X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=deploy%2Fcluster%2Fcluster.sh;h=397fc8002b4472c633f3760e868ab1388c6a114f;hb=b13f5643b2c17bca79fce39612f8c8c87158632a;hp=7bbc46fd9a30d91dfaabdf87a867ad925f17cb38;hpb=7f5b95aaf15bca22ac6506ac5e1b5db0d0437222;p=icn.git diff --git a/deploy/cluster/cluster.sh b/deploy/cluster/cluster.sh index 7bbc46f..397fc80 100755 --- a/deploy/cluster/cluster.sh +++ b/deploy/cluster/cluster.sh @@ -7,14 +7,7 @@ LIBDIR="$(dirname $(dirname ${SCRIPTDIR}))/env/lib" source $LIBDIR/logging.sh source $LIBDIR/common.sh -FLANNEL_VERSION="v0.15.0" - -# This may be used to update the in-place addon YAML files from the -# upstream projects -function build_source { - mkdir -p ${SCRIPTDIR}/addons - - # Flannel +function build_source_flannel { curl -sL https://raw.githubusercontent.com/coreos/flannel/${FLANNEL_VERSION}/Documentation/kube-flannel.yml -o ${SCRIPTDIR}/addons/flannel.yaml cat <${SCRIPTDIR}/templates/flannel-addon.yaml {{- if eq .Values.cni "flannel" }} 
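Review bot: `build_source_flannel` still interpolates `${FLANNEL_VERSION}` into the download URL, yet this hunk deletes the only definition of that variable in the file and adds none; presumably it moved into `$LIBDIR/common.sh`, which this view does not show. If it is ever unset, the URL degenerates to `.../flannel//Documentation/kube-flannel.yml` and `curl -sL ... -o` writes whatever error body GitHub returns into addons/flannel.yaml without any failure, and that file is later packed into the flannel-addon ConfigMap. Guard the input and fail on HTTP errors with `: "${FLANNEL_VERSION:?FLANNEL_VERSION must be set}"` as the function's first line and `curl -fsSL` in place of `curl -sL`. The function body continues in the next hunk.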
@@ -24,12 +17,40 @@ $(kubectl create configmap flannel-addon --from-file=${SCRIPTDIR}/addons/flannel EOF sed -i -e 's/ name: flannel-addon/ name: {{ .Values.clusterName }}-flannel-addon/' ${SCRIPTDIR}/templates/flannel-addon.yaml sed -i -e 's/10.244.0.0\/16/{{ .Values.podCidr }}/' ${SCRIPTDIR}/templates/flannel-addon.yaml +} - # Flux +function build_source_flux { flux install --export >${SCRIPTDIR}/addons/flux-system.yaml + cat <>${SCRIPTDIR}/addons/flux-system.yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: psp:privileged:flux-system + namespace: flux-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: psp:privileged +subjects: +- kind: Group + name: system:serviceaccounts:flux-system + apiGroup: rbac.authorization.k8s.io +EOF # The name "sync" must be sorted after "flux-system" to ensure - # Flux CRDs are instantiated first + # CRDs are instantiated first cat <<'EOF' >${SCRIPTDIR}/addons/sync.yaml +{{- if .Values.flux.decryptionSecret }} +--- +apiVersion: v1 +type: Opaque +kind: Secret +metadata: + name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg + namespace: flux-system +data: + sops.asc: {{ .Values.flux.decryptionSecret | b64enc }} +{{- end }} --- apiVersion: source.toolkit.fluxcd.io/v1beta1 kind: GitRepository @@ -56,6 +77,12 @@ spec: sourceRef: kind: GitRepository name: {{ .Values.flux.repositoryName }} +{{- if .Values.flux.decryptionSecret }} + decryption: + provider: sops + secretRef: + name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg +{{- end }} EOF cat <${SCRIPTDIR}/templates/flux-addon.yaml {{- if .Values.flux }} 
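Review bot: The `sops.asc` Secret added to sync.yaml carries a private decryption key taken directly from `.Values.flux.decryptionSecret`, so the key travels in plaintext through the Helm values and into every artifact sync.yaml is bundled into; from the following hunk it appears sync.yaml is packed into the `flux-addon` ConfigMap, which would expose the key to anyone who can read ConfigMaps in that namespace rather than only to readers of the flux-system Secret. Either document this in the heredoc with `# NOTE: decryptionSecret is a private key; it is embedded in the rendered chart and the addon ConfigMap` or have the chart reference a pre-created Secret by name instead of inlining the key material. The added `psp:privileged:flux-system` RoleBinding also grants the privileged PSP to the whole `system:serviceaccounts:flux-system` group rather than to the specific controller service accounts; a comment stating why the group-wide binding is required would help the next reader. `build_source_flux` opens here and closes in a later hunk.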
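Review bot: The `secretRef.name` rendered as `{{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg` must be a valid Kubernetes object name, but a branch such as `release/1.0` or one containing uppercase letters renders a name the API server rejects, and the same expression names the Secret in the previous hunk, so both would need identical normalisation, e.g. `{{ .Values.flux.branch | replace "/" "-" | lower }}`. Because the two occurrences must stay byte-identical, a single named template or a precomputed helper value would keep them from drifting apart. The enclosing heredoc and the Kustomization object begin before this hunk.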
@@ -64,7 +91,9 @@ $(kubectl create configmap flux-addon --from-file=${SCRIPTDIR}/addons/flux-syste {{- end }} EOF sed -i -e 's/ name: flux-addon/ name: {{ .Values.clusterName }}-flux-addon/' ${SCRIPTDIR}/templates/flux-addon.yaml +} +function build_source_podsecurity { # PodSecurityPolicy is being replaced in future versions of K8s. # The recommended practice is described by K8s at # - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#recommended-practice 
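Review bot: The new `build_source_podsecurity` has no header comment, and unlike the old monolithic `build_source` it does not create `${SCRIPTDIR}/addons` itself, so invoking it on its own depends on `build_source` having run its `mkdir -p` first. A one-line header such as `# Writes addons/podsecurity.yaml and templates/podsecurity-addon.yaml; expects ${SCRIPTDIR}/addons to exist` would make that precondition visible; the same applies to `build_source_flannel` and `build_source_flux` split off in the earlier hunks. The function body continues past this hunk.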
@@ -209,11 +238,58 @@ EOF $(kubectl create configmap podsecurity-addon --from-file=${SCRIPTDIR}/addons/podsecurity.yaml -o yaml --dry-run=client) EOF sed -i -e 's/ name: podsecurity-addon/ name: {{ .Values.clusterName }}-podsecurity-addon/' ${SCRIPTDIR}/templates/podsecurity-addon.yaml +} + +function build_source_calico { + mkdir -p ${SCRIPTDIR}/addons/calico + curl -sL https://docs.projectcalico.org/archive/${CALICO_VERSION%.*}/manifests/calico.yaml -o ${SCRIPTDIR}/addons/calico/calico.yaml + # Remove trailing whitespace so that kubectl create configmap + # doesn't insert explicit newlines + sed -i -r 's/\s+$//g' ${SCRIPTDIR}/addons/calico/calico.yaml + cat <${SCRIPTDIR}/addons/calico/ip-autodetection-method-patch.yaml +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: calico-node + namespace: kube-system +spec: + template: + spec: + containers: + - name: calico-node + env: + - name: IP_AUTODETECTION_METHOD + value: can-reach=www.google.com +EOF + cat <${SCRIPTDIR}/addons/calico/kustomization.yaml +resources: +- calico.yaml +patches: +- path: ip-autodetection-method-patch.yaml +EOF + kustomize build ${SCRIPTDIR}/addons/calico >${SCRIPTDIR}/addons/calico.yaml + cat <${SCRIPTDIR}/templates/calico-addon.yaml +{{- if eq .Values.cni "calico" }} +--- +$(kubectl create configmap calico-addon --from-file=${SCRIPTDIR}/addons/calico.yaml -o yaml --dry-run=client) +{{- end }} +EOF + sed -i -e 's/ name: calico-addon/ name: {{ .Values.clusterName }}-calico-addon/' ${SCRIPTDIR}/templates/calico-addon.yaml +} +# This may be used to update the in-place addon YAML files from the +# upstream projects +function build_source { + mkdir -p ${SCRIPTDIR}/addons + build_source_calico + build_source_flannel + build_source_flux + build_source_podsecurity } case $1 in "build-source") build_source ;; + "foo") build_source_calico ;; *) cat <