--- /dev/null
+---
+# Source: contiv-vpp/templates/vpp.yaml
+# Contiv-VPP deployment YAML file. This deploys Contiv VPP networking on a Kuberntes cluster.
+# The deployment consists of the following components:
+# - contiv-etcd - deployed on k8s master
+# - contiv-vswitch - deployed on each k8s node
+# - contiv-ksr - deployed on k8s master
+
+###########################################################
+# Configuration
+###########################################################
+
+# This config map contains contiv-agent configuration. The most important part is the ipamConfig,
+# which may be updated in case the default IPAM settings do not match your needs.
+# nodeConfig may be used in case your nodes have more than 1 VPP interface. In that case, one
+# of them needs to be marked as the main inter-node interface, and the rest of them can be
+# configured with any IP addresses (the IPs cannot conflict with the main IPAM config).
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: contiv-agent-cfg
+ namespace: kube-system
+data:
+ contiv.conf: |-
+ useNoOverlay: false
+ useTAPInterfaces: true
+ tapInterfaceVersion: 2
+ tapv2RxRingSize: 256
+ tapv2TxRingSize: 256
+ tcpChecksumOffloadDisabled: true
+ STNVersion: 1
+ natExternalTraffic: true
+ mtuSize: 1450
+ scanIPNeighbors: true
+ ipNeighborScanInterval: 1
+ ipNeighborStaleThreshold: 4
+ enablePacketTrace: false
+ routeServiceCIDRToVPP: false
+ crdNodeConfigurationDisabled: true
+ ipamConfig:
+ nodeInterconnectDHCP: false
+ nodeInterconnectCIDR: 192.168.16.0/24
+ podSubnetCIDR: 10.1.0.0/16
+ podSubnetOneNodePrefixLen: 24
+ vppHostSubnetCIDR: 172.30.0.0/16
+ vppHostSubnetOneNodePrefixLen: 24
+ vxlanCIDR: 192.168.30.0/24
+ controller.conf: |
+ enableRetry: true
+ delayRetry: 1000000000
+ maxRetryAttempts: 3
+ enableExpBackoffRetry: true
+ delayLocalResync: 5000000000
+ startupResyncDeadline: 30000000000
+ enablePeriodicHealing: false
+ periodicHealingInterval: 30000000000
+ delayAfterErrorHealing: 5000000000
+ remoteDBProbingInterval: 3000000000
+ recordEventHistory: true
+ eventHistoryAgeLimit: 1440
+ permanentlyRecordedInitPeriod: 60
+ service.conf: |
+ cleanupIdleNATSessions: true
+ tcpNATSessionTimeout: 180
+ otherNATSessionTimeout: 5
+ serviceLocalEndpointWeight: 1
+ disableNATVirtualReassembly: false
+
+---
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: vpp-agent-cfg
+ namespace: kube-system
+data:
+ govpp.conf: |
+ health-check-probe-interval: 3000000000
+ health-check-reply-timeout: 500000000
+ health-check-threshold: 3
+ reply-timeout: 3000000000
+ logs.conf: |
+ default-level: debug
+ loggers:
+ - name: statscollector
+ level: info
+ - name: vpp.if-state
+ level: info
+ - name: linux.arp-conf
+ level: info
+ - name: vpp-rest
+ level: info
+ grpc.conf: |
+ network: unix
+ endpoint: /var/run/contiv/cni.sock
+ force-socket-removal: true
+ permission: 700
+ http.conf: |
+ endpoint: "0.0.0.0:9999"
+ bolt.conf: |
+ db-path: /var/bolt/bolt.db
+ file-mode: 432
+ lock-timeout: 0
+ telemetry.conf: |
+ polling-interval: 30000000000
+ disabled: true
+ linux-ifplugin.conf: |
+ dump-go-routines-count: 5
+ linux-l3plugin.conf: |
+ dump-go-routines-count: 5
+ kvscheduler.conf: |
+ record-transaction-history: true
+ transaction-history-age-limit: 1440
+ permanently-recorded-init-period: 60
+
+---
+
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: contiv-cni-cfg
+ namespace: kube-system
+data:
+ # The CNI network configuration to install on each node. The special
+ # values in this config will be automatically populated.
+ 10-contiv-vpp.conflist: |-
+ {
+ "name": "k8s-pod-network",
+ "cniVersion": "0.3.1",
+ "plugins": [
+ {
+ "type": "contiv-cni",
+ "grpcServer": "/var/run/contiv/cni.sock",
+ "logFile": "/var/run/contiv/cni.log"
+ },
+ {
+ "type": "portmap",
+ "capabilities": {
+ "portMappings": true
+ },
+ "externalSetMarkChain": "KUBE-MARK-MASQ"
+ }
+ ]
+ }
+---
+
+###########################################################
+#
+# !!! DO NOT EDIT THINGS BELOW THIS LINE !!!
+#
+###########################################################
+
+
+###########################################################
+# Components and other resources
+###########################################################
+
+# This installs the contiv-etcd (ETCD server to be used by Contiv) on the master node in a Kubernetes cluster.
+# In odrer to dump the content of ETCD, you can use the kubectl exec command similar to this:
+# kubectl exec contiv-etcd-cxqhr -n kube-system etcdctl -- get --endpoints=[127.0.0.1:12379] --prefix="true" ""
+apiVersion: apps/v1beta2
+kind: DaemonSet
+metadata:
+ name: contiv-etcd-amd64
+ namespace: kube-system
+ labels:
+ k8s-app: contiv-etcd
+spec:
+ selector:
+ matchLabels:
+ k8s-app: contiv-etcd
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ k8s-app: contiv-etcd
+ annotations:
+ # Marks this pod as a critical add-on.
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+ tolerations:
+ # We need this to schedule on the master no matter what else is going on, so tolerate everything.
+ - key: ''
+ operator: Exists
+ effect: ''
+ # This likely isn't needed due to the above wildcard, but keep it in for now.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ # Only run this pod on the master.
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ beta.kubernetes.io/arch: amd64
+ hostNetwork: true
+
+ containers:
+ - name: contiv-etcd
+ image: quay.io/coreos/etcd:v3.3.11
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: CONTIV_ETCD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: ETCDCTL_API
+ value: "3"
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - /usr/local/bin/etcd --name=contiv-etcd --data-dir=/var/etcd/contiv-data
+ --advertise-client-urls=http://0.0.0.0:12379 --listen-client-urls=http://0.0.0.0:12379
+ --listen-peer-urls=http://0.0.0.0:12380
+ volumeMounts:
+ - name: var-etcd
+ mountPath: /var/etcd/
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - |
+ echo "$HOST_IP" | grep -q ':'
+ if [ "$?" -eq "0" ];
+ then
+ HOST_IP="[$HOST_IP]"
+ fi
+ etcdctl get --endpoints=$HOST_IP:32379 /
+ periodSeconds: 3
+ initialDelaySeconds: 20
+ resources:
+ requests:
+ cpu: 100m
+ volumes:
+ - name: var-etcd
+ hostPath:
+ path: /var/etcd
+
+---
+# This installs the contiv-etcd (ETCD server to be used by Contiv) on the master node in a Kubernetes cluster.
+# In odrer to dump the content of ETCD, you can use the kubectl exec command similar to this:
+# kubectl exec contiv-etcd-cxqhr -n kube-system etcdctl -- get --endpoints=[127.0.0.1:12379] --prefix="true" ""
+apiVersion: apps/v1beta2
+kind: DaemonSet
+metadata:
+ name: contiv-etcd-arm64
+ namespace: kube-system
+ labels:
+ k8s-app: contiv-etcd
+spec:
+ selector:
+ matchLabels:
+ k8s-app: contiv-etcd
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ k8s-app: contiv-etcd
+ annotations:
+ # Marks this pod as a critical add-on.
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+ tolerations:
+ # We need this to schedule on the master no matter what else is going on, so tolerate everything.
+ - key: ''
+ operator: Exists
+ effect: ''
+ # This likely isn't needed due to the above wildcard, but keep it in for now.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ # Only run this pod on the master.
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ beta.kubernetes.io/arch: arm64
+ hostNetwork: true
+
+ containers:
+ - name: contiv-etcd
+ image: quay.io/coreos/etcd:v3.3.11-arm64
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: CONTIV_ETCD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: ETCDCTL_API
+ value: "3"
+ - name: ETCD_UNSUPPORTED_ARCH
+ value: "arm64"
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - /usr/local/bin/etcd --name=contiv-etcd --data-dir=/var/etcd/contiv-data
+ --advertise-client-urls=http://0.0.0.0:12379 --listen-client-urls=http://0.0.0.0:12379
+ --listen-peer-urls=http://0.0.0.0:12380
+ volumeMounts:
+ - name: var-etcd
+ mountPath: /var/etcd/
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - |
+ echo "$HOST_IP" | grep -q ':'
+ if [ "$?" -eq "0" ];
+ then
+ HOST_IP="[$HOST_IP]"
+ fi
+ etcdctl get --endpoints=$HOST_IP:32379 /
+ periodSeconds: 3
+ initialDelaySeconds: 20
+ resources:
+ requests:
+ cpu: 100m
+ volumes:
+ - name: var-etcd
+ hostPath:
+ path: /var/etcd
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: contiv-etcd
+ namespace: kube-system
+spec:
+ type: NodePort
+ # Match contiv-etcd DaemonSet.
+ selector:
+ k8s-app: contiv-etcd
+ ports:
+ - port: 12379
+ nodePort: 32379
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: contiv-ksr-http-cfg
+ namespace: kube-system
+data:
+ http.conf: |
+ endpoint: "0.0.0.0:9191"
+
+---
+# This config map contains ETCD configuration for connecting to the contiv-etcd defined above.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: contiv-etcd-cfg
+ namespace: kube-system
+data:
+ etcd.conf: |
+ insecure-transport: true
+ dial-timeout: 10000000000
+ allow-delayed-start: true
+ endpoints:
+ - "__HOST_IP__:32379"
+
+---
+
+# This config map contains ETCD configuration for connecting to the contiv-etcd defined above with auto compact.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: contiv-etcd-withcompact-cfg
+ namespace: kube-system
+data:
+ etcd.conf: |
+ insecure-transport: true
+ dial-timeout: 10000000000
+ auto-compact: 600000000000
+ allow-delayed-start: true
+ reconnect-interval: 2000000000
+ endpoints:
+ - "__HOST_IP__:32379"
+
+---
+
+# This installs contiv-vswitch on each master and worker node in a Kubernetes cluster.
+# It consists of the following containers:
+# - contiv-vswitch container: contains VPP and its management agent
+# - contiv-cni container: installs CNI on the host
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: contiv-vswitch-amd64
+ namespace: kube-system
+ labels:
+ k8s-app: contiv-vswitch
+spec:
+ selector:
+ matchLabels:
+ k8s-app: contiv-vswitch
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ k8s-app: contiv-vswitch
+ annotations:
+ # Marks this pod as a critical add-on.
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+ tolerations:
+ # We need this to schedule on the master no matter what else is going on, so tolerate everything.
+ - key: ''
+ operator: Exists
+ effect: ''
+ # This likely isn't needed due to the above wildcard, but keep it in for now.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ nodeSelector:
+ beta.kubernetes.io/arch: amd64
+ hostNetwork: true
+ hostPID: true
+
+ # Init containers are executed before regular containers, must finish successfully before regular ones
+ # are started.
+ initContainers:
+ # This container installs the Contiv CNI binaries and CNI network config file on each node.
+ - name: contiv-cni
+ image: iecedge/cni:v3.2.1
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: SLEEP
+ value: "false"
+ volumeMounts:
+ - mountPath: /opt/cni/bin
+ name: cni-bin-dir
+ - mountPath: /etc/cni/net.d
+ name: cni-net-dir
+ - mountPath: /cni/cfg
+ name: contiv-cni-cfg
+ - mountPath: /var/run/contiv
+ name: contiv-run
+
+ # This init container extracts/copies default VPP config to the host and initializes VPP core dumps.
+ - name: vpp-init
+ image: iecedge/vswitch:v3.2.1
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - |
+ set -eu
+ chmod 700 /run/vpp
+ rm -rf /dev/shm/db /dev/shm/global_vm /dev/shm/vpe-api
+ if [ ! -e /host/etc/vpp/contiv-vswitch.conf ]; then
+ cp /etc/vpp/contiv-vswitch.conf /host/etc/vpp/
+ fi
+ if [ ! -d /var/run/contiv ]; then
+ mkdir /var/run/contiv
+ fi
+ chmod 700 /var/run/contiv
+ rm -f /var/run/contiv/cni.sock
+ if ip link show vpp1 >/dev/null 2>&1; then
+ ip link del vpp1
+ fi
+ cp -f /usr/local/bin/vppctl /host/usr/local/bin/vppctl
+ sysctl -w debug.exception-trace=1
+ sysctl -w kernel.core_pattern="/var/contiv/dumps/%e-%t"
+ ulimit -c unlimited
+ echo 2 > /proc/sys/fs/suid_dumpable
+ # replace localhost IP by node IP since node port doesn't work
+ # on localhost IP in a certain scenario
+ cp /etc/etcd/etcd.conf /tmp/etcd.conf
+ set +e
+ echo "$HOST_IP" | grep -q ':'
+ if [ "$?" -eq "0" ];
+ then
+ HOST_IP="[$HOST_IP]"
+ fi
+ sed -i "s/__HOST_IP__/$HOST_IP/g" /tmp/etcd.conf
+ resources: {}
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: usr-local-bin
+ mountPath: /host/usr/local/bin
+ - name: vpp-cfg
+ mountPath: /host/etc/vpp
+ - name: shm
+ mountPath: /dev/shm
+ - name: vpp-run
+ mountPath: /run/vpp
+ - name: contiv-run
+ mountPath: /var/run/contiv
+ - name: tmp
+ mountPath: /tmp
+ - name: etcd-cfg
+ mountPath: /etc/etcd
+ - name: core-dumps
+ mountPath: /var/contiv/dumps
+
+ containers:
+ # Runs contiv-vswitch container on each Kubernetes node.
+ # It contains the vSwitch VPP and its management agent.
+ - name: contiv-vswitch
+ image: iecedge/vswitch:v3.2.1
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ privileged: true
+ ports:
+ # readiness + liveness probe
+ - containerPort: 9999
+ readinessProbe:
+ httpGet:
+ path: /readiness
+ port: 9999
+ periodSeconds: 3
+ timeoutSeconds: 2
+ failureThreshold: 3
+ initialDelaySeconds: 15
+ livenessProbe:
+ httpGet:
+ path: /liveness
+ port: 9999
+ periodSeconds: 3
+ timeoutSeconds: 2
+ failureThreshold: 3
+ initialDelaySeconds: 60
+ env:
+ - name: MICROSERVICE_LABEL
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: GOVPPMUX_NOSOCK
+ value: "1"
+ - name: CONTIV_CONFIG
+ value: "/etc/contiv/contiv.conf"
+ - name: CONTROLLER_CONFIG
+ value: "/etc/contiv/controller.conf"
+ - name: SERVICE_CONFIG
+ value: "/etc/contiv/service.conf"
+ - name: ETCD_CONFIG
+ value: "/tmp/etcd.conf"
+ - name: BOLT_CONFIG
+ value: "/etc/vpp-agent/bolt.conf"
+ # Uncomment to log graph traversal (very verbose):
+ # - name: KVSCHED_LOG_GRAPH_WALK
+ # value: "true"
+ # Uncomment to verify effect of every transaction:
+ # - name: KVSCHED_VERIFY_MODE
+ # value: "true"
+ - name: TELEMETRY_CONFIG
+ value: "/etc/vpp-agent/telemetry.conf"
+ - name: GOVPP_CONFIG
+ value: "/etc/vpp-agent/govpp.conf"
+ - name: LOGS_CONFIG
+ value: "/etc/vpp-agent/logs.conf"
+ - name: HTTP_CONFIG
+ value: "/etc/vpp-agent/http.conf"
+ - name: GRPC_CONFIG
+ value: "/etc/vpp-agent/grpc.conf"
+ - name: LINUX_IFPLUGIN_CONFIG
+ value: "/etc/vpp-agent/linux-ifplugin.conf"
+ - name: LINUX_L3PLUGIN_CONFIG
+ value: "/etc/vpp-agent/linux-l3plugin.conf"
+ - name: KVSCHEDULER_CONFIG
+ value: "/etc/vpp-agent/kvscheduler.conf"
+ volumeMounts:
+ - name: var-bolt
+ mountPath: /var/bolt
+ - name: etcd-cfg
+ mountPath: /etc/etcd
+ - name: vpp-cfg
+ mountPath: /etc/vpp
+ - name: shm
+ mountPath: /dev/shm
+ - name: dev
+ mountPath: /dev
+ - name: sys-bus-pci
+ mountPath: /sys/bus/pci
+ - name: vpp-run
+ mountPath: /run/vpp
+ - name: contiv-run
+ mountPath: /var/run/contiv
+ - name: contiv-agent-cfg
+ mountPath: /etc/contiv
+ - name: vpp-agent-cfg
+ mountPath: /etc/vpp-agent
+ - name: tmp
+ mountPath: /tmp
+ - name: core-dumps
+ mountPath: /var/contiv/dumps
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+ resources:
+ requests:
+ cpu: 250m
+
+ volumes:
+ # Used to connect to contiv-etcd.
+ - name: etcd-cfg
+ configMap:
+ name: contiv-etcd-cfg
+ # Used to install CNI.
+ - name: cni-bin-dir
+ hostPath:
+ path: /opt/cni/bin
+ - name: cni-net-dir
+ hostPath:
+ path: /etc/cni/net.d
+ # VPP startup config folder.
+ - name: vpp-cfg
+ hostPath:
+ path: /etc/vpp
+ # To install vppctl.
+ - name: usr-local-bin
+ hostPath:
+ path: /usr/local/bin
+ # /dev mount is required for DPDK-managed NICs on VPP (/dev/uio0) and for shared memory communication
+ # with VPP (/dev/shm)
+ - name: dev
+ hostPath:
+ path: /dev
+ - name: shm
+ hostPath:
+ path: /dev/shm
+ # /sys/bus/pci is required for binding PCI devices to specific drivers
+ - name: sys-bus-pci
+ hostPath:
+ path: /sys/bus/pci
+ # For CLI unix socket.
+ - name: vpp-run
+ hostPath:
+ path: /run/vpp
+ # For CNI / STN unix domain socket
+ - name: contiv-run
+ hostPath:
+ path: /var/run/contiv
+ # Used to configure contiv agent.
+ - name: contiv-agent-cfg
+ configMap:
+ name: contiv-agent-cfg
+ # Used to configure vpp agent.
+ - name: vpp-agent-cfg
+ configMap:
+ name: vpp-agent-cfg
+ # Used for vswitch core dumps
+ - name: core-dumps
+ hostPath:
+ path: /var/contiv/dumps
+ # /tmp in the vswitch container (needs to be persistent between container restarts to obtain post-mortem files)
+ - name: tmp
+ emptyDir:
+ medium: Memory
+ # persisted bolt data
+ - name: var-bolt
+ hostPath:
+ path: /var/bolt
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+ # CNI config
+ - name: contiv-cni-cfg
+ configMap:
+ name: contiv-cni-cfg
+
+---
+# This installs contiv-vswitch on each master and worker node in a Kubernetes cluster.
+# It consists of the following containers:
+# - contiv-vswitch container: contains VPP and its management agent
+# - contiv-cni container: installs CNI on the host
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: contiv-vswitch-arm64
+ namespace: kube-system
+ labels:
+ k8s-app: contiv-vswitch
+spec:
+ selector:
+ matchLabels:
+ k8s-app: contiv-vswitch
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ k8s-app: contiv-vswitch
+ annotations:
+ # Marks this pod as a critical add-on.
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+ tolerations:
+ # We need this to schedule on the master no matter what else is going on, so tolerate everything.
+ - key: ''
+ operator: Exists
+ effect: ''
+ # This likely isn't needed due to the above wildcard, but keep it in for now.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ nodeSelector:
+ beta.kubernetes.io/arch: arm64
+ hostNetwork: true
+ hostPID: true
+
+ # Init containers are executed before regular containers, must finish successfully before regular ones
+ # are started.
+ initContainers:
+ # This container installs the Contiv CNI binaries and CNI network config file on each node.
+ - name: contiv-cni
+ image: iecedge/cni-arm64:v3.2.1
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: SLEEP
+ value: "false"
+ volumeMounts:
+ - mountPath: /opt/cni/bin
+ name: cni-bin-dir
+ - mountPath: /etc/cni/net.d
+ name: cni-net-dir
+ - mountPath: /cni/cfg
+ name: contiv-cni-cfg
+ - mountPath: /var/run/contiv
+ name: contiv-run
+
+ # This init container extracts/copies default VPP config to the host and initializes VPP core dumps.
+ - name: vpp-init
+ image: iecedge/vswitch-arm64:v3.2.1
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - |
+ set -eu
+ chmod 700 /run/vpp
+ rm -rf /dev/shm/db /dev/shm/global_vm /dev/shm/vpe-api
+ if [ ! -e /host/etc/vpp/contiv-vswitch.conf ]; then
+ cp /etc/vpp/contiv-vswitch.conf /host/etc/vpp/
+ fi
+ if [ ! -d /var/run/contiv ]; then
+ mkdir /var/run/contiv
+ fi
+ chmod 700 /var/run/contiv
+ rm -f /var/run/contiv/cni.sock
+ if ip link show vpp1 >/dev/null 2>&1; then
+ ip link del vpp1
+ fi
+ cp -f /usr/local/bin/vppctl /host/usr/local/bin/vppctl
+ sysctl -w debug.exception-trace=1
+ sysctl -w kernel.core_pattern="/var/contiv/dumps/%e-%t"
+ ulimit -c unlimited
+ echo 2 > /proc/sys/fs/suid_dumpable
+ # replace localhost IP by node IP since node port doesn't work
+ # on localhost IP in a certain scenario
+ cp /etc/etcd/etcd.conf /tmp/etcd.conf
+ set +e
+ echo "$HOST_IP" | grep -q ':'
+ if [ "$?" -eq "0" ];
+ then
+ HOST_IP="[$HOST_IP]"
+ fi
+ sed -i "s/__HOST_IP__/$HOST_IP/g" /tmp/etcd.conf
+ resources: {}
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: usr-local-bin
+ mountPath: /host/usr/local/bin
+ - name: vpp-cfg
+ mountPath: /host/etc/vpp
+ - name: shm
+ mountPath: /dev/shm
+ - name: vpp-run
+ mountPath: /run/vpp
+ - name: contiv-run
+ mountPath: /var/run/contiv
+ - name: tmp
+ mountPath: /tmp
+ - name: etcd-cfg
+ mountPath: /etc/etcd
+ - name: core-dumps
+ mountPath: /var/contiv/dumps
+
+ containers:
+ # Runs contiv-vswitch container on each Kubernetes node.
+ # It contains the vSwitch VPP and its management agent.
+ - name: contiv-vswitch
+ image: iecedge/vswitch-arm64:v3.2.1
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ privileged: true
+ ports:
+ # readiness + liveness probe
+ - containerPort: 9999
+ readinessProbe:
+ httpGet:
+ path: /readiness
+ port: 9999
+ periodSeconds: 3
+ timeoutSeconds: 2
+ failureThreshold: 3
+ initialDelaySeconds: 15
+ livenessProbe:
+ httpGet:
+ path: /liveness
+ port: 9999
+ periodSeconds: 3
+ timeoutSeconds: 2
+ failureThreshold: 3
+ initialDelaySeconds: 60
+ env:
+ - name: MICROSERVICE_LABEL
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: GOVPPMUX_NOSOCK
+ value: "1"
+ - name: CONTIV_CONFIG
+ value: "/etc/contiv/contiv.conf"
+ - name: CONTROLLER_CONFIG
+ value: "/etc/contiv/controller.conf"
+ - name: SERVICE_CONFIG
+ value: "/etc/contiv/service.conf"
+ - name: ETCD_CONFIG
+ value: "/tmp/etcd.conf"
+ - name: BOLT_CONFIG
+ value: "/etc/vpp-agent/bolt.conf"
+ # Uncomment to log graph traversal (very verbose):
+ # - name: KVSCHED_LOG_GRAPH_WALK
+ # value: "true"
+ # Uncomment to verify effect of every transaction:
+ # - name: KVSCHED_VERIFY_MODE
+ # value: "true"
+ - name: TELEMETRY_CONFIG
+ value: "/etc/vpp-agent/telemetry.conf"
+ - name: GOVPP_CONFIG
+ value: "/etc/vpp-agent/govpp.conf"
+ - name: LOGS_CONFIG
+ value: "/etc/vpp-agent/logs.conf"
+ - name: HTTP_CONFIG
+ value: "/etc/vpp-agent/http.conf"
+ - name: GRPC_CONFIG
+ value: "/etc/vpp-agent/grpc.conf"
+ - name: LINUX_IFPLUGIN_CONFIG
+ value: "/etc/vpp-agent/linux-ifplugin.conf"
+ - name: LINUX_L3PLUGIN_CONFIG
+ value: "/etc/vpp-agent/linux-l3plugin.conf"
+ - name: KVSCHEDULER_CONFIG
+ value: "/etc/vpp-agent/kvscheduler.conf"
+ volumeMounts:
+ - name: var-bolt
+ mountPath: /var/bolt
+ - name: etcd-cfg
+ mountPath: /etc/etcd
+ - name: vpp-cfg
+ mountPath: /etc/vpp
+ - name: shm
+ mountPath: /dev/shm
+ - name: dev
+ mountPath: /dev
+ - name: sys-bus-pci
+ mountPath: /sys/bus/pci
+ - name: vpp-run
+ mountPath: /run/vpp
+ - name: contiv-run
+ mountPath: /var/run/contiv
+ - name: contiv-agent-cfg
+ mountPath: /etc/contiv
+ - name: vpp-agent-cfg
+ mountPath: /etc/vpp-agent
+ - name: tmp
+ mountPath: /tmp
+ - name: core-dumps
+ mountPath: /var/contiv/dumps
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+ resources:
+ requests:
+ cpu: 250m
+
+ volumes:
+ # Used to connect to contiv-etcd.
+ - name: etcd-cfg
+ configMap:
+ name: contiv-etcd-cfg
+ # Used to install CNI.
+ - name: cni-bin-dir
+ hostPath:
+ path: /opt/cni/bin
+ - name: cni-net-dir
+ hostPath:
+ path: /etc/cni/net.d
+ # VPP startup config folder.
+ - name: vpp-cfg
+ hostPath:
+ path: /etc/vpp
+ # To install vppctl.
+ - name: usr-local-bin
+ hostPath:
+ path: /usr/local/bin
+ # /dev mount is required for DPDK-managed NICs on VPP (/dev/uio0) and for shared memory communication with
+ # VPP (/dev/shm)
+ - name: dev
+ hostPath:
+ path: /dev
+ - name: shm
+ hostPath:
+ path: /dev/shm
+ # /sys/bus/pci is required for binding PCI devices to specific drivers
+ - name: sys-bus-pci
+ hostPath:
+ path: /sys/bus/pci
+ # For CLI unix socket.
+ - name: vpp-run
+ hostPath:
+ path: /run/vpp
+ # For CNI / STN unix domain socket
+ - name: contiv-run
+ hostPath:
+ path: /var/run/contiv
+ # Used to configure contiv agent.
+ - name: contiv-agent-cfg
+ configMap:
+ name: contiv-agent-cfg
+ # Used to configure vpp agent.
+ - name: vpp-agent-cfg
+ configMap:
+ name: vpp-agent-cfg
+ # Used for vswitch core dumps
+ - name: core-dumps
+ hostPath:
+ path: /var/contiv/dumps
+ # /tmp in the vswitch container (needs to be persistent between container restarts to obtain post-mortem files)
+ - name: tmp
+ emptyDir:
+ medium: Memory
+ # persisted bolt data
+ - name: var-bolt
+ hostPath:
+ path: /var/bolt
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+ # CNI config
+ - name: contiv-cni-cfg
+ configMap:
+ name: contiv-cni-cfg
+
+---
+# This installs the contiv-ksr (Kubernetes State Reflector) on the master node in a Kubernetes cluster.
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: contiv-ksr-amd64
+ namespace: kube-system
+ labels:
+ k8s-app: contiv-ksr
+spec:
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ k8s-app: contiv-ksr
+ annotations:
+ # Marks this pod as a critical add-on.
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+ tolerations:
+ # We need this to schedule on the master no matter what else is going on, so tolerate everything.
+ - key: ''
+ operator: Exists
+ effect: ''
+ # This likely isn't needed due to the above wildcard, but keep it in for now.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ # Only run this pod on the master.
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ beta.kubernetes.io/arch: amd64
+ hostNetwork: true
+ # This grants the required permissions to contiv-ksr.
+ serviceAccountName: contiv-ksr
+
+ initContainers:
+ # This init container waits until etcd is started
+ - name: wait-foretcd
+ env:
+ - name: ETCDPORT
+ value: "32379"
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ image: busybox:1.29.3
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - |
+ cp /etc/etcd/etcd.conf /tmp/cfg/etcd.conf
+ echo "$HOST_IP" | grep -q ':'
+ if [ "$?" -eq "0" ];
+ then
+ HOST_IP="[$HOST_IP]"
+ fi
+ sed -i "s/__HOST_IP__/$HOST_IP/g" /tmp/cfg/etcd.conf
+ until nc -w 2 $HOST_IP:$ETCDPORT; do echo waiting for etcd; sleep 2; done;
+ volumeMounts:
+ - name: tmp-cfg
+ mountPath: /tmp/cfg
+ - name: etcd-cfg
+ mountPath: /etc/etcd
+
+
+ containers:
+ - name: contiv-ksr
+ image: iecedge/ksr:v3.2.1
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: ETCD_CONFIG
+ value: "/tmp/cfg/etcd.conf"
+ - name: HTTP_CONFIG
+ value: "/etc/http/http.conf"
+ volumeMounts:
+ - name: tmp-cfg
+ mountPath: /tmp/cfg
+ - name: http-cfg
+ mountPath: /etc/http
+ readinessProbe:
+ httpGet:
+ path: /readiness
+ port: 9191
+ periodSeconds: 3
+ timeoutSeconds: 2
+ failureThreshold: 3
+ initialDelaySeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /liveness
+ port: 9191
+ periodSeconds: 3
+ timeoutSeconds: 2
+ failureThreshold: 3
+ initialDelaySeconds: 30
+ resources:
+ requests:
+ cpu: 100m
+ volumes:
+ # Used to connect to contiv-etcd.
+ - name: etcd-cfg
+ configMap:
+ name: contiv-etcd-withcompact-cfg
+ - name: tmp-cfg
+ emptyDir: {}
+ - name: http-cfg
+ configMap:
+ name: contiv-ksr-http-cfg
+
+---
+# This installs the contiv-ksr (Kubernetes State Reflector) on the master node in a Kubernetes cluster.
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: contiv-ksr-arm64
+ namespace: kube-system
+ labels:
+ k8s-app: contiv-ksr
+spec:
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ k8s-app: contiv-ksr
+ annotations:
+ # Marks this pod as a critical add-on.
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+ tolerations:
+ # We need this to schedule on the master no matter what else is going on, so tolerate everything.
+ - key: ''
+ operator: Exists
+ effect: ''
+ # This likely isn't needed due to the above wildcard, but keep it in for now.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ # Only run this pod on the master.
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ beta.kubernetes.io/arch: arm64
+ hostNetwork: true
+ # This grants the required permissions to contiv-ksr.
+ serviceAccountName: contiv-ksr
+
+ initContainers:
+ # This init container waits until etcd is started
+ - name: wait-foretcd
+ env:
+ - name: ETCDPORT
+ value: "32379"
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ image: arm64v8/busybox:1.29.3
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - |
+ cp /etc/etcd/etcd.conf /tmp/cfg/etcd.conf
+ echo "$HOST_IP" | grep -q ':'
+ if [ "$?" -eq "0" ];
+ then
+ HOST_IP="[$HOST_IP]"
+ fi
+ sed -i "s/__HOST_IP__/$HOST_IP/g" /tmp/cfg/etcd.conf
+ until nc -w 2 $HOST_IP:$ETCDPORT; do echo waiting for etcd; sleep 2; done;
+ volumeMounts:
+ - name: tmp-cfg
+ mountPath: /tmp/cfg
+ - name: etcd-cfg
+ mountPath: /etc/etcd
+
+
+ containers:
+ - name: contiv-ksr
+ image: iecedge/ksr-arm64:v3.2.1
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: ETCD_CONFIG
+ value: "/tmp/cfg/etcd.conf"
+ - name: HTTP_CONFIG
+ value: "/etc/http/http.conf"
+ volumeMounts:
+ - name: tmp-cfg
+ mountPath: /tmp/cfg
+ - name: http-cfg
+ mountPath: /etc/http
+ readinessProbe:
+ httpGet:
+ path: /readiness
+ port: 9191
+ periodSeconds: 3
+ timeoutSeconds: 2
+ failureThreshold: 3
+ initialDelaySeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /liveness
+ port: 9191
+ periodSeconds: 3
+ timeoutSeconds: 2
+ failureThreshold: 3
+ initialDelaySeconds: 30
+ resources:
+ requests:
+ cpu: 100m
+ volumes:
+ # Used to connect to contiv-etcd.
+ - name: etcd-cfg
+ configMap:
+ name: contiv-etcd-withcompact-cfg
+ - name: tmp-cfg
+ emptyDir: {}
+ - name: http-cfg
+ configMap:
+ name: contiv-ksr-http-cfg
+
+---
+
+# This cluster role defines a set of permissions required for contiv-ksr.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: contiv-ksr
+ namespace: kube-system
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ resources:
+ - pods
+ - namespaces
+ - networkpolicies
+ - services
+ - endpoints
+ - nodes
+ verbs:
+ - watch
+ - list
+
+---
+
+# This defines a service account for contiv-ksr.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: contiv-ksr
+ namespace: kube-system
+
+---
+
+# This binds the contiv-ksr cluster role with contiv-ksr service account.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: contiv-ksr
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: contiv-ksr
+subjects:
+ - kind: ServiceAccount
+ name: contiv-ksr
+ namespace: kube-system
+
+---
+
+# This installs the contiv-crd on the master node in a Kubernetes cluster.
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: contiv-crd-amd64
+ namespace: kube-system
+ labels:
+ k8s-app: contiv-crd
+spec:
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ k8s-app: contiv-crd
+ annotations:
+ # Marks this pod as a critical add-on.
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+ tolerations:
+ # We need this to schedule on the master no matter what else is going on, so tolerate everything.
+ - key: ''
+ operator: Exists
+ effect: ''
+ # This likely isn't needed due to the above wildcard, but keep it in for now.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ # Only run this pod on the master.
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ beta.kubernetes.io/arch: amd64
+ hostNetwork: true
+ # This grants the required permissions to contiv-crd.
+ serviceAccountName: contiv-crd
+
+ initContainers:
+ # This init container waits until etcd is started
+ - name: wait-foretcd
+ env:
+ - name: ETCDPORT
+ value: "32379"
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ image: busybox:1.29.3
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - |
+ cp /etc/etcd/etcd.conf /tmp/cfg/etcd.conf
+ echo "$HOST_IP" | grep -q ':'
+ if [ "$?" -eq "0" ];
+ then
+ HOST_IP="[$HOST_IP]"
+ fi
+ sed -i "s/__HOST_IP__/$HOST_IP/g" /tmp/cfg/etcd.conf
+ until nc -w 2 $HOST_IP:$ETCDPORT; do echo waiting for etcd; sleep 2; done;
+ volumeMounts:
+ - name: tmp-cfg
+ mountPath: /tmp/cfg
+ - name: etcd-cfg
+ mountPath: /etc/etcd
+
+ # This init container copies contiv-netctl tool to the host.
+ - name: netctl-init
+ image: iecedge/crd:v3.2.1
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - |
+ echo '#!/bin/sh
+ kubectl get pods -n kube-system | \
+ grep contiv-crd | \
+ cut -d " " -f 1 | \
+ xargs -I{} kubectl exec -n kube-system {} \
+ /contiv-netctl "$@"' \
+ > /host/usr/local/bin/contiv-netctl || true
+ chmod +x /host/usr/local/bin/contiv-netctl || true
+ volumeMounts:
+ - name: usr-local-bin
+ mountPath: /host/usr/local/bin
+
+ containers:
+ - name: contiv-crd
+ image: iecedge/crd:v3.2.1
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: ETCD_CONFIG
+ value: "/tmp/cfg/etcd.conf"
+ - name: HTTP_CONFIG
+ value: "/etc/http/http.conf"
+ - name: HTTP_CLIENT_CONFIG
+ value: "/etc/http/http.client.conf"
+ - name: CONTIV_CRD_VALIDATE_INTERVAL
+ value: "5"
+ - name: CONTIV_CRD_VALIDATE_STATE
+ value: "SB"
+ - name: DISABLE_NETCTL_REST
+ value: "true"
+ volumeMounts:
+ - name: tmp-cfg
+ mountPath: /tmp/cfg
+ - name: http-cfg
+ mountPath: /etc/http
+ readinessProbe:
+ httpGet:
+ path: /readiness
+ port: 9090
+ periodSeconds: 3
+ timeoutSeconds: 2
+ failureThreshold: 3
+ initialDelaySeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /liveness
+ port: 9090
+ periodSeconds: 3
+ timeoutSeconds: 2
+ failureThreshold: 3
+ initialDelaySeconds: 30
+ resources:
+ requests:
+ cpu: 100m
+
+ volumes:
+ # Used to connect to contiv-etcd.
+ - name: etcd-cfg
+ configMap:
+ name: contiv-etcd-cfg
+ - name: usr-local-bin
+ hostPath:
+ path: /usr/local/bin
+ - name: http-cfg
+ configMap:
+ name: contiv-crd-http-cfg
+ - name: tmp-cfg
+ emptyDir: {}
+---
+# This installs the contiv-crd on the master node in a Kubernetes cluster.
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: contiv-crd-arm64
+ namespace: kube-system
+ labels:
+ k8s-app: contiv-crd
+spec:
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ k8s-app: contiv-crd
+ annotations:
+ # Marks this pod as a critical add-on.
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+ tolerations:
+ # We need this to schedule on the master no matter what else is going on, so tolerate everything.
+ - key: ''
+ operator: Exists
+ effect: ''
+ # This likely isn't needed due to the above wildcard, but keep it in for now.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ # Only run this pod on the master.
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ beta.kubernetes.io/arch: arm64
+ hostNetwork: true
+ # This grants the required permissions to contiv-crd.
+ serviceAccountName: contiv-crd
+
+ initContainers:
+ # This init container waits until etcd is started
+ - name: wait-foretcd
+ env:
+ - name: ETCDPORT
+ value: "32379"
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ image: arm64v8/busybox:1.29.3
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - |
+ cp /etc/etcd/etcd.conf /tmp/cfg/etcd.conf
+ echo "$HOST_IP" | grep -q ':'
+ if [ "$?" -eq "0" ];
+ then
+ HOST_IP="[$HOST_IP]"
+ fi
+ sed -i "s/__HOST_IP__/$HOST_IP/g" /tmp/cfg/etcd.conf
+ until nc -w 2 $HOST_IP:$ETCDPORT; do echo waiting for etcd; sleep 2; done;
+ volumeMounts:
+ - name: tmp-cfg
+ mountPath: /tmp/cfg
+ - name: etcd-cfg
+ mountPath: /etc/etcd
+
+ # This init container copies contiv-netctl tool to the host.
+ - name: netctl-init
+ image: iecedge/crd-arm64:v3.2.1
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - |
+ echo '#!/bin/sh
+ kubectl get pods -n kube-system | \
+ grep contiv-crd | \
+ cut -d " " -f 1 | \
+ xargs -I{} kubectl exec -n kube-system {} \
+ /contiv-netctl "$@"' \
+ > /host/usr/local/bin/contiv-netctl || true
+ chmod +x /host/usr/local/bin/contiv-netctl || true
+ volumeMounts:
+ - name: usr-local-bin
+ mountPath: /host/usr/local/bin
+
+ containers:
+ - name: contiv-crd
+ image: iecedge/crd-arm64:v3.2.1
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: ETCD_CONFIG
+ value: "/tmp/cfg/etcd.conf"
+ - name: HTTP_CONFIG
+ value: "/etc/http/http.conf"
+ - name: HTTP_CLIENT_CONFIG
+ value: "/etc/http/http.client.conf"
+ - name: CONTIV_CRD_VALIDATE_INTERVAL
+ value: "5"
+ - name: CONTIV_CRD_VALIDATE_STATE
+ value: "SB"
+ - name: DISABLE_NETCTL_REST
+ value: "true"
+ volumeMounts:
+ - name: tmp-cfg
+ mountPath: /tmp/cfg
+ - name: http-cfg
+ mountPath: /etc/http
+ readinessProbe:
+ httpGet:
+ path: /readiness
+ port: 9090
+ periodSeconds: 3
+ timeoutSeconds: 2
+ failureThreshold: 3
+ initialDelaySeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /liveness
+ port: 9090
+ periodSeconds: 3
+ timeoutSeconds: 2
+ failureThreshold: 3
+ initialDelaySeconds: 30
+ resources:
+ requests:
+ cpu: 100m
+
+ volumes:
+ # Used to connect to contiv-etcd.
+ - name: etcd-cfg
+ configMap:
+ name: contiv-etcd-cfg
+ - name: usr-local-bin
+ hostPath:
+ path: /usr/local/bin
+ - name: http-cfg
+ configMap:
+ name: contiv-crd-http-cfg
+ - name: tmp-cfg
+ emptyDir: {}
+---
+
+# This cluster role defines a set of permissions required for contiv-crd.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: contiv-crd
+ namespace: kube-system
+rules:
+ - apiGroups:
+ - apiextensions.k8s.io
+ - nodeconfig.contiv.vpp
+ - telemetry.contiv.vpp
+ resources:
+ - customresourcedefinitions
+ - telemetryreports
+ - nodeconfigs
+ verbs:
+ - "*"
+
+---
+
+# This defines a service account for contiv-crd.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: contiv-crd
+ namespace: kube-system
+
+---
+
+# This binds the contiv-crd cluster role with contiv-crd service account.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: contiv-crd
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: contiv-crd
+subjects:
+ - kind: ServiceAccount
+ name: contiv-crd
+ namespace: kube-system
+
+---
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: contiv-crd-http-cfg
+ namespace: kube-system
+data:
+ http.conf: |
+ endpoint: "0.0.0.0:9090"
+ http.client.conf: |
+ port: 9999
+ use-https: false
Code Review / iec.git / commitdiff