Split out CNI resources from ponsimv2 chart
Change-Id: Ia9b78c325f0258a87ee9cab665e063a37513a6c8
diff --git a/ponnet/Chart.yaml b/ponnet/Chart.yaml
new file mode 100644
index 0000000..d9ee22f
--- /dev/null
+++ b/ponnet/Chart.yaml
@@ -0,0 +1,17 @@
+---
+# Copyright 2017-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: ponnet
+version: 1.0.0
diff --git a/ponnet/templates/_helpers.tpl b/ponnet/templates/_helpers.tpl
new file mode 100644
index 0000000..7ce70d5
--- /dev/null
+++ b/ponnet/templates/_helpers.tpl
@@ -0,0 +1,25 @@
+
+{{- /*
+ Copyright 2017-present Open Networking Foundation
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */ -}}
+
+{{- define "ponnet.release_labels" }}
+app: {{ printf "%s-%s" .Release.Name .Chart.Name | trunc 63 }}
+version: {{ .Chart.Version }}
+release: {{ .Release.Name }}
+{{- end }}
+{{- define "ponnet.full_name" -}}
+{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 -}}
+{{- end -}}
diff --git a/ponnet/templates/genie-cni-1.8.yml b/ponnet/templates/genie-cni-1.8.yml
new file mode 100644
index 0000000..0fbf50a
--- /dev/null
+++ b/ponnet/templates/genie-cni-1.8.yml
@@ -0,0 +1,328 @@
+---
+# Copyright 2017-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: genie-plugin
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - update
+ - patch
+ - apiGroups:
+ - "alpha.network.k8s.io"
+ resources:
+ - logicalnetworks
+ verbs:
+ - get
+ - update
+ - patch
+ - apiGroups:
+ - "alpha.network.k8s.io"
+ resources:
+ - physicalnetworks
+ verbs:
+ - get
+ - update
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - apiGroups:
+ - "admissionregistration.k8s.io"
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - update
+ - create
+ - delete
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: genie-policy
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: genie-plugin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: genie-plugin
+subjects:
+- kind: ServiceAccount
+ name: genie-plugin
+ namespace: kube-system
+- kind: ServiceAccount
+ name: genie-policy
+ namespace: kube-system
+- kind: Group
+ name: system:authenticated
+ apiGroup: rbac.authorization.k8s.io
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: genie-policy
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: genie-policy
+subjects:
+- kind: ServiceAccount
+ name: genie-policy
+ namespace: kube-system
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: genie-plugin
+ namespace: kube-system
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: genie-policy
+ namespace: kube-system
+
+---
+# This ConfigMap can be used to configure a self-hosted CNI-Genie installation.
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: genie-config
+ namespace: kube-system
+data:
+ # The CNI network configuration to install on each node.
+ cni_genie_network_config: |-
+ {
+ "name": "k8s-pod-network",
+ "type": "genie",
+ "log_level": "info",
+ "datastore_type": "kubernetes",
+ "default_plugin": "calico",
+ "hostname": "__KUBERNETES_NODE_NAME__",
+ "policy": {
+ "type": "k8s",
+ "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
+ },
+ "kubernetes": {
+ "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
+ "kubeconfig": "/etc/cni/net.d/genie-kubeconfig"
+ },
+ "romana_root": "http://__ROMANA_SERVICE_HOST__:__ROMANA_SERVICE_PORT__",
+ "segment_label_name": "romanaSegment"
+ }
+
+---
+# Install CNI-Genie plugin on each slave node.
+kind: DaemonSet
+apiVersion: extensions/v1beta1
+metadata:
+ name: genie-plugin
+ namespace: kube-system
+ labels:
+ k8s-app: genie
+spec:
+ selector:
+ matchLabels:
+ k8s-app: genie
+ template:
+ metadata:
+ labels:
+ k8s-app: genie
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ scheduler.alpha.kubernetes.io/tolerations: |
+ [
+ {
+ "key": "dedicated",
+ "value": "master",
+ "effect": "NoSchedule"
+ },
+ {
+ "key": "CriticalAddonsOnly",
+ "operator": "Exists"
+ }
+ ]
+ spec:
+ hostNetwork: true
+ hostPID: true
+ serviceAccountName: genie-plugin
+ containers:
+ # Create a container with install.sh that
+ # Installs required 00-genie.conf and genie binary
+ # on slave node.
+ - name: install-cni
+ image: quay.io/huawei-cni-genie/genie-plugin:latest
+ imagePullPolicy: Always
+ command: ["/launch.sh"]
+ env:
+ - name: CNI_NETWORK_CONFIG
+ valueFrom:
+ configMapKeyRef:
+ name: genie-config
+ key: cni_genie_network_config
+ - name: KUBERNETES_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ volumeMounts:
+ - mountPath: /host/opt/cni/bin
+ name: cni-bin-dir
+ - mountPath: /host/etc/cni/net.d
+ name: cni-net-dir
+ volumes:
+ - name: cni-bin-dir
+ hostPath:
+ path: /opt/cni/bin
+ - name: cni-net-dir
+ hostPath:
+ path: /etc/cni/net.d
+
+---
+# Genie network admission controller daemonset configuration
+# Genie network admission controller pods will run only in master nodes
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: genie-network-admission-controller
+ namespace: kube-system
+spec:
+ template:
+ metadata:
+ labels:
+ role: genie-network-admission-controller
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ - key: CriticalAddonsOnly
+ operator: Exists
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ hostNetwork: true
+ serviceAccountName: genie-plugin
+ containers:
+ - name: genie-network-admission-controller
+ image: quay.io/huawei-cni-genie/genie-admission-controller:latest
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8000
+---
+# Genie network admission controller service
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ role: genie-network-admission-controller
+ name: genie-network-admission-controller
+ namespace: kube-system
+spec:
+ ports:
+ - port: 443
+ targetPort: 8000
+ selector:
+ role: genie-network-admission-controller
+
+---
+# Daemonset configuration for geine network policy
+kind: DaemonSet
+apiVersion: extensions/v1beta1
+metadata:
+ name: genie-policy-controller
+ namespace: kube-system
+ labels:
+ k8s-app: genie-policy
+spec:
+ selector:
+ matchLabels:
+ k8s-app: genie-policy
+ template:
+ metadata:
+ labels:
+ k8s-app: genie-policy
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ scheduler.alpha.kubernetes.io/tolerations: |
+ [
+ {
+ "key": "dedicated",
+ "value": "master",
+ "effect": "NoSchedule"
+ },
+ {
+ "key": "CriticalAddonsOnly",
+ "operator": "Exists"
+ }
+ ]
+ spec:
+ hostNetwork: true
+ hostPID: true
+ serviceAccountName: genie-policy
+ containers:
+ - name: policy-engine
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ image: quay.io/huawei-cni-genie/genie-policy-controller:latest
+ imagePullPolicy: Always
+ command:
+ - /genie-policy
+ args:
+ - -kubeconfig=/etc/kubernetes/admin.conf
+ - -logtostderr=true
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: etc-kubernetes
+ mountPath: /etc/kubernetes
+ readOnly: true
+ volumes:
+ - name: etc-kubernetes
+ hostPath:
+ path: /etc/kubernetes
\ No newline at end of file
diff --git a/ponnet/templates/pon0-cni.yaml b/ponnet/templates/pon0-cni.yaml
new file mode 100644
index 0000000..b35815b
--- /dev/null
+++ b/ponnet/templates/pon0-cni.yaml
@@ -0,0 +1,203 @@
+---
+# Copyright 2017-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: pon0-plugin
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - update
+ - patch
+ - apiGroups:
+ - "alpha.network.k8s.io"
+ resources:
+ - logicalnetworks
+ verbs:
+ - get
+ - update
+ - patch
+ - apiGroups:
+ - "alpha.network.k8s.io"
+ resources:
+ - physicalnetworks
+ verbs:
+ - get
+ - update
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - apiGroups:
+ - "admissionregistration.k8s.io"
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - update
+ - create
+ - delete
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: pon0-plugin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: pon0-plugin
+subjects:
+- kind: ServiceAccount
+ name: pon0-plugin
+ namespace: kube-system
+- kind: Group
+ name: system:authenticated
+ apiGroup: rbac.authorization.k8s.io
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: pon0-plugin
+ namespace: kube-system
+
+---
+# This ConfigMap can be used to configure a self-hosted Pon0 installation.
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: pon0-config
+ namespace: kube-system
+data:
+ # The CNI network configuration to install on each node.
+ cni_pon0_network_config: |-
+ {
+ "name": "pon0",
+ "type": "bridge",
+ "bridge": "pon0",
+ "isGateway": true,
+ "ipMask": true,
+ "ipam": {
+ "type": "host-local",
+ "subnet": "10.22.0.0/16",
+ "routes": [
+ { "dst": "0.0.0.0/0" }
+ ]
+ }
+ }
+
+---
+# This ConfigMap can be used to configure a self-hosted Pon0 installation.
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: pon1-config
+ namespace: kube-system
+data:
+ # The CNI network configuration to install on each node.
+ cni_pon1_network_config: |-
+ {
+ "name": "pon1",
+ "type": "bridge",
+ "bridge": "pon1",
+ "isGateway": true,
+ "ipMask": true,
+ "ipam": {
+ "type": "host-local",
+ "subnet": "10.23.0.0/16",
+ "routes": [
+ { "dst": "0.0.0.0/0" }
+ ]
+ }
+ }
+
+---
+# Install Pon0 CNI conf on each slave node.
+kind: DaemonSet
+apiVersion: extensions/v1beta1
+metadata:
+ name: pon0-plugin
+ namespace: kube-system
+ labels:
+ k8s-app: pon0
+spec:
+ selector:
+ matchLabels:
+ k8s-app: pon0
+ template:
+ metadata:
+ labels:
+ k8s-app: pon0
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ scheduler.alpha.kubernetes.io/tolerations: |
+ [
+ {
+ "key": "dedicated",
+ "value": "master",
+ "effect": "NoSchedule"
+ },
+ {
+ "key": "CriticalAddonsOnly",
+ "operator": "Exists"
+ }
+ ]
+ spec:
+ hostNetwork: true
+ hostPID: true
+ serviceAccountName: pon0-plugin
+ containers:
+ # Create a container with place_conf.sh that
+ # Installs required 20-pon0.conf on slave node.
+ - name: install-cni
+ image: {{ .Values.pull_docker_registry }}{{ .Values.images.pon0.repository }}:{{ .Values.images.pon0.tag }}
+ imagePullPolicy: {{ .Values.images.pon0.pullPolicy }}
+ command: ["/place_conf.sh"]
+ env:
+ - name: CNI_NETWORK_CONFIG
+ valueFrom:
+ configMapKeyRef:
+ name: pon0-config
+ key: cni_pon0_network_config
+ - name: CNI_PON1_NETWORK_CONFIG
+ valueFrom:
+ configMapKeyRef:
+ name: pon1-config
+ key: cni_pon1_network_config
+ - name: KUBERNETES_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ volumeMounts:
+ - mountPath: /host/opt/cni/bin
+ name: cni-bin-dir
+ - mountPath: /host/etc/cni/net.d
+ name: cni-net-dir
+ volumes:
+ - name: cni-bin-dir
+ hostPath:
+ path: /opt/cni/bin
+ - name: cni-net-dir
+ hostPath:
+ path: /etc/cni/net.d
diff --git a/ponnet/values.yaml b/ponnet/values.yaml
new file mode 100644
index 0000000..402fb1f
--- /dev/null
+++ b/ponnet/values.yaml
@@ -0,0 +1,25 @@
+---
+# Copyright 2017-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+pull_docker_registry:
+
+images:
+ pon0:
+ repository: gopinatht/pon0-network
+ tag: 'latest'
+ pullPolicy: 'Always'
+
+global:
+ namespace: voltha