---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: romana-listener
rules:
- apiGroups:
  - "*"
  resources:
  - pods
  - namespaces
  - nodes
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "*"
  resources:
  - services
  verbs:
  - update
  - list
  - watch
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: romana-listener
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: romana-listener
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: romana-listener
subjects:
- kind: ServiceAccount
  name: romana-listener
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: romana-agent
rules:
- apiGroups:
  - "*"
  resources:
  - pods
  - nodes
  verbs:
  - get
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: romana-agent
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: romana-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: romana-agent
subjects:
- kind: ServiceAccount
  name: romana-agent
  namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
  name: romana-etcd
  namespace: kube-system
spec:
  clusterIP: 10.96.0.88
  ports:
  - name: etcd
    port: 12379
    protocol: TCP
    targetPort: 12379
  selector:
    romana-app: etcd
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: romana-etcd
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        romana-app: etcd
    spec:
      nodeSelector:
        node-role.kubernetes.io/master: ""
      hostNetwork: true
      securityContext:
        seLinuxOptions:
          type: spc_t
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      containers:
      - name: romana-etcd
        image: gcr.io/google_containers/etcd-amd64:3.0.17
        command:
        - etcd
        - "--listen-client-urls=http://0.0.0.0:12379"
        - "--listen-peer-urls=http://127.0.0.1:12380"
        - "--advertise-client-urls=http://10.96.0.88:12379"
        - "--data-dir=/var/etcd/data"
        volumeMounts:
        - name: etcd-data
          mountPath: "/var/etcd/data"
        livenessProbe:
          httpGet:
            path: "/health"
            port: 12379
            host: 127.0.0.1
          initialDelaySeconds: 15
          timeoutSeconds: 15
      volumes:
      - name: etcd-data
        hostPath:
          path: "/var/lib/romana/etcd-db"
---
apiVersion: v1
kind: Service
metadata:
  name: romana
  namespace: kube-system
spec:
  clusterIP: 10.96.0.99
  ports:
  - name: daemon
    port: 9600
    protocol: TCP
    targetPort: 9600
  selector:
    romana-app: daemon
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: romana-daemon
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        romana-app: daemon
    spec:
      nodeSelector:
        node-role.kubernetes.io/master: ""
      hostNetwork: true
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      containers:
      - name: romana-daemon
        image: quay.io/romana/daemon:v2.0.2
        imagePullPolicy: Always
        #args:
        #- --debug=true
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: romana-listener
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        romana-app: listener
    spec:
      nodeSelector:
        node-role.kubernetes.io/master: ""
      hostNetwork: true
      serviceAccountName: romana-listener
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      containers:
      - name: romana-listener
        image: quay.io/romana/listener:v2.0.2
        imagePullPolicy: Always
        #args:
        #- --debug=true
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: romana-agent
  namespace: kube-system
spec:
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        romana-app: agent
    spec:
      hostNetwork: true
      securityContext:
        seLinuxOptions:
          type: spc_t
      serviceAccountName: romana-agent
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      containers:
      - name: romana-agent
        image: quay.io/romana/agent:v2.0.2
        imagePullPolicy: Always
        #args:
        #- --debug=true
        env:
        - name: NODENAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: NODEIP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        securityContext:
          privileged: true
        volumeMounts:
        - name: host-usr-local-bin
          mountPath: /host/usr/local/bin
        - name: host-etc-romana
          mountPath: /host/etc/romana
        - name: host-cni-bin
          mountPath: /host/opt/cni/bin
        - name: host-cni-net-d
          mountPath: /host/etc/cni/net.d
        - name: run-path
          mountPath: /var/run/romana
        - name: host-etc-rlog
          mountPath: /host/etc/rlog
      volumes:
      - name: host-usr-local-bin
        hostPath:
          path: /usr/local/bin
      - name: host-etc-romana
        hostPath:
          path: /etc/romana
      - name: host-cni-bin
        hostPath:
          path: /opt/cni/bin
      - name: host-cni-net-d
        hostPath:
          path: /etc/cni/net.d
      - name: run-path
        hostPath:
          path: /var/run/romana
      - name: host-etc-rlog
        hostPath:
          path: /etc/rlog