{{- if .Values.speaker.frr.enabled }}
# FRR expects to have these files owned by frr:frr on startup.
# Having them in a ConfigMap allows us to modify behaviors: for example enabling more daemons on startup.
# The ConfigMap is mounted into the speaker DaemonSet's cp-frr-files init
# container at /tmp/frr and copied into the frr-conf emptyDir at /etc/frr,
# which the frr, reloader and frr-metrics containers all share.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "metallb.fullname" . }}-frr-startup
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "metallb.labels" . | nindent 4 }}
    app.kubernetes.io/component: speaker
data:
  # /etc/frr/daemons: only bgpd and bfdd are enabled (zebra and watchfrr always
  # start). Each daemon's VTY (-A) is bound to the loopback address; because the
  # speaker pod runs with hostNetwork: true, that is the node's own loopback, so
  # any process in the node's network namespace can reach these VTYs.
  # The value is a shell-style file: the '#' lines inside the block scalar are
  # part of the file content, not YAML comments.
  daemons: |
    # This file tells the frr package which daemons to start.
    #
    # Sample configurations for these daemons can be found in
    # /usr/share/doc/frr/examples/.
    #
    # ATTENTION:
    #
    # When activating a daemon for the first time, a config file, even if it is
    # empty, has to be present *and* be owned by the user and group "frr", else
    # the daemon will not be started by /etc/init.d/frr. The permissions should
    # be u=rw,g=r,o=.
    # When using "vtysh" such a config file is also needed. It should be owned by
    # group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
    #
    # The watchfrr and zebra daemons are always started.
    #
    bgpd=yes
    ospfd=no
    ospf6d=no
    ripd=no
    ripngd=no
    isisd=no
    pimd=no
    ldpd=no
    nhrpd=no
    eigrpd=no
    babeld=no
    sharpd=no
    pbrd=no
    bfdd=yes
    fabricd=no
    vrrpd=no

    #
    # If this option is set the /etc/init.d/frr script automatically loads
    # the config via "vtysh -b" when the servers are started.
    # Check /etc/pam.d/frr if you intend to use "vtysh"!
    #
    vtysh_enable=yes
    zebra_options=" -A 127.0.0.1 -s 90000000"
    bgpd_options=" -A 127.0.0.1 -p 0"
    ospfd_options=" -A 127.0.0.1"
    ospf6d_options=" -A ::1"
    ripd_options=" -A 127.0.0.1"
    ripngd_options=" -A ::1"
    isisd_options=" -A 127.0.0.1"
    pimd_options=" -A 127.0.0.1"
    ldpd_options=" -A 127.0.0.1"
    nhrpd_options=" -A 127.0.0.1"
    eigrpd_options=" -A 127.0.0.1"
    babeld_options=" -A 127.0.0.1"
    sharpd_options=" -A 127.0.0.1"
    pbrd_options=" -A 127.0.0.1"
    staticd_options="-A 127.0.0.1"
    bfdd_options=" -A 127.0.0.1"
    fabricd_options="-A 127.0.0.1"
    vrrpd_options=" -A 127.0.0.1"

    # configuration profile
    #
    #frr_profile="traditional"
    #frr_profile="datacenter"

    #
    # This is the maximum number of FD's that will be available.
    # Upon startup this is read by the control files and ulimit
    # is called. Uncomment and use a reasonable value for your
    # setup if you are expecting a large number of peers in
    # say BGP.
    #MAX_FDS=1024

    # The list of daemons to watch is automatically generated by the init script.
    #watchfrr_options=""

    # for debugging purposes, you can specify a "wrap" command to start instead
    # of starting the daemon directly, e.g. to use valgrind on ospfd:
    # ospfd_wrap="/usr/bin/valgrind"
    # or you can use "all_wrap" for all daemons, e.g. to use perf record:
    # all_wrap="/usr/bin/perf record --call-graph -"
    # the normal daemon command is added to this at the end.
  # 'service integrated-vtysh-config' makes vtysh write one combined frr.conf
  # rather than per-daemon config files. '|+' keeps the trailing newline(s).
  vtysh.conf: |+
    service integrated-vtysh-config
  # Bootstrap config only. As the comment inside says, it is replaced once the
  # speaker renders its own config (FRR_CONFIG_FILE in the DaemonSet points to
  # /etc/frr_reloader/frr.conf, which the reloader applies).
  frr.conf: |+
    ! This file gets overriden the first time the speaker renders a config.
    ! So anything configured here is only temporary.
    frr version 7.5.1
    frr defaults traditional
    hostname Router
    line vty
    log file /etc/frr/frr.log informational
{{- end }}
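---
{{- if .Values.speaker.enabled }}
# Speaker DaemonSet: one pod per node, on the host network. With
# speaker.frr.enabled the pod additionally runs the FRR daemons, a config
# reloader and an FRR metrics exporter, which share config files and sockets
# through emptyDir volumes populated by init containers.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: {{ template "metallb.fullname" . }}-speaker
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "metallb.labels" . | nindent 4 }}
    app.kubernetes.io/component: speaker
    {{- range $key, $value := .Values.speaker.labels }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
spec:
  {{- if .Values.speaker.updateStrategy }}
  updateStrategy: {{- toYaml .Values.speaker.updateStrategy | nindent 4 }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "metallb.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/component: speaker
  template:
    metadata:
      {{- if or .Values.prometheus.scrapeAnnotations .Values.speaker.podAnnotations }}
      annotations:
        {{- if .Values.prometheus.scrapeAnnotations }}
        prometheus.io/scrape: "true"
        # With FRR enabled the pod exposes two metrics ports (speaker and
        # frr-metrics), so a single prometheus.io/port annotation is not set.
        {{- if not .Values.speaker.frr.enabled }}
        prometheus.io/port: "{{ .Values.prometheus.metricsPort }}"
        {{- end }}
        {{- end }}
        {{- with .Values.speaker.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- end }}
      labels:
        {{- include "metallb.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/component: speaker
        {{- range $key, $value := .Values.speaker.labels }}
        {{ $key }}: {{ $value | quote }}
        {{- end }}
    spec:
      {{- if .Values.speaker.runtimeClassName }}
      runtimeClassName: {{ .Values.speaker.runtimeClassName }}
      {{- end }}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ template "metallb.speaker.serviceAccountName" . }}
      # Pods are killed immediately on termination.
      terminationGracePeriodSeconds: 0
      # Host networking: every listener below binds in the node's network
      # namespace, and the loopback VTY addresses in the frr-startup ConfigMap
      # refer to the node's own loopback.
      hostNetwork: true
      volumes:
      {{- if .Values.speaker.memberlist.enabled }}
      - name: memberlist
        secret:
          secretName: {{ include "metallb.secretName" . }}
          # 420 = 0644: the key file is readable by any uid in the container.
          # NOTE(review): the excludel2 ConfigMap below uses 256 (0400);
          # consider the same here unless the speaker needs group/other read.
          defaultMode: 420
      {{- end }}
      {{- if .Values.speaker.excludeInterfaces.enabled }}
      - name: metallb-excludel2
        configMap:
          defaultMode: 256
          name: metallb-excludel2
      {{- end }}
      # Declared outside the FRR block: the kube-rbac-proxy container mounts
      # metrics-certs even when speaker.frr.enabled is false, and a mount of an
      # undeclared volume makes the API server reject the pod spec.
      {{- if .Values.prometheus.speakerMetricsTLSSecret }}
      - name: metrics-certs
        secret:
          secretName: {{ .Values.prometheus.speakerMetricsTLSSecret }}
      {{- end }}
      {{- if .Values.speaker.frr.enabled }}
      - name: frr-sockets
        emptyDir: {}
      - name: frr-startup
        configMap:
          name: {{ template "metallb.fullname" . }}-frr-startup
      - name: frr-conf
        emptyDir: {}
      - name: reloader
        emptyDir: {}
      - name: metrics
        emptyDir: {}
      initContainers:
      # Copies the initial config files with the right permissions to the shared volume.
      - name: cp-frr-files
        image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
        # Run as the frr user/group so the copied files end up owned by
        # frr:frr, which FRR requires (see the frr-startup ConfigMap header).
        # NOTE(review): 100/101 assumes the ids used by the FRR image — confirm.
        securityContext:
          runAsUser: 100
          runAsGroup: 101
        command: ["/bin/sh", "-c", "cp -rLf /tmp/frr/* /etc/frr/"]
        volumeMounts:
        - name: frr-startup
          mountPath: /tmp/frr
        - name: frr-conf
          mountPath: /etc/frr
      # Copies the reloader to the shared volume between the speaker and reloader.
      - name: cp-reloader
        image: {{ .Values.speaker.image.repository }}:{{ .Values.speaker.image.tag | default .Chart.AppVersion }}
        command: ["/bin/sh", "-c", "cp -f /frr-reloader.sh /etc/frr_reloader/"]
        volumeMounts:
        - name: reloader
          mountPath: /etc/frr_reloader
      # Copies the metrics exporter to the volume the frr-metrics container runs it from.
      - name: cp-metrics
        image: {{ .Values.speaker.image.repository }}:{{ .Values.speaker.image.tag | default .Chart.AppVersion }}
        command: ["/bin/sh", "-c", "cp -f /frr-metrics /etc/frr_metrics/"]
        volumeMounts:
        - name: metrics
          mountPath: /etc/frr_metrics
      # NOTE(review): a shared PID namespace lets every container in the pod
      # see and signal the others' processes; presumably the reloader needs it
      # to reach the FRR daemons — confirm, since it also widens what a
      # compromised container can touch.
      shareProcessNamespace: true
      {{- end }}
      containers:
      - name: speaker
        image: {{ .Values.speaker.image.repository }}:{{ .Values.speaker.image.tag | default .Chart.AppVersion }}
        {{- if .Values.speaker.image.pullPolicy }}
        imagePullPolicy: {{ .Values.speaker.image.pullPolicy }}
        {{- end }}
        {{- if .Values.speaker.command }}
        command:
        - {{ .Values.speaker.command }}
        {{- end }}
        args:
        - --port={{ .Values.prometheus.metricsPort }}
        {{- with .Values.speaker.logLevel }}
        - --log-level={{ . }}
        {{- end }}
        {{- if .Values.loadBalancerClass }}
        - --lb-class={{ .Values.loadBalancerClass }}
        {{- end }}
        env:
        - name: METALLB_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: METALLB_HOST
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        {{- if .Values.speaker.memberlist.enabled }}
        - name: METALLB_ML_BIND_ADDR
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: METALLB_ML_LABELS
          value: "app.kubernetes.io/name={{ include "metallb.name" . }},app.kubernetes.io/component=speaker"
        - name: METALLB_ML_BIND_PORT
          value: "{{ .Values.speaker.memberlist.mlBindPort }}"
        # Directory where the memberlist secret volume is mounted (see volumeMounts).
        - name: METALLB_ML_SECRET_KEY_PATH
          value: "{{ .Values.speaker.memberlist.mlSecretKeyPath }}"
        {{- end }}
        {{- if .Values.speaker.frr.enabled }}
        # Paths on the reloader emptyDir shared with the reloader container;
        # presumably where the speaker writes its rendered FRR config and finds
        # the reloader's pid — confirm against the speaker code.
        - name: FRR_CONFIG_FILE
          value: /etc/frr_reloader/frr.conf
        - name: FRR_RELOADER_PID_FILE
          value: /etc/frr_reloader/reloader.pid
        - name: METALLB_BGP_TYPE
          value: frr
        {{- end }}
        ports:
        - name: monitoring
          containerPort: {{ .Values.prometheus.metricsPort }}
        {{- if .Values.speaker.memberlist.enabled }}
        - name: memberlist-tcp
          containerPort: {{ .Values.speaker.memberlist.mlBindPort }}
          protocol: TCP
        - name: memberlist-udp
          containerPort: {{ .Values.speaker.memberlist.mlBindPort }}
          protocol: UDP
        {{- end }}
        {{- if .Values.speaker.livenessProbe.enabled }}
        livenessProbe:
          httpGet:
            path: /metrics
            port: monitoring
          initialDelaySeconds: {{ .Values.speaker.livenessProbe.initialDelaySeconds }}
          periodSeconds: {{ .Values.speaker.livenessProbe.periodSeconds }}
          timeoutSeconds: {{ .Values.speaker.livenessProbe.timeoutSeconds }}
          successThreshold: {{ .Values.speaker.livenessProbe.successThreshold }}
          failureThreshold: {{ .Values.speaker.livenessProbe.failureThreshold }}
        {{- end }}
        {{- if .Values.speaker.readinessProbe.enabled }}
        readinessProbe:
          httpGet:
            path: /metrics
            port: monitoring
          initialDelaySeconds: {{ .Values.speaker.readinessProbe.initialDelaySeconds }}
          periodSeconds: {{ .Values.speaker.readinessProbe.periodSeconds }}
          timeoutSeconds: {{ .Values.speaker.readinessProbe.timeoutSeconds }}
          successThreshold: {{ .Values.speaker.readinessProbe.successThreshold }}
          failureThreshold: {{ .Values.speaker.readinessProbe.failureThreshold }}
        {{- end }}
        {{- with .Values.speaker.resources }}
        resources:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        # Least-privilege baseline: no privilege escalation, read-only root
        # filesystem, every capability dropped and only NET_RAW added back.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
            add:
            - NET_RAW
        {{- if or .Values.speaker.frr.enabled .Values.speaker.memberlist.enabled .Values.speaker.excludeInterfaces.enabled }}
        volumeMounts:
        {{- if .Values.speaker.memberlist.enabled }}
        - name: memberlist
          mountPath: {{ .Values.speaker.memberlist.mlSecretKeyPath }}
        {{- end }}
        {{- if .Values.speaker.frr.enabled }}
        - name: reloader
          mountPath: /etc/frr_reloader
        {{- end }}
        {{- if .Values.speaker.excludeInterfaces.enabled }}
        - name: metallb-excludel2
          mountPath: /etc/metallb
        {{- end }}
        {{- end }}
      {{- if .Values.speaker.frr.enabled }}
      - name: frr
        # NOTE(review): unlike the speaker container this neither drops ALL
        # capabilities first nor sets allowPrivilegeEscalation: false or
        # readOnlyRootFilesystem, and SYS_ADMIN is a very broad capability;
        # confirm each added capability is required by the FRR daemons.
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
            - SYS_ADMIN
            - NET_BIND_SERVICE
        image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
        {{- if .Values.speaker.frr.image.pullPolicy }}
        imagePullPolicy: {{ .Values.speaker.frr.image.pullPolicy }}
        {{- end }}
        env:
        - name: TINI_SUBREAPER
          value: "true"
        volumeMounts:
        - name: frr-sockets
          mountPath: /var/run/frr
        - name: frr-conf
          mountPath: /etc/frr
        # The command runs FRR's default entrypoint in the background, then waits
        # for the log file to appear and tails it.
        # If the log file isn't created in 60 seconds the tail fails and the container is restarted.
        # This workaround is needed to have the frr logs as part of kubectl logs -c frr < speaker_pod_name >.
        command:
        - /bin/sh
        - -c
        - |
          /sbin/tini -- /usr/lib/frr/docker-start &
          attempts=0
          until [[ -f /etc/frr/frr.log || $attempts -eq 60 ]]; do
            sleep 1
            attempts=$(( $attempts + 1 ))
          done
          tail -f /etc/frr/frr.log
        {{- with .Values.speaker.frr.resources }}
        resources:
          {{- toYaml . | nindent 12 }}
        {{- end }}
        {{- if .Values.speaker.livenessProbe.enabled }}
        livenessProbe:
          httpGet:
            path: /livez
            port: {{ .Values.speaker.frr.metricsPort }}
          initialDelaySeconds: {{ .Values.speaker.livenessProbe.initialDelaySeconds }}
          periodSeconds: {{ .Values.speaker.livenessProbe.periodSeconds }}
          timeoutSeconds: {{ .Values.speaker.livenessProbe.timeoutSeconds }}
          successThreshold: {{ .Values.speaker.livenessProbe.successThreshold }}
          failureThreshold: {{ .Values.speaker.livenessProbe.failureThreshold }}
        {{- end }}
        {{- if .Values.speaker.startupProbe.enabled }}
        startupProbe:
          httpGet:
            path: /livez
            port: {{ .Values.speaker.frr.metricsPort }}
          failureThreshold: {{ .Values.speaker.startupProbe.failureThreshold }}
          periodSeconds: {{ .Values.speaker.startupProbe.periodSeconds }}
        {{- end }}
      # Runs the script copied in by cp-reloader; shares /etc/frr and the FRR
      # sockets with the frr container and /etc/frr_reloader with the speaker.
      - name: reloader
        image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
        {{- if .Values.speaker.frr.image.pullPolicy }}
        imagePullPolicy: {{ .Values.speaker.frr.image.pullPolicy }}
        {{- end }}
        command: ["/etc/frr_reloader/frr-reloader.sh"]
        volumeMounts:
        - name: frr-sockets
          mountPath: /var/run/frr
        - name: frr-conf
          mountPath: /etc/frr
        - name: reloader
          mountPath: /etc/frr_reloader
        {{- with .Values.speaker.reloader.resources }}
        resources:
          {{- toYaml . | nindent 12 }}
        {{- end }}
      # Runs the exporter copied in by cp-metrics; serves /livez for the frr
      # container's probes and the FRR metrics on speaker.frr.metricsPort.
      - name: frr-metrics
        image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
        command: ["/etc/frr_metrics/frr-metrics"]
        args:
        - --metrics-port={{ .Values.speaker.frr.metricsPort }}
        ports:
        - containerPort: {{ .Values.speaker.frr.metricsPort }}
          name: monitoring
        volumeMounts:
        - name: frr-sockets
          mountPath: /var/run/frr
        - name: frr-conf
          mountPath: /etc/frr
        - name: metrics
          mountPath: /etc/frr_metrics
        {{- with .Values.speaker.frrMetrics.resources }}
        resources:
          {{- toYaml . | nindent 12 }}
        {{- end }}
      {{- end }}
      {{- if .Values.prometheus.secureMetricsPort }}
      # TLS + RBAC front end for the speaker metrics port.
      - name: kube-rbac-proxy
        image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag }}
        imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }}
        args:
        - --logtostderr
        - --secure-listen-address=:{{ .Values.prometheus.secureMetricsPort }}
        # Upstream is plain HTTP on the host IP; the proxy only adds TLS and
        # authorization in front of it. NOTE(review): with hostNetwork the plain
        # metrics listener is still bound on the node as well — verify it is
        # restricted if the secure port is meant to be the only entry point.
        - --upstream=http://$(METALLB_HOST):{{ .Values.prometheus.metricsPort }}/
        # NOTE(review): TLS_RSA_WITH_AES_128_CBC_SHA256 has no forward secrecy
        # and the *_CBC_* suites are weaker than the AEAD (GCM) ones; Go-based
        # scrapers such as Prometheus negotiate the ECDHE GCM suites, so the
        # rest can likely be dropped — verify against the actual scrapers.
        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        {{- if .Values.prometheus.speakerMetricsTLSSecret }}
        - --tls-private-key-file=/etc/metrics/tls.key
        - --tls-cert-file=/etc/metrics/tls.crt
        {{- end }}
        ports:
        - containerPort: {{ .Values.prometheus.secureMetricsPort }}
          name: metricshttps
        env:
        - name: METALLB_HOST
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        resources:
          requests:
            cpu: 10m
            memory: 20Mi
        terminationMessagePolicy: FallbackToLogsOnError
        {{- if .Values.prometheus.speakerMetricsTLSSecret }}
        volumeMounts:
        - name: metrics-certs
          mountPath: /etc/metrics
          readOnly: true
        {{- end }}
      {{- end }}
      {{- if .Values.speaker.frr.secureMetricsPort }}
      # TLS + RBAC front end for the frr-metrics port.
      - name: kube-rbac-proxy-frr
        # NOTE(review): this falls back to the chart appVersion when
        # rbacProxy.tag is unset, whereas kube-rbac-proxy above does not; the
        # appVersion is MetalLB's version and is unlikely to be a valid tag for
        # the proxy image, so the two image lines should be made consistent.
        image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag | default .Chart.AppVersion }}
        imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }}
        args:
        - --logtostderr
        - --secure-listen-address=:{{ .Values.speaker.frr.secureMetricsPort }}
        # Same cipher-suite remark as on kube-rbac-proxy above.
        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        - --upstream=http://$(METALLB_HOST):{{ .Values.speaker.frr.metricsPort }}/
        {{- if .Values.prometheus.speakerMetricsTLSSecret }}
        - --tls-private-key-file=/etc/metrics/tls.key
        - --tls-cert-file=/etc/metrics/tls.crt
        {{- end }}
        ports:
        - containerPort: {{ .Values.speaker.frr.secureMetricsPort }}
          name: metricshttps
        env:
        - name: METALLB_HOST
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        resources:
          requests:
            cpu: 10m
            memory: 20Mi
        terminationMessagePolicy: FallbackToLogsOnError
        {{- if .Values.prometheus.speakerMetricsTLSSecret }}
        volumeMounts:
        - name: metrics-certs
          mountPath: /etc/metrics
          readOnly: true
        {{- end }}
      {{- end }}
      nodeSelector:
        "kubernetes.io/os": linux
        {{- with .Values.speaker.nodeSelector }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.speaker.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- if or .Values.speaker.tolerateMaster .Values.speaker.tolerations }}
      tolerations:
      {{- if .Values.speaker.tolerateMaster }}
      # Schedule onto control-plane nodes too: both the legacy "master" and the
      # "control-plane" taint keys are tolerated.
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
        operator: Exists
      - key: node-role.kubernetes.io/control-plane
        effect: NoSchedule
        operator: Exists
      {{- end }}
      {{- with .Values.speaker.tolerations }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
      {{- end }}
      {{- with .Values.speaker.priorityClassName }}
      priorityClassName: {{ . | quote }}
      {{- end }}
{{- end }}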