# ovnkube-db HA using Corosync/Pacemaker
# daemonset version 3
# starts ovn NB/SB ovsdb daemons in a single container
kind: Deployment
apiVersion: apps/v1
metadata:
  name: ovnkube-db
  # namespace set up by install
  namespace: ovn-kubernetes
  annotations:
    kubernetes.io/description: |
      This daemonset launches the OVN NB/SB DB server in a single container.
spec:
  progressDeadlineSeconds: 600
  replicas: {{ ovn_db_replicas | default(3) }}
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      name: ovnkube-db
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        name: ovnkube-db
        component: network
        type: infra
        openshift.io/component: network
        beta.kubernetes.io/os: "linux"
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      # Requires fairly broad permissions - ability to read all services and network functions as well
      # as all pods.
      serviceAccountName: ovn
      hostNetwork: true
      # required to be scheduled on node with openvswitch.org/ovnkube-db=true label but can
      # only have one instance per node
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: openvswitch.org/ovnkube-db
                operator: In
                values:
                - "true"
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: name
                operator: In
                values:
                - ovnkube-db
            topologyKey: kubernetes.io/hostname

      containers:
      # ovsdb with corosync in one container - v3
      - name: ovsdb
        image: "{{ ovn_db_vip_image | default('docker.io/ovnkube/ovndb-vip-u:latest') }}"
        imagePullPolicy: "{{ ovn_image_pull_policy | default('IfNotPresent') }}"
        command: ["/root/ovndb-vip.sh", "run-ovndb"]

        securityContext:
          runAsUser: 0
          capabilities:
            add: ["NET_ADMIN"]

        volumeMounts:
        # ovn db is stored in the pod in /etc/openvswitch
        # and on the host in /var/lib/openvswitch/
        - mountPath: /etc/openvswitch/
          name: host-var-lib-ovs
        - mountPath: /var/log/openvswitch/
          name: host-var-log-ovs
        - mountPath: /etc/corosync
          name: host-etc-corosync
        - mountPath: /var/log/corosync
          name: host-var-log-corosync
        - mountPath: /dev/shm
          name: dshm

        resources:
          requests:
            cpu: 100m
            memory: 1024Mi
        env:
        - name: OVN_DAEMONSET_VERSION
          value: "3"
        - name: OVN_LOG_NB
          value: "-vconsole:info -vfile:info"
        - name: K8S_APISERVER
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: k8s_apiserver
        - name: OVN_KUBERNETES_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: OVN_DB_VIP
          value: "{{ ovn_db_vip }}"
        ports:
        - name: healthz
          containerPort: 10256
        # TODO: Temporarily disabled until we determine how to wait for clean default
        # config
        # livenessProbe:
        #   initialDelaySeconds: 10
        #   httpGet:
        #     path: /healthz
        #     port: 10256
        #     scheme: HTTP
        lifecycle:
      # end of container

      volumes:
      - name: host-var-lib-ovs
        hostPath:
          path: /var/lib/openvswitch
      - name: host-var-log-ovs
        hostPath:
          path: /var/log/openvswitch
      - name: host-var-log-corosync
        hostPath:
          path: /var/log/corosync
      - name: host-etc-corosync
        hostPath:
          path: /etc/corosync
      - name: dshm
        emptyDir:
          medium: Memory

      tolerations:
      - operator: "Exists"