Upgrade ovn-kubernetes CNI to latest release
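---
# Headless Service exposing the ovnkube-db pod: stable DNS names for the OVN
# northbound (6641) and southbound (6642) ovsdb endpoints.
# NOTE(review): no `selector` is set, so Kubernetes does not derive Endpoints
# for this Service from the pod labels; something else (presumably the
# ovnkube.sh entrypoint) has to create them — confirm before relying on it.
apiVersion: v1
kind: Service
metadata:
  name: ovnkube-db
  namespace: ovn-kubernetes
spec:
  ports:
  - name: north
    port: 6641
    protocol: TCP
    targetPort: 6641
  - name: south
    port: 6642
    protocol: TCP
    targetPort: 6642
  sessionAffinity: None
  clusterIP: None
  type: ClusterIP

---

# ovnkube-db
# "daemonset version 3" refers to the OVN_DAEMONSET_VERSION env var handed to
# ovnkube.sh below; the object itself is a single-replica Deployment, not a
# DaemonSet.
# starts ovn NB/SB ovsdb daemons, each in a separate container
# it is pinned to a master node for now (see nodeSelector), but does not need
# to be the case
kind: Deployment
apiVersion: apps/v1
metadata:
  name: ovnkube-db
  # namespace set up by install
  namespace: ovn-kubernetes
  annotations:
    kubernetes.io/description: |
      This deployment launches the OVN NB/SB ovsdb service components.
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      name: ovnkube-db
  # Recreate instead of RollingUpdate: the pod runs with hostNetwork and keeps
  # its databases on a hostPath, so a surge pod started beside the old one
  # would compete for TCP 6641/6642 and for the ovsdb files on the same host.
  # Terminating the old pod first guarantees a single ovsdb-server per
  # database at any time.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        name: ovnkube-db
        component: network
        type: infra
        kubernetes.io/os: "linux"
      annotations:
        # Legacy critical-pod marker; recent Kubernetes releases no longer
        # honour it and use spec.priorityClassName instead. Kept for clusters
        # that still read the annotation.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      # Requires fairly broad permissions - ability to read all services and network functions as well
      # as all pods.
      serviceAccountName: ovn
      # The ovsdb servers bind in the node's network namespace: 6641/6642 must
      # be free on the host and reachable from every node that talks to OVN.
      hostNetwork: true
      containers:
      # firewall rules for ovn - assumed to be setup
      # iptables -A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 6641 -j ACCEPT
      # iptables -A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 6642 -j ACCEPT

      # nb-ovsdb - v3
      - name: nb-ovsdb
        # Default tag is `latest`; set ovn_image to a fixed version or digest
        # for reproducible, auditable deployments.
        image: "{{ ovn_image | default('docker.io/ovnkube/ovn-daemonset:latest') }}"
        imagePullPolicy: "{{ ovn_image_pull_policy | default('IfNotPresent') }}"

        command: ["/root/ovnkube.sh", "nb-ovsdb"]

        # root + NET_ADMIN on the host network namespace: treat this container
        # as host-privileged when reviewing image provenance.
        securityContext:
          runAsUser: 0
          capabilities:
            add: ["NET_ADMIN"]

        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        # ovn db is stored in the pod in /etc/openvswitch
        # (or in /etc/ovn if OVN from new repository is used)
        # and on the host in /var/lib/openvswitch/
        - mountPath: /etc/openvswitch/
          name: host-var-lib-ovs
        - mountPath: /etc/ovn/
          name: host-var-lib-ovs
        - mountPath: /var/log/openvswitch/
          name: host-var-log-ovs
        - mountPath: /var/log/ovn/
          name: host-var-log-ovs
        # for the iptables wrapper (host root filesystem, read-only)
        - mountPath: /host
          name: host-slash
          readOnly: true
        # TLS material for the ovsdb listeners, read-only
        - mountPath: /ovn-cert
          name: host-ovn-cert
          readOnly: true

        resources:
          requests:
            cpu: 100m
            memory: 300Mi
        env:
        - name: OVN_DAEMONSET_VERSION
          value: "3"
        # ovn_loglevel_nb and ovn_ssl_en carry no `default` filter (unlike
        # ovn_image), so the caller must define them when rendering.
        - name: OVN_LOGLEVEL_NB
          value: "{{ ovn_loglevel_nb }}"
        - name: K8S_APISERVER
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: k8s_apiserver
        - name: OVN_KUBERNETES_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: K8S_NODE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: OVN_SSL_ENABLE
          value: "{{ ovn_ssl_en }}"
        # Readiness only: there is no livenessProbe, so a wedged ovsdb-server
        # is reported NotReady but not restarted by the kubelet.
        readinessProbe:
          exec:
            command: ["/usr/bin/ovn-kube-util", "readiness-probe", "-t", "ovnnb-db"]
          initialDelaySeconds: 30
          timeoutSeconds: 30
          periodSeconds: 60
      # end of container

      # sb-ovsdb - v3
      - name: sb-ovsdb
        # Default tag is `latest`; set ovn_image to a fixed version or digest
        # for reproducible, auditable deployments.
        image: "{{ ovn_image | default('docker.io/ovnkube/ovn-daemonset:latest') }}"
        imagePullPolicy: "{{ ovn_image_pull_policy | default('IfNotPresent') }}"

        command: ["/root/ovnkube.sh", "sb-ovsdb"]

        # root + NET_ADMIN on the host network namespace: treat this container
        # as host-privileged when reviewing image provenance.
        securityContext:
          runAsUser: 0
          capabilities:
            add: ["NET_ADMIN"]

        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        # ovn db is stored in the pod in /etc/openvswitch
        # (or in /etc/ovn if OVN from new repository is used)
        # and on the host in /var/lib/openvswitch/
        - mountPath: /etc/openvswitch/
          name: host-var-lib-ovs
        - mountPath: /etc/ovn/
          name: host-var-lib-ovs
        - mountPath: /var/log/openvswitch/
          name: host-var-log-ovs
        - mountPath: /var/log/ovn/
          name: host-var-log-ovs
        # for the iptables wrapper (host root filesystem, read-only)
        - mountPath: /host
          name: host-slash
          readOnly: true
        # TLS material for the ovsdb listeners, read-only
        - mountPath: /ovn-cert
          name: host-ovn-cert
          readOnly: true

        resources:
          requests:
            cpu: 100m
            memory: 300Mi
        env:
        - name: OVN_DAEMONSET_VERSION
          value: "3"
        # ovn_loglevel_sb and ovn_ssl_en carry no `default` filter (unlike
        # ovn_image), so the caller must define them when rendering.
        - name: OVN_LOGLEVEL_SB
          value: "{{ ovn_loglevel_sb }}"
        - name: K8S_APISERVER
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: k8s_apiserver
        - name: OVN_KUBERNETES_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: K8S_NODE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: OVN_SSL_ENABLE
          value: "{{ ovn_ssl_en }}"
        # Readiness only: there is no livenessProbe, so a wedged ovsdb-server
        # is reported NotReady but not restarted by the kubelet.
        readinessProbe:
          exec:
            command: ["/usr/bin/ovn-kube-util", "readiness-probe", "-t", "ovnsb-db"]
          initialDelaySeconds: 30
          timeoutSeconds: 30
          periodSeconds: 60

      # end of container

      # Pinned to a master node; the database lives on that node's hostPath,
      # so rescheduling to a different master starts from that node's state.
      nodeSelector:
        node-role.kubernetes.io/master: ""
        kubernetes.io/os: "linux"
      volumes:
      # OVN NB/SB database files (both containers share this directory)
      - name: host-var-lib-ovs
        hostPath:
          path: /var/lib/openvswitch
      - name: host-var-log-ovs
        hostPath:
          path: /var/log/openvswitch
      # entire host root filesystem; mounted read-only by both containers
      - name: host-slash
        hostPath:
          path: /
      # created on the host if missing, so a missing cert dir does not block
      # pod startup
      - name: host-ovn-cert
        hostPath:
          path: /etc/ovn
          type: DirectoryOrCreate
      # operator Exists with no key tolerates every taint on the master,
      # including NoExecute node-condition taints.
      tolerations:
      - operator: "Exists"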