---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: genie-plugin
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - update
      - patch
  - apiGroups:
      - "alpha.network.k8s.io"
    resources:
      - logicalnetworks
    verbs:
      - get
      - update
      - patch
  - apiGroups:
      - "alpha.network.k8s.io"
    resources:
      - physicalnetworks
    verbs:
      - get
      - update
      - patch
  - apiGroups:
      - "k8s.cni.cncf.io"
    resources:
      - network-attachment-definitions
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
  - apiGroups:
      - "admissionregistration.k8s.io"
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
      - create
      - delete

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: genie-plugin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: genie-plugin
subjects:
- kind: ServiceAccount
  name: genie-plugin
  namespace: kube-system
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: genie-plugin
  namespace: kube-system

---
# This ConfigMap can be used to configure a self-hosted CNI-Genie installation.
kind: ConfigMap
apiVersion: v1
metadata:
  name: genie-config
  namespace: kube-system
data:
  # The CNI network configuration to install on each node.
  cni_genie_network_config: |-
    {
        "name": "k8s-pod-network",
        "type": "genie",
        "cniVersion": "0.2.0",
        "log_level": "info",
        "datastore_type": "kubernetes",
        "hostname": "__KUBERNETES_NODE_NAME__",
        "policy": {
            "type": "k8s",
            "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
        },
        "kubernetes": {
            "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
            "kubeconfig": "/etc/cni/net.d/genie-kubeconfig"
        },
        "romana_root": "http://__ROMANA_SERVICE_HOST__:__ROMANA_SERVICE_PORT__",
        "segment_label_name": "romanaSegment"
    }

---
# Install CNI-Genie plugin on each slave node.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: genie-plugin
  namespace: kube-system
  labels:
    k8s-app: genie
spec:
  selector:
    matchLabels:
      k8s-app: genie
  template:
    metadata:
      labels:
        k8s-app: genie
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      hostNetwork: true
      hostPID: true
      serviceAccountName: genie-plugin
      containers:
        # Create a container with install.sh that
        # Installs required 00-genie.conf and genie binary
        # on slave node.
        - name: install-cni
          image: quay.io/huawei-cni-genie/genie-plugin:latest
          imagePullPolicy: Always
          command: ["/launch.sh"]
          env:
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: genie-config
                  key: cni_genie_network_config
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
      tolerations:
      - key: CriticalAddonsOnly
        operator: Exists
      - key: node.kubernetes.io/not-ready
        effect: NoSchedule
        operator: Exists
      volumes:
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d

---
# Genie network admission controller daemonset configuration
# Genie network admission controller pods will run only in master nodes
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: genie-network-admission-controller
  namespace: kube-system
  labels:
    role: genie-network-admission-controller
spec:
  selector:
    matchLabels:
      role: genie-network-admission-controller
  template:
    metadata:
      labels:
        role: genie-network-admission-controller
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      - key: node.kubernetes.io/not-ready
        effect: NoSchedule
        operator: Exists
      - key: CriticalAddonsOnly
        operator: Exists
      nodeSelector:
        node-role.kubernetes.io/master: ""
      hostNetwork: true
      serviceAccountName: genie-plugin
      containers:
        - name: genie-network-admission-controller
          image: quay.io/huawei-cni-genie/genie-admission-controller:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 8000
---
# Genie network admission controller service
apiVersion: v1
kind: Service
metadata:
  labels:
    role: genie-network-admission-controller
  name: genie-network-admission-controller
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8000
  selector:
    role: genie-network-admission-controller