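# Contrail on Kubernetes: three ConfigMaps, the contrail-kube-manager and
# contrail-agent DaemonSets, and the RBAC objects plus token Secret used by
# kube-manager. Everything is created in kube-system.

# Configs section
# Note: using ".." for ports, because in v1 there is a bug
# which leads to an error
# "..error unmarshaling JSON: json: cannot unmarshal number into Go value of type string.."
# (https://github.com/kubernetes/kubernetes/issues/2763)
# ConfigMap `data` is a string-to-string map, so every value below is quoted.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: env
  namespace: kube-system
data:
  # NOTE(review): "noauth" presumably turns off API authentication for the
  # Contrail services -- confirm this is intended outside a lab setup.
  AUTH_MODE: "noauth"
  # 172.31.a.a / b.b / c.c / x.x are placeholders for the real node addresses.
  ANALYTICS_NODES: "172.31.a.a,172.31.b.b,172.31.c.c"
  ANALYTICSDB_NODES: "172.31.a.a,172.31.b.b,172.31.c.c"
  CLOUD_ORCHESTRATOR: "none"
  CONFIG_NODES: "172.31.a.a,172.31.b.b,172.31.c.c"
  CONFIGDB_NODES: "172.31.a.a,172.31.b.b,172.31.c.c"
  CONTROL_NODES: "172.31.a.a,172.31.b.b,172.31.c.c"
  CONTROLLER_NODES: "172.31.a.a,172.31.b.b,172.31.c.c"
  LOG_LEVEL: "SYS_NOTICE"
  # NOTE(review): the name suggests a shared secret, and "contrail" looks like
  # a default value. A ConfigMap is not a secret store: the value is readable
  # by anything that can read ConfigMaps in kube-system and is injected into
  # every container that uses `envFrom: env`. Prefer a unique value kept in a
  # Secret and referenced with secretRef / secretKeyRef.
  METADATA_PROXY_SECRET: "contrail"
  RABBITMQ_NODES: "172.31.a.a,172.31.b.b,172.31.c.c"
  RABBITMQ_NODE_PORT: "5673"
  ZOOKEEPER_NODES: "172.31.a.a,172.31.b.b,172.31.c.c"
  # Quoted on purpose: digits-and-colon values are retyped by YAML 1.1 parsers.
  ZOOKEEPER_PORTS: "2888:3888"
  ZOOKEEPER_PORT: "2181"
  KUBERNETES_CLUSTER_NAME: "k8s2"
  KUBERNETES_POD_SUBNETS: "10.32.2.0/24"
  KUBERNETES_IP_FABRIC_SUBNETS: "10.64.2.0/24"
  KUBERNETES_SERVICE_SUBNETS: "10.96.2.0/24"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nodemgr-config
  namespace: kube-system
data:
  # /mnt is where contrail-agent-nodemgr mounts the host's /var/run (volume
  # docker-unix-socket), so this points at the host Docker socket.
  # NOTE(review): written with two slashes after "unix:"; presumably the
  # client normalises it to /mnt/docker.sock -- confirm.
  DOCKER_HOST: "unix://mnt/docker.sock"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-manager-config
  namespace: kube-system
data:
  KUBERNETES_API_SERVER: "172.31.x.x"
  KUBERNETES_API_SECURE_PORT: "6443"
  # Matches the /tmp/serviceaccount mount of the pod-secret volume below.
  K8S_TOKEN_FILE: "/tmp/serviceaccount/token"

# Containers section
# NOTE(review), applies to every container below:
# - Images use the mutable "2002-latest" tag from a nightly repository, so the
#   bytes behind the tag can change between pulls. Pin by digest
#   (image@sha256:<digest-of-the-reviewed-build>) where reproducibility
#   matters.
# - imagePullPolicy: "" is the same as leaving the field out; for a tag other
#   than ":latest" Kubernetes then defaults to IfNotPresent, so nodes can end
#   up running different builds of the same tag.
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: contrail-kube-manager
  namespace: kube-system
  labels:
    app: contrail-kube-manager
spec:
  selector:
    matchLabels:
      app: contrail-kube-manager
  template:
    metadata:
      labels:
        app: contrail-kube-manager
    spec:
      # Runs only on nodes that carry the Contrail config role label.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: "node-role.opencontrail.org/config"
                    operator: Exists
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
        - key: node.kubernetes.io/not-ready
          operator: Exists
          effect: NoSchedule
      # No automatic token mount; the API token comes from the pod-secret
      # volume (Secret contrail-kube-manager-token) instead.
      automountServiceAccountToken: false
      # The pod shares the node's network namespace.
      hostNetwork: true
      initContainers:
        - name: contrail-node-init
          image: "opencontrailnightly/contrail-node-init:2002-latest"
          imagePullPolicy: ""
          # NOTE(review): privileged, with the host's /usr/bin mounted
          # read-write at /host/usr/bin. Whatever this image does, it does with
          # full node privileges -- a strong reason to pin the image.
          securityContext:
            privileged: true
          env:
            - name: CONTRAIL_STATUS_IMAGE
              value: "opencontrailnightly/contrail-status:2002-latest"
          envFrom:
            - configMapRef:
                name: env
          volumeMounts:
            - mountPath: /host/usr/bin
              name: host-usr-bin
      containers:
        - name: contrail-kube-manager
          image: "opencontrailnightly/contrail-kubernetes-kube-manager:2002-latest"
          imagePullPolicy: ""
          envFrom:
            - configMapRef:
                name: env
            - configMapRef:
                name: kube-manager-config
          volumeMounts:
            - mountPath: /var/log/contrail
              name: kube-manager-logs
            # Service-account token read via K8S_TOKEN_FILE.
            - mountPath: /tmp/serviceaccount
              name: pod-secret
      volumes:
        - name: kube-manager-logs
          hostPath:
            path: /var/log/contrail/kube-manager
        - name: pod-secret
          secret:
            secretName: contrail-kube-manager-token
        - name: host-usr-bin
          hostPath:
            path: /usr/bin
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: contrail-agent
  namespace: kube-system
  labels:
    app: contrail-agent
spec:
  selector:
    matchLabels:
      app: contrail-agent
  template:
    metadata:
      labels:
        app: contrail-agent
    spec:
      # Disable affinity for single node setup
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: "node-role.opencontrail.org/config"
                    operator: NotIn
                    values:
                      - "true"
      tolerations:
        - key: node.kubernetes.io/not-ready
          operator: Exists
          effect: NoSchedule
      automountServiceAccountToken: false
      hostNetwork: true
      initContainers:
        - name: contrail-node-init
          image: "opencontrailnightly/contrail-node-init:2002-latest"
          imagePullPolicy: ""
          securityContext:
            privileged: true
          env:
            - name: CONTRAIL_STATUS_IMAGE
              value: "opencontrailnightly/contrail-status:2002-latest"
          envFrom:
            - configMapRef:
                name: env
          volumeMounts:
            - mountPath: /host/usr/bin
              name: host-usr-bin
        - name: contrail-vrouter-kernel-init
          image: "opencontrailnightly/contrail-vrouter-kernel-init:2002-latest"
          imagePullPolicy: ""
          # Privileged, with the host's /lib/modules, /usr/src and /bin mounted.
          securityContext:
            privileged: true
          envFrom:
            - configMapRef:
                name: env
          volumeMounts:
            - mountPath: /usr/src
              name: usr-src
            - mountPath: /lib/modules
              name: lib-modules
            - mountPath: /host/bin
              name: host-bin
            - mountPath: /var/log/contrail
              name: agent-logs
            - mountPath: /etc/contrail
              name: etc-contrail
            - mountPath: /etc/sysconfig/network-scripts
              name: network-scripts
        - name: contrail-kubernetes-cni-init
          image: "opencontrailnightly/contrail-kubernetes-cni-init:2002-latest"
          imagePullPolicy: ""
          envFrom:
            - configMapRef:
                name: env
          volumeMounts:
            - mountPath: /var/lib/contrail
              name: var-lib-contrail
            # Host CNI configuration and plugin directories.
            - mountPath: /host/etc_cni
              name: etc-cni
            - mountPath: /host/opt_cni_bin
              name: opt-cni-bin
            - mountPath: /host/log_cni
              name: var-log-contrail-cni
            - mountPath: /var/log/contrail
              name: agent-logs
      containers:
        - name: contrail-vrouter-agent
          image: "opencontrailnightly/contrail-vrouter-agent:2002-latest"
          imagePullPolicy: ""
          # TODO: Privileged mode is required because without it the device
          # /dev/net/tun is not present in the container. Mounting it into the
          # container doesn't help because the permissions are not enough for
          # the syscalls,
          # e.g. https://github.com/Juniper/contrail-controller/blob/master/src/vnsw/agent/contrail/linux/pkt0_interface.cc: 48.
          securityContext:
            privileged: true
          envFrom:
            - configMapRef:
                name: env
          volumeMounts:
            - mountPath: /var/log/contrail
              name: agent-logs
            - mountPath: /var/crashes
              name: var-crashes
            # NOTE(review): this is the kube-manager token (bound to the
            # wildcard ClusterRole below). Mounting it here places that
            # credential on every agent node -- confirm the agent needs it.
            - mountPath: /tmp/serviceaccount
              name: pod-secret
            - mountPath: /host/bin
              name: host-bin
            - mountPath: /var/run/libvirt
              name: var-run-libvirt
            - mountPath: /etc/contrail
              name: etc-contrail
            - mountPath: /etc/sysconfig/network-scripts
              name: network-scripts
            - mountPath: /dev
              name: dev
            - mountPath: /usr/src
              name: usr-src
            - mountPath: /lib/modules
              name: lib-modules
            - mountPath: /var/lib/contrail
              name: var-lib-contrail
          lifecycle:
            preStop:
              exec:
                command: ["/clean-up.sh"]
        - name: contrail-agent-nodemgr
          image: "opencontrailnightly/contrail-nodemgr:2002-latest"
          imagePullPolicy: ""
          envFrom:
            - configMapRef:
                name: env
            - configMapRef:
                name: nodemgr-config
          env:
            - name: NODE_TYPE
              value: vrouter
          # todo: there is type Socket in new kubernetes, it is possible to use
          # full path:
          # hostPath:
          #   path: /var/run/docker.sock and
          #   type: Socket
          # NOTE(review): as written the whole host /var/run is mounted, not
          # just the socket. Access to the Docker socket is equivalent to root
          # on the node, so this container is in the same trust class as the
          # privileged ones even though it sets no securityContext.
          volumeMounts:
            - mountPath: /var/log/contrail
              name: agent-logs
            - mountPath: /mnt
              name: docker-unix-socket
      # All hostPath volumes below are mounted read-write (no readOnly flag).
      volumes:
        - name: dev
          hostPath:
            path: /dev
        - name: docker-unix-socket
          hostPath:
            path: /var/run
        - name: pod-secret
          secret:
            secretName: contrail-kube-manager-token
        - name: usr-src
          hostPath:
            path: /usr/src
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-lib-contrail
          hostPath:
            path: /var/lib/contrail
        - name: var-crashes
          hostPath:
            path: /var/crashes/vrouter
        - name: etc-cni
          hostPath:
            path: /etc/cni
        - name: opt-cni-bin
          hostPath:
            path: /opt/cni/bin
        - name: var-log-contrail-cni
          hostPath:
            path: /var/log/contrail/cni
        - name: agent-logs
          hostPath:
            path: /var/log/contrail/agent
        - name: host-bin
          hostPath:
            path: /bin
        - name: etc-contrail
          hostPath:
            path: /etc/contrail/vrouter
        - name: var-run-libvirt
          hostPath:
            path: /var/run/libvirt
        - name: network-scripts
          hostPath:
            path: /etc/sysconfig/network-scripts
        - name: host-usr-bin
          hostPath:
            path: /usr/bin

# Meta information section
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # ClusterRole is cluster-scoped, so the ignored `namespace` field that used
  # to be set here has been dropped.
  name: contrail-kube-manager
# NOTE(review): this rule allows every verb on every resource in every API
# group, i.e. it is equivalent to cluster-admin. The token for the bound
# ServiceAccount is mounted into both DaemonSets above. Replace the wildcards
# with the explicit resources and verbs kube-manager actually uses.
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: contrail-kube-manager
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: contrail-kube-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: contrail-kube-manager
subjects:
  - kind: ServiceAccount
    name: contrail-kube-manager
    namespace: kube-system
---
# A manually created service-account-token Secret holds a long-lived token
# that does not expire on its own; deleting the Secret revokes it. Given the
# role bound above, handle it as a cluster-admin credential.
apiVersion: v1
kind: Secret
metadata:
  name: contrail-kube-manager-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: contrail-kube-manager
type: kubernetes.io/service-account-token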