{#
Copyright 2019 Nokia

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
#}
---
apiVersion: apps/v1beta2
kind: DaemonSet
metadata:
  name: kube-dns
  namespace: kube-system
  labels:
    {{ caas.kubernetes_component_label }}: kube-dns
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    matchLabels:
      {{ caas.kubernetes_component_label }}: kube-dns
  template:
    metadata:
      labels:
        {{ caas.kubernetes_component_label }}: kube-dns
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
        scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
    spec:
      priorityClassName: "system-cluster-critical"
      hostNetwork: true
      nodeSelector:
        nodetype: caas_master
      tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"
      volumes:
      - name: time-mount
        hostPath:
          path: /etc/localtime
      - name: secret
        hostPath:
          path: /etc/kubernetes/ssl
      - name: secret-root-ca
        hostPath:
          path: /etc/openssl/ca.pem
      - name: resolv
        hostPath:
          path: /etc/resolv.conf
      - name: kubeconfig
        hostPath:
          path: /etc/kubernetes/kubeconfig
      - name: external-dns-conf
        configMap:
          name: external-dns-cm
      containers:
      - name: kubedns
        image: {{ container_image_names | select('search', '/kubedns') | list | last }}
        securityContext:
          runAsUser: {{ caas.uid.kubedns }}
        resources:
          # TODO: Set memory limits when we've profiled the container for large
          # clusters, then set request = limit to keep this container in
          # guaranteed class. Currently, this container falls into the
          # "burstable" category so the kubelet doesn't backoff from restarting it.
          limits:
            memory: 170Mi
          requests:
            cpu: 10m
            memory: 70Mi
        livenessProbe:
          tcpSocket:
            port: 10053
          initialDelaySeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
        readinessProbe:
          httpGet:
            path: /readiness
            port: 8081
            scheme: HTTP
          # we poll on pod startup for the Kubernetes master service and
          # only setup the /readiness HTTP server once that's available.
          initialDelaySeconds: 3
          timeoutSeconds: 5
        command:
        - /usr/bin/kube-dns
        args:
        - --domain={{ caas.dns_domain }}.
        - --dns-port=10053
        - --config-dir=/etc/dns_config
        - --v=2
        ports:
        - containerPort: 10053
          name: dns-local
          protocol: UDP
        - containerPort: 10053
          name: dns-tcp-local
          protocol: TCP
        - containerPort: 10055
          name: metrics
          protocol: TCP
        resources:
          requests:
            cpu: 10m
            memory: 70Mi
        volumeMounts:
        - name: time-mount
          mountPath: /etc/localtime
          readOnly: true
        - name: secret
          mountPath: /etc/kubernetes/ssl
          readOnly: true
        - name: secret-root-ca
          mountPath: /etc/openssl/ca.pem
          readOnly: true
        - name: kubeconfig
          mountPath: /etc/kubernetes/kubeconfig
          readOnly: true
        - name: resolv
          mountPath: /etc/resolv.conf
        - name: external-dns-conf
          mountPath: /etc/dns_config
      - name: dnsmasq
        image: {{ container_image_names | select('search', '/kubedns') | list | last }}
        securityContext:
          capabilities:
            add: ["NET_BIND_SERVICE"]
          runAsUser: {{ caas.uid.kubedns }}
        livenessProbe:
          tcpSocket:
            port: 53
          initialDelaySeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
        command:
        - /usr/bin/dnsmasq-nanny
        args:
        - -v=2
        - -logtostderr
        - -configDir=/etc/k8s/dns/dnsmasq-nanny
        - -restartDnsmasq=true
        - --
        - -k
        - --interface={{ networking.infra_internal.interface }}
        - --bind-interfaces
        - --dns-forward-max=1000
        - --cache-size=10000
        - --server=/{{ caas.dns_domain }}/127.0.0.1#10053
        # see: https://github.com/kubernetes/kubernetes/issues/29055 for details
        resources:
          requests:
            cpu: 150m
            memory: 20Mi
        volumeMounts:
        - name: time-mount
          mountPath: /etc/localtime
          readOnly: true
        - name: secret
          mountPath: /etc/kubernetes/ssl
          readOnly: true
        - name: kubeconfig
          mountPath: /etc/kubernetes/kubeconfig
          readOnly: true
        - name: resolv
          mountPath: /etc/resolv.conf
        - name: external-dns-conf
          mountPath: /etc/k8s/dns/dnsmasq-nanny
      dnsPolicy: Default  # Don't use cluster DNS.
      serviceAccountName: kube-dns