Converting multus to an app template. Yoink via bjw-s. #491

Merged
jahanson merged 1 commit from multus-app-template-style into main 2024-08-08 07:18:48 -05:00
4 changed files with 288 additions and 24 deletions

View file

@ -0,0 +1,45 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: network-attachment-definitions.k8s.cni.cncf.io
spec:
group: k8s.cni.cncf.io
scope: Namespaced
names:
plural: network-attachment-definitions
singular: network-attachment-definition
kind: NetworkAttachmentDefinition
shortNames:
- net-attach-def
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
description: 'NetworkAttachmentDefinition is a CRD schema specified by the Network Plumbing
Working Group to express the intent for attaching pods to one or more logical or physical
networks. More information available at: https://github.com/k8snetworkplumbingwg/multi-net-spec'
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this represen
tation of an object. Servers should convert recognized schemas to the
latest internal value, and may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: 'NetworkAttachmentDefinition spec defines the desired state of a network attachment'
type: object
properties:
config:
description: 'NetworkAttachmentDefinition config is a JSON-formatted CNI configuration'
type: string

View file

@ -1,5 +1,5 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
@ -8,33 +8,207 @@ spec:
interval: 30m
chart:
spec:
chart: multus
version: 5.0.4
chart: app-template
version: 3.3.2
interval: 30m
sourceRef:
kind: HelmRepository
name: angelnu
name: bjw-s
namespace: flux-system
interval: 30m
values:
image:
repository: ghcr.io/k8snetworkplumbingwg/multus-cni
tag: v4.0.2-thick
configMaps:
daemon-config:
data:
daemon-config.json: |
{
"cniVersion": "0.3.1",
"logToStderr": true,
"logLevel": "verbose",
"binDir": "/opt/cni/bin",
"chrootDir": "/hostroot",
"cniConfigDir": "/host/etc/cni/net.d",
"confDir": "/host/etc/cni/net.d",
"multusAutoconfigDir": "/host/etc/cni/net.d",
"multusConfigFile": "auto",
"socketDir": "/host/run/multus/"
}
cni:
image:
repository: ghcr.io/angelnu/cni-plugins
tag: 1.5.1
controllers:
uninstall:
type: job
paths:
config: /etc/cni/net.d
bin: /opt/cni/bin
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
helm.sh/hook: pre-delete, pre-upgrade
helm.sh/hook-weight: "-5"
helm.sh/hook-delete-policy: hook-succeeded
resources:
requests:
cpu: 5m
memory: 200Mi
limits:
memory: 200Mi
pod:
hostNetwork: true
hostPaths:
netns: /var/run/netns
containers:
uninstall:
image:
repository: alpine
tag: 3.20.2
command:
- /bin/sh
- -c
args:
- |
rm -rf /host/etc/cni/net.d/*multus*
rm -rf /host/opt/cni/bin/*multus*
multus:
type: daemonset
annotations:
reloader.stakater.com/auto: "true"
pod:
hostNetwork: true
hostPID: true
containers:
multus-daemon:
image: &image
repository: ghcr.io/k8snetworkplumbingwg/multus-cni
tag: v4.1.0-thick
env:
MULTUS_NODE_NAME:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
resources:
requests:
cpu: "5m"
memory: "96Mi"
limits:
memory: "96Mi"
securityContext:
privileged: true
initContainers:
cni-plugins-installer:
image:
repository: ghcr.io/angelnu/cni-plugins
tag: 1.5.1
resources:
requests:
cpu: "10m"
memory: "15Mi"
securityContext:
capabilities:
drop:
- ALL
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: FallbackToLogsOnError
multus-shim-installer:
image: *image
command:
- /bin/sh
- -c
args: |
set -x
cp /usr/src/multus-cni/bin/multus-shim /host/opt/cni/bin/multus-shim
resources:
requests:
cpu: "10m"
memory: "15Mi"
securityContext:
capabilities:
drop:
- ALL
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: FallbackToLogsOnError
persistence:
cni:
type: hostPath
hostPath: /etc/cni/net.d
advancedMounts:
uninstall:
uninstall:
- path: /host/etc/cni/net.d
multus:
multus-daemon:
- path: /host/etc/cni/net.d
cnibin:
type: hostPath
hostPath: /opt/cni/bin
advancedMounts:
uninstall:
uninstall:
- path: /host/opt/cni/bin
multus:
cni-plugins-installer:
- path: /host/opt/cni/bin
multus-shim-installer:
- path: /host/opt/cni/bin
multus-daemon:
# multus-daemon expects that cnibin path must be identical between pod and container host.
# e.g. if the cni bin is in '/opt/cni/bin' on the container host side, then it should be
# mount to '/opt/cni/bin' in multus-daemon, not to any other directory, like '/opt/bin' or
# '/usr/bin'.
- path: /opt/cni/bin
config:
type: configMap
name: multus-daemon-config
advancedMounts:
multus:
multus-daemon:
- path: /etc/cni/net.d/multus.d
hostroot:
type: hostPath
hostPath: /
advancedMounts:
multus:
multus-daemon:
- path: /hostroot
mountPropagation: HostToContainer
host-run:
type: hostPath
hostPath: /run
advancedMounts:
multus:
multus-daemon:
- path: /host/run
host-var-lib-cni-multus:
type: hostPath
hostPath: /var/lib/cni/multus
advancedMounts:
multus:
multus-daemon:
- path: /var/lib/cni/multus
host-var-lib-kubelet:
type: hostPath
hostPath: /var/lib/kubelet
advancedMounts:
multus:
multus-daemon:
- path: /var/lib/kubelet
host-run-k8s-cni-cncf-io:
type: hostPath
hostPath: /run/k8s.cni.cncf.io
advancedMounts:
multus:
multus-daemon:
- path: /run/k8s.cni.cncf.io
host-run-netns:
type: hostPath
hostPath: /var/run/netns/
advancedMounts:
multus:
multus-daemon:
- path: /run/netns/
mountPropagation: HostToContainer
serviceAccount:
create: true

View file

@ -4,3 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml
- ./rbac.yaml
- ./crd.yaml

View file

@ -0,0 +1,43 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: multus
rules:
- apiGroups: ["k8s.cni.cncf.io"]
resources:
- '*'
verbs:
- '*'
- apiGroups:
- ""
resources:
- pods
- pods/status
verbs:
- get
- list
- update
- watch
- apiGroups:
- ""
- events.k8s.io
resources:
- events
verbs:
- create
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: multus
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: multus
subjects:
- kind: ServiceAccount
name: multus
namespace: network