make sure the v6 domain resolves both A and AAAA records, while the v4 only resolves A records + externalDomain: + v4: "kube-ovn.io." + v6: "google.com." 
+ +# -- Configuration for kube-ovn-monitor, the agent monitoring and returning metrics for the northbound/southbound DBs and northd +monitor: + # -- Annotations to be added to all top-level kube-ovn-monitor objects (resources under templates/monitor) + annotations: {} + # -- Labels to be added to all top-level kube-ovn-monitor objects (resources under templates/monitor) + labels: {} + # -- Annotations to be added to kube-ovn-monitor pods + podAnnotations: {} + # -- Labels to be added to kube-ovn-monitor pods + podLabels: {} + + # -- kube-ovn-monitor resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + cpu: "200m" + memory: "200Mi" + limits: + cpu: "200m" + memory: "200Mi" + + # -- kube-ovn-monitor metrics configuration + metrics: + # -- Configure the port on which the kube-ovn-monitor service will serve metrics + port: 10661 + +# -- Configuration for kube-ovn-controller, the controller responsible for syncing K8s with OVN +controller: + # -- Annotations to be added to all top-level kube-ovn-controller objects (resources under templates/controller) + annotations: {} + # -- Labels to be added to all top-level kube-ovn-controller objects (resources under templates/controller) + labels: {} + # -- Annotations to be added to kube-ovn-controller pods + podAnnotations: {} + # -- Labels to be added to kube-ovn-controller pods + podLabels: {} + + # -- kube-ovn-controller resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + cpu: "200m" + memory: "200Mi" + limits: + cpu: "1000m" + memory: "1Gi" + + # -- Controller metrics configuration + metrics: + # -- Configure the port on which the controller service will serve metrics + port: 10660 + +# -- Configuration for ovn-central, the daemon containing the northbound/southbound DBs and northd +central: + # -- Annotations to be added to all top-level 
ovn-central objects (resources under templates/central) + annotations: {} + # -- Labels to be added to all top-level ovn-central objects (resources under templates/central) + labels: {} + # -- Annotations to be added to ovn-central pods + podAnnotations: {} + # -- Labels to be added to ovn-central pods + podLabels: {} + + # -- ovn-central resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + cpu: "300m" + memory: "200Mi" + limits: + cpu: "3" + memory: "4Gi" + + ovnNorthdProbeInterval: 5000 + ovnNorthdNThreads: 1 + ovnLeaderProbeInterval: 5 + +# -- Configuration for kube-ovn-cni, the agent responsible for handling CNI requests from the CRI +agent: + # -- Annotations to be added to all top-level agent objects (resources under templates/agent) + annotations: {} + # -- Labels to be added to all top-level agent objects (resources under templates/agent) + labels: {} + # -- Annotations to be added to the agent pods (kube-ovn-cni) + podAnnotations: {} + # -- Labels to be added to the agent pods (kube-ovn-cni) + podLabels: {} + + # -- Agent daemon resource limits & requests + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + cpu: "1000m" + memory: "1Gi" + + # -- Agent metrics configuration + metrics: + # -- Configure the port on which the agent service will serve metrics + port: 10665 + + # -- Mirroring of the traffic for debug or analysis + # https://kubeovn.github.io/docs/stable/en/guide/mirror/ + mirroring: + # -- Enable mirroring of the traffic + enabled: false + # -- Interface on which to send the mirrored traffic + interface: mirror0 + + interface: "" + dpdkTunnelInterface: "br-phy" + +# -- Kubelet configuration +kubelet: + # -- Directory in which the kubelet operates + directory: "/var/lib/kubelet" + +# -- Logging configuration for all the daemons +logging: + # -- Directory in 
which to write the logs + directory: "/var/log" + +# -- Performance tuning parameters +performance: + gcInterval: 360 + inspectInterval: 20 + ovsVsctlConcurrency: 100 + +# -- Array of extra K8s manifests to deploy +## Note: Supports use of custom Helm templates (Go templating) +extraObjects: [] +# - apiVersion: v1 +# kind: ConfigMap +# metadata: +# name: cilium-chaining +# data: +# cni-config: |- +# { +# "name": "generic-veth", +# "cniVersion": "0.3.1", +# "plugins": [ +# { +# "type": "kube-ovn", +# "server_socket": "/run/openvswitch/kube-ovn-daemon.sock", +# "ipam": { +# "type": "kube-ovn", +# "server_socket": "/run/openvswitch/kube-ovn-daemon.sock" +# } +# }, +# { +# "type": "portmap", +# "snat": true, +# "capabilities": {"portMappings": true} +# }, +# { +# "type": "cilium-cni" +# } +# ] +# } From eb1f359f47efb86a1fe6dbfa7f7a9946d7b85259 Mon Sep 17 00:00:00 2001 From: SkalaNetworks Date: Sat, 26 Apr 2025 19:48:58 +0200 Subject: [PATCH 2/4] chore(helm): readme with autogenerated docs Signed-off-by: SkalaNetworks --- charts/kube-ovn-v2/README.md | 1924 +++++++++++++++-- charts/kube-ovn-v2/README.md.gotmpl | 35 + .../templates/speaker/speaker.yaml | 16 +- charts/kube-ovn-v2/values.yaml | 483 +++-- 4 files changed, 2185 insertions(+), 273 deletions(-) create mode 100644 charts/kube-ovn-v2/README.md.gotmpl diff --git a/charts/kube-ovn-v2/README.md b/charts/kube-ovn-v2/README.md index 9fdcc94912f..8ef4e95845c 100644 --- a/charts/kube-ovn-v2/README.md +++ b/charts/kube-ovn-v2/README.md 
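Review bot: Several keys in this file carry no `# --` description, so the helm-docs README generated from it lists them without explanation: `speaker.args` uses `# Args passed to the kube-ovn-speaker pod` instead of `# -- Args passed to the kube-ovn-speaker pod`, and `networking.vlan.*`, `networking.exchangeLinkName`/`enableEcmp`/`enableCompact`, every entry under `features`, `ovsOvn.ovnRemoteProbeInterval`/`ovnRemoteOpenflowInterval`/`probeInterval`, `central.ovnNorthdProbeInterval`/`ovnNorthdNThreads`/`ovnLeaderProbeInterval`, `agent.interface`/`dpdkTunnelInterface` and `performance.*` have no comment at all. `natGw.bgpSpeaker.image` repeats `docker.io/kubeovn/kube-ovn` and `v1.14.0` literally instead of deriving from `global.registry.address`, `global.images.kubeovn.repository` and `global.images.kubeovn.tag`, so a registry mirror or version bump applied under `global` silently leaves the NAT gateway sidecar on the old image. `global.images.kubeovn.support_arm` is the only snake_case key in an otherwise camelCase file.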
@@ -1,147 +1,1793 @@ -# kube-ovn +# Helm chart for Kube-OVN -![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.14.0](https://img.shields.io/badge/AppVersion-1.14.0-informational?style=flat-square) +![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=flat-square) ![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=flat-square) -Helm chart for Kube-OVN +This is the v2 of the Helm Chart, replacing the first version in the long term. +Make sure to adjust your old values with the new ones and pre-generate your templates with a dry-run to ensure no breaking change occurs. -## Requirements +## How to install Kube-OVN on Talos Linux -Kubernetes: `>= 1.29.0-0` +To install Kube-OVN on Talos Linux, declare the **OpenvSwitch** module in the `machine` config of your Talos install: + +```yaml +machine: + kernel: + modules: + - name: openvswitch +``` + +Then use the following options to install this chart: + +```yaml +ovsOvn: + disableModulesManagement: true + ovsDirectory: "/var/lib/openvswitch" + ovnDirectory: "/var/lib/ovn" +cni: + mountToolingDirectory: false +``` + +## How to regenerate this README + +This README is generated using [helm-docs](https://github.com/norwoodj/helm-docs). Launch `helm-docs` while in this folder to regenerate the documented values. 
## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| agent | object | `{"annotations":{},"dpdkTunnelInterface":"br-phy","interface":"","labels":{},"metrics":{"port":10665},"mirroring":{"enabled":false,"interface":"mirror0"},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"100Mi"}}}` | Configuration for kube-ovn-cni, the agent responsible for handling CNI requests from the CRI | -| agent.annotations | object | `{}` | Annotations to be added to all top-level agent objects (resources under templates/agent) | -| agent.labels | object | `{}` | Labels to be added to all top-level agent objects (resources under templates/agent) | -| agent.metrics | object | `{"port":10665}` | Agent metrics configuration | -| agent.metrics.port | int | `10665` | Configure the port on which the agent service will serve metrics | -| agent.mirroring | object | `{"enabled":false,"interface":"mirror0"}` | Mirroring of the traffic for debug or analysis https://kubeovn.github.io/docs/stable/en/guide/mirror/ | -| agent.mirroring.enabled | bool | `false` | Enable mirroring of the traffic | -| agent.mirroring.interface | string | `"mirror0"` | Interface on which to send the mirrored traffic | -| agent.podAnnotations | object | `{}` | Annotations to be added to the agent pods (kube-ovn-cni) | -| agent.podLabels | object | `{}` | Labels to be added to the agent pods (kube-ovn-cni) | -| agent.resources | object | `{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"100Mi"}}` | Agent daemon resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| apiNad | object | `{"enabled":false,"name":"ovn-kubernetes-api","provider":"{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn","subnet":{"cidrBlock":"100.100.0.0/16,fd00:100:100::/112","name":"ovn-kubernetes-api","protocol":"Dual"}}` | API 
NetworkAttachmentDefinition to give some pods (CoreDNS, NAT GW) in custom VPCs access to the K8S API This requires Multus to be installed | -| apiNad.enabled | bool | `false` | Enable the creation of the API NAD | -| apiNad.name | string | `"ovn-kubernetes-api"` | Name of the NAD | -| apiNad.provider | string | `"{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn"` | Name of the provider, must be in the form "nadName.nadNamespace.ovn" | -| apiNad.subnet | object | `{"cidrBlock":"100.100.0.0/16,fd00:100:100::/112","name":"ovn-kubernetes-api","protocol":"Dual"}` | Subnet associated with the NAD, it will have full access to the API server | -| apiNad.subnet.cidrBlock | string | `"100.100.0.0/16,fd00:100:100::/112"` | CIDR block used by the API subnet | -| apiNad.subnet.name | string | `"ovn-kubernetes-api"` | Name of the subnet | -| apiNad.subnet.protocol | string | `"Dual"` | Protocol for the API subnet | -| central | object | `{"annotations":{},"labels":{},"ovnLeaderProbeInterval":5,"ovnNorthdNThreads":1,"ovnNorthdProbeInterval":5000,"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"3","memory":"4Gi"},"requests":{"cpu":"300m","memory":"200Mi"}}}` | Configuration for ovn-central, the daemon containing the northbound/southbound DBs and northd | -| central.annotations | object | `{}` | Annotations to be added to all top-level ovn-central objects (resources under templates/central) | -| central.labels | object | `{}` | Labels to be added to all top-level ovn-central objects (resources under templates/central) | -| central.podAnnotations | object | `{}` | Annotations to be added to ovn-central pods | -| central.podLabels | object | `{}` | Labels to be added to ovn-central pods | -| central.resources | object | `{"limits":{"cpu":"3","memory":"4Gi"},"requests":{"cpu":"300m","memory":"200Mi"}}` | ovn-central resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| cni | object | 
`{"binaryDirectory":"/opt/cni/bin","configDirectory":"/etc/cni/net.d","configPriority":"01","localConfigFile":"/kube-ovn/01-kube-ovn.conflist","mountToolingDirectory":false,"toolingDirectory":"/usr/local/bin"}` | CNI binary/configuration injected on the nodes | -| cni.binaryDirectory | string | `"/opt/cni/bin"` | Location on the node where the agent will inject the Kube-OVN binary | -| cni.configDirectory | string | `"/etc/cni/net.d"` | Location of the CNI configuration on the node | -| cni.configPriority | string | `"01"` | Priority of Kube-OVN within the CNI configuration directory on the node Should be a string representing a double-digit integer | -| cni.localConfigFile | string | `"/kube-ovn/01-kube-ovn.conflist"` | Location of the CNI configuration inside the agent's pod | -| cni.mountToolingDirectory | bool | `false` | Whether to mount the node's tooling directory into the pod | -| cni.toolingDirectory | string | `"/usr/local/bin"` | Location on the node where the CNI will install Kube-OVN's tooling | -| controller | object | `{"annotations":{},"labels":{},"metrics":{"port":10660},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"200m","memory":"200Mi"}}}` | Configuration for kube-ovn-controller, the controller responsible for syncing K8s with OVN | -| controller.annotations | object | `{}` | Annotations to be added to all top-level kube-ovn-controller objects (resources under templates/controller) | -| controller.labels | object | `{}` | Labels to be added to all top-level kube-ovn-controller objects (resources under templates/controller) | -| controller.metrics | object | `{"port":10660}` | Controller metrics configuration | -| controller.metrics.port | int | `10660` | Configure the port on which the controller service will serve metrics | -| controller.podAnnotations | object | `{}` | Annotations to be added to kube-ovn-controller pods | -| controller.podLabels | object | `{}` | Labels to be added 
to kube-ovn-controller pods | -| controller.resources | object | `{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"200m","memory":"200Mi"}}` | kube-ovn-controller resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| extraObjects | list | `[]` | Array of extra K8s manifests to deploy # Note: Supports use of custom Helm templates (Go templating) | -| features | object | `{"CHECK_GATEWAY":true,"ENABLE_ANP":false,"ENABLE_BIND_LOCAL_IP":true,"ENABLE_EXTERNAL_VPC":true,"ENABLE_IC":false,"ENABLE_KEEP_VM_IP":true,"ENABLE_LB":true,"ENABLE_LB_SVC":false,"ENABLE_LIVE_MIGRATION_OPTIMIZE":true,"ENABLE_NAT_GW":true,"ENABLE_NP":true,"ENABLE_OVN_IPSEC":false,"ENABLE_OVN_LB_PREFER_LOCAL":false,"ENABLE_TPROXY":false,"HW_OFFLOAD":false,"LOGICAL_GATEWAY":false,"LS_CT_SKIP_DST_LPORT_IPS":true,"LS_DNAT_MOD_DL_DST":true,"OVSDB_CON_TIMEOUT":3,"OVSDB_INACTIVITY_TIMEOUT":10,"SECURE_SERVING":false,"SET_VXLAN_TX_OFF":false,"U2O_INTERCONNECTION":false}` | Features of Kube-OVN we wish to enable/disable | -| fullnameOverride | string | `""` | | -| global.images.kubeovn.dpdkRepository | string | `"kube-ovn-dpdk"` | | -| global.images.kubeovn.repository | string | `"kube-ovn"` | | -| global.images.kubeovn.support_arm | bool | `true` | | -| global.images.kubeovn.tag | string | `"v1.14.0"` | | -| global.images.kubeovn.thirdparty | bool | `true` | | -| global.images.kubeovn.vpcRepository | string | `"vpc-nat-gateway"` | | -| global.registry.address | string | `"docker.io/kubeovn"` | | -| global.registry.imagePullSecrets | list | `[]` | | -| image.pullPolicy | string | `"IfNotPresent"` | | -| kubelet | object | `{"directory":"/var/lib/kubelet"}` | Kubelet configuration | -| kubelet.directory | string | `"/var/lib/kubelet"` | Directory in which the kubelet operates | -| logging | object | `{"directory":"/var/log"}` | Logging configuration for all the daemons | -| logging.directory | string | `"/var/log"` | Directory in which to 
write the logs | -| masterNodes | string | `""` | Comma-separated list of IPs for each master node | -| masterNodesLabel | string | `"kube-ovn/role=master"` | Label used to auto-identify masters | -| monitor | object | `{"annotations":{},"labels":{},"metrics":{"port":10661},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"200m","memory":"200Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}}` | Configuration for kube-ovn-monitor, the agent monitoring and returning metrics for the northbound/southbound DBs and northd | -| monitor.annotations | object | `{}` | Annotations to be added to all top-level kube-ovn-monitor objects (resources under templates/monitor) | -| monitor.labels | object | `{}` | Labels to be added to all top-level kube-ovn-monitor objects (resources under templates/monitor) | -| monitor.metrics | object | `{"port":10661}` | kube-ovn-monitor metrics configuration | -| monitor.metrics.port | int | `10661` | Configure the port on which the kube-ovn-monitor service will serve metrics | -| monitor.podAnnotations | object | `{}` | Annotations to be added to kube-ovn-monitor pods | -| monitor.podLabels | object | `{}` | Labels to be added to kube-ovn-monitor pods | -| monitor.resources | object | `{"limits":{"cpu":"200m","memory":"200Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}` | kube-ovn-monitor resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| nameOverride | string | `""` | | -| namespace | string | `"kube-system"` | Namespace in which the CNI is deployed | -| natGw | object | `{"bgpSpeaker":{"apiNadProvider":"{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn","image":{"pullPolicy":"IfNotPresent","repository":"docker.io/kubeovn/kube-ovn","tag":"v1.14.0"}},"namePrefix":"vpc-nat-gw"}` | Configuration for the NAT gateways | -| natGw.bgpSpeaker | object | `{"apiNadProvider":"{{ .Values.apiNad.name }}.{{ .Values.namespace 
}}.ovn","image":{"pullPolicy":"IfNotPresent","repository":"docker.io/kubeovn/kube-ovn","tag":"v1.14.0"}}` | Configuration of the BGP sidecar for when a NAT gateway is running in BGP mode | -| natGw.bgpSpeaker.apiNadProvider | string | `"{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn"` | Network attachment definition used to reach the API server when running on BGP mode By default, equals the value set at ".apiNad.provider", you will need to set ".apiNad.enabled" to true See https://kubeovn.github.io/docs/stable/en/advance/with-bgp/ | -| natGw.bgpSpeaker.image | object | `{"pullPolicy":"IfNotPresent","repository":"docker.io/kubeovn/kube-ovn","tag":"v1.14.0"}` | Image used by the NAT gateway sidecar | -| natGw.namePrefix | string | `"vpc-nat-gw"` | Prefix appended to the name of the NAT gateways when generating the Pods If this value is changed after NAT GWs have been provisioned, every NAT gateway will need to be manually destroyed and recreated | -| networking | object | `{"defaultVpcName":"ovn-cluster","enableCompact":false,"enableEcmp":false,"enableEipSnat":true,"enableMetrics":true,"enableSsl":false,"exchangeLinkName":false,"excludeIps":"","join":{"cidr":{"v4":"100.64.0.0/16","v6":"fd00:100:64::/112"},"subnetName":"join"},"networkType":"geneve","nodeLocalDnsIp":"","podNicType":"veth-pair","pods":{"cidr":{"v4":"10.16.0.0/16","v6":"fd00:10:16::/112"},"gateways":{"v4":"10.16.0.1","v6":"fd00:10:16::1"},"subnetName":"ovn-default"},"services":{"cidr":{"v4":"10.96.0.0/12","v6":"fd00:10:96::/112"}},"stack":"IPv4","tunnelType":"geneve","vlan":{"id":"100","interfaceName":"","name":"ovn-vlan","providerName":"provider"}}` | General configuration of the network created by Kube-OVN | -| networking.defaultVpcName | string | `"ovn-cluster"` | Name of the default VPC once it is generated in the cluster Pods in the default subnet live in this VPC | -| networking.enableEipSnat | bool | `true` | Enable EIP and SNAT | -| networking.enableMetrics | bool | `true` | Enable 
listening on the metrics endpoint for the CNI daemons | -| networking.enableSsl | bool | `false` | Deploy the CNI with SSL encryption in between components | -| networking.excludeIps | string | `""` | IPs to exclude from IPAM in the default subnet | -| networking.join | object | `{"cidr":{"v4":"100.64.0.0/16","v6":"fd00:100:64::/112"},"subnetName":"join"}` | Configuration of the "join" subnet, used by the nodes to contact (join) the pods in the default subnet If .networking.stack is set to IPv4, only the .v4 key is used If .networking.stack is set to IPv6, only the .v6 key is used If .networking.stack is set to Dual, both keys are used | -| networking.join.subnetName | string | `"join"` | Name of the join subnet once it gets generated in the cluster | -| networking.networkType | string | `"geneve"` | Network type can be geneve or vlan | -| networking.nodeLocalDnsIp | string | `""` | Comma-separated string of NodeLocal DNS IP addresses | -| networking.podNicType | string | `"veth-pair"` | NIC type used on pods to connect them to the CNI | -| networking.pods | object | `{"cidr":{"v4":"10.16.0.0/16","v6":"fd00:10:16::/112"},"gateways":{"v4":"10.16.0.1","v6":"fd00:10:16::1"},"subnetName":"ovn-default"}` | Configuration for the default pod subnet If .networking.stack is set to IPv4, only the .v4 key is used If .networking.stack is set to IPv6, only the .v6 key is used If .networking.stack is set to Dual, both keys are used | -| networking.pods.subnetName | string | `"ovn-default"` | Name of the pod subnet once it gets generated in the cluster | -| networking.services | object | `{"cidr":{"v4":"10.96.0.0/12","v6":"fd00:10:96::/112"}}` | Configuration for the service subnet If .networking.stack is set to IPv4, only the .v4 key is used If .networking.stack is set to IPv6, only the .v6 key is used If .networking.stack is set to Dual, both keys are used | -| networking.stack | string | `"IPv4"` | Protocol(s) used by Kube-OVN to allocate IPs to pods and services Can be either 
IPv4, IPv6 or Dual | -| networking.tunnelType | string | `"geneve"` | Tunnel type can be geneve, vxlan or stt | -| networking.vlan | object | `{"id":"100","interfaceName":"","name":"ovn-vlan","providerName":"provider"}` | Configuration if we're running on top of a VLAN | -| ovsOvn | object | `{"annotations":{},"disableModulesManagement":false,"dpdk":{"enabled":false,"resources":{"limits":{"cpu":"1000m","hugepages-1Gi":"1Gi","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"200Mi"}},"version":"19.11"},"dpdkHybrid":{"enabled":false,"resources":{"limits":{"cpu":"2","hugepages-2Mi":"1Gi","memory":"1000Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}},"labels":{},"ovnDirectory":"/etc/origin/ovn","ovnRemoteOpenflowInterval":180,"ovnRemoteProbeInterval":10000,"ovsDirectory":"/etc/origin/openvswitch","podAnnotations":{},"podLabels":{},"probeInterval":180000,"resources":{"limits":{"cpu":"2","memory":"1000Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}}` | Configuration for ovs-ovn, the Open vSwitch/Open Virtual Network daemons | -| ovsOvn.annotations | object | `{}` | Annotations to be added to all top-level ovs-ovn objects (resources under templates/ovs-ovn) | -| ovsOvn.disableModulesManagement | bool | `false` | Disable auto-loading of kernel modules by OVS If this is disabled, you will have to enable the Open vSwitch kernel module yourself | -| ovsOvn.dpdk | object | `{"enabled":false,"resources":{"limits":{"cpu":"1000m","hugepages-1Gi":"1Gi","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"200Mi"}},"version":"19.11"}` | DPDK support for OVS ref: https://kubeovn.github.io/docs/v1.12.x/en/advance/dpdk/ | -| ovsOvn.dpdk.enabled | bool | `false` | Enables DPDK support on OVS | -| ovsOvn.dpdk.resources | object | `{"limits":{"cpu":"1000m","hugepages-1Gi":"1Gi","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"200Mi"}}` | ovs-ovn resource limits & requests when DPDK is enabled ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ 
| -| ovsOvn.dpdk.version | string | `"19.11"` | Version of the DPDK image | -| ovsOvn.dpdkHybrid | object | `{"enabled":false,"resources":{"limits":{"cpu":"2","hugepages-2Mi":"1Gi","memory":"1000Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}}` | DPDK-hybrid support for OVS ref: https://kubeovn.github.io/docs/v1.12.x/en/advance/dpdk/ | -| ovsOvn.dpdkHybrid.enabled | bool | `false` | Enables DPDK-hybrid support on OVS | -| ovsOvn.dpdkHybrid.resources | object | `{"limits":{"cpu":"2","hugepages-2Mi":"1Gi","memory":"1000Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}` | ovs-ovn resource limits & requests when DPDK-hybrid is enabled ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| ovsOvn.labels | object | `{}` | Labels to be added to all top-level ovs-ovn objects (resources under templates/ovs-ovn) | -| ovsOvn.ovnDirectory | string | `"/etc/origin/ovn"` | Directory on the node where Open Virtual Network (OVN) lives | -| ovsOvn.ovsDirectory | string | `"/etc/origin/openvswitch"` | Directory on the node where Open vSwitch (OVS) lives | -| ovsOvn.podAnnotations | object | `{}` | Annotations to be added to ovs-ovn pods | -| ovsOvn.podLabels | object | `{}` | Labels to be added to ovs-ovn pods | -| ovsOvn.resources | object | `{"limits":{"cpu":"2","memory":"1000Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}` | ovs-ovn resource limits & requests, overridden if DPDK is enabled ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| performance | object | `{"gcInterval":360,"inspectInterval":20,"ovsVsctlConcurrency":100}` | Performance tuning parameters | -| pinger | object | `{"annotations":{},"labels":{},"metrics":{"port":8080},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"200m","memory":"400Mi"},"requests":{"cpu":"100m","memory":"100Mi"}},"targets":{"externalAddresses":{"v4":"1.1.1.1","v6":"2606:4700:4700::1111"},"externalDomain":{"v4":"kube-ovn.io.","v6":"google.com."}}}` | 
Configuration for kube-ovn-pinger, the agent monitoring and returning metrics for OVS/external connectivity | -| pinger.annotations | object | `{}` | Annotations to be added to all top-level kube-ovn-pinger objects (resources under templates/pinger) | -| pinger.labels | object | `{}` | Labels to be added to all top-level kube-ovn-pinger objects (resources under templates/pinger) | -| pinger.metrics | object | `{"port":8080}` | kube-ovn-pinger metrics configuration | -| pinger.metrics.port | int | `8080` | Configure the port on which the kube-ovn-monitor service will serve metrics | -| pinger.podAnnotations | object | `{}` | Annotations to be added to kube-ovn-pinger pods | -| pinger.podLabels | object | `{}` | Labels to be added to kube-ovn-pinger pods | -| pinger.resources | object | `{"limits":{"cpu":"200m","memory":"400Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}` | kube-ovn-pinger resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| pinger.targets | object | `{"externalAddresses":{"v4":"1.1.1.1","v6":"2606:4700:4700::1111"},"externalDomain":{"v4":"kube-ovn.io.","v6":"google.com."}}` | Remote targets used by the pinger daemon to determine if the CNI works and has external connectivity | -| pinger.targets.externalAddresses | object | `{"v4":"1.1.1.1","v6":"2606:4700:4700::1111"}` | Raw IPv4/6 on which to issue pings | -| pinger.targets.externalDomain | object | `{"v4":"kube-ovn.io.","v6":"google.com."}` | Domains to resolve and to ping Make sure the v6 domain resolves both A and AAAA records, while the v4 only resolves A records | -| speaker | object | `{"annotations":{},"args":[],"enabled":false,"labels":{},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{},"requests":{"cpu":"500m","memory":"300Mi"}}}` | Configuration for kube-ovn-speaker, the BGP speaker announcing routes to the external world | -| speaker.annotations | object | `{}` | Annotations to be added to all 
top-level kube-ovn-speaker objects (resources under templates/speaker) | -| speaker.enabled | bool | `false` | Enable the kube-ovn-speaker | -| speaker.labels | object | `{}` | Labels to be added to all top-level kube-ovn-speaker objects (resources under templates/speaker) | -| speaker.nodeSelector | object | `{}` | Node selector to restrict the deployment of the speaker to specific nodes | -| speaker.podAnnotations | object | `{}` | Annotations to be added to kube-ovn-speaker pods | -| speaker.podLabels | object | `{}` | Labels to be added to kube-ovn-speaker pods | -| speaker.resources | object | `{"limits":{},"requests":{"cpu":"500m","memory":"300Mi"}}` | kube-ovn-speaker resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| validatingWebhook | object | `{"annotations":{},"enabled":false,"labels":{},"podAnnotations":{},"podLabels":{}}` | Configuration of the validating webhook used to verify custom resources before they are pushed to Kubernetes. Make sure cert-manager is installed for the generation of certificates for the webhook See https://kubeovn.github.io/docs/stable/en/guide/webhook/ | -| validatingWebhook.annotations | object | `{}` | Annotations to be added to all top-level kube-ovn-webhook objects (resources under templates/webhook) | -| validatingWebhook.enabled | bool | `false` | Enable the deployment of the validating webhook | -| validatingWebhook.labels | object | `{}` | Labels to be added to all top-level kube-ovn-webhook objects (resources under templates/webhook) | -| validatingWebhook.podAnnotations | object | `{}` | Annotations to be added to kube-ovn-webhook pods | -| validatingWebhook.podLabels | object | `{}` | Labels to be added to kube-ovn-webhook pods | +

CNI agent configuration

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
agentobject
+"{}"
+
+
Configuration for kube-ovn-cni, the agent responsible for handling CNI requests from the CRI.
agent.annotationsobject
+{}
+
+
Annotations to be added to all top-level agent objects (resources under templates/agent)
agent.labelsobject
+{}
+
+
Labels to be added to all top-level agent objects (resources under templates/agent)
agent.metricsobject
+"{}"
+
+
Agent metrics configuration.
agent.metrics.portint
+10665
+
+
Configure the port on which the agent service will serve metrics.
agent.mirroringobject
+"{}"
+
+
Mirroring of the traffic for debug or analysis. https://kubeovn.github.io/docs/stable/en/guide/mirror/
agent.mirroring.enabledbool
+false
+
+
Enable mirroring of the traffic.
agent.mirroring.interfacestring
+"mirror0"
+
+
Interface on which to send the mirrored traffic.
agent.podAnnotationsobject
+{}
+
+
Annotations to be added to the agent pods (kube-ovn-cni)
agent.podLabelsobject
+{}
+
+
Labels to be added to the agent pods (kube-ovn-cni)
agent.resourcesobject
+{
+  "limits": {
+    "cpu": "1000m",
+    "memory": "1Gi"
+  },
+  "requests": {
+    "cpu": "100m",
+    "memory": "100Mi"
+  }
+}
+
+
Agent daemon resource limits & requests. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+

CNI agent configuration.

+ + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
agent.dpdkTunnelInterfacestring
+"br-phy"
+
+
""
agent.interfacestring
+""
+
+
""
+

API Network Attachment Definition configuration

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
apiNadobject
+"{}"
+
+
API NetworkAttachmentDefinition to give some pods (CoreDNS, NAT GW) in custom VPCs access to the K8S API. This requires Multus to be installed.
apiNad.enabledbool
+false
+
+
Enable the creation of the API NAD.
apiNad.namestring
+"ovn-kubernetes-api"
+
+
Name of the NAD.
apiNad.providerstring
+"{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn"
+
+
Name of the provider, must be in the form "nadName.nadNamespace.ovn".
apiNad.subnetobject
+"{}"
+
+
Subnet associated with the NAD, it will have full access to the API server.
apiNad.subnet.cidrBlockstring
+"100.100.0.0/16,fd00:100:100::/112"
+
+
CIDR block used by the API subnet.
apiNad.subnet.namestring
+"ovn-kubernetes-api"
+
+
Name of the subnet.
apiNad.subnet.protocolstring
+"Dual"
+
+
Protocol for the API subnet.
+

BGP speaker configuration

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
bgpSpeakerobject
+"{}"
+
+
Configuration for kube-ovn-speaker, the BGP speaker announcing routes to the external world.
bgpSpeaker.annotationsobject
+{}
+
+
Annotations to be added to all top-level kube-ovn-speaker objects (resources under templates/speaker)
bgpSpeaker.argslist
+[]
+
+
Args passed to the kube-ovn-speaker pod.
bgpSpeaker.enabledbool
+false
+
+
Enable the kube-ovn-speaker.
bgpSpeaker.labelsobject
+{}
+
+
Labels to be added to all top-level kube-ovn-speaker objects (resources under templates/speaker)
bgpSpeaker.nodeSelectorobject
+{}
+
+
Node selector to restrict the deployment of the speaker to specific nodes.
bgpSpeaker.podAnnotationsobject
+{}
+
+
Annotations to be added to kube-ovn-speaker pods.
bgpSpeaker.podLabelsobject
+{}
+
+
Labels to be added to kube-ovn-speaker pods.
bgpSpeaker.resourcesobject
+{
+  "limits": {},
+  "requests": {
+    "cpu": "500m",
+    "memory": "300Mi"
+  }
+}
+
+
kube-ovn-speaker resource limits & requests. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+

OVN-central daemon configuration

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
centralobject
+"{}"
+
+
Configuration for ovn-central, the daemon containing the northbound/southbound DBs and northd.
central.annotationsobject
+{}
+
+
Annotations to be added to all top-level ovn-central objects (resources under templates/central)
central.labelsobject
+{}
+
+
Labels to be added to all top-level ovn-central objects (resources under templates/central)
central.podAnnotationsobject
+{}
+
+
Annotations to be added to ovn-central pods.
central.podLabelsobject
+{}
+
+
Labels to be added to ovn-central pods.
central.resourcesobject
+{
+  "limits": {
+    "cpu": "3",
+    "memory": "4Gi"
+  },
+  "requests": {
+    "cpu": "300m",
+    "memory": "200Mi"
+  }
+}
+
+
ovn-central resource limits & requests. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+

OVN-central daemon configuration.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
central.ovnLeaderProbeIntervalint
+5
+
+
""
central.ovnNorthdNThreadsint
+1
+
+
""
central.ovnNorthdProbeIntervalint
+5000
+
+
""
+

CNI configuration

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
cniobject
+"{}"
+
+
CNI binary/configuration injected on the nodes.
cni.binaryDirectorystring
+"/opt/cni/bin"
+
+
Location on the node where the agent will inject the Kube-OVN binary.
cni.configDirectorystring
+"/etc/cni/net.d"
+
+
Location of the CNI configuration on the node.
cni.configPrioritystring
+"01"
+
+
Priority of Kube-OVN within the CNI configuration directory on the node. Should be a string representing a double-digit integer.
cni.localConfigFilestring
+"/kube-ovn/01-kube-ovn.conflist"
+
+
Location of the CNI configuration inside the agent's pod.
cni.mountToolingDirectorybool
+false
+
+
Whether to mount the node's tooling directory into the pod.
cni.toolingDirectorystring
+"/usr/local/bin"
+
+
Location on the node where the CNI will install Kube-OVN's tooling.
+

Kube-OVN controller configuration

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
controllerobject
+"{}"
+
+
Configuration for kube-ovn-controller, the controller responsible for syncing K8s with OVN.
controller.annotationsobject
+{}
+
+
Annotations to be added to all top-level kube-ovn-controller objects (resources under templates/controller)
controller.labelsobject
+{}
+
+
Labels to be added to all top-level kube-ovn-controller objects (resources under templates/controller)
controller.metricsobject
+"{}"
+
+
Controller metrics configuration.
controller.metrics.portint
+10660
+
+
Configure the port on which the controller service will serve metrics.
controller.podAnnotationsobject
+{}
+
+
Annotations to be added to kube-ovn-controller pods.
controller.podLabelsobject
+{}
+
+
Labels to be added to kube-ovn-controller pods.
controller.resourcesobject
+{
+  "limits": {
+    "cpu": "1000m",
+    "memory": "1Gi"
+  },
+  "requests": {
+    "cpu": "200m",
+    "memory": "200Mi"
+  }
+}
+
+
kube-ovn-controller resource limits & requests. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+

Extra objects

+ + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
extraObjectslist
+[]
+
+
Array of extra K8s manifests to deploy. Note: Supports use of custom Helm templates (Go templating)
+

Opt-in/out Features

+ + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
featuresobject
+{
+  "CHECK_GATEWAY": true,
+  "ENABLE_ANP": false,
+  "ENABLE_BIND_LOCAL_IP": true,
+  "ENABLE_EXTERNAL_VPC": true,
+  "ENABLE_IC": false,
+  "ENABLE_KEEP_VM_IP": true,
+  "ENABLE_LB": true,
+  "ENABLE_LB_SVC": false,
+  "ENABLE_LIVE_MIGRATION_OPTIMIZE": true,
+  "ENABLE_NAT_GW": true,
+  "ENABLE_NP": true,
+  "ENABLE_OVN_IPSEC": false,
+  "ENABLE_OVN_LB_PREFER_LOCAL": false,
+  "ENABLE_TPROXY": false,
+  "HW_OFFLOAD": false,
+  "LOGICAL_GATEWAY": false,
+  "LS_CT_SKIP_DST_LPORT_IPS": true,
+  "LS_DNAT_MOD_DL_DST": true,
+  "OVSDB_CON_TIMEOUT": 3,
+  "OVSDB_INACTIVITY_TIMEOUT": 10,
+  "SECURE_SERVING": false,
+  "SET_VXLAN_TX_OFF": false,
+  "U2O_INTERCONNECTION": false
+}
+
+
Features of Kube-OVN we wish to enable/disable.
+

Global parameters

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
fullnameOverridestring
+""
+
+
Full name override.
globalobject
+{
+  "images": {
+    "kubeovn": {
+      "dpdkRepository": "kube-ovn-dpdk",
+      "repository": "kube-ovn",
+      "support_arm": true,
+      "tag": "v1.14.0",
+      "thirdparty": true,
+      "vpcRepository": "vpc-nat-gateway"
+    }
+  },
+  "registry": {
+    "address": "docker.io/kubeovn",
+    "imagePullSecrets": []
+  }
+}
+
+
Global configuration.
imageobject
+"{}"
+
+
Image configuration.
image.pullPolicystring
+"IfNotPresent"
+
+
Pull policy for all images.
masterNodesstring
+""
+
+
Comma-separated list of IPs for each master node.
masterNodesLabelstring
+"kube-ovn/role=master"
+
+
Label used to auto-identify masters.
nameOverridestring
+""
+
+
Name override.
namespacestring
+"kube-system"
+
+
Namespace in which the CNI is deployed.
+

Kubelet configuration

+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
kubeletobject
+"{}"
+
+
Kubelet configuration.
kubelet.directorystring
+"/var/lib/kubelet"
+
+
Directory in which the kubelet operates.
logging.directorystring
+"/var/log"
+
+
Directory in which to write the logs.
+

Logging configuration

+ + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
loggingobject
+"{}"
+
+
Logging configuration for all the daemons.
+

OVN monitoring daemon configuration

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
monitorobject
+"{}"
+
+
Configuration for kube-ovn-monitor, the agent monitoring and returning metrics for the northbound/southbound DBs and northd.
monitor.annotationsobject
+{}
+
+
Annotations to be added to all top-level kube-ovn-monitor objects (resources under templates/monitor)
monitor.labelsobject
+{}
+
+
Labels to be added to all top-level kube-ovn-monitor objects (resources under templates/monitor)
monitor.metricsobject
+"{}"
+
+
kube-ovn-monitor metrics configuration.
monitor.metrics.portint
+10661
+
+
Configure the port on which the kube-ovn-monitor service will serve metrics.
monitor.podAnnotationsobject
+{}
+
+
Annotations to be added to kube-ovn-monitor pods.
monitor.podLabelsobject
+{}
+
+
Labels to be added to kube-ovn-monitor pods.
monitor.resourcesobject
+{
+  "limits": {
+    "cpu": "200m",
+    "memory": "200Mi"
+  },
+  "requests": {
+    "cpu": "200m",
+    "memory": "200Mi"
+  }
+}
+
+
kube-ovn-monitor resource limits & requests. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+

NAT gateways configuration

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
natGwobject
+"{}"
+
+
Configuration for the NAT gateways.
natGw.bgpSpeakerobject
+"{}"
+
+
Configuration of the BGP sidecar for when a NAT gateway is running in BGP mode.
natGw.bgpSpeaker.apiNadProviderstring
+"{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn"
+
+
Network attachment definition used to reach the API server when running on BGP mode. By default, equals the value set at ".apiNad.provider", you will need to set ".apiNad.enabled" to true. See https://kubeovn.github.io/docs/stable/en/advance/with-bgp/
natGw.bgpSpeaker.imageobject
+"{}"
+
+
Image used by the NAT gateway sidecar.
natGw.bgpSpeaker.image.pullPolicystring
+"IfNotPresent"
+
+
Image pull policy.
natGw.bgpSpeaker.image.repositorystring
+"docker.io/kubeovn/kube-ovn"
+
+
Image repository.
natGw.bgpSpeaker.image.tagstring
+"v1.14.0"
+
+
Image tag.
natGw.namePrefixstring
+"vpc-nat-gw"
+
+
Prefix appended to the name of the NAT gateways when generating the Pods. If this value is changed after NAT GWs have been provisioned, every NAT gateway will need to be manually destroyed and recreated.
+

Network parameters of the CNI

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
networkingobject
+"{}"
+
+
General configuration of the network created by Kube-OVN.
networking.defaultVpcNamestring
+"ovn-cluster"
+
+
Name of the default VPC once it is generated in the cluster. Pods in the default subnet live in this VPC.
networking.enableCompactbool
+false
+
+
""
networking.enableEcmpbool
+false
+
+
""
networking.enableEipSnatbool
+true
+
+
Enable EIP and SNAT.
networking.enableMetricsbool
+true
+
+
Enable listening on the metrics endpoint for the CNI daemons.
networking.enableSslbool
+false
+
+
Deploy the CNI with SSL encryption in between components.
networking.exchangeLinkNamebool
+false
+
+
""
networking.excludeIpsstring
+""
+
+
IPs to exclude from IPAM in the default subnet.
networking.joinobject
+"{}"
+
+
Configuration of the "join" subnet, used by the nodes to contact (join) the pods in the default subnet. If .networking.stack is set to IPv4, only the .v4 key is used. If .networking.stack is set to IPv6, only the .v6 key is used. If .networking.stack is set to Dual, both keys are used.
networking.join.cidrobject
+"{}"
+
+
CIDR used by the join subnet.
networking.join.cidr.v4string
+"100.64.0.0/16"
+
+
IPv4 CIDR.
networking.join.cidr.v6string
+"fd00:100:64::/112"
+
+
IPv6 CIDR.
networking.join.subnetNamestring
+"join"
+
+
Name of the join subnet once it gets generated in the cluster.
networking.networkTypestring
+"geneve"
+
+
Network type can be "geneve" or "vlan".
networking.nodeLocalDnsIpstring
+""
+
+
Comma-separated string of NodeLocal DNS IP addresses.
networking.podNicTypestring
+"veth-pair"
+
+
NIC type used on pods to connect them to the CNI.
networking.podsobject
+"{}"
+
+
Configuration for the default pod subnet. If .networking.stack is set to IPv4, only the .v4 key is used. If .networking.stack is set to IPv6, only the .v6 key is used. If .networking.stack is set to Dual, both keys are used.
networking.pods.cidrobject
+"{}"
+
+
CIDR used by the pods subnet.
networking.pods.cidr.v4string
+"10.16.0.0/16"
+
+
IPv4 CIDR.
networking.pods.cidr.v6string
+"fd00:10:16::/112"
+
+
IPv6 CIDR.
networking.pods.gatewaysobject
+"{}"
+
+
Gateways used in the pod subnet.
networking.pods.gateways.v4string
+"10.16.0.1"
+
+
IPv4 gateway.
networking.pods.gateways.v6string
+"fd00:10:16::1"
+
+
IPv6 gateway.
networking.pods.subnetNamestring
+"ovn-default"
+
+
Name of the pod subnet once it gets generated in the cluster.
networking.servicesobject
+"{}"
+
+
Configuration for the service subnet. If .networking.stack is set to IPv4, only the .v4 key is used. If .networking.stack is set to IPv6, only the .v6 key is used. If .networking.stack is set to Dual, both keys are used.
networking.services.cidrobject
+"{}"
+
+
CIDR used by the service subnet.
networking.services.cidr.v4string
+"10.96.0.0/12"
+
+
IPv4 CIDR.
networking.services.cidr.v6string
+"fd00:10:96::/112"
+
+
IPv6 CIDR.
networking.stackstring
+"IPv4"
+
+
Protocol(s) used by Kube-OVN to allocate IPs to pods and services. Can be either IPv4, IPv6 or Dual.
networking.tunnelTypestring
+"geneve"
+
+
Tunnel type can be "geneve", "vxlan" or "stt".
networking.vlanobject
+{
+  "id": "100",
+  "interfaceName": "",
+  "name": "ovn-vlan",
+  "providerName": "provider"
+}
+
+
Configuration if we're running on top of a VLAN.
+

OVS/OVN daemons configuration

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
ovsOvnobject
+"{}"
+
+
Configuration for ovs-ovn, the Open vSwitch/Open Virtual Network daemons.
ovsOvn.annotationsobject
+{}
+
+
Annotations to be added to all top-level ovs-ovn objects (resources under templates/ovs-ovn)
ovsOvn.disableModulesManagementbool
+false
+
+
Disable auto-loading of kernel modules by OVS. If this is disabled, you will have to enable the Open vSwitch kernel module yourself.
ovsOvn.dpdkobject
+"{}"
+
+
DPDK support for OVS. ref: https://kubeovn.github.io/docs/v1.12.x/en/advance/dpdk/
ovsOvn.dpdk.enabledbool
+false
+
+
Enables DPDK support on OVS.
ovsOvn.dpdk.resourcesobject
+{
+  "limits": {
+    "cpu": "1000m",
+    "hugepages-1Gi": "1Gi",
+    "memory": "1000Mi"
+  },
+  "requests": {
+    "cpu": "1000m",
+    "memory": "200Mi"
+  }
+}
+
+
ovs-ovn resource limits & requests when DPDK is enabled. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
ovsOvn.dpdk.versionstring
+"19.11"
+
+
Version of the DPDK image.
ovsOvn.dpdkHybridobject
+"{}"
+
+
DPDK-hybrid support for OVS. ref: https://kubeovn.github.io/docs/v1.12.x/en/advance/dpdk/
ovsOvn.dpdkHybrid.enabledbool
+false
+
+
Enables DPDK-hybrid support on OVS.
ovsOvn.dpdkHybrid.resourcesobject
+{
+  "limits": {
+    "cpu": "2",
+    "hugepages-2Mi": "1Gi",
+    "memory": "1000Mi"
+  },
+  "requests": {
+    "cpu": "200m",
+    "memory": "200Mi"
+  }
+}
+
+
ovs-ovn resource limits & requests when DPDK-hybrid is enabled. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
ovsOvn.labelsobject
+{}
+
+
Labels to be added to all top-level ovs-ovn objects (resources under templates/ovs-ovn)
ovsOvn.ovnDirectorystring
+"/etc/origin/ovn"
+
+
Directory on the node where Open Virtual Network (OVN) lives.
ovsOvn.ovsDirectorystring
+"/etc/origin/openvswitch"
+
+
Directory on the node where Open vSwitch (OVS) lives.
ovsOvn.podAnnotationsobject
+{}
+
+
Annotations to be added to ovs-ovn pods.
ovsOvn.podLabelsobject
+{}
+
+
Labels to be added to ovs-ovn pods.
ovsOvn.resourcesobject
+{
+  "limits": {
+    "cpu": "2",
+    "memory": "1000Mi"
+  },
+  "requests": {
+    "cpu": "200m",
+    "memory": "200Mi"
+  }
+}
+
+
ovs-ovn resource limits & requests, overridden if DPDK is enabled. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+

Performance configuration

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
performanceobject
+"{}"
+
+
Performance tuning parameters.
performance.gcIntervalint
+360
+
+
""
performance.inspectIntervalint
+20
+
+
""
performance.ovsVsctlConcurrencyint
+100
+
+
""
+

Ping daemon configuration

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
pingerobject
+"{}"
+
+
Configuration for kube-ovn-pinger, the agent monitoring and returning metrics for OVS/external connectivity.
pinger.annotationsobject
+{}
+
+
Annotations to be added to all top-level kube-ovn-pinger objects (resources under templates/pinger)
pinger.labelsobject
+{}
+
+
Labels to be added to all top-level kube-ovn-pinger objects (resources under templates/pinger)
pinger.metricsobject
+"{}"
+
+
kube-ovn-pinger metrics configuration.
pinger.metrics.portint
+8080
+
+
Configure the port on which the kube-ovn-monitor service will serve metrics.
pinger.podAnnotationsobject
+{}
+
+
Annotations to be added to kube-ovn-pinger pods.
pinger.podLabelsobject
+{}
+
+
Labels to be added to kube-ovn-pinger pods.
pinger.resourcesobject
+{
+  "limits": {
+    "cpu": "200m",
+    "memory": "400Mi"
+  },
+  "requests": {
+    "cpu": "100m",
+    "memory": "100Mi"
+  }
+}
+
+
kube-ovn-pinger resource limits & requests. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
pinger.targetsobject
+"{}"
+
+
Remote targets used by the pinger daemon to determine if the CNI works and has external connectivity.
pinger.targets.externalAddressesobject
+"{}"
+
+
Raw IPv4/6 on which to issue pings.
pinger.targets.externalAddresses.v4string
+"1.1.1.1"
+
+
IPv4 address.
pinger.targets.externalAddresses.v6string
+"2606:4700:4700::1111"
+
+
IPv6 address.
pinger.targets.externalDomainobject
+"{}"
+
+
Domains to resolve and to ping. Make sure the v6 domain resolves both A and AAAA records, while the v4 only resolves A records.
pinger.targets.externalDomain.v4string
+"kube-ovn.io."
+
+
Domain name resolving to an IPv4 only (A record)
pinger.targets.externalDomain.v6string
+"google.com."
+
+
Domain name resolving to an IPv6 and IPv4 only (A/AAAA record)
+

Validating webhook configuration

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
validatingWebhookobject
+"{}"
+
+
Configuration of the validating webhook used to verify custom resources before they are pushed to Kubernetes. Make sure cert-manager is installed for the generation of certificates for the webhook. See https://kubeovn.github.io/docs/stable/en/guide/webhook/
validatingWebhook.annotationsobject
+{}
+
+
Annotations to be added to all top-level kube-ovn-webhook objects (resources under templates/webhook)
validatingWebhook.enabledbool
+false
+
+
Enable the deployment of the validating webhook.
validatingWebhook.labelsobject
+{}
+
+
Labels to be added to all top-level kube-ovn-webhook objects (resources under templates/webhook)
validatingWebhook.podAnnotationsobject
+{}
+
+
Annotations to be added to kube-ovn-webhook pods.
validatingWebhook.podLabelsobject
+{}
+
+
Labels to be added to kube-ovn-webhook pods.
diff --git a/charts/kube-ovn-v2/README.md.gotmpl b/charts/kube-ovn-v2/README.md.gotmpl
new file mode 100644
index 00000000000..617c304a165
--- /dev/null
+++ b/charts/kube-ovn-v2/README.md.gotmpl
@@ -0,0 +1,35 @@
+# Helm chart for Kube-OVN
+
+{{ template "chart.versionBadge" . }} {{ template "chart.versionBadge" . }}
+
+This is the v2 of the Helm Chart, replacing the first version in the long term.
+Make sure to adjust your old values with the new ones and pre-generate your templates with a dry-run to ensure no breaking change occurs.
+
+## How to install Kube-OVN on Talos Linux
+
+To install Kube-OVN on Talos Linux, declare the **OpenvSwitch** module in the `machine` config of your Talos install:
+
+```yaml
+machine:
+ kernel:
+ modules:
+ - name: openvswitch
+```
+
+Then use the following options to install this chart:
+
+```yaml
+ovsOvn:
+ disableModulesManagement: true
+ ovsDirectory: "/var/lib/openvswitch"
+ ovnDirectory: "/var/lib/ovn"
+cni:
+ mountToolingDirectory: false
+```
+
+## How to regenerate this README
+
+This README is generated using [helm-docs](https://github.com/norwoodj/helm-docs). Launch `helm-docs` while in this folder to regenerate the documented values.
+
+{{ template "chart.valuesSectionHtml" . }}
+
diff --git a/charts/kube-ovn-v2/templates/speaker/speaker.yaml b/charts/kube-ovn-v2/templates/speaker/speaker.yaml
index 3ecce4ca008..6d13b717a88 100644
--- a/charts/kube-ovn-v2/templates/speaker/speaker.yaml
+++ b/charts/kube-ovn-v2/templates/speaker/speaker.yaml
@@ -1,14 +1,14 @@
-{{- if .Values.speaker.enabled }}
+{{- if .Values.bgpSpeaker.enabled }}
 kind: DaemonSet
 apiVersion: apps/v1
 metadata:
 name: kube-ovn-speaker
 namespace: {{ .Values.namespace }}
- {{- with .Values.speaker.annotations }}
+ {{- with .Values.bgpSpeaker.annotations }}
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- with .Values.speaker.labels }}
+ {{- with .Values.bgpSpeaker.labels }}
 labels:
 {{- toYaml . | nindent 4 }}
 {{- end }}
@@ -19,14 +19,14 @@ spec:
 app.kubernetes.io/part-of: kube-ovn
 template:
 metadata:
- {{- with .Values.speaker.podAnnotations }}
+ {{- with .Values.bgpSpeaker.podAnnotations }}
 annotations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 labels:
 app.kubernetes.io/name: kube-ovn-speaker
 app.kubernetes.io/part-of: kube-ovn
- {{- with .Values.speaker.podLabels }}
+ {{- with .Values.bgpSpeaker.podLabels }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
 spec:
@@ -50,7 +50,7 @@ spec:
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 command:
 - /kube-ovn/kube-ovn-speaker
- {{- with .Values.speaker.args }}
+ {{- with .Values.bgpSpeaker.args }}
 args:
 {{- toYaml . | trim | nindent 14 }}
 {{- end }}
@@ -59,11 +59,11 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: status.podIP
- {{- with .Values.speaker.resources }}
+ {{- with .Values.bgpSpeaker.resources }}
 resources:
 {{- toYaml . | trim | nindent 12 }}
 {{- end }}
- {{- with .Values.speaker.nodeSelector }}
+ {{- with .Values.bgpSpeaker.nodeSelector }}
 nodeSelector:
 {{- toYaml . | trim | nindent 8 }}
 {{- end }}
diff --git a/charts/kube-ovn-v2/values.yaml b/charts/kube-ovn-v2/values.yaml
index 3c449addcdf..e17b4adf4e6 100644
--- a/charts/kube-ovn-v2/values.yaml
+++ b/charts/kube-ovn-v2/values.yaml
@@ -1,3 +1,5 @@
+# -- Global configuration.
+# @section -- Global parameters
 global:
 registry:
 address: docker.io/kubeovn
@@ -11,89 +13,157 @@ global:
 support_arm: true
 thirdparty: true
+# -- Image configuration.
+# @section -- Global parameters
+# @default -- "{}"
 image:
+ # -- Pull policy for all images.
+ # @section -- Global parameters
 pullPolicy: IfNotPresent
+# -- Name override.
+# @section -- Global parameters
 nameOverride: ""
+# -- Full name override.
+# @section -- Global parameters
 fullnameOverride: ""
-# -- Namespace in which the CNI is deployed
+# -- Namespace in which the CNI is deployed.
+# @section -- Global parameters
 namespace: kube-system
-# -- General configuration of the network created by Kube-OVN
+# -- Comma-separated list of IPs for each master node.
+# @section -- Global parameters
+masterNodes: ""
+# -- Label used to auto-identify masters.
+# @section -- Global parameters
+masterNodesLabel: "kube-ovn/role=master"
+
+# -- General configuration of the network created by Kube-OVN.
+# @section -- Network parameters of the CNI
+# @default -- "{}"
 networking:
- # -- Protocol(s) used by Kube-OVN to allocate IPs to pods and services
- # Can be either IPv4, IPv6 or Dual
+ # -- Protocol(s) used by Kube-OVN to allocate IPs to pods and services.
+ # Can be either IPv4, IPv6 or Dual.
+ # @section -- Network parameters of the CNI
 stack: "IPv4"
- # -- Configuration for the default pod subnet
- # If .networking.stack is set to IPv4, only the .v4 key is used
- # If .networking.stack is set to IPv6, only the .v6 key is used
- # If .networking.stack is set to Dual, both keys are used
+ # -- Configuration for the default pod subnet.
+ # If .networking.stack is set to IPv4, only the .v4 key is used.
+ # If .networking.stack is set to IPv6, only the .v6 key is used.
+ # If .networking.stack is set to Dual, both keys are used.
+ # @section -- Network parameters of the CNI
+ # @default -- "{}"
 pods:
- # -- Name of the pod subnet once it gets generated in the cluster
+ # -- Name of the pod subnet once it gets generated in the cluster.
+ # @section -- Network parameters of the CNI
 subnetName: "ovn-default"
+ # -- CIDR used by the pods subnet.
+ # @section -- Network parameters of the CNI
+ # @default -- "{}"
 cidr:
+ # -- IPv4 CIDR.
+ # @section -- Network parameters of the CNI
 v4: "10.16.0.0/16"
+ # -- IPv6 CIDR.
+ # @section -- Network parameters of the CNI
 v6: "fd00:10:16::/112"
+ # -- Gateways used in the pod subnet.
+ # @section -- Network parameters of the CNI
+ # @default -- "{}"
 gateways:
+ # -- IPv4 gateway.
+ # @section -- Network parameters of the CNI
 v4: "10.16.0.1"
+ # -- IPv6 gateway.
+ # @section -- Network parameters of the CNI
 v6: "fd00:10:16::1"
- # -- Configuration for the service subnet
- # If .networking.stack is set to IPv4, only the .v4 key is used
- # If .networking.stack is set to IPv6, only the .v6 key is used
- # If .networking.stack is set to Dual, both keys are used
+ # -- Configuration for the service subnet.
+ # If .networking.stack is set to IPv4, only the .v4 key is used.
+ # If .networking.stack is set to IPv6, only the .v6 key is used.
+ # If .networking.stack is set to Dual, both keys are used.
+ # @section -- Network parameters of the CNI
+ # @default -- "{}"
 services:
+ # -- CIDR used by the service subnet.
+ # @section -- Network parameters of the CNI
+ # @default -- "{}"
 cidr:
+ # -- IPv4 CIDR.
+ # @section -- Network parameters of the CNI
 v4: "10.96.0.0/12"
+ # -- IPv6 CIDR.
+ # @section -- Network parameters of the CNI
 v6: "fd00:10:96::/112"
- # -- Configuration of the "join" subnet, used by the nodes to contact (join) the pods in the default subnet
- # If .networking.stack is set to IPv4, only the .v4 key is used
- # If .networking.stack is set to IPv6, only the .v6 key is used
- # If .networking.stack is set to Dual, both keys are used
+ # -- Configuration of the "join" subnet, used by the nodes to contact (join) the pods in the default subnet.
+ # If .networking.stack is set to IPv4, only the .v4 key is used.
+ # If .networking.stack is set to IPv6, only the .v6 key is used.
+ # If .networking.stack is set to Dual, both keys are used.
+ # @section -- Network parameters of the CNI
+ # @default -- "{}"
 join:
- # -- Name of the join subnet once it gets generated in the cluster
+ # -- Name of the join subnet once it gets generated in the cluster.
+ # @section -- Network parameters of the CNI
 subnetName: "join"
+ # -- CIDR used by the join subnet.
+ # @section -- Network parameters of the CNI
+ # @default -- "{}"
 cidr:
+ # -- IPv4 CIDR.
+ # @section -- Network parameters of the CNI
 v4: "100.64.0.0/16"
+ # -- IPv6 CIDR.
+ # @section -- Network parameters of the CNI
 v6: "fd00:100:64::/112"
- # -- Name of the default VPC once it is generated in the cluster
- # Pods in the default subnet live in this VPC
+ # -- Name of the default VPC once it is generated in the cluster.
+ # Pods in the default subnet live in this VPC.
+ # @section -- Network parameters of the CNI
 defaultVpcName: "ovn-cluster"
- # -- Deploy the CNI with SSL encryption in between components
+ # -- Deploy the CNI with SSL encryption in between components.
+ # @section -- Network parameters of the CNI
 enableSsl: false
- # -- Network type can be geneve or vlan
+ # -- Network type can be "geneve" or "vlan".
+ # @section -- Network parameters of the CNI
 networkType: geneve
- # -- Tunnel type can be geneve, vxlan or stt
+ # -- Tunnel type can be "geneve", "vxlan" or "stt".
+ # @section -- Network parameters of the CNI
 tunnelType: geneve
- # -- IPs to exclude from IPAM in the default subnet
+ # -- IPs to exclude from IPAM in the default subnet.
+ # @section -- Network parameters of the CNI
 excludeIps: ""
- # -- NIC type used on pods to connect them to the CNI
+ # -- NIC type used on pods to connect them to the CNI.
+ # @section -- Network parameters of the CNI
 podNicType: "veth-pair"
- # -- Enable EIP and SNAT
+ # -- Enable EIP and SNAT.
+ # @section -- Network parameters of the CNI
 enableEipSnat: true
- # -- Comma-separated string of NodeLocal DNS IP addresses
+ # -- Comma-separated string of NodeLocal DNS IP addresses.
+ # @section -- Network parameters of the CNI
 nodeLocalDnsIp: ""
- # -- Enable listening on the metrics endpoint for the CNI daemons
+ # -- Enable listening on the metrics endpoint for the CNI daemons.
+ # @section -- Network parameters of the CNI
 enableMetrics: true
- # -- Configuration if we're running on top of a VLAN
+ # -- Configuration if we're running on top of a VLAN.
+ # @section -- Network parameters of the CNI
 vlan:
 providerName: "provider"
 interfaceName: ""
 name: "ovn-vlan"
 id: "100"
+ # -- ""
+ # @section -- Network parameters of the CNI
 exchangeLinkName: false
+ # -- ""
+ # @section -- Network parameters of the CNI
 enableEcmp: false
+ # -- ""
+ # @section -- Network parameters of the CNI
 enableCompact: false
-# -- Comma-separated list of IPs for each master node
-masterNodes: ""
-# -- Label used to auto-identify masters
-masterNodesLabel: "kube-ovn/role=master"
-
-# -- Features of Kube-OVN we wish to enable/disable
+# -- Features of Kube-OVN we wish to enable/disable.
+# @section -- Opt-in/out Features
 features:
 ENABLE_LB: true
 ENABLE_NP: true
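Review bot: The `# -- ""` lines added for `exchangeLinkName`, `enableEcmp` and `enableCompact` near the end of this hunk are placeholder descriptions; helm-docs copies them verbatim, and the README regenerated in this same commit shows `""` as the description of exactly those three keys, so they are published but explain nothing. Each needs a real one-liner (what the flag switches on and what the default means), or the `# --` line should be dropped so the key is not listed with an empty description. On a smaller point, the `# @default -- "{}"` annotations introduced here for `image`, `networking`, `pods`, `cidr`, `gateways`, `services` and `join` (and on the parent objects in the following hunks) are rendered with their quotes, so the README shows a default of `"{}"` for these while a genuinely empty mapping such as `podLabels` shows `{}`; an unquoted `# @default -- {}` or a short phrase such as `# @default -- see the keys below` would read consistently.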
@@ -119,86 +189,132 @@ features:
 ENABLE_LIVE_MIGRATION_OPTIMIZE: true
 ENABLE_OVN_LB_PREFER_LOCAL: false
-# -- CNI binary/configuration injected on the nodes
+# -- CNI binary/configuration injected on the nodes.
+# @section -- CNI configuration
+# @default -- "{}"
 cni:
- # -- Location of the CNI configuration on the node
+ # -- Location of the CNI configuration on the node.
+ # @section -- CNI configuration
 configDirectory: "/etc/cni/net.d"
- # -- Location on the node where the agent will inject the Kube-OVN binary
+ # -- Location on the node where the agent will inject the Kube-OVN binary.
+ # @section -- CNI configuration
 binaryDirectory: "/opt/cni/bin"
- # -- Location of the CNI configuration inside the agent's pod
+ # -- Location of the CNI configuration inside the agent's pod.
+ # @section -- CNI configuration
 localConfigFile: "/kube-ovn/01-kube-ovn.conflist"
- # -- Location on the node where the CNI will install Kube-OVN's tooling
+ # -- Location on the node where the CNI will install Kube-OVN's tooling.
+ # @section -- CNI configuration
 toolingDirectory: "/usr/local/bin"
- # -- Whether to mount the node's tooling directory into the pod
+ # -- Whether to mount the node's tooling directory into the pod.
+ # @section -- CNI configuration
 mountToolingDirectory: false
- # -- Priority of Kube-OVN within the CNI configuration directory on the node
- # Should be a string representing a double-digit integer
+ # -- Priority of Kube-OVN within the CNI configuration directory on the node.
+ # Should be a string representing a double-digit integer.
+ # @section -- CNI configuration
 configPriority: "01"
 # -- Configuration of the validating webhook used to verify custom resources before they are pushed to Kubernetes.
-# Make sure cert-manager is installed for the generation of certificates for the webhook
+# Make sure cert-manager is installed for the generation of certificates for the webhook.
 # See https://kubeovn.github.io/docs/stable/en/guide/webhook/
+# @section -- Validating webhook configuration
+# @default -- "{}"
 validatingWebhook:
- # -- Enable the deployment of the validating webhook
+ # -- Enable the deployment of the validating webhook.
+ # @section -- Validating webhook configuration
 enabled: false
 # -- Annotations to be added to all top-level kube-ovn-webhook objects (resources under templates/webhook)
+ # @section -- Validating webhook configuration
 annotations: {}
 # -- Labels to be added to all top-level kube-ovn-webhook objects (resources under templates/webhook)
+ # @section -- Validating webhook configuration
 labels: {}
- # -- Annotations to be added to kube-ovn-webhook pods
+ # -- Annotations to be added to kube-ovn-webhook pods.
+ # @section -- Validating webhook configuration
 podAnnotations: {}
- # -- Labels to be added to kube-ovn-webhook pods
+ # -- Labels to be added to kube-ovn-webhook pods.
+ # @section -- Validating webhook configuration
 podLabels: {}
-# -- Configuration for the NAT gateways
+# -- Configuration for the NAT gateways.
+# @section -- NAT gateways configuration
+# @default -- "{}"
 natGw:
- # -- Prefix appended to the name of the NAT gateways when generating the Pods
+ # -- Prefix appended to the name of the NAT gateways when generating the Pods.
 # If this value is changed after NAT GWs have been provisioned, every NAT gateway will need to be
- # manually destroyed and recreated
+ # manually destroyed and recreated.
+ # @section -- NAT gateways configuration
 namePrefix: "vpc-nat-gw"
- # -- Configuration of the BGP sidecar for when a NAT gateway is running in BGP mode
+ # -- Configuration of the BGP sidecar for when a NAT gateway is running in BGP mode.
+ # @section -- NAT gateways configuration
+ # @default -- "{}"
 bgpSpeaker:
- # -- Image used by the NAT gateway sidecar
+ # -- Image used by the NAT gateway sidecar.
+ # @section -- NAT gateways configuration
+ # @default -- "{}"
 image:
+ # -- Image repository.
+ # @section -- NAT gateways configuration
 repository: docker.io/kubeovn/kube-ovn
+ # -- Image tag.
+ # @section -- NAT gateways configuration
 tag: v1.14.0
+ # -- Image pull policy.
+ # @section -- NAT gateways configuration
 pullPolicy: IfNotPresent
- # -- Network attachment definition used to reach the API server when running on BGP mode
- # By default, equals the value set at ".apiNad.provider", you will need to set ".apiNad.enabled" to true
+ # -- Network attachment definition used to reach the API server when running on BGP mode.
+ # By default, equals the value set at ".apiNad.provider", you will need to set ".apiNad.enabled" to true.
 # See https://kubeovn.github.io/docs/stable/en/advance/with-bgp/
+ # @section -- NAT gateways configuration
 apiNadProvider: "{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn"
-# -- API NetworkAttachmentDefinition to give some pods (CoreDNS, NAT GW) in custom VPCs access to the K8S API
-# This requires Multus to be installed
+# -- API NetworkAttachmentDefinition to give some pods (CoreDNS, NAT GW) in custom VPCs access to the K8S API.
+# This requires Multus to be installed.
+# @section -- API Network Attachment Definition configuration
+# @default -- "{}"
 apiNad:
- # -- Enable the creation of the API NAD
+ # -- Enable the creation of the API NAD.
+ # @section -- API Network Attachment Definition configuration
 enabled: false
- # -- Name of the NAD
+ # -- Name of the NAD.
+ # @section -- API Network Attachment Definition configuration
 name: ovn-kubernetes-api
- # -- Name of the provider, must be in the form "nadName.nadNamespace.ovn"
+ # -- Name of the provider, must be in the form "nadName.nadNamespace.ovn".
+ # @section -- API Network Attachment Definition configuration
 provider: "{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn"
- # -- Subnet associated with the NAD, it will have full access to the API server
+ # -- Subnet associated with the NAD, it will have full access to the API server.
+ # @section -- API Network Attachment Definition configuration
+ # @default -- "{}"
 subnet:
- # -- Name of the subnet
+ # -- Name of the subnet.
+ # @section -- API Network Attachment Definition configuration
 name: ovn-kubernetes-api
- # -- Protocol for the API subnet
+ # -- Protocol for the API subnet.
+ # @section -- API Network Attachment Definition configuration
 protocol: Dual
- # -- CIDR block used by the API subnet
+ # -- CIDR block used by the API subnet.
+ # @section -- API Network Attachment Definition configuration
 cidrBlock: 100.100.0.0/16,fd00:100:100::/112
-# -- Configuration for ovs-ovn, the Open vSwitch/Open Virtual Network daemons
+# -- Configuration for ovs-ovn, the Open vSwitch/Open Virtual Network daemons.
+# @section -- OVS/OVN daemons configuration
+# @default -- "{}"
 ovsOvn:
 # -- Annotations to be added to all top-level ovs-ovn objects (resources under templates/ovs-ovn)
+ # @section -- OVS/OVN daemons configuration
 annotations: {}
 # -- Labels to be added to all top-level ovs-ovn objects (resources under templates/ovs-ovn)
+ # @section -- OVS/OVN daemons configuration
 labels: {}
- # -- Annotations to be added to ovs-ovn pods
+ # -- Annotations to be added to ovs-ovn pods.
+ # @section -- OVS/OVN daemons configuration
 podAnnotations: {}
- # -- Labels to be added to ovs-ovn pods
+ # -- Labels to be added to ovs-ovn pods.
+ # @section -- OVS/OVN daemons configuration
 podLabels: {}
- # -- ovs-ovn resource limits & requests, overridden if DPDK is enabled
+ # -- ovs-ovn resource limits & requests, overridden if DPDK is enabled.
 # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ # @section -- OVS/OVN daemons configuration
 resources:
 requests:
 cpu: "200m"
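Review bot: The reworded comment on `natGw.bgpSpeaker.apiNadProvider` still says the value "equals the value set at .apiNad.provider" by default, but the value on the unchanged line beneath it is an independent copy of the same template string, so overriding `apiNad.provider` alone leaves this key pointing at the old NAD. Unless the chart derives one from the other somewhere not visible in this diff, the comment should say what actually happens, e.g. `# By default, uses the same template as ".apiNad.provider"; if you override one, override the other as well. ".apiNad.enabled" must be set to true.`. Separately, the descriptions kept as context lines for `validatingWebhook.annotations`/`labels` and `ovsOvn.annotations`/`labels` still end without a period while every description this hunk rewrites gains one, and the generated README carries that inconsistency over.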
@@ -207,29 +323,40 @@ ovsOvn:
 cpu: "2"
 memory: "1000Mi"
- # -- Disable auto-loading of kernel modules by OVS
- # If this is disabled, you will have to enable the Open vSwitch kernel module yourself
+ # -- Disable auto-loading of kernel modules by OVS.
+ # If this is disabled, you will have to enable the Open vSwitch kernel module yourself.
+ # @section -- OVS/OVN daemons configuration
 disableModulesManagement: false
- # -- Directory on the node where Open vSwitch (OVS) lives
+ # -- Directory on the node where Open vSwitch (OVS) lives.
+ # @section -- OVS/OVN daemons configuration
 ovsDirectory: "/etc/origin/openvswitch"
- # -- Directory on the node where Open Virtual Network (OVN) lives
+ # -- Directory on the node where Open Virtual Network (OVN) lives.
+ # @section -- OVS/OVN daemons configuration
 ovnDirectory: "/etc/origin/ovn"
+ # @section -- OVS/OVN daemons configuration.
 ovnRemoteProbeInterval: 10000
+ # @section -- OVS/OVN daemons configuration.
 ovnRemoteOpenflowInterval: 180
+ # @section -- OVS/OVN daemons configuration.
 probeInterval: 180000
- # -- DPDK support for OVS
+ # -- DPDK support for OVS.
 # ref: https://kubeovn.github.io/docs/v1.12.x/en/advance/dpdk/
+ # @section -- OVS/OVN daemons configuration
+ # @default -- "{}"
 dpdk:
- # -- Enables DPDK support on OVS
+ # -- Enables DPDK support on OVS.
+ # @section -- OVS/OVN daemons configuration
 enabled: false
- # -- Version of the DPDK image
+ # -- Version of the DPDK image.
+ # @section -- OVS/OVN daemons configuration
 version: "19.11"
- # -- ovs-ovn resource limits & requests when DPDK is enabled
+ # -- ovs-ovn resource limits & requests when DPDK is enabled.
 # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ # @section -- OVS/OVN daemons configuration
 resources:
 requests:
 cpu: "1000m"
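Review bot: `ovnRemoteProbeInterval`, `ovnRemoteOpenflowInterval` and `probeInterval` each receive only a `# @section` line, with no `# --` description, so helm-docs does not document them at all — the regenerated OVS/OVN table earlier in this commit lists none of the three — and the section name on those three lines carries a trailing period (`OVS/OVN daemons configuration.`), which helm-docs would treat as a section distinct from the `OVS/OVN daemons configuration` used on every other key. Give each key a description that states what the interval governs and its unit, in the form `# -- <what this interval controls, in <unit>>` followed by `# @section -- OVS/OVN daemons configuration` without the period; the units are not stated anywhere in this diff, so they need to come from the daemon's documentation rather than be guessed from the magnitudes.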
@@ -239,13 +366,17 @@ ovsOvn: cpu: "1000m" memory: "1000Mi" - # -- DPDK-hybrid support for OVS + # -- DPDK-hybrid support for OVS. # ref: https://kubeovn.github.io/docs/v1.12.x/en/advance/dpdk/ + # @section -- OVS/OVN daemons configuration + # @default -- "{}" dpdkHybrid: - # -- Enables DPDK-hybrid support on OVS + # -- Enables DPDK-hybrid support on OVS. + # @section -- OVS/OVN daemons configuration enabled: false - # -- ovs-ovn resource limits & requests when DPDK-hybrid is enabled + # -- ovs-ovn resource limits & requests when DPDK-hybrid is enabled. # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + # @section -- OVS/OVN daemons configuration resources: requests: cpu: "200m" 
@@ -255,51 +386,68 @@ ovsOvn: cpu: "2" memory: "1000Mi" -# -- Configuration for kube-ovn-speaker, the BGP speaker announcing routes to the external world -speaker: - # -- Enable the kube-ovn-speaker +# -- Configuration for kube-ovn-speaker, the BGP speaker announcing routes to the external world. +# @section -- BGP speaker configuration +# @default -- "{}" +bgpSpeaker: + # -- Enable the kube-ovn-speaker. + # @section -- BGP speaker configuration enabled: false # -- Annotations to be added to all top-level kube-ovn-speaker objects (resources under templates/speaker) + # @section -- BGP speaker configuration annotations: {} # -- Labels to be added to all top-level kube-ovn-speaker objects (resources under templates/speaker) + # @section -- BGP speaker configuration labels: {} - # -- Annotations to be added to kube-ovn-speaker pods + # -- Annotations to be added to kube-ovn-speaker pods. + # @section -- BGP speaker configuration podAnnotations: {} - # -- Labels to be added to kube-ovn-speaker pods + # -- Labels to be added to kube-ovn-speaker pods. + # @section -- BGP speaker configuration podLabels: {} - # -- kube-ovn-speaker resource limits & requests + # -- kube-ovn-speaker resource limits & requests. # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + # @section -- BGP speaker configuration resources: requests: cpu: "500m" memory: "300Mi" limits: {} - # -- Node selector to restrict the deployment of the speaker to specific nodes + # -- Node selector to restrict the deployment of the speaker to specific nodes. + # @section -- BGP speaker configuration nodeSelector: {} # kubernetes.io/os: "linux" # ovn.kubernetes.io/bgp: "true" - # Args passed to the kube-ovn-speaker pod + # -- Args passed to the kube-ovn-speaker pod. 
+ # @section -- BGP speaker configuration args: [] # - --neighbor-address=10.32.32.1 # - --neighbor-as=65030 # - --cluster-as=65000 -# -- Configuration for kube-ovn-pinger, the agent monitoring and returning metrics for OVS/external connectivity +# -- Configuration for kube-ovn-pinger, the agent monitoring and returning metrics for OVS/external connectivity. +# @section -- Ping daemon configuration +# @default -- "{}" pinger: # -- Annotations to be added to all top-level kube-ovn-pinger objects (resources under templates/pinger) + # @section -- Ping daemon configuration annotations: {} # -- Labels to be added to all top-level kube-ovn-pinger objects (resources under templates/pinger) + # @section -- Ping daemon configuration labels: {} - # -- Annotations to be added to kube-ovn-pinger pods + # -- Annotations to be added to kube-ovn-pinger pods. + # @section -- Ping daemon configuration podAnnotations: {} - # -- Labels to be added to kube-ovn-pinger pods + # -- Labels to be added to kube-ovn-pinger pods. + # @section -- Ping daemon configuration podLabels: {} - # -- kube-ovn-pinger resource limits & requests + # -- kube-ovn-pinger resource limits & requests. # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + # @section -- Ping daemon configuration resources: requests: cpu: "100m" 
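Review bot: Renaming the top-level key from `speaker` to `bgpSpeaker` changes the values schema, and the templates under templates/speaker that the block's own comment points to are not part of this hunk; if any of them still read `.Values.speaker.enabled`, that lookup now yields nil and the BGP speaker silently stops rendering for anyone who installs with the new chart. Confirm those templates reference `.Values.bgpSpeaker`, and consider a loud guard for stale values files, e.g. `{{- if .Values.speaker }}{{ fail "values key 'speaker' was renamed to 'bgpSpeaker'" }}{{- end }}`, so an upgrade carrying the old key aborts instead of quietly dropping route announcements.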
@@ -308,36 +456,60 @@ pinger: cpu: "200m" memory: "400Mi" - # -- kube-ovn-pinger metrics configuration + # -- kube-ovn-pinger metrics configuration. + # @section -- Ping daemon configuration + # @default -- "{}" metrics: - # -- Configure the port on which the kube-ovn-monitor service will serve metrics + # -- Configure the port on which the kube-ovn-monitor service will serve metrics. + # @section -- Ping daemon configuration port: 8080 - # -- Remote targets used by the pinger daemon to determine if the CNI works and has external connectivity + # -- Remote targets used by the pinger daemon to determine if the CNI works and has external connectivity. + # @section -- Ping daemon configuration + # @default -- "{}" targets: - # -- Raw IPv4/6 on which to issue pings + # -- Raw IPv4/6 on which to issue pings. + # @section -- Ping daemon configuration + # @default -- "{}" externalAddresses: + # -- IPv4 address. + # @section -- Ping daemon configuration v4: "1.1.1.1" + # -- IPv6 address. + # @section -- Ping daemon configuration v6: "2606:4700:4700::1111" - # -- Domains to resolve and to ping - # Make sure the v6 domain resolves both A and AAAA records, while the v4 only resolves A records + # -- Domains to resolve and to ping. + # Make sure the v6 domain resolves both A and AAAA records, while the v4 only resolves A records. + # @section -- Ping daemon configuration + # @default -- "{}" externalDomain: + # -- Domain name resolving to an IPv4 only (A record) + # @section -- Ping daemon configuration v4: "kube-ovn.io." + # -- Domain name resolving to an IPv6 and IPv4 only (A/AAAA record) + # @section -- Ping daemon configuration v6: "google.com." -# -- Configuration for kube-ovn-monitor, the agent monitoring and returning metrics for the northbound/southbound DBs and northd +# -- Configuration for kube-ovn-monitor, the agent monitoring and returning metrics for the northbound/southbound DBs and northd. 
+# @section -- OVN monitoring daemon configuration +# @default -- "{}" monitor: # -- Annotations to be added to all top-level kube-ovn-monitor objects (resources under templates/monitor) + # @section -- OVN monitoring daemon configuration annotations: {} # -- Labels to be added to all top-level kube-ovn-monitor objects (resources under templates/monitor) + # @section -- OVN monitoring daemon configuration labels: {} - # -- Annotations to be added to kube-ovn-monitor pods + # -- Annotations to be added to kube-ovn-monitor pods. + # @section -- OVN monitoring daemon configuration podAnnotations: {} - # -- Labels to be added to kube-ovn-monitor pods + # -- Labels to be added to kube-ovn-monitor pods. + # @section -- OVN monitoring daemon configuration podLabels: {} - # -- kube-ovn-monitor resource limits & requests + # -- kube-ovn-monitor resource limits & requests. # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + # @section -- OVN monitoring daemon configuration resources: requests: cpu: "200m" 
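Review bot: The description on `pinger.metrics.port` still reads `Configure the port on which the kube-ovn-monitor service will serve metrics.`, copied from the monitor block; it should be `# -- Port on which the kube-ovn-pinger service will serve metrics.` The `externalDomain.v6` text, `Domain name resolving to an IPv6 and IPv4 only (A/AAAA record)`, contradicts itself, while the sentence above it says the v6 target must resolve both A and AAAA, so `# -- Domain name resolving to both A and AAAA records.` states the intent. Since the defaults send ICMP and DNS queries to third-party endpoints (`1.1.1.1`, `google.com.`), a one-line note that clusters without Internet egress must override `targets` would spare operators a permanent false connectivity alarm.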
@@ -346,24 +518,34 @@ monitor: cpu: "200m" memory: "200Mi" - # -- kube-ovn-monitor metrics configuration + # -- kube-ovn-monitor metrics configuration. + # @section -- OVN monitoring daemon configuration + # @default -- "{}" metrics: - # -- Configure the port on which the kube-ovn-monitor service will serve metrics + # -- Configure the port on which the kube-ovn-monitor service will serve metrics. + # @section -- OVN monitoring daemon configuration port: 10661 -# -- Configuration for kube-ovn-controller, the controller responsible for syncing K8s with OVN +# -- Configuration for kube-ovn-controller, the controller responsible for syncing K8s with OVN. +# @section -- Kube-OVN controller configuration +# @default -- "{}" controller: # -- Annotations to be added to all top-level kube-ovn-controller objects (resources under templates/controller) + # @section -- Kube-OVN controller configuration annotations: {} # -- Labels to be added to all top-level kube-ovn-controller objects (resources under templates/controller) + # @section -- Kube-OVN controller configuration labels: {} - # -- Annotations to be added to kube-ovn-controller pods + # -- Annotations to be added to kube-ovn-controller pods. + # @section -- Kube-OVN controller configuration podAnnotations: {} - # -- Labels to be added to kube-ovn-controller pods + # -- Labels to be added to kube-ovn-controller pods. + # @section -- Kube-OVN controller configuration podLabels: {} - # -- kube-ovn-controller resource limits & requests + # -- kube-ovn-controller resource limits & requests. # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + # @section -- Kube-OVN controller configuration resources: requests: cpu: "200m" 
@@ -372,24 +554,34 @@ controller: cpu: "1000m" memory: "1Gi" - # -- Controller metrics configuration + # -- Controller metrics configuration. + # @section -- Kube-OVN controller configuration + # @default -- "{}" metrics: - # -- Configure the port on which the controller service will serve metrics + # -- Configure the port on which the controller service will serve metrics. + # @section -- Kube-OVN controller configuration port: 10660 -# -- Configuration for ovn-central, the daemon containing the northbound/southbound DBs and northd +# -- Configuration for ovn-central, the daemon containing the northbound/southbound DBs and northd. +# @section -- OVN-central daemon configuration +# @default -- "{}" central: # -- Annotations to be added to all top-level ovn-central objects (resources under templates/central) + # @section -- OVN-central daemon configuration annotations: {} # -- Labels to be added to all top-level ovn-central objects (resources under templates/central) + # @section -- OVN-central daemon configuration labels: {} - # -- Annotations to be added to ovn-central pods + # -- Annotations to be added to ovn-central pods. + # @section -- OVN-central daemon configuration podAnnotations: {} - # -- Labels to be added to ovn-central pods + # -- Labels to be added to ovn-central pods. + # @section -- OVN-central daemon configuration podLabels: {} - # -- ovn-central resource limits & requests + # -- ovn-central resource limits & requests. # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + # @section -- OVN-central daemon configuration resources: requests: cpu: "300m" 
@@ -398,23 +590,36 @@ central: cpu: "3" memory: "4Gi" + # -- "" + # @section -- OVN-central daemon configuration. ovnNorthdProbeInterval: 5000 + # -- "" + # @section -- OVN-central daemon configuration. ovnNorthdNThreads: 1 + # -- "" + # @section -- OVN-central daemon configuration. ovnLeaderProbeInterval: 5 -# -- Configuration for kube-ovn-cni, the agent responsible for handling CNI requests from the CRI +# -- Configuration for kube-ovn-cni, the agent responsible for handling CNI requests from the CRI. +# @section -- CNI agent configuration +# @default -- "{}" agent: # -- Annotations to be added to all top-level agent objects (resources under templates/agent) + # @section -- CNI agent configuration annotations: {} # -- Labels to be added to all top-level agent objects (resources under templates/agent) + # @section -- CNI agent configuration labels: {} # -- Annotations to be added to the agent pods (kube-ovn-cni) + # @section -- CNI agent configuration podAnnotations: {} # -- Labels to be added to the agent pods (kube-ovn-cni) + # @section -- CNI agent configuration podLabels: {} - # -- Agent daemon resource limits & requests + # -- Agent daemon resource limits & requests. # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + # @section -- CNI agent configuration resources: requests: cpu: "100m" 
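Review bot: `ovnNorthdProbeInterval`, `ovnNorthdNThreads` and `ovnLeaderProbeInterval` are documented as `# -- ""`, which helm-docs renders as a literal empty description, and their `# @section -- OVN-central daemon configuration.` tag ends in a period while the rest of the block's tags do not, so the three keys would be split into their own section of the generated README. Replace each placeholder with a real sentence naming what the probe governs and in which unit (the defaults `5000` and `5` appear to be in different units, which is exactly what a reader needs spelled out) and drop the trailing period.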
@@ -423,40 +628,66 @@ agent: cpu: "1000m" memory: "1Gi" - # -- Agent metrics configuration + # -- Agent metrics configuration. + # @section -- CNI agent configuration + # @default -- "{}" metrics: - # -- Configure the port on which the agent service will serve metrics + # -- Configure the port on which the agent service will serve metrics. + # @section -- CNI agent configuration port: 10665 - # -- Mirroring of the traffic for debug or analysis + # -- Mirroring of the traffic for debug or analysis. # https://kubeovn.github.io/docs/stable/en/guide/mirror/ + # @section -- CNI agent configuration + # @default -- "{}" mirroring: - # -- Enable mirroring of the traffic + # -- Enable mirroring of the traffic. + # @section -- CNI agent configuration enabled: false - # -- Interface on which to send the mirrored traffic + # -- Interface on which to send the mirrored traffic. + # @section -- CNI agent configuration interface: mirror0 + # -- "" + # @section -- CNI agent configuration. interface: "" + # -- "" + # @section -- CNI agent configuration. dpdkTunnelInterface: "br-phy" -# -- Kubelet configuration +# -- Kubelet configuration. +# @section -- Kubelet configuration +# @default -- "{}" kubelet: - # -- Directory in which the kubelet operates + # -- Directory in which the kubelet operates. + # @section -- Kubelet configuration directory: "/var/lib/kubelet" -# -- Logging configuration for all the daemons +# -- Logging configuration for all the daemons. +# @section -- Logging configuration +# @default -- "{}" logging: - # -- Directory in which to write the logs + # -- Directory in which to write the logs. + # @section -- Kubelet configuration directory: "/var/log" -# -- Performance tuning parameters +# -- Performance tuning parameters. 
+# @section -- Performance configuration +# @default -- "{}" performance: + # -- "" + # @section -- Performance configuration gcInterval: 360 + # -- "" + # @section -- Performance configuration inspectInterval: 20 + # -- "" + # @section -- Performance configuration ovsVsctlConcurrency: 100 -# -- Array of extra K8s manifests to deploy -## Note: Supports use of custom Helm templates (Go templating) +# -- Array of extra K8s manifests to deploy. +# Note: Supports use of custom Helm templates (Go templating) +# @section -- Extra objects extraObjects: [] # - apiVersion: v1 # kind: ConfigMap From c78adfe450a6e783a5f96f1f6ef6b1057394dc5d Mon Sep 17 00:00:00 2001 From: SkalaNetworks Date: Sun, 27 Apr 2025 11:08:13 +0200 Subject: [PATCH 3/4] feat(helm): make master detection cleaner Signed-off-by: SkalaNetworks --- charts/kube-ovn-v2/templates/_helpers.tpl | 20 +++++++++++-------- .../templates/agent/agent-daemonset.yaml | 2 +- .../templates/central/central-deployment.yaml | 6 ++---- .../controller/controller-deployment.yaml | 2 +- .../templates/hooks/upgrade-ovs-ovn.yaml | 2 +- .../templates/ic/ic-controller-deploy.yaml | 2 +- .../templates/monitor/monitor-deployment.yaml | 4 +--- .../templates/ovs-ovn/ovs-ovn-daemonset.yaml | 2 +- .../ovs-ovn/ovs-ovn-dpdk-daemonset.yaml | 2 +- charts/kube-ovn-v2/values.yaml | 9 +++++++-- 10 files changed, 28 insertions(+), 23 deletions(-) diff --git a/charts/kube-ovn-v2/templates/_helpers.tpl b/charts/kube-ovn-v2/templates/_helpers.tpl index 39c7dd8cf5d..7b358e58055 100644 --- a/charts/kube-ovn-v2/templates/_helpers.tpl +++ b/charts/kube-ovn-v2/templates/_helpers.tpl 
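Review bot: `logging.directory` is tagged `# @section -- Kubelet configuration` although it sits under the `logging` block whose own tag is `Logging configuration`, so the generated docs would list the log directory among kubelet settings; it should be `# @section -- Logging configuration`. The same hunk introduces `# -- ""` placeholders and trailing-period section names on `agent.interface`, `agent.dpdkTunnelInterface` and the three `performance` keys (`gcInterval`, `inspectInterval`, `ovsVsctlConcurrency`), which render as empty descriptions and detach those keys from their sections; a one-line description and a tag without the period fixes both.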
@@ -61,13 +61,8 @@ Get IP-addresses of master nodes {{- $nodes := lookup "v1" "Node" "" "" -}} {{- $ips := list -}} {{- range $node := $nodes.items -}} - {{- $label := splitList "=" $.Values.masterNodesLabel}} - {{- $key := index $label 0 }} - {{- $val := "" }} - {{- if eq (len $label) 2 }} - {{- $val = index $label 1 }} - {{- end }} - {{- if eq (index $node.metadata.labels $key) $val -}} + {{- range $label, $value := $.Values.masterNodesLabels }} + {{- if eq (index $node.metadata.labels $label) $value -}} {{- range $address := $node.status.addresses -}} {{- if eq $address.type "InternalIP" -}} {{- $ips = append $ips $address.address -}} @@ -75,6 +70,7 @@ Get IP-addresses of master nodes {{- end -}} {{- end -}} {{- end -}} + {{- end }} {{- end -}} {{ join "," $ips }} {{- end -}} @@ -83,9 +79,17 @@ Get IP-addresses of master nodes Number of master nodes */}} {{- define "kubeovn.nodeCount" -}} - {{- len (split "," (.Values.masterNodes| default (include "kubeovn.nodeIPs" .))) }} + {{- len (split "," ((join "," .Values.masterNodes) | default (include "kubeovn.nodeIPs" .))) }} {{- end -}} +{{/* +Get IPs of master nodes from values +*/}} +{{- define "kubeovn.masterNodes" -}} + {{- join "," .Values.masterNodes }} +{{- end -}} + + {{- define "kubeovn.ovs-ovn.updateStrategy" -}} {{- $ds := lookup "apps/v1" "DaemonSet" $.Values.namespace "ovs-ovn" -}} {{- if $ds -}} diff --git a/charts/kube-ovn-v2/templates/agent/agent-daemonset.yaml b/charts/kube-ovn-v2/templates/agent/agent-daemonset.yaml index 0003f238fb1..ea475333272 100644 --- a/charts/kube-ovn-v2/templates/agent/agent-daemonset.yaml +++ b/charts/kube-ovn-v2/templates/agent/agent-daemonset.yaml @@ -202,7 +202,7 @@ spec: - mountPath: /etc/localtime name: localtime readOnly: true - {{- if .Values.func.ENABLE_OVN_IPSEC }} + {{- if .Values.features.ENABLE_OVN_IPSEC }} - mountPath: /etc/ovs_ipsec_keys name: ovs-ipsec-keys {{- end }} 
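Review bot: In `kubeovn.nodeIPs` the inner `range $label, $value := $.Values.masterNodesLabels` appends the node's InternalIP once per matching label, so a node carrying two of the configured labels (the values file itself suggests pairing `kube-ovn/role` with `node-role.kubernetes.io/control-plane`) appears twice in `NODE_IPS`/`OVN_DB_IPS` and inflates `kubeovn.nodeCount`. Deduplicate before joining, `{{ join "," (uniq $ips) }}`, or leave the label loop after the first match. For a node that lacks one of the labels, `index` yields nil and `eq nil "master"` should evaluate to false on current Helm builds rather than abort rendering, but that is worth confirming with a `helm template` run against a node set that mixes labelled and unlabelled nodes. The define starts before this hunk; `{{- $nodes := lookup ... }}` is its first visible line.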
diff --git a/charts/kube-ovn-v2/templates/central/central-deployment.yaml b/charts/kube-ovn-v2/templates/central/central-deployment.yaml index 91aa2390c04..832e3f71dc6 100644 --- a/charts/kube-ovn-v2/templates/central/central-deployment.yaml +++ b/charts/kube-ovn-v2/templates/central/central-deployment.yaml @@ -95,7 +95,7 @@ spec: - name: ENABLE_SSL value: "{{ .Values.networking.enableSsl }}" - name: NODE_IPS - value: "{{ .Values.masterNodes| default (include "kubeovn.nodeIPs" .) }}" + value: "{{ include "kubeovn.masterNodes" . | default (include "kubeovn.nodeIPs" .) }}" - name: POD_IP valueFrom: fieldRef: @@ -160,9 +160,7 @@ spec: timeoutSeconds: 45 nodeSelector: kubernetes.io/os: "linux" - {{- with splitList "=" .Values.masterNodesLabel}} - {{ index . 0 }}: "{{ if eq (len .) 2 }}{{ index . 1 }}{{ end }}" - {{- end }} + {{ .Values.masterNodesLabels | toYaml | nindent 8 }} volumes: - name: host-run-ovn hostPath: diff --git a/charts/kube-ovn-v2/templates/controller/controller-deployment.yaml b/charts/kube-ovn-v2/templates/controller/controller-deployment.yaml index 97b4b39bc3d..3fd27ffe891 100644 --- a/charts/kube-ovn-v2/templates/controller/controller-deployment.yaml +++ b/charts/kube-ovn-v2/templates/controller/controller-deployment.yaml @@ -185,7 +185,7 @@ spec: fieldRef: fieldPath: spec.nodeName - name: OVN_DB_IPS - value: "{{ .Values.masterNodes| default (include "kubeovn.nodeIPs" .) }}" + value: "{{ include "kubeovn.masterNodes" . | default (include "kubeovn.nodeIPs" .) }}" - name: POD_IP valueFrom: fieldRef: diff --git a/charts/kube-ovn-v2/templates/hooks/upgrade-ovs-ovn.yaml b/charts/kube-ovn-v2/templates/hooks/upgrade-ovs-ovn.yaml index 37fc598c861..ba49a894097 100644 --- a/charts/kube-ovn-v2/templates/hooks/upgrade-ovs-ovn.yaml +++ b/charts/kube-ovn-v2/templates/hooks/upgrade-ovs-ovn.yaml 
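Review bot: The new ovn-central nodeSelector emits every entry of `masterNodesLabels`, so scheduling requires all of the labels, whereas `kubeovn.nodeIPs` treats a node as a master when any one of them matches; with more than one label configured, the database pods can be pinned to a subset of the nodes whose IPs are advertised in `NODE_IPS`, leaving OVN clients pointed at addresses where no database runs. Either make the helper require all labels or state in values.yaml that discovery is OR-ed and placement is AND-ed. Separately, `{{ .Values.masterNodesLabels | toYaml | nindent 8 }}` without a left trim leaves a whitespace-only line under `nodeSelector`; `{{- .Values.masterNodesLabels | toYaml | nindent 8 }}` avoids it. The container spec the `NODE_IPS` change belongs to starts before the hunk.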
@@ -146,7 +146,7 @@ spec: - name: ENABLE_SSL value: "{{ .Values.networking.enableSsl }}" - name: OVN_DB_IPS - value: "{{ .Values.masterNodes| default (include "kubeovn.nodeIPs" .) }}" + value: "{{ include "kubeovn.masterNodes" . | default (include "kubeovn.nodeIPs" .) }}" - name: OVN_VERSION_COMPATIBILITY value: '{{ include "kubeovn.ovn.versionCompatibility" . }}' command: diff --git a/charts/kube-ovn-v2/templates/ic/ic-controller-deploy.yaml b/charts/kube-ovn-v2/templates/ic/ic-controller-deploy.yaml index 6d2bd91bff1..a82a07f7916 100644 --- a/charts/kube-ovn-v2/templates/ic/ic-controller-deploy.yaml +++ b/charts/kube-ovn-v2/templates/ic/ic-controller-deploy.yaml @@ -88,7 +88,7 @@ spec: fieldRef: fieldPath: metadata.namespace - name: OVN_DB_IPS - value: "{{ .Values.masterNodes| default (include "kubeovn.nodeIPs" .) }}" + value: "{{ include "kubeovn.masterNodes" . | default (include "kubeovn.nodeIPs" .) }}" resources: requests: cpu: 300m diff --git a/charts/kube-ovn-v2/templates/monitor/monitor-deployment.yaml b/charts/kube-ovn-v2/templates/monitor/monitor-deployment.yaml index 807d603bcc1..9959cc2be62 100644 --- a/charts/kube-ovn-v2/templates/monitor/monitor-deployment.yaml +++ b/charts/kube-ovn-v2/templates/monitor/monitor-deployment.yaml @@ -156,9 +156,7 @@ spec: timeoutSeconds: 5 nodeSelector: kubernetes.io/os: "linux" - {{- with splitList "=" .Values.masterNodesLabel}} - {{ index . 0 }}: "{{ if eq (len .) 2 }}{{ index . 1 }}{{ end }}" - {{- end }} + {{ .Values.masterNodesLabels | toYaml | nindent 8 }} volumes: - name: host-run-ovn hostPath: diff --git a/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-daemonset.yaml b/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-daemonset.yaml index 0dd378e6766..805f02c1b30 100644 --- a/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-daemonset.yaml +++ b/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-daemonset.yaml 
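Review bot: `{{ .Values.masterNodesLabels | toYaml | nindent 8 }}` in the kube-ovn-monitor nodeSelector renders a bare `{}` line under the mapping when an operator sets `masterNodesLabels: {}`, a plausible override once `masterNodes` is listed explicitly as the values comment suggests, and the resulting manifest is not valid YAML. Guard it with `{{- with .Values.masterNodesLabels }}{{ toYaml . | nindent 8 }}{{- end }}` so an empty map simply adds no selector; the same construct is used for ovn-central and should get the same guard.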
@@ -140,7 +140,7 @@ spec: fieldRef: fieldPath: spec.nodeName - name: OVN_DB_IPS - value: "{{ .Values.masterNodes| default (include "kubeovn.nodeIPs" .) }}" + value: "{{ include "kubeovn.masterNodes" . | default (include "kubeovn.nodeIPs" .) }}" - name: OVN_REMOTE_PROBE_INTERVAL value: "{{ .Values.ovsOvn.ovnRemoteProbeInterval }}" - name: OVN_REMOTE_OPENFLOW_INTERVAL diff --git a/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-dpdk-daemonset.yaml b/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-dpdk-daemonset.yaml index 79db382fb66..d38c52c8051 100644 --- a/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-dpdk-daemonset.yaml +++ b/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-dpdk-daemonset.yaml @@ -71,7 +71,7 @@ spec: fieldRef: fieldPath: spec.nodeName - name: OVN_DB_IPS - value: "{{ .Values.masterNodes| default (include "kubeovn.nodeIPs" .) }}" + value: "{{ include "kubeovn.masterNodes" . | default (include "kubeovn.nodeIPs" .) }}" - name: OVN_REMOTE_PROBE_INTERVAL value: "{{ .Values.ovsOvn.ovnRemoteProbeInterval }}" - name: OVN_REMOTE_OPENFLOW_INTERVAL diff --git a/charts/kube-ovn-v2/values.yaml b/charts/kube-ovn-v2/values.yaml index e17b4adf4e6..294fb9e3b95 100644 --- a/charts/kube-ovn-v2/values.yaml +++ b/charts/kube-ovn-v2/values.yaml 
@@ -33,11 +33,16 @@ fullnameOverride: "" namespace: kube-system # -- Comma-separated list of IPs for each master node. +# If not specified, fallback to auto-identifying masters based on "masterNodesLabels" # @section -- Global parameters -masterNodes: "" +masterNodes: [] # -- Label used to auto-identify masters. +# Any node that has any of these labels will be considered a master node. +# Note: This feature uses Helm "lookup" function, which is not compatible with tools such as ArgoCD. # @section -- Global parameters -masterNodesLabel: "kube-ovn/role=master" +masterNodesLabels: + kube-ovn/role: master + # node-role.kubernetes.io/control-plane: "" # -- General configuration of the network created by Kube-OVN. # @section -- Network parameters of the CNI From 34574c575a85eae5b51c8653c457e8892692b637 Mon Sep 17 00:00:00 2001 From: SkalaNetworks Date: Sun, 27 Apr 2025 11:30:54 +0200 Subject: [PATCH 4/4] feat(helm): rename feature flags Signed-off-by: SkalaNetworks --- charts/kube-ovn-v2/templates/_helpers.tpl | 2 +- .../templates/agent/agent-daemonset.yaml | 14 ++--- .../controller/controller-deployment.yaml | 26 ++++---- .../templates/ic/ic-controller-deploy.yaml | 2 +- .../templates/monitor/monitor-deployment.yaml | 6 +- .../templates/nat-gw/vpc-nat-config.yaml | 2 +- .../templates/ovs-ovn/ovs-ovn-daemonset.yaml | 2 +- .../ovs-ovn/ovs-ovn-dpdk-daemonset.yaml | 2 +- charts/kube-ovn-v2/values.yaml | 63 ++++++++++++++----- 9 files changed, 75 insertions(+), 44 deletions(-) diff --git a/charts/kube-ovn-v2/templates/_helpers.tpl b/charts/kube-ovn-v2/templates/_helpers.tpl index 7b358e58055..0932f2cb4d0 100644 --- a/charts/kube-ovn-v2/templates/_helpers.tpl +++ b/charts/kube-ovn-v2/templates/_helpers.tpl @@ -137,7 +137,7 @@ Get IPs of master nodes from values {{- end -}} {{- define "kubeovn.runAsUser" -}} - {{- if $.Values.features.ENABLE_OVN_IPSEC -}} + {{- if $.Values.features.enableOvnIpsec -}} 0 {{- else -}} 65534 
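Review bot: The description on `masterNodes` still says `Comma-separated list of IPs`, but the value is now a YAML list (`[]`) that the templates join with `,`; change it to `# -- List of IP addresses of the master nodes.` so users do not keep supplying a single comma-joined string, which sprig's `join` appears to pass through unchanged only by accident. The `masterNodesLabels` comment should also say that the same labels drive the ovn-central and kube-ovn-monitor nodeSelector, so whoever can write node labels can move the OVN databases and change the addresses advertised in `OVN_DB_IPS`; setting `masterNodes` explicitly is the conservative choice where node-label writes are not tightly controlled.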
diff --git a/charts/kube-ovn-v2/templates/agent/agent-daemonset.yaml b/charts/kube-ovn-v2/templates/agent/agent-daemonset.yaml index ea475333272..c46add98550 100644 --- a/charts/kube-ovn-v2/templates/agent/agent-daemonset.yaml +++ b/charts/kube-ovn-v2/templates/agent/agent-daemonset.yaml @@ -125,10 +125,10 @@ spec: - --log_file_max_size=200 - --enable-metrics={{- .Values.networking.enableMetrics }} - --kubelet-dir={{ .Values.kubelet.directory }} - - --enable-tproxy={{ .Values.features.ENABLE_TPROXY }} + - --enable-tproxy={{ .Values.features.enableTproxy }} - --ovs-vsctl-concurrency={{ .Values.performance.ovsVsctlConcurrency }} - - --secure-serving={{- .Values.features.SECURE_SERVING }} - - --enable-ovn-ipsec={{- .Values.features.ENABLE_OVN_IPSEC }} + - --secure-serving={{- .Values.features.enableSecureServing }} + - --enable-ovn-ipsec={{- .Values.features.enableOvnIpsec }} securityContext: runAsGroup: 0 runAsUser: 0 @@ -202,7 +202,7 @@ spec: - mountPath: /etc/localtime name: localtime readOnly: true - {{- if .Values.features.ENABLE_OVN_IPSEC }} + {{- if .Values.features.enableOvnIpsec }} - mountPath: /etc/ovs_ipsec_keys name: ovs-ipsec-keys {{- end }} @@ -213,7 +213,7 @@ spec: httpGet: port: 10665 path: /readyz - scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.SECURE_SERVING }}' + scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.enableSecureServing }}' timeoutSeconds: 5 livenessProbe: failureThreshold: 3 @@ -223,7 +223,7 @@ spec: httpGet: port: 10665 path: /readyz - scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.SECURE_SERVING }}' + scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.enableSecureServing }}' timeoutSeconds: 5 {{- with .Values.agent.resources }} resources: @@ -282,7 +282,7 @@ spec: hostPath: path: {{ .Values.cni.toolingDirectory }} {{- end }} - {{- if .Values.features.ENABLE_OVN_IPSEC }} + {{- if .Values.features.enableOvnIpsec }} - name: ovs-ipsec-keys hostPath: path: {{ .Values.ovsOvn.ovsDirectory }} 
diff --git a/charts/kube-ovn-v2/templates/controller/controller-deployment.yaml b/charts/kube-ovn-v2/templates/controller/controller-deployment.yaml index 3fd27ffe891..6a3d339a19e 100644 --- a/charts/kube-ovn-v2/templates/controller/controller-deployment.yaml +++ b/charts/kube-ovn-v2/templates/controller/controller-deployment.yaml @@ -104,9 +104,9 @@ spec: {{- else if eq .Values.networking.stack "IPv6" -}} {{ .Values.networking.pods.gateways.v6 }} {{- end }} - - --default-gateway-check={{- .Values.features.CHECK_GATEWAY }} - - --default-logical-gateway={{- .Values.features.LOGICAL_GATEWAY }} - - --default-u2o-interconnection={{- .Values.features.U2O_INTERCONNECTION }} + - --default-gateway-check={{- .Values.networking.pods.enableGatewayChecks }} + - --default-logical-gateway={{- .Values.networking.pods.enableLogicalGateways }} + - --default-u2o-interconnection={{- .Values.features.enableU2OInterconnections }} - --default-exclude-ips={{- .Values.networking.excludeIps }} - --cluster-router={{ .Values.networking.defaultVpcName }} - --node-switch={{ .Values.networking.join.subnetName }} @@ -135,10 +135,10 @@ spec: - --ls-dnat-mod-dl-dst={{- .Values.features.LS_DNAT_MOD_DL_DST }} - --ls-ct-skip-dst-lport-ips={{- .Values.features.LS_CT_SKIP_DST_LPORT_IPS }} - --pod-nic-type={{- .Values.networking.podNicType }} - - --enable-lb={{- .Values.features.ENABLE_LB }} - - --enable-np={{- .Values.features.ENABLE_NP }} + - --enable-lb={{- .Values.features.enableLoadbalancer }} + - --enable-np={{- .Values.features.enableNetworkPolicies }} - --enable-eip-snat={{- .Values.networking.enableEipSnat }} - - --enable-external-vpc={{- .Values.features.ENABLE_EXTERNAL_VPC }} + - --enable-external-vpc={{- .Values.features.enableExternalVpcs }} - --enable-ecmp={{- .Values.networking.enableEcmp }} - --logtostderr=false - --alsologtostderr=true 
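Review bot: `--default-gateway-check` and `--default-logical-gateway` now read `.Values.networking.pods.enableGatewayChecks` and `.Values.networking.pods.enableLogicalGateways`, while the values.yaml hunk in this patch adds `enableGatewayChecks`/`enableLogicalGateways` under `networking:` right after the gateway `v6` entry and the diff does not preserve their indentation; if they sit beside `pods` rather than inside it, both lookups render empty and the controller is started with `--default-gateway-check=`, which a boolean flag rejects. Confirm the nesting with `helm template` and grep the rendered args for the two flags. The args list continues beyond this hunk.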
@@ -146,16 +146,16 @@ spec: - --inspect-interval={{- .Values.performance.inspectInterval }} - --log_file=/var/log/kube-ovn/kube-ovn-controller.log - --log_file_max_size=200 - - --enable-lb-svc={{- .Values.features.ENABLE_LB_SVC }} - - --keep-vm-ip={{- .Values.features.ENABLE_KEEP_VM_IP }} + - --enable-lb-svc={{- .Values.features.enableLoadbalancer }} + - --keep-vm-ip={{- .Values.features.enableKeepVmIps }} - --enable-metrics={{- .Values.networking.enableMetrics }} - --node-local-dns-ip={{- .Values.networking.nodeLocalDnsIp }} - - --secure-serving={{- .Values.features.SECURE_SERVING }} - - --enable-ovn-ipsec={{- .Values.features.ENABLE_OVN_IPSEC }} + - --secure-serving={{- .Values.features.enableSecureServing }} + - --enable-ovn-ipsec={{- .Values.features.enableOvnIpsec }} - --enable-anp={{- .Values.features.ENABLE_ANP }} - --ovsdb-con-timeout={{- .Values.features.OVSDB_CON_TIMEOUT }} - --ovsdb-inactivity-timeout={{- .Values.features.OVSDB_INACTIVITY_TIMEOUT }} - - --enable-live-migration-optimize={{- .Values.features.ENABLE_LIVE_MIGRATION_OPTIMIZE }} + - --enable-live-migration-optimize={{- .Values.features.enableLiveMigrationOptimization }} - --enable-ovn-lb-prefer-local={{- .Values.features.ENABLE_OVN_LB_PREFER_LOCAL }} - --image={{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} securityContext: @@ -211,14 +211,14 @@ spec: httpGet: port: 10660 path: /readyz - scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.SECURE_SERVING }}' + scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.enableSecureServing }}' periodSeconds: 3 timeoutSeconds: 5 livenessProbe: httpGet: port: 10660 path: /readyz - scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.SECURE_SERVING }}' + scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.enableSecureServing }}' initialDelaySeconds: 300 periodSeconds: 7 failureThreshold: 5 
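Review bot: `- --enable-lb-svc={{- .Values.features.enableLoadbalancer }}` wires the former `ENABLE_LB_SVC` flag (default `false`) to `enableLoadbalancer` (default `true`), so every install now starts the controller with `--enable-lb-svc=true`, and the `enableLoadbalancerService: false` key added to values.yaml in this same patch is never referenced. It should read `- --enable-lb-svc={{- .Values.features.enableLoadbalancerService }}`. The upper-case keys left in place (`ENABLE_ANP`, `OVSDB_CON_TIMEOUT`, `OVSDB_INACTIVITY_TIMEOUT`, `ENABLE_OVN_LB_PREFER_LOCAL`) match what values.yaml still defines, but a sentence in the commit message saying the rename is deliberately partial would stop reviewers from reading them as misses.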
diff --git a/charts/kube-ovn-v2/templates/ic/ic-controller-deploy.yaml b/charts/kube-ovn-v2/templates/ic/ic-controller-deploy.yaml index a82a07f7916..00d440de225 100644 --- a/charts/kube-ovn-v2/templates/ic/ic-controller-deploy.yaml +++ b/charts/kube-ovn-v2/templates/ic/ic-controller-deploy.yaml @@ -1,4 +1,4 @@ -{{- if .Values.features.ENABLE_IC }} +{{- if .Values.features.enableOvnInterconnections }} kind: Deployment apiVersion: apps/v1 metadata: diff --git a/charts/kube-ovn-v2/templates/monitor/monitor-deployment.yaml b/charts/kube-ovn-v2/templates/monitor/monitor-deployment.yaml index 9959cc2be62..0c5c1a50965 100644 --- a/charts/kube-ovn-v2/templates/monitor/monitor-deployment.yaml +++ b/charts/kube-ovn-v2/templates/monitor/monitor-deployment.yaml @@ -78,7 +78,7 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} command: ["/kube-ovn/start-ovn-monitor.sh"] args: - - --secure-serving={{- .Values.features.SECURE_SERVING }} + - --secure-serving={{- .Values.features.enableSecureServing }} - --log_file=/var/log/kube-ovn/kube-ovn-monitor.log - --logtostderr=false - --alsologtostderr=true @@ -142,7 +142,7 @@ spec: httpGet: port: 10661 path: /livez - scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.SECURE_SERVING }}' + scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.enableSecureServing }}' timeoutSeconds: 5 readinessProbe: failureThreshold: 3 @@ -152,7 +152,7 @@ spec: httpGet: port: 10661 path: /livez - scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.SECURE_SERVING }}' + scheme: '{{ ternary "HTTPS" "HTTP" .Values.features.enableSecureServing }}' timeoutSeconds: 5 nodeSelector: kubernetes.io/os: "linux" diff --git a/charts/kube-ovn-v2/templates/nat-gw/vpc-nat-config.yaml b/charts/kube-ovn-v2/templates/nat-gw/vpc-nat-config.yaml index 8b30d17a49a..06112ed9c6f 100755 --- a/charts/kube-ovn-v2/templates/nat-gw/vpc-nat-config.yaml +++ b/charts/kube-ovn-v2/templates/nat-gw/vpc-nat-config.yaml 
@@ -22,4 +22,4 @@ metadata: name: ovn-vpc-nat-gw-config namespace: {{ .Values.namespace }} data: - enable-vpc-nat-gw: "{{ .Values.features.ENABLE_NAT_GW }}" \ No newline at end of file + enable-vpc-nat-gw: "{{ .Values.features.enableNatGateways }}" \ No newline at end of file diff --git a/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-daemonset.yaml b/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-daemonset.yaml index 805f02c1b30..283d99aeb1b 100644 --- a/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-daemonset.yaml +++ b/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-daemonset.yaml @@ -132,7 +132,7 @@ spec: fieldRef: fieldPath: metadata.namespace - name: HW_OFFLOAD - value: "{{- .Values.features.HW_OFFLOAD }}" + value: "{{- .Values.features.enableHardwareOffload }}" - name: TUNNEL_TYPE value: "{{- .Values.networking.tunnelType }}" - name: KUBE_NODE_NAME diff --git a/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-dpdk-daemonset.yaml b/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-dpdk-daemonset.yaml index d38c52c8051..30857c74af4 100644 --- a/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-dpdk-daemonset.yaml +++ b/charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-dpdk-daemonset.yaml @@ -61,7 +61,7 @@ spec: fieldRef: fieldPath: status.podIP - name: HW_OFFLOAD - value: "{{- .Values.features.HW_OFFLOAD }}" + value: "{{- .Values.features.enableHardwareOffload }}" - name: TUNNEL_TYPE value: "{{- .Values.networking.tunnelType }}" - name: DPDK_TUNNEL_IFACE diff --git a/charts/kube-ovn-v2/values.yaml b/charts/kube-ovn-v2/values.yaml index 294fb9e3b95..3b03c4cd78c 100644 --- a/charts/kube-ovn-v2/values.yaml +++ b/charts/kube-ovn-v2/values.yaml 
@@ -82,6 +82,12 @@ networking:
 # -- IPv6 gateway.
 # @section -- Network parameters of the CNI
 v6: "fd00:10:16::1"
+ # -- Enable default gateway checks
+ # @section -- Network parameters of the CNI
+ enableGatewayChecks: true
+ # -- Enable logical gateways
+ # @section -- Network parameters of the CNI
+ enableLogicalGateways: false
 # -- Configuration for the service subnet.
 # If .networking.stack is set to IPv4, only the .v4 key is used.
 # If .networking.stack is set to IPv6, only the .v6 key is used.
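Review bot: `enableGatewayChecks` and `enableLogicalGateways` take over from `features.CHECK_GATEWAY` and `features.LOGICAL_GATEWAY`, which the later hunk of this file removes, but the template that consumes them is not in this chunk, so it is worth confirming that every reference to `.Values.features.CHECK_GATEWAY` / `.Values.features.LOGICAL_GATEWAY` was moved to the new `.Values.networking.*` path — a reference left on the old key renders as an empty string rather than failing. The doc comments also do not say which component acts on these flags; naming the consumer (the controller deployment, if that is where they are read) in the `# --` line would let a reader find the effect without grepping the templates.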
@@ -170,28 +176,53 @@ networking:
 # -- Features of Kube-OVN we wish to enable/disable.
 # @section -- Opt-in/out Features
 features:
- ENABLE_LB: true
- ENABLE_NP: true
- ENABLE_EXTERNAL_VPC: true
- HW_OFFLOAD: false
- ENABLE_LB_SVC: false
- ENABLE_KEEP_VM_IP: true
+ # -- Enable Kube-OVN loadbalancers
+ # @section -- Opt-in/out Features
+ enableLoadbalancer: true
+ # -- Enable Kube-OVN network policies
+ # @section -- Opt-in/out Features
+ enableNetworkPolicies: true
+ # -- Enable external VPCs
+ # @section -- Opt-in/out Features
+ enableExternalVpcs: true
+ # -- Enable hardware offloads
+ # @section -- Opt-in/out Features
+ enableHardwareOffload: false
+ # -- Enable Kube-OVN loadbalancer services
+ # @section -- Opt-in/out Features
+ enableLoadbalancerService: false
+ # -- Enable persistent VM IPs
+ # @section -- Opt-in/out Features
+ enableKeepVmIps: true
+ # -- Enable secure serving
+ # @section -- Opt-in/out Features
+ enableSecureServing: false
+ # -- Enable underlay to overlay interconnections
+ # @section -- Opt-in/out Features
+ enableU2OInterconnections: false
+ # -- Enable TProxy
+ # @section -- Opt-in/out Features
+ enableTproxy: false
+ # -- Enable OVN interconnections
+ # @section -- Opt-in/out Features
+ enableOvnInterconnections: false
+ # -- Enable NAT gateways
+ # @section -- Opt-in/out Features
+ enableNatGateways: true
+ # -- Enable IPSEC
+ # @section -- Opt-in/out Features
+ enableOvnIpsec: false
+ # -- Enable optimized live migrations for VMs
+ # @section -- Opt-in/out Features
+ enableLiveMigrationOptimization: true
+
+ ENABLE_BIND_LOCAL_IP: true
 LS_DNAT_MOD_DL_DST: true
 LS_CT_SKIP_DST_LPORT_IPS: true
- CHECK_GATEWAY: true
- LOGICAL_GATEWAY: false
- ENABLE_BIND_LOCAL_IP: true
- SECURE_SERVING: false
- U2O_INTERCONNECTION: false
- ENABLE_TPROXY: false
- ENABLE_IC: false
- ENABLE_NAT_GW: true
- ENABLE_OVN_IPSEC: false
 ENABLE_ANP: false
 SET_VXLAN_TX_OFF: false
 OVSDB_CON_TIMEOUT: 3
 OVSDB_INACTIVITY_TIMEOUT: 10
- ENABLE_LIVE_MIGRATION_OPTIMIZE: true
 ENABLE_OVN_LB_PREFER_LOCAL: false
 
 # -- CNI binary/configuration injected on the nodes.
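Review bot: Renaming `SECURE_SERVING`, `ENABLE_OVN_IPSEC` and the other feature keys means an override file written against the old names is no longer read, and each feature quietly falls back to the new chart default — for `enableSecureServing: false` and `enableOvnIpsec: false` that is a silent loss of TLS serving and IPsec on upgrade with no rendering error, since the templates just read the new key. A `values.schema.json` that closes the `features` object with `"additionalProperties": false`, or a guard such as `{{- if hasKey .Values.features "SECURE_SERVING" }}{{ fail "features.SECURE_SERVING was renamed to features.enableSecureServing" }}{{- end }}` in `_helpers.tpl`, would make the rename fail loudly at `helm upgrade` time. The re-added `ENABLE_BIND_LOCAL_IP: true` is the only new line without the `# --` / `# @section` comments the other keys received, and `LS_DNAT_MOD_DL_DST`, `LS_CT_SKIP_DST_LPORT_IPS`, `ENABLE_ANP`, `SET_VXLAN_TX_OFF`, the `OVSDB_*` timeouts and `ENABLE_OVN_LB_PREFER_LOCAL` stay SCREAMING_SNAKE beside the new camelCase keys, so the `features` map now mixes two naming conventions.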