From 29a06f76b9669d4e1a1ecbb9ff2e903385dc7266 Mon Sep 17 00:00:00 2001 From: Steve Hipwell Date: Fri, 5 Jan 2024 11:52:47 +0000 Subject: [PATCH] feat(tigera-operator): Updated image to v1.32.3 (#856) Signed-off-by: Steve Hipwell --- charts/tigera-operator/CHANGELOG.md | 8 + charts/tigera-operator/Chart.yaml | 8 +- charts/tigera-operator/README.md | 1 + .../crds/apiservers.operator.tigera.io.yaml | 96 +- .../bgpfilters.crd.projectcalico.org.yaml | 24 +- ...xconfigurations.crd.projectcalico.org.yaml | 106 +- ...networkpolicies.crd.projectcalico.org.yaml | 14 + ...networkpolicies.crd.projectcalico.org.yaml | 14 + .../installations.operator.tigera.io.yaml | 7017 +++++++++++++---- charts/tigera-operator/templates/_helpers.tpl | 4 +- .../templates/job-uninstall.yaml | 82 + charts/tigera-operator/values.yaml | 3 + 12 files changed, 5671 insertions(+), 1706 deletions(-) create mode 100644 charts/tigera-operator/templates/job-uninstall.yaml diff --git a/charts/tigera-operator/CHANGELOG.md b/charts/tigera-operator/CHANGELOG.md index c7eea655..ac7eb072 100644 --- a/charts/tigera-operator/CHANGELOG.md +++ b/charts/tigera-operator/CHANGELOG.md @@ -20,6 +20,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [UNRELEASED] +### Added + +- Added an uninstall job to make sure that _Tigera Operator_ can be uninstalled. This is on by default but can be disabled by setting `uninstall.enabled` to `true`. + +### Changed + +- Updated the _Tigera Operator_ OCI image to [v1.32.3](https://github.com/tigera/operator/releases/tag/v1.32.3) (_Calico_ [v3.27.0](https://github.com/projectcalico/calico/releases/tag/v3.27.0)). + ## [v2.8.1] - 2023-11-21 ### Changed diff --git a/charts/tigera-operator/Chart.yaml b/charts/tigera-operator/Chart.yaml index f0f78145..ccdf313e 100644 --- a/charts/tigera-operator/Chart.yaml +++ b/charts/tigera-operator/Chart.yaml 
@@ -2,8 +2,8 @@ apiVersion: v2 name: tigera-operator description: Helm chart for the Tigera Operator for Calico. type: application -version: 2.8.1 -appVersion: 1.30.9 +version: 2.9.0 +appVersion: 1.32.3 keywords: - kubernetes - cni @@ -25,5 +25,7 @@ maintainers: annotations: artifacthub.io/alternativeName: tigera artifacthub.io/changes: | + - kind: added + description: "Added an uninstall job to make sure that _Tigera Operator_ can be uninstalled. This is on by default but can be disabled by setting `uninstall.enabled` to `true`." - kind: changed - description: "Updated the _Tigera Operator_ OCI image to [v1.30.9](https://github.com/tigera/operator/releases/tag/v1.30.9) (_Calico_ [v3.26.4](https://github.com/projectcalico/calico/releases/tag/v3.26.4))." + description: "Updated the _Tigera Operator_ OCI image to [v1.32.3](https://github.com/tigera/operator/releases/tag/v1.32.3) (_Calico_ [v3.27.0](https://github.com/projectcalico/calico/releases/tag/v3.27.0))." diff --git a/charts/tigera-operator/README.md b/charts/tigera-operator/README.md index e634abd8..616c10ab 100644 --- a/charts/tigera-operator/README.md +++ b/charts/tigera-operator/README.md @@ -59,3 +59,4 @@ The following table lists the configurable parameters of the _Tigera Operator_ c | `installation.spec` | The [Tigera Operator Spec](https://docs.projectcalico.org/reference/installation/api#operator.tigera.io/v1.Installation) to deploy _Calico_ with. | `{}` | | `apiServer.enabled` | If `true`, install an `APIServer` plane according to the `apiServer.spec`. | `false` | | `apiServer.spec` | The [APIServer Spec](https://projectcalico.docs.tigera.io/maintenance/install-apiserver) to enable kubectl to manage _Calico_ APIs. | `{}` | +| `uninstall.enabled` | If `true`, run a `Job` as a pre-delete _Helm_ hook to make sure that _Tigera Operator_ can be uninstalled. | `true` | 
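Review bot: The `kind: added` entry that the second Chart.yaml hunk (`@@ -25,5 +25,7 @@`) adds to `artifacthub.io/changes` says the uninstall job "is on by default but can be disabled by setting `uninstall.enabled` to `true`", which is inverted. The README row added in the same commit documents the default as `true` and says the Job runs when the value is `true`, so the value that disables it is `false`. The description should end with "can be disabled by setting `uninstall.enabled` to `false`", and the same sentence needs the same fix under `### Added` in the CHANGELOG.md hunk. This matters because the pre-delete hook Job is on by default, and a user following the published note to opt out would leave it enabled. `templates/job-uninstall.yaml` is listed in the diffstat but its content is outside this view, so what the Job runs with is not assessed here.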
diff --git a/charts/tigera-operator/crds/apiservers.operator.tigera.io.yaml b/charts/tigera-operator/crds/apiservers.operator.tigera.io.yaml index 1bb289ad..29d5dc57 100644 --- a/charts/tigera-operator/crds/apiservers.operator.tigera.io.yaml +++ b/charts/tigera-operator/crds/apiservers.operator.tigera.io.yaml @@ -260,6 +260,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with @@ -393,10 +394,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: @@ -505,6 +508,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over @@ -584,6 +588,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies @@ -720,6 +725,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the @@ -794,6 +800,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a @@ -932,6 +939,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over @@ -1011,6 +1019,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies @@ -1147,6 +1156,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the @@ -1221,6 +1231,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a 
@@ -1284,6 +1295,35 @@ spec: conjunction with the deprecated ComponentResources, then this value takes precedence. properties: + claims: + description: + "Claims lists the names of + resources, defined in spec.resourceClaims, + that are used by this container. \n This + is an alpha field and requires enabling + the DynamicResourceAllocation feature + gate. \n This field is immutable. It can + only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -1346,6 +1386,35 @@ spec: API server Deployment will use its default value for this init container's resources. properties: + claims: + description: + "Claims lists the names of + resources, defined in spec.resourceClaims, + that are used by this container. \n This + is an alpha field and requires enabling + the DynamicResourceAllocation feature + gate. \n This field is immutable. It can + only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -1530,6 +1599,7 @@ spec: only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic matchLabelKeys: description: MatchLabelKeys is a set of pod 
@@ -1616,9 +1686,9 @@ spec: are ignored. All nodes are included in the calculations. \n If this value is nil, the behavior is equivalent to the Honor policy. - This is a alpha-level feature enabled by the - NodeInclusionPolicyInPodTopologySpread feature - flag." + This is a beta-level feature default enabled + by the NodeInclusionPolicyInPodTopologySpread + feature flag." type: string nodeTaintsPolicy: description: @@ -1630,8 +1700,8 @@ spec: are included. - Ignore: node taints are ignored. All nodes are included. \n If this value is nil, the behavior is equivalent to the Ignore - policy. This is a alpha-level feature enabled - by the NodeInclusionPolicyInPodTopologySpread + policy. This is a beta-level feature default + enabled by the NodeInclusionPolicyInPodTopologySpread feature flag." type: string topologyKey: @@ -1659,9 +1729,9 @@ spec: the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule - the pod in any location, but giving higher + the pod in any location, but giving higher precedence to topologies that would help reduce - the skew. A constraint is considered "Unsatisfiable" + the skew. A constraint is considered "Unsatisfiable" for an incoming pod if and only if every possible node assignment for that pod would violate "MaxSkew" on some topology. For example, in 
@@ -1700,14 +1770,12 @@ spec: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, - \n \ttype FooStatus struct{ \t // Represents the observations - of a foo's current state. \t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\" \t // - +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map - \t // +listMapKey=type \t Conditions []metav1.Condition + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields - \t}" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: description: diff --git a/charts/tigera-operator/crds/calico/bgpfilters.crd.projectcalico.org.yaml b/charts/tigera-operator/crds/calico/bgpfilters.crd.projectcalico.org.yaml index f12941b5..584fdbb3 100644 --- a/charts/tigera-operator/crds/calico/bgpfilters.crd.projectcalico.org.yaml +++ b/charts/tigera-operator/crds/calico/bgpfilters.crd.projectcalico.org.yaml @@ -47,12 +47,14 @@ spec: type: string cidr: type: string + interface: + type: string matchOperator: type: string + source: + type: string required: - action - - cidr - - matchOperator type: object type: array exportV6: @@ -68,12 +70,14 @@ spec: type: string cidr: type: string + interface: + type: string matchOperator: type: string + source: + type: string required: - action - - cidr - - matchOperator type: object type: array importV4: 
@@ -89,12 +93,14 @@ spec: type: string cidr: type: string + interface: + type: string matchOperator: type: string + source: + type: string required: - action - - cidr - - matchOperator type: object type: array importV6: @@ -110,12 +116,14 @@ spec: type: string cidr: type: string + interface: + type: string matchOperator: type: string + source: + type: string required: - action - - cidr - - matchOperator type: object type: array type: object diff --git a/charts/tigera-operator/crds/calico/felixconfigurations.crd.projectcalico.org.yaml b/charts/tigera-operator/crds/calico/felixconfigurations.crd.projectcalico.org.yaml index f08c4138..4ecf436d 100644 --- a/charts/tigera-operator/crds/calico/felixconfigurations.crd.projectcalico.org.yaml +++ b/charts/tigera-operator/crds/calico/felixconfigurations.crd.projectcalico.org.yaml 
@@ -56,13 +56,35 @@ spec: - Enable - Disable type: string + bpfCTLBLogFilter: + description: + "BPFCTLBLogFilter specifies, what is logged by connect + time load balancer when BPFLogLevel is debug. Currently has to be + specified as 'all' when BPFLogFilters is set to see CTLB logs. + [Default: unset - means logs are emitted when BPFLogLevel id debug + and BPFLogFilters not set.]" + type: string + bpfConnectTimeLoadBalancing: + description: + "BPFConnectTimeLoadBalancing when in BPF mode, controls + whether Felix installs the connect-time load balancer. The connect-time + load balancer is required for the host to be able to reach Kubernetes + services and it improves the performance of pod-to-service connections.When + set to TCP, connect time load balancing is available only for services + with TCP ports. [Default: TCP]" + enum: + - TCP + - Enabled + - Disabled + type: string bpfConnectTimeLoadBalancingEnabled: description: "BPFConnectTimeLoadBalancingEnabled when in BPF mode, controls whether Felix installs the connection-time load balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services and it improves the performance of pod-to-service - connections. The only reason to disable it is for debugging purposes. [Default: + connections. The only reason to disable it is for debugging purposes. + This will be deprecated. Use BPFConnectTimeLoadBalancing [Default: true]" type: boolean bpfDSROptoutCIDRs: @@ -83,6 +105,13 @@ spec: the cluster. It should not match the workload interfaces (usually named cali...). type: string + bpfDisableGROForIfaces: + description: + BPFDisableGROForIfaces is a regular expression that controls + which interfaces Felix should disable the Generic Receive Offload + [GRO] option. It should not match the workload interfaces (usually + named cali...). + type: string bpfDisableUnprivileged: description: "BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled 
@@ -101,6 +130,7 @@ spec: with BPF programs regardless of what is the per-interfaces or global setting. Possible values are Disabled, Strict or Loose. [Default: Loose]" + pattern: ^(?i)(Disabled|Strict|Loose)?$ type: string bpfExtToServiceConnmark: description: @@ -120,13 +150,34 @@ spec: is sent directly from the remote node. In "DSR" mode, the remote node appears to use the IP of the ingress node; this requires a permissive L2 network. [Default: Tunnel]' + pattern: ^(?i)(Tunnel|DSR)?$ type: string + bpfForceTrackPacketsFromIfaces: + description: + "BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic + from these interfaces to skip Calico's iptables NOTRACK rule, allowing + traffic from those interfaces to be tracked by Linux conntrack. Should + only be used for interfaces that are not used for the Calico fabric. For + example, a docker bridge device for non-Calico-networked containers. + [Default: docker+]" + items: + type: string + type: array bpfHostConntrackBypass: description: "BPFHostConntrackBypass Controls whether to bypass Linux conntrack in BPF mode for workloads and services. [Default: true - bypass Linux conntrack]" type: boolean + bpfHostNetworkedNATWithoutCTLB: + description: + "BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls + whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing + determines the CTLB behavior. [Default: Enabled]" + enum: + - Enabled + - Disabled + type: string bpfKubeProxyEndpointSlicesEnabled: description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls @@ -145,6 +196,7 @@ spec: minimum time between updates to the dataplane for Felix's embedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by batching up more work. [Default: 1s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string bpfL3IfacePattern: description: 
@@ -155,12 +207,24 @@ spec: as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. type: string + bpfLogFilters: + additionalProperties: + type: string + description: + "BPFLogFilters is a map of key=values where the value + is a pcap filter expression and the key is an interface name with + 'all' denoting all interfaces, 'weps' all workload endpoints and + 'heps' all host endpoints. \n When specified as an env var, it accepts + a comma-separated list of key=values. [Default: unset - means all + debug logs are emitted]" + type: object bpfLogLevel: description: 'BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or "Debug". The logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`. [Default: Off].' + pattern: ^(?i)(Off|Info|Debug)?$ type: string bpfMapSizeConntrack: description: @@ -234,6 +298,7 @@ spec: to append mode, be sure that the other rules in the chains signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. [Default: insert]" + pattern: ^(?i)(insert|append)?$ type: string dataplaneDriver: description: @@ -254,8 +319,10 @@ spec: debugMemoryProfilePath: type: string debugSimulateCalcGraphHangAfter: + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string debugSimulateDataplaneHangAfter: + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string defaultEndpointToHostAction: description: @@ -271,6 +338,7 @@ spec: endpoint egress policy. Use ACCEPT to unconditionally accept packets from workloads after processing workload endpoint egress policy. [Default: Drop]' + pattern: ^(?i)(Drop|Accept|Return)?$ type: string deviceRouteProtocol: description: @@ -292,6 +360,7 @@ spec: disableConntrackInvalidCheck: type: boolean endpointReportingDelay: + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string endpointReportingEnabled: type: boolean 
@@ -365,6 +434,7 @@ spec: based on auto-detected platform capabilities. Values are specified in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" or "false" will force the feature, empty or omitted values are auto-detected. + pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$ type: string featureGates: description: @@ -372,6 +442,7 @@ spec: Calico features. Values are specified in a comma separated list with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". This is used to enable features that are not fully production ready. + pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$ type: string floatingIPs: description: @@ -439,6 +510,7 @@ spec: InterfaceRefreshInterval is the period at which Felix rescans local interfaces to verify their state. The rescan can be disabled by setting the interval to 0. + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string ipipEnabled: description: @@ -457,13 +529,16 @@ spec: all iptables state to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable iptables refresh. [Default: 90s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string iptablesBackend: description: IptablesBackend specifies which backend of iptables will be used. The default is Auto. + pattern: ^(?i)(Auto|FelixConfiguration|FelixConfigurationList|Legacy|NFT)?$ type: string iptablesFilterAllowAction: + pattern: ^(?i)(Accept|Return)?$ type: string iptablesFilterDenyAction: description: @@ -471,6 +546,7 @@ spec: that is denied by network policy. By default Calico blocks traffic with an iptables "DROP" action. If you want to use "REJECT" action instead you can configure it in here. + pattern: ^(?i)(Drop|Reject)?$ type: string iptablesLockFilePath: description: 
@@ -485,6 +561,7 @@ spec: wait between attempts to acquire the iptables lock if it is not available. Lower values make Felix more responsive when the lock is contended, but use more CPU. [Default: 50ms]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string iptablesLockTimeout: description: @@ -494,8 +571,10 @@ spec: also take the lock. When running Felix inside a container, this requires the /run directory of the host to be mounted into the calico/node or calico/felix container. [Default: 0s disabled]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string iptablesMangleAllowAction: + pattern: ^(?i)(Accept|Return)?$ type: string iptablesMarkMask: description: @@ -514,6 +593,7 @@ spec: back in order to check the write was not clobbered by another process. This should only occur if another application on the system doesn't respect the iptables lock. [Default: 1s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string iptablesRefreshInterval: description: @@ -525,6 +605,7 @@ spec: was fixed in kernel version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value to reduce Felix CPU usage. [Default: 10s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string ipv6Support: description: @@ -565,17 +646,20 @@ spec: description: "LogSeverityFile is the log severity above which logs are sent to the log file. [Default: Info]" + pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$ type: string logSeverityScreen: description: "LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]" + pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$ type: string logSeveritySys: description: "LogSeveritySys is the log severity above which logs are sent to the syslog. Set to None for no logging to syslog. [Default: Info]" + pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$ type: string maxIpsetSize: type: integer 
@@ -619,6 +703,7 @@ spec: pattern: ^.* x-kubernetes-int-or-string: true netlinkTimeout: + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string openstackRegion: description: @@ -683,11 +768,13 @@ spec: "ReportingInterval is the interval at which Felix reports its status into the datastore or 0 to disable. Must be non-zero in OpenStack deployments. [Default: 30s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string reportingTTL: description: "ReportingTTL is the time-to-live setting for process-wide status reports. [Default: 90s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string routeRefreshInterval: description: @@ -695,12 +782,14 @@ spec: the routes in the dataplane to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable route refresh. [Default: 90s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string routeSource: description: "RouteSource configures where Felix gets its routing information. - WorkloadIPs: use workload endpoints to construct routes. - CalicoIPAM: the default - use IPAM data to construct routes." + pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$ type: string routeSyncDisabled: description: @@ -744,6 +833,7 @@ spec: packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled", in which case such routing loops continue to be allowed. [Default: Drop]' + pattern: ^(?i)(Drop|Reject|Disabled)?$ type: string sidecarAccelerationEnabled: description: @@ -762,11 +852,13 @@ spec: description: "UsageReportingInitialDelay controls the minimum delay before Felix makes a report. [Default: 300s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string usageReportingInterval: description: "UsageReportingInterval controls the interval at which Felix makes reports. [Default: 86400s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string useInternalDataplaneDriver: description: 
@@ -794,6 +886,15 @@ spec: type: integer vxlanVNI: type: integer + windowsManageFirewallRules: + description: + "WindowsManageFirewallRules configures whether or not + Felix will program Windows Firewall rules. (to allow inbound access + to its own metrics ports) [Default: Disabled]" + enum: + - Enabled + - Disabled + type: string wireguardEnabled: description: "WireguardEnabled controls whether Wireguard is enabled @@ -825,6 +926,7 @@ spec: description: "WireguardKeepAlive controls Wireguard PersistentKeepalive option. Set 0 to disable. [Default: 0]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string wireguardListeningPort: description: @@ -857,6 +959,7 @@ spec: the allowedSourcePrefixes annotation to send traffic with a source IP address that is not theirs. This is disabled by default. When set to "Any", pods can request any prefix. + pattern: ^(?i)(Disabled|Any)?$ type: string xdpEnabled: description: @@ -869,6 +972,7 @@ spec: all XDP state to ensure that no other process has accidentally broken Calico's BPF maps or attached programs. Set to 0 to disable XDP refresh. [Default: 90s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string type: object type: object diff --git a/charts/tigera-operator/crds/calico/globalnetworkpolicies.crd.projectcalico.org.yaml b/charts/tigera-operator/crds/calico/globalnetworkpolicies.crd.projectcalico.org.yaml index 21653535..fbdeaf0c 100644 --- a/charts/tigera-operator/crds/calico/globalnetworkpolicies.crd.projectcalico.org.yaml +++ b/charts/tigera-operator/crds/calico/globalnetworkpolicies.crd.projectcalico.org.yaml 
@@ -893,6 +893,20 @@ spec: with identical order will be applied in alphanumerical order based on the Policy "Name". type: number + performanceHints: + description: + "PerformanceHints contains a list of hints to Calico's + policy engine to help process the policy more efficiently. Hints + never change the enforcement behaviour of the policy. \n Currently, + the only available hint is \"AssumeNeededOnEveryNode\". When that + hint is set on a policy, Felix will act as if the policy matches + a local endpoint even if it does not. This is useful for \"preloading\" + any large static policies that are known to be used on every node. + If the policy is _not_ used on a particular node then the work done + to preload the policy (and to maintain it) is wasted." + items: + type: string + type: array preDNAT: description: PreDNAT indicates to apply the rules in this policy before diff --git a/charts/tigera-operator/crds/calico/networkpolicies.crd.projectcalico.org.yaml b/charts/tigera-operator/crds/calico/networkpolicies.crd.projectcalico.org.yaml index f768a44d..11ebd990 100644 --- a/charts/tigera-operator/crds/calico/networkpolicies.crd.projectcalico.org.yaml +++ b/charts/tigera-operator/crds/calico/networkpolicies.crd.projectcalico.org.yaml 
@@ -875,6 +875,20 @@ spec: with identical order will be applied in alphanumerical order based on the Policy "Name". type: number + performanceHints: + description: + "PerformanceHints contains a list of hints to Calico's + policy engine to help process the policy more efficiently. Hints + never change the enforcement behaviour of the policy. \n Currently, + the only available hint is \"AssumeNeededOnEveryNode\". When that + hint is set on a policy, Felix will act as if the policy matches + a local endpoint even if it does not. This is useful for \"preloading\" + any large static policies that are known to be used on every node. + If the policy is _not_ used on a particular node then the work done + to preload the policy (and to maintain it) is wasted." + items: + type: string + type: array selector: description: "The selector is an expression used to pick pick out diff --git a/charts/tigera-operator/crds/installations.operator.tigera.io.yaml b/charts/tigera-operator/crds/installations.operator.tigera.io.yaml index 8dadf377..6cc8a51a 100644 --- a/charts/tigera-operator/crds/installations.operator.tigera.io.yaml +++ b/charts/tigera-operator/crds/installations.operator.tigera.io.yaml 
@@ -1304,6 +1304,35 @@ spec: deprecated ComponentResources, then this value takes precedence. properties: + claims: + description: + "Claims lists the names of + resources, defined in spec.resourceClaims, + that are used by this container. \n This + is an alpha field and requires enabling + the DynamicResourceAllocation feature + gate. \n This field is immutable. It can + only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -1619,6 +1648,18 @@ spec: on interfaces that do not match the given regex. type: string type: object + windowsDataplane: + description: + "WindowsDataplane is used to select the dataplane + used for Windows nodes. In particular, it causes the operator + to add required mounts and environment variables for the particular + dataplane. If not specified, it is disabled and the operator + will not render the Calico Windows nodes daemonset. Default: + Disabled" + enum: + - HNS + - Disabled + type: string type: object calicoNodeDaemonSet: description: 
@@ -2877,6 +2918,35 @@ spec: with the deprecated ComponentResources, then this value takes precedence. properties: + claims: + description: + "Claims lists the names of + resources, defined in spec.resourceClaims, + that are used by this container. \n This + is an alpha field and requires enabling + the DynamicResourceAllocation feature + gate. \n This field is immutable. It can + only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2946,6 +3016,35 @@ spec: in conjunction with the deprecated ComponentResources, then this value takes precedence. properties: + claims: + description: + "Claims lists the names of + resources, defined in spec.resourceClaims, + that are used by this container. \n This + is an alpha field and requires enabling + the DynamicResourceAllocation feature + gate. \n This field is immutable. It can + only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -3055,15 +3154,15 @@ spec: type: object type: object type: object - calicoWindowsUpgradeDaemonSet: + calicoNodeWindowsDaemonSet: description: - CalicoWindowsUpgradeDaemonSet configures the calico-windows-upgrade + CalicoNodeWindowsDaemonSet configures the calico-node-windows DaemonSet. properties: metadata: description: Metadata is a subset of a Kubernetes object's metadata - that is added to the Deployment. + that is added to the DaemonSet. properties: annotations: additionalProperties: @@ -3086,26 +3185,26 @@ spec: type: object spec: description: - Spec is the specification of the calico-windows-upgrade + Spec is the specification of the calico-node-windows DaemonSet. properties: minReadySeconds: description: MinReadySeconds is the minimum number of seconds - for which a newly created Deployment pod should be ready + for which a newly created DaemonSet pod should be ready without any of its container crashing, for it to be considered available. If specified, this overrides any minReadySeconds - value that may be set on the calico-windows-upgrade DaemonSet. - If omitted, the calico-windows-upgrade DaemonSet will use - its default value for minReadySeconds. + value that may be set on the calico-node-windows DaemonSet. + If omitted, the calico-node-windows DaemonSet will use its + default value for minReadySeconds. format: int32 maximum: 2147483647 minimum: 0 type: integer template: description: - Template describes the calico-windows-upgrade - DaemonSet pod that will be created. + Template describes the calico-node-windows DaemonSet + pod that will be created. properties: metadata: description: 
@@ -3134,19 +3233,18 @@ spec: type: object spec: description: - Spec is the calico-windows-upgrade DaemonSet's + Spec is the calico-node-windows DaemonSet's PodSpec. properties: affinity: description: "Affinity is a group of affinity scheduling - rules for the calico-windows-upgrade pods. If specified, + rules for the calico-node-windows pods. If specified, this overrides any affinity that may be set on the - calico-windows-upgrade DaemonSet. If omitted, the - calico-windows-upgrade DaemonSet will use its default - value for affinity. WARNING: Please note that this - field will override the default calico-windows-upgrade - DaemonSet affinity." + calico-node-windows DaemonSet. If omitted, the calico-node-windows + DaemonSet will use its default value for affinity. + WARNING: Please note that this field will override + the default calico-node-windows DaemonSet affinity." properties: nodeAffinity: description: 
@@ -4288,35 +4386,164 @@ spec: type: object containers: description: - Containers is a list of calico-windows-upgrade + Containers is a list of calico-node-windows containers. If specified, this overrides the specified - calico-windows-upgrade DaemonSet containers. If - omitted, the calico-windows-upgrade DaemonSet will - use its default values for its containers. + calico-node-windows DaemonSet containers. If omitted, + the calico-node-windows DaemonSet will use its default + values for its containers. items: description: - CalicoWindowsUpgradeDaemonSetContainer - is a calico-windows-upgrade DaemonSet container. + CalicoNodeWindowsDaemonSetContainer + is a calico-node-windows DaemonSet container. properties: name: description: Name is an enum which identifies - the calico-windows-upgrade DaemonSet container + the calico-node-windows DaemonSet container by name. enum: - - calico-windows-upgrade + - calico-node-windows type: string resources: description: Resources allows customization of limits and requests for compute resources such as cpu and memory. If specified, this - overrides the named calico-windows-upgrade - DaemonSet container's resources. If omitted, - the calico-windows-upgrade DaemonSet will - use its default value for this container's - resources. + overrides the named calico-node-windows DaemonSet + container's resources. If omitted, the calico-node-windows + DaemonSet will use its default value for this + container's resources. If used in conjunction + with the deprecated ComponentResources, then + this value takes precedence. + properties: + claims: + description: + "Claims lists the names of + resources, defined in spec.resourceClaims, + that are used by this container. \n This + is an alpha field and requires enabling + the DynamicResourceAllocation feature + gate. \n This field is immutable. It can + only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. 
+ properties: + name: + description: + Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Requests describes the minimum + amount of compute resources required. + If Requests is omitted for a container, + it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: object + type: object + required: + - name + type: object + type: array + initContainers: + description: + InitContainers is a list of calico-node-windows + init containers. If specified, this overrides the + specified calico-node-windows DaemonSet init containers. + If omitted, the calico-node-windows DaemonSet will + use its default values for its init containers. + items: + description: + CalicoNodeWindowsDaemonSetInitContainer + is a calico-node-windows DaemonSet init container. + properties: + name: + description: + Name is an enum which identifies + the calico-node-windows DaemonSet init container + by name. 
+ enum: + - install-cni + - hostpath-init + - flexvol-driver + - mount-bpffs + - node-certs-key-cert-provisioner + - calico-node-windows-prometheus-server-tls-key-cert-provisioner + type: string + resources: + description: + Resources allows customization + of limits and requests for compute resources + such as cpu and memory. If specified, this + overrides the named calico-node-windows DaemonSet + init container's resources. If omitted, the + calico-node-windows DaemonSet will use its + default value for this container's resources. + If used in conjunction with the deprecated + ComponentResources, then this value takes + precedence. properties: + claims: + description: + "Claims lists the names of + resources, defined in spec.resourceClaims, + that are used by this container. \n This + is an alpha field and requires enabling + the DynamicResourceAllocation feature + gate. \n This field is immutable. It can + only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -4353,25 +4580,25 @@ spec: additionalProperties: type: string description: - "NodeSelector is the calico-windows-upgrade + "NodeSelector is the calico-node-windows pod's scheduling constraints. If specified, each - of the key/value pairs are added to the calico-windows-upgrade + of the key/value pairs are added to the calico-node-windows DaemonSet nodeSelector provided the key does not already exist in the object's nodeSelector. If - omitted, the calico-windows-upgrade DaemonSet will + omitted, the calico-node-windows DaemonSet will use its default value for nodeSelector. WARNING: Please note that this field will modify the default - calico-windows-upgrade DaemonSet nodeSelector." + calico-node-windows DaemonSet nodeSelector." type: object tolerations: description: - "Tolerations is the calico-windows-upgrade + "Tolerations is the calico-node-windows pod's tolerations. If specified, this overrides - any tolerations that may be set on the calico-windows-upgrade - DaemonSet. If omitted, the calico-windows-upgrade - DaemonSet will use its default value for tolerations. - WARNING: Please note that this field will override - the default calico-windows-upgrade DaemonSet tolerations." + any tolerations that may be set on the calico-node-windows + DaemonSet. If omitted, the calico-node-windows DaemonSet + will use its default value for tolerations. WARNING: + Please note that this field will override the default + calico-node-windows DaemonSet tolerations." items: description: The pod this Toleration is attached 
@@ -4427,279 +4654,58 @@ spec: type: object type: object type: object - certificateManagement: + calicoWindowsUpgradeDaemonSet: description: - CertificateManagement configures pods to submit a CertificateSigningRequest - to the certificates.k8s.io/v1beta1 API in order to obtain TLS certificates. - This feature requires that you bring your own CSR signing and approval - process, otherwise pods will be stuck during initialization. - properties: - caCert: - description: - Certificate of the authority that signs the CertificateSigningRequests - in PEM format. - format: byte - type: string - keyAlgorithm: - description: - "Specify the algorithm used by pods to generate a - key pair that is associated with the X.509 certificate request. - Default: RSAWithSize2048" - enum: - - "" - - RSAWithSize2048 - - RSAWithSize4096 - - RSAWithSize8192 - - ECDSAWithCurve256 - - ECDSAWithCurve384 - - ECDSAWithCurve521 - type: string - signatureAlgorithm: - description: - "Specify the algorithm used for the signature of - the X.509 certificate request. Default: SHA256WithRSA" - enum: - - "" - - SHA256WithRSA - - SHA384WithRSA - - SHA512WithRSA - - ECDSAWithSHA256 - - ECDSAWithSHA384 - - ECDSAWithSHA512 - type: string - signerName: - description: - "When a CSR is issued to the certificates.k8s.io - API, the signerName is added to the request in order to accommodate - for clusters with multiple signers. Must be formatted as: `/`." - type: string - required: - - caCert - - signerName - type: object - cni: - description: CNI specifies the CNI that will be used by this installation. + Deprecated. The CalicoWindowsUpgradeDaemonSet is deprecated + and will be removed from the API in the future. CalicoWindowsUpgradeDaemonSet + configures the calico-windows-upgrade DaemonSet. properties: - ipam: + metadata: description: - IPAM specifies the pod IP address management that - will be used in the Calico or Calico Enterprise installation. 
+ Metadata is a subset of a Kubernetes object's metadata + that is added to the Deployment. properties: - type: + annotations: + additionalProperties: + type: string description: - "Specifies the IPAM plugin that will be used - in the Calico or Calico Enterprise installation. * For CNI - Plugin Calico, this field defaults to Calico. * For CNI - Plugin GKE, this field defaults to HostLocal. * For CNI - Plugin AzureVNET, this field defaults to AzureVNET. * For - CNI Plugin AmazonVPC, this field defaults to AmazonVPC. - \n The IPAM plugin is installed and configured only if the - CNI plugin is set to Calico, for all other values of the - CNI plugin the plugin binaries and CNI config is a dependency - that is expected to be installed separately. \n Default: - Calico" - enum: - - Calico - - HostLocal - - AmazonVPC - - AzureVNET - type: string - required: - - type + Annotations is a map of arbitrary non-identifying + metadata. Each of these key/value pairs are added to the + object's annotations provided the key does not already exist + in the object's annotations. + type: object + labels: + additionalProperties: + type: string + description: + Labels is a map of string keys and values that + may match replicaset and service selectors. Each of these + key/value pairs are added to the object's labels provided + the key does not already exist in the object's labels. + type: object type: object - type: + spec: description: - "Specifies the CNI plugin that will be used in the - Calico or Calico Enterprise installation. * For KubernetesProvider - GKE, this field defaults to GKE. * For KubernetesProvider AKS, - this field defaults to AzureVNET. * For KubernetesProvider EKS, - this field defaults to AmazonVPC. * If aws-node daemonset exists - in kube-system when the Installation resource is created, this - field defaults to AmazonVPC. * For all other cases this field - defaults to Calico. 
\n For the value Calico, the CNI plugin - binaries and CNI config will be installed as part of deployment, - for all other values the CNI plugin binaries and CNI config - is a dependency that is expected to be installed separately. - \n Default: Calico" - enum: - - Calico - - GKE - - AmazonVPC - - AzureVNET - type: string - required: - - type - type: object - componentResources: - description: - Deprecated. Please use CalicoNodeDaemonSet, TyphaDeployment, - and KubeControllersDeployment. ComponentResources can be used to - customize the resource requirements for each component. Node, Typha, - and KubeControllers are supported for installations. - items: - description: - Deprecated. Please use component resource config fields - in Installation.Spec instead. The ComponentResource struct associates - a ResourceRequirements with a component by name - properties: - componentName: - description: ComponentName is an enum which identifies the component - enum: - - Node - - Typha - - KubeControllers - type: string - resourceRequirements: - description: - ResourceRequirements allows customization of limits - and requests for compute resources such as cpu and memory. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: - "Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: - "Requests describes the minimum amount of compute - resources required. 
If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. More info: - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - type: object - type: object - required: - - componentName - - resourceRequirements - type: object - type: array - controlPlaneNodeSelector: - additionalProperties: - type: string - description: - ControlPlaneNodeSelector is used to select control plane - nodes on which to run Calico components. This is globally applied - to all resources created by the operator excluding daemonsets. - type: object - controlPlaneReplicas: - description: - ControlPlaneReplicas defines how many replicas of the - control plane core components will be deployed. This field applies - to all control plane components that support High Availability. - Defaults to 2. - format: int32 - type: integer - controlPlaneTolerations: - description: - ControlPlaneTolerations specify tolerations which are - then globally applied to all resources created by the operator. - items: - description: - The pod this Toleration is attached to tolerates any - taint that matches the triple using the matching - operator . - properties: - effect: - description: - Effect indicates the taint effect to match. Empty - means match all taint effects. When specified, allowed values - are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: - Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match all - values and all keys. - type: string - operator: - description: - Operator represents a key's relationship to the - value. Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod - can tolerate all taints of a particular category. 
- type: string - tolerationSeconds: - description: - TolerationSeconds represents the period of time - the toleration (which must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. By default, it - is not set, which means tolerate the taint forever (do not - evict). Zero and negative values will be treated as 0 (evict - immediately) by the system. - format: int64 - type: integer - value: - description: - Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - csiNodeDriverDaemonSet: - description: - CSINodeDriverDaemonSet configures the csi-node-driver - DaemonSet. - properties: - metadata: - description: - Metadata is a subset of a Kubernetes object's metadata - that is added to the DaemonSet. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations is a map of arbitrary non-identifying - metadata. Each of these key/value pairs are added to the - object's annotations provided the key does not already exist - in the object's annotations. - type: object - labels: - additionalProperties: - type: string - description: - Labels is a map of string keys and values that - may match replicaset and service selectors. Each of these - key/value pairs are added to the object's labels provided - the key does not already exist in the object's labels. - type: object - type: object - spec: - description: - Spec is the specification of the csi-node-driver + Spec is the specification of the calico-windows-upgrade DaemonSet. properties: minReadySeconds: description: MinReadySeconds is the minimum number of seconds - for which a newly created DaemonSet pod should be ready + for which a newly created Deployment pod should be ready without any of its container crashing, for it to be considered available. 
If specified, this overrides any minReadySeconds - value that may be set on the csi-node-driver DaemonSet. - If omitted, the csi-node-driver DaemonSet will use its default - value for minReadySeconds. + value that may be set on the calico-windows-upgrade DaemonSet. + If omitted, the calico-windows-upgrade DaemonSet will use + its default value for minReadySeconds. format: int32 maximum: 2147483647 minimum: 0 type: integer template: description: - Template describes the csi-node-driver DaemonSet - pod that will be created. + Template describes the calico-windows-upgrade + DaemonSet pod that will be created. properties: metadata: description: @@ -4727,17 +4733,20 @@ spec: type: object type: object spec: - description: Spec is the csi-node-driver DaemonSet's PodSpec. + description: + Spec is the calico-windows-upgrade DaemonSet's + PodSpec. properties: affinity: description: "Affinity is a group of affinity scheduling - rules for the csi-node-driver pods. If specified, + rules for the calico-windows-upgrade pods. If specified, this overrides any affinity that may be set on the - csi-node-driver DaemonSet. If omitted, the csi-node-driver - DaemonSet will use its default value for affinity. - WARNING: Please note that this field will override - the default csi-node-driver DaemonSet affinity." + calico-windows-upgrade DaemonSet. If omitted, the + calico-windows-upgrade DaemonSet will use its default + value for affinity. WARNING: Please note that this + field will override the default calico-windows-upgrade + DaemonSet affinity." properties: nodeAffinity: description: 
@@ -5879,34 +5888,64 @@ spec: type: object containers: description: - Containers is a list of csi-node-driver + Containers is a list of calico-windows-upgrade containers. If specified, this overrides the specified - csi-node-driver DaemonSet containers. If omitted, - the csi-node-driver DaemonSet will use its default - values for its containers. + calico-windows-upgrade DaemonSet containers. If + omitted, the calico-windows-upgrade DaemonSet will + use its default values for its containers. items: description: - CSINodeDriverDaemonSetContainer is - a csi-node-driver DaemonSet container. + CalicoWindowsUpgradeDaemonSetContainer + is a calico-windows-upgrade DaemonSet container. properties: name: description: Name is an enum which identifies - the csi-node-driver DaemonSet container by - name. + the calico-windows-upgrade DaemonSet container + by name. enum: - - csi-node-driver + - calico-windows-upgrade type: string resources: description: Resources allows customization of limits and requests for compute resources such as cpu and memory. If specified, this - overrides the named csi-node-driver DaemonSet - container's resources. If omitted, the csi-node-driver - DaemonSet will use its default value for this - container's resources. + overrides the named calico-windows-upgrade + DaemonSet container's resources. If omitted, + the calico-windows-upgrade DaemonSet will + use its default value for this container's + resources. properties: + claims: + description: + "Claims lists the names of + resources, defined in spec.resourceClaims, + that are used by this container. \n This + is an alpha field and requires enabling + the DynamicResourceAllocation feature + gate. \n This field is immutable. It can + only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. 
+ It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -5943,29 +5982,29 @@ spec: additionalProperties: type: string description: - "NodeSelector is the csi-node-driver + "NodeSelector is the calico-windows-upgrade pod's scheduling constraints. If specified, each - of the key/value pairs are added to the csi-node-driver + of the key/value pairs are added to the calico-windows-upgrade DaemonSet nodeSelector provided the key does not already exist in the object's nodeSelector. If - omitted, the csi-node-driver DaemonSet will use - its default value for nodeSelector. WARNING: Please - note that this field will modify the default csi-node-driver - DaemonSet nodeSelector." + omitted, the calico-windows-upgrade DaemonSet will + use its default value for nodeSelector. WARNING: + Please note that this field will modify the default + calico-windows-upgrade DaemonSet nodeSelector." type: object tolerations: description: - "Tolerations is the csi-node-driver pod's - tolerations. If specified, this overrides any tolerations - that may be set on the csi-node-driver DaemonSet. - If omitted, the csi-node-driver DaemonSet will use - its default value for tolerations. WARNING: Please - note that this field will override the default csi-node-driver - DaemonSet tolerations." - items: - description: - The pod this Toleration is attached - to tolerates any taint that matches the triple + "Tolerations is the calico-windows-upgrade + pod's tolerations. If specified, this overrides + any tolerations that may be set on the calico-windows-upgrade + DaemonSet. If omitted, the calico-windows-upgrade + DaemonSet will use its default value for tolerations. + WARNING: Please note that this field will override + the default calico-windows-upgrade DaemonSet tolerations." + items: + description: + The pod this Toleration is attached + to tolerates any taint that matches the triple using the matching operator . properties: 
@@ -6017,468 +6056,265 @@ spec: type: object type: object type: object - fipsMode: - description: - "FIPSMode uses images and features only that are using - FIPS 140-2 validated cryptographic modules and standards. Default: - Disabled" - enum: - - Enabled - - Disabled - type: string - flexVolumePath: - description: - FlexVolumePath optionally specifies a custom path for - FlexVolume. If not specified, FlexVolume will be enabled by default. - If set to 'None', FlexVolume will be disabled. The default is based - on the kubernetesProvider. - type: string - imagePath: - description: - "ImagePath allows for the path part of an image to be - specified. If specified then the specified value will be used as - the image path for each image. If not specified or empty, the default - for each image will be used. A special case value, UseDefault, is - supported to explicitly specify the default image path will be used - for each image. \n Image format: `/:` - \n This option allows configuring the `` portion of the - above format." - type: string - imagePrefix: - description: - "ImagePrefix allows for the prefix part of an image to - be specified. If specified then the given value will be used as - a prefix on each image. If not specified or empty, no prefix will - be used. A special case value, UseDefault, is supported to explicitly - specify the default image prefix will be used for each image. \n - Image format: `/:` - \n This option allows configuring the `` portion of - the above format." - type: string - imagePullSecrets: - description: - ImagePullSecrets is an array of references to container - registry pull secrets to use. These are applied to all images to - be pulled. - items: - description: - LocalObjectReference contains enough information to - let you locate the referenced object inside the same namespace. - properties: - name: - description: - "Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?" - type: string - type: object - x-kubernetes-map-type: atomic - type: array - kubeletVolumePluginPath: - description: - "KubeletVolumePluginPath optionally specifies enablement - of Calico CSI plugin. If not specified, CSI will be enabled by default. - If set to 'None', CSI will be disabled. Default: /var/lib/kubelet" - type: string - kubernetesProvider: + certificateManagement: description: - KubernetesProvider specifies a particular provider of - the Kubernetes platform and enables provider-specific configuration. - If the specified value is empty, the Operator will attempt to automatically - determine the current provider. If the specified value is not empty, - the Operator will still attempt auto-detection, but will additionally - compare the auto-detected value to the specified value to confirm - they match. - enum: - - "" - - EKS - - GKE - - AKS - - OpenShift - - DockerEnterprise - - RKE2 - type: string - logging: - description: Logging Configuration for Components + CertificateManagement configures pods to submit a CertificateSigningRequest + to the certificates.k8s.io/v1beta1 API in order to obtain TLS certificates. + This feature requires that you bring your own CSR signing and approval + process, otherwise pods will be stuck during initialization. 
properties: - cni: - description: Customized logging specification for calico-cni plugin - properties: - logFileMaxAgeDays: - description: "Default: 30 (days)" - format: int32 - type: integer - logFileMaxCount: - description: "Default: 10" - format: int32 - type: integer - logFileMaxSize: - anyOf: - - type: integer - - type: string - description: "Default: 100Mi" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - logSeverity: - description: "Default: Info" - enum: - - Error - - Warning - - Debug - - Info - type: string - type: object + caCert: + description: + Certificate of the authority that signs the CertificateSigningRequests + in PEM format. + format: byte + type: string + keyAlgorithm: + description: + "Specify the algorithm used by pods to generate a + key pair that is associated with the X.509 certificate request. + Default: RSAWithSize2048" + enum: + - "" + - RSAWithSize2048 + - RSAWithSize4096 + - RSAWithSize8192 + - ECDSAWithCurve256 + - ECDSAWithCurve384 + - ECDSAWithCurve521 + type: string + signatureAlgorithm: + description: + "Specify the algorithm used for the signature of + the X.509 certificate request. Default: SHA256WithRSA" + enum: + - "" + - SHA256WithRSA + - SHA384WithRSA + - SHA512WithRSA + - ECDSAWithSHA256 + - ECDSAWithSHA384 + - ECDSAWithSHA512 + type: string + signerName: + description: + "When a CSR is issued to the certificates.k8s.io + API, the signerName is added to the request in order to accommodate + for clusters with multiple signers. Must be formatted as: `/`." + type: string + required: + - caCert + - signerName type: object - nodeMetricsPort: - description: - NodeMetricsPort specifies which port calico/node serves - prometheus metrics on. By default, metrics are not enabled. If specified, - this overrides any FelixConfiguration resources which may exist. 
- If omitted, then prometheus metrics may still be configured through - FelixConfiguration. - format: int32 - type: integer - nodeUpdateStrategy: - description: - NodeUpdateStrategy can be used to customize the desired - update strategy, such as the MaxUnavailable field. + cni: + description: CNI specifies the CNI that will be used by this installation. properties: - rollingUpdate: + ipam: description: - 'Rolling update config params. Present only if type - = "RollingUpdate". --- TODO: Update this to follow our convention - for oneOf, whatever we decide it to be. Same as Deployment `strategy.rollingUpdate`. - See https://github.com/kubernetes/kubernetes/issues/35345' + IPAM specifies the pod IP address management that + will be used in the Calico or Calico Enterprise installation. properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: - "The maximum number of nodes with an existing - available DaemonSet pod that can have an updated DaemonSet - pod during during an update. Value can be an absolute number - (ex: 5) or a percentage of desired pods (ex: 10%). This - can not be 0 if MaxUnavailable is 0. Absolute number is - calculated from percentage by rounding up to a minimum of - 1. Default value is 0. Example: when this is set to 30%, - at most 30% of the total number of nodes that should be - running the daemon pod (i.e. status.desiredNumberScheduled) - can have their a new pod created before the old pod is marked - as deleted. The update starts by launching new pods on 30% - of nodes. Once an updated pod is available (Ready for at - least minReadySeconds) the old DaemonSet pod on that node - is marked deleted. If the old pod becomes unavailable for - any reason (Ready transitions to false, is evicted, or is - drained) an updated pod is immediatedly created on that - node without considering surge limits. 
Allowing surge implies - the possibility that the resources consumed by the daemonset - on any given node can double if the readiness check fails, - and so resource intensive daemonsets should take into account - that they may cause evictions during disruption." - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string + type: description: - "The maximum number of DaemonSet pods that can - be unavailable during the update. Value can be an absolute - number (ex: 5) or a percentage of total number of DaemonSet - pods at the start of the update (ex: 10%). Absolute number - is calculated from percentage by rounding up. This cannot - be 0 if MaxSurge is 0 Default value is 1. Example: when - this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their pods stopped for an update at any given time. - The update starts by stopping at most 30% of those DaemonSet - pods and then brings up new DaemonSet pods in their place. - Once the new pods are available, it then proceeds onto other - DaemonSet pods, thus ensuring that at least 70% of original - number of DaemonSet pods are available at all times during - the update." - x-kubernetes-int-or-string: true + "Specifies the IPAM plugin that will be used + in the Calico or Calico Enterprise installation. * For CNI + Plugin Calico, this field defaults to Calico. * For CNI + Plugin GKE, this field defaults to HostLocal. * For CNI + Plugin AzureVNET, this field defaults to AzureVNET. * For + CNI Plugin AmazonVPC, this field defaults to AmazonVPC. + \n The IPAM plugin is installed and configured only if the + CNI plugin is set to Calico, for all other values of the + CNI plugin the plugin binaries and CNI config is a dependency + that is expected to be installed separately. 
\n Default: + Calico" + enum: + - Calico + - HostLocal + - AmazonVPC + - AzureVNET + type: string + required: + - type type: object type: description: - Type of daemon set update. Can be "RollingUpdate" - or "OnDelete". Default is RollingUpdate. + "Specifies the CNI plugin that will be used in the + Calico or Calico Enterprise installation. * For KubernetesProvider + GKE, this field defaults to GKE. * For KubernetesProvider AKS, + this field defaults to AzureVNET. * For KubernetesProvider EKS, + this field defaults to AmazonVPC. * If aws-node daemonset exists + in kube-system when the Installation resource is created, this + field defaults to AmazonVPC. * For all other cases this field + defaults to Calico. \n For the value Calico, the CNI plugin + binaries and CNI config will be installed as part of deployment, + for all other values the CNI plugin binaries and CNI config + is a dependency that is expected to be installed separately. + \n Default: Calico" + enum: + - Calico + - GKE + - AmazonVPC + - AzureVNET type: string + required: + - type type: object - nonPrivileged: + componentResources: description: - NonPrivileged configures Calico to be run in non-privileged - containers as non-root users where possible. - type: string - registry: + Deprecated. Please use CalicoNodeDaemonSet, TyphaDeployment, + and KubeControllersDeployment. ComponentResources can be used to + customize the resource requirements for each component. Node, Typha, + and KubeControllers are supported for installations. + items: + description: + Deprecated. Please use component resource config fields + in Installation.Spec instead. 
The ComponentResource struct associates + a ResourceRequirements with a component by name + properties: + componentName: + description: ComponentName is an enum which identifies the component + enum: + - Node + - Typha + - KubeControllers + type: string + resourceRequirements: + description: + ResourceRequirements allows customization of limits + and requests for compute resources such as cpu and memory. + properties: + claims: + description: + "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only + be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Requests describes the minimum amount of compute + resources required. 
If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: object + type: object + required: + - componentName + - resourceRequirements + type: object + type: array + controlPlaneNodeSelector: + additionalProperties: + type: string description: - "Registry is the default Docker registry used for component - Docker images. If specified then the given value must end with a - slash character (`/`) and all images will be pulled from this registry. - If not specified then the default registries will be used. A special - case value, UseDefault, is supported to explicitly specify the default - registries will be used. \n Image format: `/:` - \n This option allows configuring the `` portion of the - above format." - type: string - typhaAffinity: + ControlPlaneNodeSelector is used to select control plane + nodes on which to run Calico components. This is globally applied + to all resources created by the operator excluding daemonsets. + type: object + controlPlaneReplicas: description: - Deprecated. Please use Installation.Spec.TyphaDeployment - instead. TyphaAffinity allows configuration of node affinity characteristics - for Typha pods. + ControlPlaneReplicas defines how many replicas of the + control plane core components will be deployed. This field applies + to all control plane components that support High Availability. + Defaults to 2. + format: int32 + type: integer + controlPlaneTolerations: + description: + ControlPlaneTolerations specify tolerations which are + then globally applied to all resources created by the operator. + items: + description: + The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: + Effect indicates the taint effect to match. 
Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: + Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: + Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: + TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: + Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + csiNodeDriverDaemonSet: + description: + CSINodeDriverDaemonSet configures the csi-node-driver + DaemonSet. properties: - nodeAffinity: + metadata: description: - NodeAffinity describes node affinity scheduling rules - for typha. + Metadata is a subset of a Kubernetes object's metadata + that is added to the DaemonSet. properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: - The scheduler will prefer to schedule pods to - nodes that satisfy the affinity expressions specified by - this field, but it may choose a node that violates one or - more of the expressions. - items: - description: - An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). 
- A null preferred scheduling term matches no objects (i.e. - is also a no-op). - properties: - preference: - description: - A node selector term, associated with the - corresponding weight. - properties: - matchExpressions: - description: - A list of node selector requirements - by node's labels. - items: - description: - A node selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: - The label key that the selector - applies to. - type: string - operator: - description: - Represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists, DoesNotExist. Gt, and - Lt. - type: string - values: - description: - An array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values array - must be empty. If the operator is Gt or - Lt, the values array must have a single - element, which will be interpreted as an - integer. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of node selector requirements - by node's fields. - items: - description: - A node selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: - The label key that the selector - applies to. - type: string - operator: - description: - Represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists, DoesNotExist. Gt, and - Lt. - type: string - values: - description: - An array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values array - must be empty. 
If the operator is Gt or - Lt, the values array must have a single - element, which will be interpreted as an - integer. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - weight: - description: - Weight associated with matching the corresponding - nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: - "WARNING: Please note that if the affinity requirements - specified by this field are not met at scheduling time, - the pod will NOT be scheduled onto the node. There is no - fallback to another affinity rules with this setting. This - may cause networking disruption or even catastrophic failure! - PreferredDuringSchedulingIgnoredDuringExecution should be - used for affinity unless there is a specific well understood - reason to use RequiredDuringSchedulingIgnoredDuringExecution - and you can guarantee that the RequiredDuringSchedulingIgnoredDuringExecution - will always have sufficient nodes to satisfy the requirement. - NOTE: RequiredDuringSchedulingIgnoredDuringExecution is - set by default for AKS nodes, to avoid scheduling Typhas - on virtual-nodes. If the affinity requirements specified - by this field cease to be met at some point during pod execution - (e.g. due to an update), the system may or may not try to - eventually evict the pod from its node." - properties: - nodeSelectorTerms: - description: - Required. A list of node selector terms. - The terms are ORed. - items: - description: - A null or empty node selector term matches - no objects. The requirements of them are ANDed. The - TopologySelectorTerm type implements a subset of the - NodeSelectorTerm. 
- properties: - matchExpressions: - description: - A list of node selector requirements - by node's labels. - items: - description: - A node selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: - The label key that the selector - applies to. - type: string - operator: - description: - Represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists, DoesNotExist. Gt, and - Lt. - type: string - values: - description: - An array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values array - must be empty. If the operator is Gt or - Lt, the values array must have a single - element, which will be interpreted as an - integer. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of node selector requirements - by node's fields. - items: - description: - A node selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: - The label key that the selector - applies to. - type: string - operator: - description: - Represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists, DoesNotExist. Gt, and - Lt. - type: string - values: - description: - An array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values array - must be empty. If the operator is Gt or - Lt, the values array must have a single - element, which will be interpreted as an - integer. This array is replaced during a - strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - type: array - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - type: object - typhaDeployment: - description: - TyphaDeployment configures the typha Deployment. If used - in conjunction with the deprecated ComponentResources or TyphaAffinity, - then these overrides take precedence. - properties: - metadata: - description: - Metadata is a subset of a Kubernetes object's metadata - that is added to the Deployment. - properties: - annotations: - additionalProperties: - type: string + annotations: + additionalProperties: + type: string description: Annotations is a map of arbitrary non-identifying metadata. Each of these key/value pairs are added to the 
@@ -6496,75 +6332,27 @@ spec: type: object type: object spec: - description: Spec is the specification of the typha Deployment. + description: + Spec is the specification of the csi-node-driver + DaemonSet. properties: minReadySeconds: description: MinReadySeconds is the minimum number of seconds - for which a newly created Deployment pod should be ready + for which a newly created DaemonSet pod should be ready without any of its container crashing, for it to be considered available. If specified, this overrides any minReadySeconds - value that may be set on the typha Deployment. If omitted, - the typha Deployment will use its default value for minReadySeconds. + value that may be set on the csi-node-driver DaemonSet. + If omitted, the csi-node-driver DaemonSet will use its default + value for minReadySeconds. format: int32 maximum: 2147483647 minimum: 0 type: integer - strategy: - description: - The deployment strategy to use to replace existing - pods with new ones. - properties: - rollingUpdate: - description: - Rolling update config params. Present only - if DeploymentStrategyType = RollingUpdate. to be. - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: - "The maximum number of pods that can - be scheduled above the desired number of pods. Value - can be an absolute number (ex: 5) or a percentage - of desired pods (ex: 10%). This can not be 0 if - MaxUnavailable is 0. Absolute number is calculated - from percentage by rounding up. Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet - can be scaled up immediately when the rolling update - starts, such that the total number of old and new - pods do not exceed 130% of desired pods. Once old - pods have been killed, new ReplicaSet can be scaled - up further, ensuring that total number of pods running - at any time during the update is at most 130% of - desired pods." 
- x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: - "The maximum number of pods that can - be unavailable during the update. Value can be an - absolute number (ex: 5) or a percentage of desired - pods (ex: 10%). Absolute number is calculated from - percentage by rounding down. This can not be 0 if - MaxSurge is 0. Defaults to 25%. Example: when this - is set to 30%, the old ReplicaSet can be scaled - down to 70% of desired pods immediately when the - rolling update starts. Once new pods are ready, - old ReplicaSet can be scaled down further, followed - by scaling up the new ReplicaSet, ensuring that - the total number of pods available at all times - during the update is at least 70% of desired pods." - x-kubernetes-int-or-string: true - type: object - type: object template: description: - Template describes the typha Deployment pod that - will be created. + Template describes the csi-node-driver DaemonSet + pod that will be created. properties: metadata: description: 
@@ -6592,19 +6380,17 @@ spec: type: object type: object spec: - description: Spec is the typha Deployment's PodSpec. + description: Spec is the csi-node-driver DaemonSet's PodSpec. properties: affinity: description: "Affinity is a group of affinity scheduling - rules for the typha pods. If specified, this overrides - any affinity that may be set on the typha Deployment. - If omitted, the typha Deployment will use its default - value for affinity. If used in conjunction with - the deprecated TyphaAffinity, then this value takes - precedence. WARNING: Please note that this field - will override the default calico-typha Deployment - affinity." + rules for the csi-node-driver pods. If specified, + this overrides any affinity that may be set on the + csi-node-driver DaemonSet. If omitted, the csi-node-driver + DaemonSet will use its default value for affinity. + WARNING: Please note that this field will override + the default csi-node-driver DaemonSet affinity." properties: nodeAffinity: description: 
@@ -7746,97 +7532,63 @@ spec: type: object containers: description: - Containers is a list of typha containers. - If specified, this overrides the specified typha - Deployment containers. If omitted, the typha Deployment - will use its default values for its containers. + Containers is a list of csi-node-driver + containers. If specified, this overrides the specified + csi-node-driver DaemonSet containers. If omitted, + the csi-node-driver DaemonSet will use its default + values for its containers. items: description: - TyphaDeploymentContainer is a typha - Deployment container. + CSINodeDriverDaemonSetContainer is + a csi-node-driver DaemonSet container. properties: name: description: Name is an enum which identifies - the typha Deployment container by name. + the csi-node-driver DaemonSet container by + name. enum: - - calico-typha + - csi-node-driver type: string resources: description: Resources allows customization of limits and requests for compute resources such as cpu and memory. If specified, this - overrides the named typha Deployment container's - resources. If omitted, the typha Deployment - will use its default value for this container's - resources. If used in conjunction with the - deprecated ComponentResources, then this value - takes precedence. + overrides the named csi-node-driver DaemonSet + container's resources. If omitted, the csi-node-driver + DaemonSet will use its default value for this + container's resources. properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: - "Limits describes the maximum - amount of compute resources allowed. 
More - info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true + claims: description: - "Requests describes the minimum - amount of compute resources required. - If Requests is omitted for a container, - it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - type: object - type: object - required: - - name - type: object - type: array - initContainers: - description: - InitContainers is a list of typha init - containers. If specified, this overrides the specified - typha Deployment init containers. If omitted, the - typha Deployment will use its default values for - its init containers. - items: - description: - TyphaDeploymentInitContainer is a typha - Deployment init container. - properties: - name: - description: - Name is an enum which identifies - the typha Deployment init container by name. - enum: - - typha-certs-key-cert-provisioner - type: string - resources: - description: - Resources allows customization - of limits and requests for compute resources - such as cpu and memory. If specified, this - overrides the named typha Deployment init - container's resources. If omitted, the typha - Deployment will use its default value for - this init container's resources. If used in - conjunction with the deprecated ComponentResources, - then this value takes precedence. - properties: + "Claims lists the names of + resources, defined in spec.resourceClaims, + that are used by this container. \n This + is an alpha field and requires enabling + the DynamicResourceAllocation feature + gate. \n This field is immutable. 
It can + only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -7873,40 +7625,25 @@ spec: additionalProperties: type: string description: - "NodeSelector is the calico-typha pod's - scheduling constraints. If specified, each of the - key/value pairs are added to the calico-typha Deployment - nodeSelector provided the key does not already exist - in the object's nodeSelector. If omitted, the calico-typha - Deployment will use its default value for nodeSelector. - WARNING: Please note that this field will modify - the default calico-typha Deployment nodeSelector." + "NodeSelector is the csi-node-driver + pod's scheduling constraints. If specified, each + of the key/value pairs are added to the csi-node-driver + DaemonSet nodeSelector provided the key does not + already exist in the object's nodeSelector. If + omitted, the csi-node-driver DaemonSet will use + its default value for nodeSelector. WARNING: Please + note that this field will modify the default csi-node-driver + DaemonSet nodeSelector." type: object - terminationGracePeriodSeconds: - description: - Optional duration in seconds the pod - needs to terminate gracefully. May be decreased - in delete request. Value must be non-negative integer. - The value zero indicates stop immediately via the - kill signal (no opportunity to shut down). If this - value is nil, the default grace period will be used - instead. The grace period is the duration in seconds - after the processes running in the pod are sent - a termination signal and the time when the processes - are forcibly halted with a kill signal. Set this - value longer than the expected cleanup time for - your process. Defaults to 30 seconds. - format: int64 - type: integer tolerations: description: - "Tolerations is the typha pod's tolerations. - If specified, this overrides any tolerations that - may be set on the typha Deployment. If omitted, - the typha Deployment will use its default value - for tolerations. WARNING: Please note that this - field will override the default calico-typha Deployment - tolerations." 
+ "Tolerations is the csi-node-driver pod's + tolerations. If specified, this overrides any tolerations + that may be set on the csi-node-driver DaemonSet. + If omitted, the csi-node-driver DaemonSet will use + its default value for tolerations. WARNING: Please + note that this field will override the default csi-node-driver + DaemonSet tolerations." items: description: The pod this Toleration is attached 
@@ -7958,387 +7695,4154 @@ spec: type: string type: object type: array - topologySpreadConstraints: - description: - TopologySpreadConstraints describes how - a group of pods ought to spread across topology - domains. Scheduler will schedule pods in a way which - abides by the constraints. All topologySpreadConstraints - are ANDed. - items: - description: - TopologySpreadConstraint specifies - how to spread matching pods among the given topology. - properties: - labelSelector: - description: - LabelSelector is used to find matching - pods. Pods that match this label selector - are counted to determine the number of pods - in their corresponding topology domain. - properties: - matchExpressions: - description: - matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: - A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: - key is the label key - that the selector applies to. - type: string - operator: - description: - operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: - values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: - MatchLabelKeys is a set of pod - label keys to select the pods over which spreading - will be calculated. The keys are used to lookup - values from the incoming pod labels, those - key-value labels are ANDed with labelSelector - to select the group of existing pods over - which spreading will be calculated for the - incoming pod. Keys that don't exist in the - incoming pod labels will be ignored. A null - or empty list means only match against labelSelector. - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - description: - "MaxSkew describes the degree to - which pods may be unevenly distributed. When - `whenUnsatisfiable=DoNotSchedule`, it is the - maximum permitted difference between the number - of matching pods in the target topology and - the global minimum. The global minimum is - the minimum number of matching pods in an - eligible domain or zero if the number of eligible - domains is less than MinDomains. For example, - in a 3-zone cluster, MaxSkew is set to 1, - and pods with the same labelSelector spread - as 2/2/1: In this case, the global minimum - is 1. | zone1 | zone2 | zone3 | | P P | P - P | P | - if MaxSkew is 1, incoming pod - can only be scheduled to zone3 to become 2/2/2; - scheduling it onto zone1(zone2) would make - the ActualSkew(3-1) on zone1(zone2) violate - MaxSkew(1). - if MaxSkew is 2, incoming pod - can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies - that satisfy it. It's a required field. Default - value is 1 and 0 is not allowed." - format: int32 - type: integer - minDomains: - description: - "MinDomains indicates a minimum - number of eligible domains. 
When the number - of eligible domains with matching topology - keys is less than minDomains, Pod Topology - Spread treats \"global minimum\" as 0, and - then the calculation of Skew is performed. - And when the number of eligible domains with - matching topology keys equals or greater than - minDomains, this value has no effect on scheduling. - As a result, when the number of eligible domains - is less than minDomains, scheduler won't schedule - more than maxSkew Pods to those domains. If - value is nil, the constraint behaves as if - MinDomains is equal to 1. Valid values are - integers greater than 0. When value is not - nil, WhenUnsatisfiable must be DoNotSchedule. - \n For example, in a 3-zone cluster, MaxSkew - is set to 2, MinDomains is set to 5 and pods - with the same labelSelector spread as 2/2/2: - | zone1 | zone2 | zone3 | | P P | P P | - \ P P | The number of domains is less than - 5(MinDomains), so \"global minimum\" is treated - as 0. In this situation, new pod with the - same labelSelector cannot be scheduled, because - computed skew will be 3(3 - 0) if new Pod - is scheduled to any of the three zones, it - will violate MaxSkew. \n This is a beta field - and requires the MinDomainsInPodTopologySpread - feature gate to be enabled (enabled by default)." - format: int32 - type: integer - nodeAffinityPolicy: - description: - "NodeAffinityPolicy indicates how - we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. - Options are: - Honor: only nodes matching - nodeAffinity/nodeSelector are included in - the calculations. - Ignore: nodeAffinity/nodeSelector - are ignored. All nodes are included in the - calculations. \n If this value is nil, the - behavior is equivalent to the Honor policy. - This is a alpha-level feature enabled by the - NodeInclusionPolicyInPodTopologySpread feature - flag." 
- type: string - nodeTaintsPolicy: - description: - "NodeTaintsPolicy indicates how - we will treat node taints when calculating - pod topology spread skew. Options are: - Honor: - nodes without taints, along with tainted nodes - for which the incoming pod has a toleration, - are included. - Ignore: node taints are ignored. - All nodes are included. \n If this value is - nil, the behavior is equivalent to the Ignore - policy. This is a alpha-level feature enabled - by the NodeInclusionPolicyInPodTopologySpread - feature flag." - type: string - topologyKey: - description: - TopologyKey is the key of node - labels. Nodes that have a label with this - key and identical values are considered to - be in the same topology. We consider each - as a "bucket", and try to put - balanced number of pods into each bucket. - We define a domain as a particular instance - of a topology. Also, we define an eligible - domain as a domain whose nodes meet the requirements - of nodeAffinityPolicy and nodeTaintsPolicy. - e.g. If TopologyKey is "kubernetes.io/hostname", - each Node is a domain of that topology. And, - if TopologyKey is "topology.kubernetes.io/zone", - each zone is a domain of that topology. It's - a required field. - type: string - whenUnsatisfiable: - description: - 'WhenUnsatisfiable indicates how - to deal with a pod if it doesn''t satisfy - the spread constraint. - DoNotSchedule (default) - tells the scheduler not to schedule it. - - ScheduleAnyway tells the scheduler to schedule - the pod in any location, but giving higher - precedence to topologies that would help reduce - the skew. A constraint is considered "Unsatisfiable" - for an incoming pod if and only if every possible - node assignment for that pod would violate - "MaxSkew" on some topology. 
For example, in - a 3-zone cluster, MaxSkew is set to 1, and - pods with the same labelSelector spread as - 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, - incoming pod can only be scheduled to zone2(zone3) - to become 3/2/1(3/1/2) as ActualSkew(2-1) - on zone2(zone3) satisfies MaxSkew(1). In other - words, the cluster can still be imbalanced, - but scheduler won''t make it *more* imbalanced. - It''s a required field.' - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array type: object type: object type: object type: object - typhaMetricsPort: - description: - TyphaMetricsPort specifies which port calico/typha serves - prometheus metrics on. By default, metrics are not enabled. - format: int32 - type: integer - variant: + fipsMode: description: - "Variant is the product to install - one of Calico or - TigeraSecureEnterprise Default: Calico" + "FIPSMode uses images and features only that are using + FIPS 140-2 validated cryptographic modules and standards. Default: + Disabled" enum: - - Calico - - TigeraSecureEnterprise + - Enabled + - Disabled type: string - type: object - status: - description: - Most recently observed state for the Calico or Calico Enterprise - installation. - properties: - calicoVersion: + flexVolumePath: description: - CalicoVersion shows the current running version of calico. - CalicoVersion along with Variant is needed to know the exact version - deployed. + FlexVolumePath optionally specifies a custom path for + FlexVolume. If not specified, FlexVolume will be enabled by default. + If set to 'None', FlexVolume will be disabled. The default is based + on the kubernetesProvider. type: string - computed: + imagePath: description: - Computed is the final installation including overlaid - resources. + "ImagePath allows for the path part of an image to be + specified. 
If specified then the specified value will be used as + the image path for each image. If not specified or empty, the default + for each image will be used. A special case value, UseDefault, is + supported to explicitly specify the default image path will be used + for each image. \n Image format: `/:` + \n This option allows configuring the `` portion of the + above format." + type: string + imagePrefix: + description: + "ImagePrefix allows for the prefix part of an image to + be specified. If specified then the given value will be used as + a prefix on each image. If not specified or empty, no prefix will + be used. A special case value, UseDefault, is supported to explicitly + specify the default image prefix will be used for each image. \n + Image format: `/:` + \n This option allows configuring the `` portion of + the above format." + type: string + imagePullSecrets: + description: + ImagePullSecrets is an array of references to container + registry pull secrets to use. These are applied to all images to + be pulled. + items: + description: + LocalObjectReference contains enough information to + let you locate the referenced object inside the same namespace. + properties: + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?" + type: string + type: object + x-kubernetes-map-type: atomic + type: array + kubeletVolumePluginPath: + description: + "KubeletVolumePluginPath optionally specifies enablement + of Calico CSI plugin. If not specified, CSI will be enabled by default. + If set to 'None', CSI will be disabled. Default: /var/lib/kubelet" + type: string + kubernetesProvider: + description: + KubernetesProvider specifies a particular provider of + the Kubernetes platform and enables provider-specific configuration. 
+ If the specified value is empty, the Operator will attempt to automatically + determine the current provider. If the specified value is not empty, + the Operator will still attempt auto-detection, but will additionally + compare the auto-detected value to the specified value to confirm + they match. + enum: + - "" + - EKS + - GKE + - AKS + - OpenShift + - DockerEnterprise + - RKE2 + type: string + logging: + description: Logging Configuration for Components properties: - calicoKubeControllersDeployment: + cni: + description: Customized logging specification for calico-cni plugin + properties: + logFileMaxAgeDays: + description: "Default: 30 (days)" + format: int32 + type: integer + logFileMaxCount: + description: "Default: 10" + format: int32 + type: integer + logFileMaxSize: + anyOf: + - type: integer + - type: string + description: "Default: 100Mi" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + logSeverity: + description: "Default: Info" + enum: + - Error + - Warning + - Debug + - Info + type: string + type: object + type: object + nodeMetricsPort: + description: + NodeMetricsPort specifies which port calico/node serves + prometheus metrics on. By default, metrics are not enabled. If specified, + this overrides any FelixConfiguration resources which may exist. + If omitted, then prometheus metrics may still be configured through + FelixConfiguration. + format: int32 + type: integer + nodeUpdateStrategy: + description: + NodeUpdateStrategy can be used to customize the desired + update strategy, such as the MaxUnavailable field. + properties: + rollingUpdate: description: - CalicoKubeControllersDeployment configures the calico-kube-controllers - Deployment. If used in conjunction with the deprecated ComponentResources, - then these overrides take precedence. + 'Rolling update config params. Present only if type + = "RollingUpdate". 
--- TODO: Update this to follow our convention + for oneOf, whatever we decide it to be. Same as Deployment `strategy.rollingUpdate`. + See https://github.com/kubernetes/kubernetes/issues/35345' properties: - metadata: - description: - Metadata is a subset of a Kubernetes object's - metadata that is added to the Deployment. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations is a map of arbitrary non-identifying - metadata. Each of these key/value pairs are added to - the object's annotations provided the key does not already - exist in the object's annotations. - type: object - labels: - additionalProperties: - type: string - description: - Labels is a map of string keys and values - that may match replicaset and service selectors. Each - of these key/value pairs are added to the object's labels - provided the key does not already exist in the object's - labels. - type: object - type: object - spec: + maxSurge: + anyOf: + - type: integer + - type: string description: - Spec is the specification of the calico-kube-controllers - Deployment. - properties: - minReadySeconds: - description: - MinReadySeconds is the minimum number of - seconds for which a newly created Deployment pod should - be ready without any of its container crashing, for - it to be considered available. If specified, this overrides - any minReadySeconds value that may be set on the calico-kube-controllers - Deployment. If omitted, the calico-kube-controllers - Deployment will use its default value for minReadySeconds. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - template: - description: - Template describes the calico-kube-controllers - Deployment pod that will be created. - properties: - metadata: - description: - Metadata is a subset of a Kubernetes - object's metadata that is added to the pod's metadata. 
- properties: - annotations: - additionalProperties: - type: string - description: - Annotations is a map of arbitrary - non-identifying metadata. Each of these key/value - pairs are added to the object's annotations - provided the key does not already exist in the - object's annotations. - type: object - labels: - additionalProperties: - type: string + "The maximum number of nodes with an existing + available DaemonSet pod that can have an updated DaemonSet + pod during during an update. Value can be an absolute number + (ex: 5) or a percentage of desired pods (ex: 10%). This + can not be 0 if MaxUnavailable is 0. Absolute number is + calculated from percentage by rounding up to a minimum of + 1. Default value is 0. Example: when this is set to 30%, + at most 30% of the total number of nodes that should be + running the daemon pod (i.e. status.desiredNumberScheduled) + can have their a new pod created before the old pod is marked + as deleted. The update starts by launching new pods on 30% + of nodes. Once an updated pod is available (Ready for at + least minReadySeconds) the old DaemonSet pod on that node + is marked deleted. If the old pod becomes unavailable for + any reason (Ready transitions to false, is evicted, or is + drained) an updated pod is immediatedly created on that + node without considering surge limits. Allowing surge implies + the possibility that the resources consumed by the daemonset + on any given node can double if the readiness check fails, + and so resource intensive daemonsets should take into account + that they may cause evictions during disruption." + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: + "The maximum number of DaemonSet pods that can + be unavailable during the update. Value can be an absolute + number (ex: 5) or a percentage of total number of DaemonSet + pods at the start of the update (ex: 10%). Absolute number + is calculated from percentage by rounding up. 
This cannot + be 0 if MaxSurge is 0 Default value is 1. Example: when + this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their pods stopped for an update at any given time. + The update starts by stopping at most 30% of those DaemonSet + pods and then brings up new DaemonSet pods in their place. + Once the new pods are available, it then proceeds onto other + DaemonSet pods, thus ensuring that at least 70% of original + number of DaemonSet pods are available at all times during + the update." + x-kubernetes-int-or-string: true + type: object + type: + description: + Type of daemon set update. Can be "RollingUpdate" + or "OnDelete". Default is RollingUpdate. + type: string + type: object + nonPrivileged: + description: + NonPrivileged configures Calico to be run in non-privileged + containers as non-root users where possible. + type: string + registry: + description: + "Registry is the default Docker registry used for component + Docker images. If specified then the given value must end with a + slash character (`/`) and all images will be pulled from this registry. + If not specified then the default registries will be used. A special + case value, UseDefault, is supported to explicitly specify the default + registries will be used. \n Image format: `/:` + \n This option allows configuring the `` portion of the + above format." + type: string + serviceCIDRs: + description: + Kubernetes Service CIDRs. Specifying this is required + when using Calico for Windows. + items: + type: string + type: array + typhaAffinity: + description: + Deprecated. Please use Installation.Spec.TyphaDeployment + instead. TyphaAffinity allows configuration of node affinity characteristics + for Typha pods. + properties: + nodeAffinity: + description: + NodeAffinity describes node affinity scheduling rules + for typha. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: + The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. + items: + description: + An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: + A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: + A list of node selector requirements + by node's labels. + items: description: - Labels is a map of string keys and - values that may match replicaset and service - selectors. Each of these key/value pairs are - added to the object's labels provided the key - does not already exist in the object's labels. + A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: + The label key that the selector + applies to. + type: string + operator: + description: + Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: + An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator type: object - type: object - spec: - description: - Spec is the calico-kube-controllers Deployment's - PodSpec. 
- properties: - affinity: + type: array + matchFields: + description: + A list of node selector requirements + by node's fields. + items: description: - "Affinity is a group of affinity - scheduling rules for the calico-kube-controllers - pods. If specified, this overrides any affinity - that may be set on the calico-kube-controllers - Deployment. If omitted, the calico-kube-controllers - Deployment will use its default value for affinity. - WARNING: Please note that this field will override - the default calico-kube-controllers Deployment - affinity." + A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: - nodeAffinity: + key: description: - Describes node affinity scheduling - rules for the pod. - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node matches the corresponding - matchExpressions; the node(s) with the - highest sum are the most preferred. + The label key that the selector + applies to. + type: string + operator: + description: + Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: + An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. 
If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: + Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: + "WARNING: Please note that if the affinity requirements + specified by this field are not met at scheduling time, + the pod will NOT be scheduled onto the node. There is no + fallback to another affinity rules with this setting. This + may cause networking disruption or even catastrophic failure! + PreferredDuringSchedulingIgnoredDuringExecution should be + used for affinity unless there is a specific well understood + reason to use RequiredDuringSchedulingIgnoredDuringExecution + and you can guarantee that the RequiredDuringSchedulingIgnoredDuringExecution + will always have sufficient nodes to satisfy the requirement. + NOTE: RequiredDuringSchedulingIgnoredDuringExecution is + set by default for AKS nodes, to avoid scheduling Typhas + on virtual-nodes. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to an update), the system may or may not try to + eventually evict the pod from its node." + properties: + nodeSelectorTerms: + description: + Required. A list of node selector terms. + The terms are ORed. + items: + description: + A null or empty node selector term matches + no objects. The requirements of them are ANDed. The + TopologySelectorTerm type implements a subset of the + NodeSelectorTerm. 
+ properties: + matchExpressions: + description: + A list of node selector requirements + by node's labels. + items: + description: + A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: + The label key that the selector + applies to. + type: string + operator: + description: + Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: + An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: + A list of node selector requirements + by node's fields. + items: + description: + A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: + The label key that the selector + applies to. + type: string + operator: + description: + Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: + An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + type: object + typhaDeployment: + description: + TyphaDeployment configures the typha Deployment. If used + in conjunction with the deprecated ComponentResources or TyphaAffinity, + then these overrides take precedence. + properties: + metadata: + description: + Metadata is a subset of a Kubernetes object's metadata + that is added to the Deployment. + properties: + annotations: + additionalProperties: + type: string + description: + Annotations is a map of arbitrary non-identifying + metadata. Each of these key/value pairs are added to the + object's annotations provided the key does not already exist + in the object's annotations. + type: object + labels: + additionalProperties: + type: string + description: + Labels is a map of string keys and values that + may match replicaset and service selectors. Each of these + key/value pairs are added to the object's labels provided + the key does not already exist in the object's labels. + type: object + type: object + spec: + description: Spec is the specification of the typha Deployment. + properties: + minReadySeconds: + description: + MinReadySeconds is the minimum number of seconds + for which a newly created Deployment pod should be ready + without any of its container crashing, for it to be considered + available. If specified, this overrides any minReadySeconds + value that may be set on the typha Deployment. If omitted, + the typha Deployment will use its default value for minReadySeconds. + format: int32 + maximum: 2147483647 + minimum: 0 + type: integer + strategy: + description: + The deployment strategy to use to replace existing + pods with new ones. + properties: + rollingUpdate: + description: + Rolling update config params. 
Present only + if DeploymentStrategyType = RollingUpdate. to be. + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: + "The maximum number of pods that can + be scheduled above the desired number of pods. Value + can be an absolute number (ex: 5) or a percentage + of desired pods (ex: 10%). This can not be 0 if + MaxUnavailable is 0. Absolute number is calculated + from percentage by rounding up. Defaults to 25%. + Example: when this is set to 30%, the new ReplicaSet + can be scaled up immediately when the rolling update + starts, such that the total number of old and new + pods do not exceed 130% of desired pods. Once old + pods have been killed, new ReplicaSet can be scaled + up further, ensuring that total number of pods running + at any time during the update is at most 130% of + desired pods." + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: + "The maximum number of pods that can + be unavailable during the update. Value can be an + absolute number (ex: 5) or a percentage of desired + pods (ex: 10%). Absolute number is calculated from + percentage by rounding down. This can not be 0 if + MaxSurge is 0. Defaults to 25%. Example: when this + is set to 30%, the old ReplicaSet can be scaled + down to 70% of desired pods immediately when the + rolling update starts. Once new pods are ready, + old ReplicaSet can be scaled down further, followed + by scaling up the new ReplicaSet, ensuring that + the total number of pods available at all times + during the update is at least 70% of desired pods." + x-kubernetes-int-or-string: true + type: object + type: object + template: + description: + Template describes the typha Deployment pod that + will be created. + properties: + metadata: + description: + Metadata is a subset of a Kubernetes object's + metadata that is added to the pod's metadata. 
+ properties: + annotations: + additionalProperties: + type: string + description: + Annotations is a map of arbitrary non-identifying + metadata. Each of these key/value pairs are added + to the object's annotations provided the key does + not already exist in the object's annotations. + type: object + labels: + additionalProperties: + type: string + description: + Labels is a map of string keys and values + that may match replicaset and service selectors. + Each of these key/value pairs are added to the object's + labels provided the key does not already exist in + the object's labels. + type: object + type: object + spec: + description: Spec is the typha Deployment's PodSpec. + properties: + affinity: + description: + "Affinity is a group of affinity scheduling + rules for the typha pods. If specified, this overrides + any affinity that may be set on the typha Deployment. + If omitted, the typha Deployment will use its default + value for affinity. If used in conjunction with + the deprecated TyphaAffinity, then this value takes + precedence. WARNING: Please note that this field + will override the default calico-typha Deployment + affinity." + properties: + nodeAffinity: + description: + Describes node affinity scheduling + rules for the pod. + properties: + ? preferredDuringSchedulingIgnoredDuringExecution + : description: + The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this field, + but it may choose a node that violates one + or more of the expressions. The node that + is most preferred is the one with the greatest + sum of weights, i.e. for each node that + meets all of the scheduling requirements + (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum + by iterating through the elements of this + field and adding "weight" to the sum if + the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the + most preferred. 
+ items: + description: + An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null preferred + scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: + A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: + A list of node selector + requirements by node's labels. + items: + description: + A node selector requirement + is a selector that contains + values, a key, and an operator + that relates the key and values. + properties: + key: + description: + The label key + that the selector applies + to. + type: string + operator: + description: + Represents a + key's relationship to a + set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: + An array of string + values. If the operator + is In or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the values + array must be empty. If + the operator is Gt or Lt, + the values array must have + a single element, which + will be interpreted as an + integer. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: + A list of node selector + requirements by node's fields. + items: + description: + A node selector requirement + is a selector that contains + values, a key, and an operator + that relates the key and values. + properties: + key: + description: + The label key + that the selector applies + to. + type: string + operator: + description: + Represents a + key's relationship to a + set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: + An array of string + values. If the operator + is In or NotIn, the values + array must be non-empty. 
+ If the operator is Exists + or DoesNotExist, the values + array must be empty. If + the operator is Gt or Lt, + the values array must have + a single element, which + will be interpreted as an + integer. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: + Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + ? requiredDuringSchedulingIgnoredDuringExecution + : description: + If the affinity requirements + specified by this field are not met at scheduling + time, the pod will not be scheduled onto + the node. If the affinity requirements specified + by this field cease to be met at some point + during pod execution (e.g. due to an update), + the system may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: + Required. A list of node + selector terms. The terms are ORed. + items: + description: + A null or empty node selector + term matches no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: + A list of node selector + requirements by node's labels. + items: + description: + A node selector requirement + is a selector that contains + values, a key, and an operator + that relates the key and values. + properties: + key: + description: + The label key + that the selector applies + to. + type: string + operator: + description: + Represents a + key's relationship to a + set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: + An array of string + values. 
If the operator + is In or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the values + array must be empty. If + the operator is Gt or Lt, + the values array must have + a single element, which + will be interpreted as an + integer. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: + A list of node selector + requirements by node's fields. + items: + description: + A node selector requirement + is a selector that contains + values, a key, and an operator + that relates the key and values. + properties: + key: + description: + The label key + that the selector applies + to. + type: string + operator: + description: + Represents a + key's relationship to a + set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: + An array of string + values. If the operator + is In or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the values + array must be empty. If + the operator is Gt or Lt, + the values array must have + a single element, which + will be interpreted as an + integer. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: + Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same node, + zone, etc. as some other pod(s)). + properties: + ? 
preferredDuringSchedulingIgnoredDuringExecution + : description: + The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this field, + but it may choose a node that violates one + or more of the expressions. The node that + is most preferred is the one with the greatest + sum of weights, i.e. for each node that + meets all of the scheduling requirements + (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum + by iterating through the elements of this + field and adding "weight" to the sum if + the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest + sum are the most preferred. + items: + description: + The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: + Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: + A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: + matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: + A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: + key is the + label key that the selector + applies to. + type: string + operator: + description: + operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: + values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: + A label query over + the set of namespaces that the + term applies to. The term is applied + to the union of the namespaces + selected by this field and the + ones listed in the namespaces + field. null selector and null + or empty namespaces list means + "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: + matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: + A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: + key is the + label key that the selector + applies to. + type: string + operator: + description: + operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: + values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is + a map of {key,value} pairs. 
+ A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: + namespaces specifies + a static list of namespace names + that the term applies to. The + term is applied to the union of + the namespaces listed in this + field and the ones selected by + namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: + This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: + weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + ? requiredDuringSchedulingIgnoredDuringExecution + : description: + If the affinity requirements + specified by this field are not met at scheduling + time, the pod will not be scheduled onto + the node. If the affinity requirements specified + by this field cease to be met at some point + during pod execution (e.g. due to a pod + label update), the system may or may not + try to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all + terms must be satisfied. 
+ items: + description: + Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this pod + should be co-located (affinity) or not + co-located (anti-affinity) with, where + co-located is defined as running on a + node whose value of the label with key + matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: + A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: + matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: + A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: + key is the label + key that the selector applies + to. + type: string + operator: + description: + operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: + values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is a map + of {key,value} pairs. A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: + A label query over the + set of namespaces that the term applies + to. 
The term is applied to the union + of the namespaces selected by this + field and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's + namespace". An empty selector ({}) + matches all namespaces. + properties: + matchExpressions: + description: + matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: + A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: + key is the label + key that the selector applies + to. + type: string + operator: + description: + operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: + values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is a map + of {key,value} pairs. A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: + namespaces specifies a + static list of namespace names that + the term applies to. The term is applied + to the union of the namespaces listed + in this field and the ones selected + by namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: + This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running on + a node whose value of the label with + key topologyKey matches that of any + node on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: + Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same + node, zone, etc. as some other pod(s)). + properties: + ? preferredDuringSchedulingIgnoredDuringExecution + : description: + The scheduler will prefer to + schedule pods to nodes that satisfy the + anti-affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with the + greatest sum of weights, i.e. for each node + that meets all of the scheduling requirements + (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" to the + sum if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + items: + description: + The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: + Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: + A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: + matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. 
+ items: + description: + A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: + key is the + label key that the selector + applies to. + type: string + operator: + description: + operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: + values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: + A label query over + the set of namespaces that the + term applies to. The term is applied + to the union of the namespaces + selected by this field and the + ones listed in the namespaces + field. null selector and null + or empty namespaces list means + "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: + matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: + A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: + key is the + label key that the selector + applies to. 
+ type: string + operator: + description: + operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: + values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: + namespaces specifies + a static list of namespace names + that the term applies to. The + term is applied to the union of + the namespaces listed in this + field and the ones selected by + namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: + This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: + weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + ? requiredDuringSchedulingIgnoredDuringExecution + : description: + If the anti-affinity requirements + specified by this field are not met at scheduling + time, the pod will not be scheduled onto + the node. If the anti-affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system may + or may not try to eventually evict the pod + from its node. When there are multiple elements, + the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all + terms must be satisfied. + items: + description: + Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this pod + should be co-located (affinity) or not + co-located (anti-affinity) with, where + co-located is defined as running on a + node whose value of the label with key + matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: + A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: + matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: + A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: + key is the label + key that the selector applies + to. + type: string + operator: + description: + operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: + values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. 
This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is a map + of {key,value} pairs. A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: + A label query over the + set of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this + field and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's + namespace". An empty selector ({}) + matches all namespaces. + properties: + matchExpressions: + description: + matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: + A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: + key is the label + key that the selector applies + to. + type: string + operator: + description: + operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: + values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is a map + of {key,value} pairs. 
A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: + namespaces specifies a + static list of namespace names that + the term applies to. The term is applied + to the union of the namespaces listed + in this field and the ones selected + by namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: + This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running on + a node whose value of the label with + key topologyKey matches that of any + node on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + containers: + description: + Containers is a list of typha containers. + If specified, this overrides the specified typha + Deployment containers. If omitted, the typha Deployment + will use its default values for its containers. + items: + description: + TyphaDeploymentContainer is a typha + Deployment container. + properties: + name: + description: + Name is an enum which identifies + the typha Deployment container by name. + enum: + - calico-typha + type: string + resources: + description: + Resources allows customization + of limits and requests for compute resources + such as cpu and memory. If specified, this + overrides the named typha Deployment container's + resources. If omitted, the typha Deployment + will use its default value for this container's + resources. 
If used in conjunction with the + deprecated ComponentResources, then this value + takes precedence. + properties: + claims: + description: + "Claims lists the names of + resources, defined in spec.resourceClaims, + that are used by this container. \n This + is an alpha field and requires enabling + the DynamicResourceAllocation feature + gate. \n This field is immutable. It can + only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Requests describes the minimum + amount of compute resources required. + If Requests is omitted for a container, + it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: object + type: object + required: + - name + type: object + type: array + initContainers: + description: + InitContainers is a list of typha init + containers. If specified, this overrides the specified + typha Deployment init containers. If omitted, the + typha Deployment will use its default values for + its init containers. + items: + description: + TyphaDeploymentInitContainer is a typha + Deployment init container. + properties: + name: + description: + Name is an enum which identifies + the typha Deployment init container by name. + enum: + - typha-certs-key-cert-provisioner + type: string + resources: + description: + Resources allows customization + of limits and requests for compute resources + such as cpu and memory. If specified, this + overrides the named typha Deployment init + container's resources. If omitted, the typha + Deployment will use its default value for + this init container's resources. If used in + conjunction with the deprecated ComponentResources, + then this value takes precedence. + properties: + claims: + description: + "Claims lists the names of + resources, defined in spec.resourceClaims, + that are used by this container. \n This + is an alpha field and requires enabling + the DynamicResourceAllocation feature + gate. \n This field is immutable. It can + only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available + inside a container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Requests describes the minimum + amount of compute resources required. + If Requests is omitted for a container, + it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: object + type: object + required: + - name + type: object + type: array + nodeSelector: + additionalProperties: + type: string + description: + "NodeSelector is the calico-typha pod's + scheduling constraints. If specified, each of the + key/value pairs are added to the calico-typha Deployment + nodeSelector provided the key does not already exist + in the object's nodeSelector. If omitted, the calico-typha + Deployment will use its default value for nodeSelector. + WARNING: Please note that this field will modify + the default calico-typha Deployment nodeSelector." + type: object + terminationGracePeriodSeconds: + description: + Optional duration in seconds the pod + needs to terminate gracefully. May be decreased + in delete request. Value must be non-negative integer. 
+ The value zero indicates stop immediately via the + kill signal (no opportunity to shut down). If this + value is nil, the default grace period will be used + instead. The grace period is the duration in seconds + after the processes running in the pod are sent + a termination signal and the time when the processes + are forcibly halted with a kill signal. Set this + value longer than the expected cleanup time for + your process. Defaults to 30 seconds. + format: int64 + type: integer + tolerations: + description: + "Tolerations is the typha pod's tolerations. + If specified, this overrides any tolerations that + may be set on the typha Deployment. If omitted, + the typha Deployment will use its default value + for tolerations. WARNING: Please note that this + field will override the default calico-typha Deployment + tolerations." + items: + description: + The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: + Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: + Key is the taint key that the toleration + applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; + this combination means to match all values + and all keys. + type: string + operator: + description: + Operator represents a key's relationship + to the value. Valid operators are Exists and + Equal. Defaults to Equal. Exists is equivalent + to wildcard for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: + TolerationSeconds represents the + period of time the toleration (which must + be of effect NoExecute, otherwise this field + is ignored) tolerates the taint. 
By default, + it is not set, which means tolerate the taint + forever (do not evict). Zero and negative + values will be treated as 0 (evict immediately) + by the system. + format: int64 + type: integer + value: + description: + Value is the taint value the toleration + matches to. If the operator is Exists, the + value should be empty, otherwise just a regular + string. + type: string + type: object + type: array + topologySpreadConstraints: + description: + TopologySpreadConstraints describes how + a group of pods ought to spread across topology + domains. Scheduler will schedule pods in a way which + abides by the constraints. All topologySpreadConstraints + are ANDed. + items: + description: + TopologySpreadConstraint specifies + how to spread matching pods among the given topology. + properties: + labelSelector: + description: + LabelSelector is used to find matching + pods. Pods that match this label selector + are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: + matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: + A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: + key is the label key + that the selector applies to. + type: string + operator: + description: + operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: + values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: + MatchLabelKeys is a set of pod + label keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those + key-value labels are ANDed with labelSelector + to select the group of existing pods over + which spreading will be calculated for the + incoming pod. Keys that don't exist in the + incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: + "MaxSkew describes the degree to + which pods may be unevenly distributed. When + `whenUnsatisfiable=DoNotSchedule`, it is the + maximum permitted difference between the number + of matching pods in the target topology and + the global minimum. The global minimum is + the minimum number of matching pods in an + eligible domain or zero if the number of eligible + domains is less than MinDomains. For example, + in a 3-zone cluster, MaxSkew is set to 1, + and pods with the same labelSelector spread + as 2/2/1: In this case, the global minimum + is 1. | zone1 | zone2 | zone3 | | P P | P + P | P | - if MaxSkew is 1, incoming pod + can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make + the ActualSkew(3-1) on zone1(zone2) violate + MaxSkew(1). - if MaxSkew is 2, incoming pod + can be scheduled onto any zone. 
When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies + that satisfy it. It's a required field. Default + value is 1 and 0 is not allowed." + format: int32 + type: integer + minDomains: + description: + "MinDomains indicates a minimum + number of eligible domains. When the number + of eligible domains with matching topology + keys is less than minDomains, Pod Topology + Spread treats \"global minimum\" as 0, and + then the calculation of Skew is performed. + And when the number of eligible domains with + matching topology keys equals or greater than + minDomains, this value has no effect on scheduling. + As a result, when the number of eligible domains + is less than minDomains, scheduler won't schedule + more than maxSkew Pods to those domains. If + value is nil, the constraint behaves as if + MinDomains is equal to 1. Valid values are + integers greater than 0. When value is not + nil, WhenUnsatisfiable must be DoNotSchedule. + \n For example, in a 3-zone cluster, MaxSkew + is set to 2, MinDomains is set to 5 and pods + with the same labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | | P P | P P | + \ P P | The number of domains is less than + 5(MinDomains), so \"global minimum\" is treated + as 0. In this situation, new pod with the + same labelSelector cannot be scheduled, because + computed skew will be 3(3 - 0) if new Pod + is scheduled to any of the three zones, it + will violate MaxSkew. \n This is a beta field + and requires the MinDomainsInPodTopologySpread + feature gate to be enabled (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: + "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. + Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in + the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the + calculations. 
\n If this value is nil, the + behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled + by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + nodeTaintsPolicy: + description: + "NodeTaintsPolicy indicates how + we will treat node taints when calculating + pod topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy. This is a beta-level feature default + enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + topologyKey: + description: + TopologyKey is the key of node + labels. Nodes that have a label with this + key and identical values are considered to + be in the same topology. We consider each + as a "bucket", and try to put + balanced number of pods into each bucket. + We define a domain as a particular instance + of a topology. Also, we define an eligible + domain as a domain whose nodes meet the requirements + of nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, + if TopologyKey is "topology.kubernetes.io/zone", + each zone is a domain of that topology. It's + a required field. + type: string + whenUnsatisfiable: + description: + 'WhenUnsatisfiable indicates how + to deal with a pod if it doesn''t satisfy + the spread constraint. - DoNotSchedule (default) + tells the scheduler not to schedule it. - + ScheduleAnyway tells the scheduler to schedule + the pod in any location, but giving higher + precedence to topologies that would help reduce + the skew. A constraint is considered "Unsatisfiable" + for an incoming pod if and only if every possible + node assignment for that pod would violate + "MaxSkew" on some topology. 
For example, in + a 3-zone cluster, MaxSkew is set to 1, and + pods with the same labelSelector spread as + 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, + incoming pod can only be scheduled to zone2(zone3) + to become 3/2/1(3/1/2) as ActualSkew(2-1) + on zone2(zone3) satisfies MaxSkew(1). In other + words, the cluster can still be imbalanced, + but scheduler won''t make it *more* imbalanced. + It''s a required field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + type: object + type: object + type: object + typhaMetricsPort: + description: + TyphaMetricsPort specifies which port calico/typha serves + prometheus metrics on. By default, metrics are not enabled. + format: int32 + type: integer + variant: + description: + "Variant is the product to install - one of Calico or + TigeraSecureEnterprise Default: Calico" + enum: + - Calico + - TigeraSecureEnterprise + type: string + windowsNodes: + description: Windows Configuration + properties: + cniBinDir: + description: + CNIBinDir is the path to the CNI binaries directory + on Windows, it must match what is used as 'bin_dir' under [plugins] + [plugins."io.containerd.grpc.v1.cri"] [plugins."io.containerd.grpc.v1.cri".cni] + on the containerd 'config.toml' file on the Windows nodes. + type: string + cniConfigDir: + description: + CNIConfigDir is the path to the CNI configuration + directory on Windows, it must match what is used as 'conf_dir' + under [plugins] [plugins."io.containerd.grpc.v1.cri"] [plugins."io.containerd.grpc.v1.cri".cni] + on the containerd 'config.toml' file on the Windows nodes. + type: string + cniLogDir: + description: + CNILogDir is the path to the Calico CNI logs directory + on Windows. 
+ type: string + vxlanAdapter: + description: + VXLANAdapter is the Network Adapter used for VXLAN, + leave blank for primary NIC + type: string + vxlanMACPrefix: + description: + VXLANMACPrefix is the prefix used when generating + MAC addresses for virtual NICs + pattern: ^[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}$ + type: string + type: object + type: object + status: + description: + Most recently observed state for the Calico or Calico Enterprise + installation. + properties: + calicoVersion: + description: + CalicoVersion shows the current running version of calico. + CalicoVersion along with Variant is needed to know the exact version + deployed. + type: string + computed: + description: + Computed is the final installation including overlaid + resources. + properties: + calicoKubeControllersDeployment: + description: + CalicoKubeControllersDeployment configures the calico-kube-controllers + Deployment. If used in conjunction with the deprecated ComponentResources, + then these overrides take precedence. + properties: + metadata: + description: + Metadata is a subset of a Kubernetes object's + metadata that is added to the Deployment. + properties: + annotations: + additionalProperties: + type: string + description: + Annotations is a map of arbitrary non-identifying + metadata. Each of these key/value pairs are added to + the object's annotations provided the key does not already + exist in the object's annotations. + type: object + labels: + additionalProperties: + type: string + description: + Labels is a map of string keys and values + that may match replicaset and service selectors. Each + of these key/value pairs are added to the object's labels + provided the key does not already exist in the object's + labels. + type: object + type: object + spec: + description: + Spec is the specification of the calico-kube-controllers + Deployment. 
+ properties: + minReadySeconds: + description: + MinReadySeconds is the minimum number of + seconds for which a newly created Deployment pod should + be ready without any of its container crashing, for + it to be considered available. If specified, this overrides + any minReadySeconds value that may be set on the calico-kube-controllers + Deployment. If omitted, the calico-kube-controllers + Deployment will use its default value for minReadySeconds. + format: int32 + maximum: 2147483647 + minimum: 0 + type: integer + template: + description: + Template describes the calico-kube-controllers + Deployment pod that will be created. + properties: + metadata: + description: + Metadata is a subset of a Kubernetes + object's metadata that is added to the pod's metadata. + properties: + annotations: + additionalProperties: + type: string + description: + Annotations is a map of arbitrary + non-identifying metadata. Each of these key/value + pairs are added to the object's annotations + provided the key does not already exist in the + object's annotations. + type: object + labels: + additionalProperties: + type: string + description: + Labels is a map of string keys and + values that may match replicaset and service + selectors. Each of these key/value pairs are + added to the object's labels provided the key + does not already exist in the object's labels. + type: object + type: object + spec: + description: + Spec is the calico-kube-controllers Deployment's + PodSpec. + properties: + affinity: + description: + "Affinity is a group of affinity + scheduling rules for the calico-kube-controllers + pods. If specified, this overrides any affinity + that may be set on the calico-kube-controllers + Deployment. If omitted, the calico-kube-controllers + Deployment will use its default value for affinity. + WARNING: Please note that this field will override + the default calico-kube-controllers Deployment + affinity." 
+ properties: + nodeAffinity: + description: + Describes node affinity scheduling + rules for the pod. + properties: + ? preferredDuringSchedulingIgnoredDuringExecution + : description: + The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: + An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: + A node selector term, + associated with the corresponding + weight. + properties: + matchExpressions: + description: + A list of node + selector requirements by node's + labels. + items: + description: + A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: + The label + key that the selector + applies to. + type: string + operator: + description: + Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: + An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. 
If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: + A list of node + selector requirements by node's + fields. + items: + description: + A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: + The label + key that the selector + applies to. + type: string + operator: + description: + Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: + An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: + Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + ? requiredDuringSchedulingIgnoredDuringExecution + : description: + If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to an update), + the system may or may not try to eventually + evict the pod from its node. 
+ properties: + nodeSelectorTerms: + description: + Required. A list of node + selector terms. The terms are ORed. + items: + description: + A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type + implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: + A list of node + selector requirements by node's + labels. + items: + description: + A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: + The label + key that the selector + applies to. + type: string + operator: + description: + Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: + An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: + A list of node + selector requirements by node's + fields. + items: + description: + A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: + The label + key that the selector + applies to. + type: string + operator: + description: + Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: + An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. 
If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: + Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + ? preferredDuringSchedulingIgnoredDuringExecution + : description: + The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + items: + description: + The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: + Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: + A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: + matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. 
+ items: + description: + A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: + key is + the label key that + the selector applies + to. + type: string + operator: + description: + operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: + values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + ? additionalProperties + : type: string + description: + matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: + A label query over + the set of namespaces that + the term applies to. The term + is applied to the union of + the namespaces selected by + this field and the ones listed + in the namespaces field. null + selector and null or empty + namespaces list means "this + pod's namespace". An empty + selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: + matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: + A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. 
+ properties: + key: + description: + key is + the label key that + the selector applies + to. + type: string + operator: + description: + operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: + values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + ? additionalProperties + : type: string + description: + matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: + namespaces specifies + a static list of namespace + names that the term applies + to. The term is applied to + the union of the namespaces + listed in this field and the + ones selected by namespaceSelector. + null or empty namespaces list + and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: + This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. 
+ type: string + required: + - topologyKey + type: object + weight: + description: + weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + ? requiredDuringSchedulingIgnoredDuringExecution + : description: + If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: + Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key matches + that of any node on which a pod of + the set of pods is running + properties: + labelSelector: + description: + A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: + matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: + A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: + key is the + label key that the selector + applies to. + type: string + operator: + description: + operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: + values is + an array of string values. 
+ If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: + A label query over + the set of namespaces that the + term applies to. The term is applied + to the union of the namespaces + selected by this field and the + ones listed in the namespaces + field. null selector and null + or empty namespaces list means + "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: + matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: + A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: + key is the + label key that the selector + applies to. + type: string + operator: + description: + operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: + values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: + namespaces specifies + a static list of namespace names + that the term applies to. The + term is applied to the union of + the namespaces listed in this + field and the ones selected by + namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: + This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: + Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + properties: + ? preferredDuringSchedulingIgnoredDuringExecution + : description: + The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. 
for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + items: + description: + The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: + Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: + A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: + matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: + A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: + key is + the label key that + the selector applies + to. + type: string + operator: + description: + operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: + values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + ? additionalProperties + : type: string + description: + matchLabels + is a map of {key,value} + pairs. 
A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: + A label query over + the set of namespaces that + the term applies to. The term + is applied to the union of + the namespaces selected by + this field and the ones listed + in the namespaces field. null + selector and null or empty + namespaces list means "this + pod's namespace". An empty + selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: + matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: + A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: + key is + the label key that + the selector applies + to. + type: string + operator: + description: + operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: + values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + ? additionalProperties + : type: string + description: + matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: + namespaces specifies + a static list of namespace + names that the term applies + to. The term is applied to + the union of the namespaces + listed in this field and the + ones selected by namespaceSelector. + null or empty namespaces list + and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: + This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: + weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + ? requiredDuringSchedulingIgnoredDuringExecution + : description: + If the anti-affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the anti-affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ items: + description: + Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key matches + that of any node on which a pod of + the set of pods is running + properties: + labelSelector: + description: + A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: + matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: + A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: + key is the + label key that the selector + applies to. + type: string + operator: + description: + operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: + values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: + A label query over + the set of namespaces that the + term applies to. 
The term is applied + to the union of the namespaces + selected by this field and the + ones listed in the namespaces + field. null selector and null + or empty namespaces list means + "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: + matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: + A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: + key is the + label key that the selector + applies to. + type: string + operator: + description: + operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: + values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: + namespaces specifies + a static list of namespace names + that the term applies to. The + term is applied to the union of + the namespaces listed in this + field and the ones selected by + namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: + This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + containers: + description: + Containers is a list of calico-kube-controllers + containers. If specified, this overrides the + specified calico-kube-controllers Deployment + containers. If omitted, the calico-kube-controllers + Deployment will use its default values for its + containers. + items: + description: + CalicoKubeControllersDeploymentContainer + is a calico-kube-controllers Deployment container. + properties: + name: + description: + Name is an enum which identifies + the calico-kube-controllers Deployment + container by name. + enum: + - calico-kube-controllers + type: string + resources: + description: + Resources allows customization + of limits and requests for compute resources + such as cpu and memory. If specified, + this overrides the named calico-kube-controllers + Deployment container's resources. If omitted, + the calico-kube-controllers Deployment + will use its default value for this container's + resources. If used in conjunction with + the deprecated ComponentResources, then + this value takes precedence. + properties: + claims: + description: + "Claims lists the names + of resources, defined in spec.resourceClaims, + that are used by this container. \n + This is an alpha field and requires + enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. 
+ properties: + name: + description: + Name must match the + name of one entry in pod.spec.resourceClaims + of the Pod where this field + is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Limits describes the maximum + amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Requests describes the + minimum amount of compute resources + required. If Requests is omitted for + a container, it defaults to Limits + if that is explicitly specified, otherwise + to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: object + type: object + required: + - name + type: object + type: array + nodeSelector: + additionalProperties: + type: string + description: + "NodeSelector is the calico-kube-controllers + pod's scheduling constraints. If specified, + each of the key/value pairs are added to the + calico-kube-controllers Deployment nodeSelector + provided the key does not already exist in the + object's nodeSelector. 
If used in conjunction + with ControlPlaneNodeSelector, that nodeSelector + is set on the calico-kube-controllers Deployment + and each of this field's key/value pairs are + added to the calico-kube-controllers Deployment + nodeSelector provided the key does not already + exist in the object's nodeSelector. If omitted, + the calico-kube-controllers Deployment will + use its default value for nodeSelector. WARNING: + Please note that this field will modify the + default calico-kube-controllers Deployment nodeSelector." + type: object + tolerations: + description: + "Tolerations is the calico-kube-controllers + pod's tolerations. If specified, this overrides + any tolerations that may be set on the calico-kube-controllers + Deployment. If omitted, the calico-kube-controllers + Deployment will use its default value for tolerations. + WARNING: Please note that this field will override + the default calico-kube-controllers Deployment + tolerations." + items: + description: + The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: + Effect indicates the taint + effect to match. Empty means match all + taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: + Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: + Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints + of a particular category. 
+ type: string + tolerationSeconds: + description: + TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. + By default, it is not set, which means + tolerate the taint forever (do not evict). + Zero and negative values will be treated + as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: + Value is the taint value the + toleration matches to. If the operator + is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + type: object + type: object + calicoNetwork: + description: + CalicoNetwork specifies networking configuration + options for Calico. + properties: + bgp: + description: + BGP configures whether or not to enable Calico's + BGP capabilities. + enum: + - Enabled + - Disabled + type: string + containerIPForwarding: + description: + "ContainerIPForwarding configures whether ip + forwarding will be enabled for containers in the CNI configuration. + Default: Disabled" + enum: + - Enabled + - Disabled + type: string + hostPorts: + description: + "HostPorts configures whether or not Calico will + support Kubernetes HostPorts. Valid only when using the + Calico CNI plugin. Default: Enabled" + enum: + - Enabled + - Disabled + type: string + ipPools: + description: + IPPools contains a list of IP pools to create + if none exist. At most one IP pool of each address family + may be specified. If omitted, a single pool will be configured + if needed. + items: + properties: + blockSize: + description: + "BlockSize specifies the CIDR prefex length + to use when allocating per-node IP blocks from the + main IP pool CIDR. Default: 26 (IPv4), 122 (IPv6)" + format: int32 + type: integer + cidr: + description: + CIDR contains the address range for the + IP Pool in classless inter-domain routing format. 
+ type: string + disableBGPExport: + default: false + description: + "DisableBGPExport specifies whether routes + from this IP pool's CIDR are exported over BGP. Default: + false" + type: boolean + encapsulation: + description: + "Encapsulation specifies the encapsulation + type that will be used with the IP Pool. Default: + IPIP" + enum: + - IPIPCrossSubnet + - IPIP + - VXLAN + - VXLANCrossSubnet + - None + type: string + natOutgoing: + description: + "NATOutgoing specifies if NAT will be enabled + or disabled for outgoing traffic. Default: Enabled" + enum: + - Enabled + - Disabled + type: string + nodeSelector: + description: + "NodeSelector specifies the node selector + that will be set for the IP Pool. Default: 'all()'" + type: string + required: + - cidr + type: object + type: array + linuxDataplane: + description: + "LinuxDataplane is used to select the dataplane + used for Linux nodes. In particular, it causes the operator + to add required mounts and environment variables for the + particular dataplane. If not specified, iptables mode is + used. Default: Iptables" + enum: + - Iptables + - BPF + - VPP + type: string + mtu: + description: + MTU specifies the maximum transmission unit to + use on the pod network. If not specified, Calico will perform + MTU auto-detection based on the cluster network. + format: int32 + type: integer + multiInterfaceMode: + description: + "MultiInterfaceMode configures what will configure + multiple interface per pod. Only valid for Calico Enterprise + installations using the Calico CNI plugin. Default: None" + enum: + - None + - Multus + type: string + nodeAddressAutodetectionV4: + description: + NodeAddressAutodetectionV4 specifies an approach + to automatically detect node IPv4 addresses. If not specified, + will use default auto-detection settings to acquire an IPv4 + address for each node. 
+ properties: + canReach: + description: + CanReach enables IP auto-detection based + on which source address on the node is used to reach + the specified IP or domain. + type: string + cidrs: + description: + CIDRS enables IP auto-detection based on + which addresses on the nodes are within one of the provided + CIDRs. + items: + type: string + type: array + firstFound: + description: + FirstFound uses default interface matching + parameters to select an interface, performing best-effort + filtering based on well-known interface names. + type: boolean + interface: + description: + Interface enables IP auto-detection based + on interfaces that match the given regex. + type: string + kubernetes: + description: + Kubernetes configures Calico to detect node + addresses based on the Kubernetes API. + enum: + - NodeInternalIP + type: string + skipInterface: + description: + SkipInterface enables IP auto-detection based + on interfaces that do not match the given regex. + type: string + type: object + nodeAddressAutodetectionV6: + description: + NodeAddressAutodetectionV6 specifies an approach + to automatically detect node IPv6 addresses. If not specified, + IPv6 addresses will not be auto-detected. + properties: + canReach: + description: + CanReach enables IP auto-detection based + on which source address on the node is used to reach + the specified IP or domain. + type: string + cidrs: + description: + CIDRS enables IP auto-detection based on + which addresses on the nodes are within one of the provided + CIDRs. + items: + type: string + type: array + firstFound: + description: + FirstFound uses default interface matching + parameters to select an interface, performing best-effort + filtering based on well-known interface names. + type: boolean + interface: + description: + Interface enables IP auto-detection based + on interfaces that match the given regex. 
+ type: string + kubernetes: + description: + Kubernetes configures Calico to detect node + addresses based on the Kubernetes API. + enum: + - NodeInternalIP + type: string + skipInterface: + description: + SkipInterface enables IP auto-detection based + on interfaces that do not match the given regex. + type: string + type: object + windowsDataplane: + description: + "WindowsDataplane is used to select the dataplane + used for Windows nodes. In particular, it causes the operator + to add required mounts and environment variables for the + particular dataplane. If not specified, it is disabled and + the operator will not render the Calico Windows nodes daemonset. + Default: Disabled" + enum: + - HNS + - Disabled + type: string + type: object + calicoNodeDaemonSet: + description: + CalicoNodeDaemonSet configures the calico-node DaemonSet. + If used in conjunction with the deprecated ComponentResources, + then these overrides take precedence. + properties: + metadata: + description: + Metadata is a subset of a Kubernetes object's + metadata that is added to the DaemonSet. + properties: + annotations: + additionalProperties: + type: string + description: + Annotations is a map of arbitrary non-identifying + metadata. Each of these key/value pairs are added to + the object's annotations provided the key does not already + exist in the object's annotations. + type: object + labels: + additionalProperties: + type: string + description: + Labels is a map of string keys and values + that may match replicaset and service selectors. Each + of these key/value pairs are added to the object's labels + provided the key does not already exist in the object's + labels. + type: object + type: object + spec: + description: + Spec is the specification of the calico-node + DaemonSet. 
+ properties: + minReadySeconds: + description: + MinReadySeconds is the minimum number of + seconds for which a newly created DaemonSet pod should + be ready without any of its container crashing, for + it to be considered available. If specified, this overrides + any minReadySeconds value that may be set on the calico-node + DaemonSet. If omitted, the calico-node DaemonSet will + use its default value for minReadySeconds. + format: int32 + maximum: 2147483647 + minimum: 0 + type: integer + template: + description: + Template describes the calico-node DaemonSet + pod that will be created. + properties: + metadata: + description: + Metadata is a subset of a Kubernetes + object's metadata that is added to the pod's metadata. + properties: + annotations: + additionalProperties: + type: string + description: + Annotations is a map of arbitrary + non-identifying metadata. Each of these key/value + pairs are added to the object's annotations + provided the key does not already exist in the + object's annotations. + type: object + labels: + additionalProperties: + type: string + description: + Labels is a map of string keys and + values that may match replicaset and service + selectors. Each of these key/value pairs are + added to the object's labels provided the key + does not already exist in the object's labels. + type: object + type: object + spec: + description: Spec is the calico-node DaemonSet's PodSpec. + properties: + affinity: + description: + "Affinity is a group of affinity + scheduling rules for the calico-node pods. If + specified, this overrides any affinity that + may be set on the calico-node DaemonSet. If + omitted, the calico-node DaemonSet will use + its default value for affinity. WARNING: Please + note that this field will override the default + calico-node DaemonSet affinity." + properties: + nodeAffinity: + description: + Describes node affinity scheduling + rules for the pod. + properties: + ? 
preferredDuringSchedulingIgnoredDuringExecution + : description: + The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. items: description: An empty preferred scheduling 
@@ -9546,38 +13050,66 @@ spec: type: object containers: description: - Containers is a list of calico-kube-controllers + Containers is a list of calico-node containers. If specified, this overrides the - specified calico-kube-controllers Deployment - containers. If omitted, the calico-kube-controllers - Deployment will use its default values for its - containers. + specified calico-node DaemonSet containers. + If omitted, the calico-node DaemonSet will use + its default values for its containers. items: description: - CalicoKubeControllersDeploymentContainer - is a calico-kube-controllers Deployment container. + CalicoNodeDaemonSetContainer is + a calico-node DaemonSet container. properties: name: description: Name is an enum which identifies - the calico-kube-controllers Deployment - container by name. + the calico-node DaemonSet container by + name. enum: - - calico-kube-controllers + - calico-node type: string resources: description: Resources allows customization of limits and requests for compute resources such as cpu and memory. If specified, - this overrides the named calico-kube-controllers - Deployment container's resources. If omitted, - the calico-kube-controllers Deployment - will use its default value for this container's - resources. If used in conjunction with - the deprecated ComponentResources, then - this value takes precedence. + this overrides the named calico-node DaemonSet + container's resources. If omitted, the + calico-node DaemonSet will use its default + value for this container's resources. + If used in conjunction with the deprecated + ComponentResources, then this value takes + precedence. properties: + claims: + description: + "Claims lists the names + of resources, defined in spec.resourceClaims, + that are used by this container. \n + This is an alpha field and requires + enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." 
+ items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the + name of one entry in pod.spec.resourceClaims + of the Pod where this field + is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -9611,304 +13143,190 @@ spec: - name type: object type: array - nodeSelector: - additionalProperties: - type: string - description: - "NodeSelector is the calico-kube-controllers - pod's scheduling constraints. If specified, - each of the key/value pairs are added to the - calico-kube-controllers Deployment nodeSelector - provided the key does not already exist in the - object's nodeSelector. If used in conjunction - with ControlPlaneNodeSelector, that nodeSelector - is set on the calico-kube-controllers Deployment - and each of this field's key/value pairs are - added to the calico-kube-controllers Deployment - nodeSelector provided the key does not already - exist in the object's nodeSelector. If omitted, - the calico-kube-controllers Deployment will - use its default value for nodeSelector. WARNING: - Please note that this field will modify the - default calico-kube-controllers Deployment nodeSelector." - type: object - tolerations: + initContainers: description: - "Tolerations is the calico-kube-controllers - pod's tolerations. If specified, this overrides - any tolerations that may be set on the calico-kube-controllers - Deployment. If omitted, the calico-kube-controllers - Deployment will use its default value for tolerations. - WARNING: Please note that this field will override - the default calico-kube-controllers Deployment - tolerations." + InitContainers is a list of calico-node + init containers. If specified, this overrides + the specified calico-node DaemonSet init containers. + If omitted, the calico-node DaemonSet will use + its default values for its init containers. items: description: - The pod this Toleration is attached - to tolerates any taint that matches the triple - using the matching operator - . + CalicoNodeDaemonSetInitContainer + is a calico-node DaemonSet init container. properties: - effect: - description: - Effect indicates the taint - effect to match. Empty means match all - taint effects. 
When specified, allowed - values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: - Key is the taint key that the - toleration applies to. Empty means match - all taint keys. If the key is empty, operator - must be Exists; this combination means - to match all values and all keys. - type: string - operator: - description: - Operator represents a key's - relationship to the value. Valid operators - are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints - of a particular category. - type: string - tolerationSeconds: - description: - TolerationSeconds represents - the period of time the toleration (which - must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. - By default, it is not set, which means - tolerate the taint forever (do not evict). - Zero and negative values will be treated - as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: - Value is the taint value the - toleration matches to. If the operator - is Exists, the value should be empty, - otherwise just a regular string. + name: + description: + Name is an enum which identifies + the calico-node DaemonSet init container + by name. + enum: + - install-cni + - hostpath-init + - flexvol-driver + - mount-bpffs + - node-certs-key-cert-provisioner + - calico-node-prometheus-server-tls-key-cert-provisioner type: string - type: object - type: array - type: object - type: object - type: object - type: object - calicoNetwork: - description: - CalicoNetwork specifies networking configuration - options for Calico. - properties: - bgp: - description: - BGP configures whether or not to enable Calico's - BGP capabilities. - enum: - - Enabled - - Disabled - type: string - containerIPForwarding: - description: - "ContainerIPForwarding configures whether ip - forwarding will be enabled for containers in the CNI configuration. 
- Default: Disabled" - enum: - - Enabled - - Disabled - type: string - hostPorts: - description: - "HostPorts configures whether or not Calico will - support Kubernetes HostPorts. Valid only when using the - Calico CNI plugin. Default: Enabled" - enum: - - Enabled - - Disabled - type: string - ipPools: - description: - IPPools contains a list of IP pools to create - if none exist. At most one IP pool of each address family - may be specified. If omitted, a single pool will be configured - if needed. - items: - properties: - blockSize: - description: - "BlockSize specifies the CIDR prefex length - to use when allocating per-node IP blocks from the - main IP pool CIDR. Default: 26 (IPv4), 122 (IPv6)" - format: int32 - type: integer - cidr: - description: - CIDR contains the address range for the - IP Pool in classless inter-domain routing format. - type: string - disableBGPExport: - default: false - description: - "DisableBGPExport specifies whether routes - from this IP pool's CIDR are exported over BGP. Default: - false" - type: boolean - encapsulation: - description: - "Encapsulation specifies the encapsulation - type that will be used with the IP Pool. Default: - IPIP" - enum: - - IPIPCrossSubnet - - IPIP - - VXLAN - - VXLANCrossSubnet - - None - type: string - natOutgoing: - description: - "NATOutgoing specifies if NAT will be enabled - or disabled for outgoing traffic. Default: Enabled" - enum: - - Enabled - - Disabled - type: string - nodeSelector: - description: - "NodeSelector specifies the node selector - that will be set for the IP Pool. Default: 'all()'" - type: string - required: - - cidr - type: object - type: array - linuxDataplane: - description: - "LinuxDataplane is used to select the dataplane - used for Linux nodes. In particular, it causes the operator - to add required mounts and environment variables for the - particular dataplane. If not specified, iptables mode is - used. 
Default: Iptables" - enum: - - Iptables - - BPF - - VPP - type: string - mtu: - description: - MTU specifies the maximum transmission unit to - use on the pod network. If not specified, Calico will perform - MTU auto-detection based on the cluster network. - format: int32 - type: integer - multiInterfaceMode: - description: - "MultiInterfaceMode configures what will configure - multiple interface per pod. Only valid for Calico Enterprise - installations using the Calico CNI plugin. Default: None" - enum: - - None - - Multus - type: string - nodeAddressAutodetectionV4: - description: - NodeAddressAutodetectionV4 specifies an approach - to automatically detect node IPv4 addresses. If not specified, - will use default auto-detection settings to acquire an IPv4 - address for each node. - properties: - canReach: - description: - CanReach enables IP auto-detection based - on which source address on the node is used to reach - the specified IP or domain. - type: string - cidrs: - description: - CIDRS enables IP auto-detection based on - which addresses on the nodes are within one of the provided - CIDRs. - items: - type: string - type: array - firstFound: - description: - FirstFound uses default interface matching - parameters to select an interface, performing best-effort - filtering based on well-known interface names. - type: boolean - interface: - description: - Interface enables IP auto-detection based - on interfaces that match the given regex. - type: string - kubernetes: - description: - Kubernetes configures Calico to detect node - addresses based on the Kubernetes API. - enum: - - NodeInternalIP - type: string - skipInterface: - description: - SkipInterface enables IP auto-detection based - on interfaces that do not match the given regex. - type: string - type: object - nodeAddressAutodetectionV6: - description: - NodeAddressAutodetectionV6 specifies an approach - to automatically detect node IPv6 addresses. 
If not specified, - IPv6 addresses will not be auto-detected. - properties: - canReach: - description: - CanReach enables IP auto-detection based - on which source address on the node is used to reach - the specified IP or domain. - type: string - cidrs: - description: - CIDRS enables IP auto-detection based on - which addresses on the nodes are within one of the provided - CIDRs. - items: - type: string - type: array - firstFound: - description: - FirstFound uses default interface matching - parameters to select an interface, performing best-effort - filtering based on well-known interface names. - type: boolean - interface: - description: - Interface enables IP auto-detection based - on interfaces that match the given regex. - type: string - kubernetes: - description: - Kubernetes configures Calico to detect node - addresses based on the Kubernetes API. - enum: - - NodeInternalIP - type: string - skipInterface: - description: - SkipInterface enables IP auto-detection based - on interfaces that do not match the given regex. - type: string + resources: + description: + Resources allows customization + of limits and requests for compute resources + such as cpu and memory. If specified, + this overrides the named calico-node DaemonSet + init container's resources. If omitted, + the calico-node DaemonSet will use its + default value for this container's resources. + If used in conjunction with the deprecated + ComponentResources, then this value takes + precedence. + properties: + claims: + description: + "Claims lists the names + of resources, defined in spec.resourceClaims, + that are used by this container. \n + This is an alpha field and requires + enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. 
+ properties: + name: + description: + Name must match the + name of one entry in pod.spec.resourceClaims + of the Pod where this field + is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Limits describes the maximum + amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Requests describes the + minimum amount of compute resources + required. If Requests is omitted for + a container, it defaults to Limits + if that is explicitly specified, otherwise + to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + type: object + type: object + required: + - name + type: object + type: array + nodeSelector: + additionalProperties: + type: string + description: + "NodeSelector is the calico-node + pod's scheduling constraints. If specified, + each of the key/value pairs are added to the + calico-node DaemonSet nodeSelector provided + the key does not already exist in the object's + nodeSelector. If omitted, the calico-node DaemonSet + will use its default value for nodeSelector. + WARNING: Please note that this field will modify + the default calico-node DaemonSet nodeSelector." 
+ type: object + tolerations: + description: + "Tolerations is the calico-node pod's + tolerations. If specified, this overrides any + tolerations that may be set on the calico-node + DaemonSet. If omitted, the calico-node DaemonSet + will use its default value for tolerations. + WARNING: Please note that this field will override + the default calico-node DaemonSet tolerations." + items: + description: + The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: + Effect indicates the taint + effect to match. Empty means match all + taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: + Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: + Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints + of a particular category. + type: string + tolerationSeconds: + description: + TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. + By default, it is not set, which means + tolerate the taint forever (do not evict). + Zero and negative values will be treated + as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: + Value is the taint value the + toleration matches to. If the operator + is Exists, the value should be empty, + otherwise just a regular string. 
+ type: string + type: object + type: array + type: object + type: object type: object type: object - calicoNodeDaemonSet: + calicoNodeWindowsDaemonSet: description: - CalicoNodeDaemonSet configures the calico-node DaemonSet. - If used in conjunction with the deprecated ComponentResources, - then these overrides take precedence. + CalicoNodeWindowsDaemonSet configures the calico-node-windows + DaemonSet. properties: metadata: description: @@ -9937,7 +13355,7 @@ spec: type: object spec: description: - Spec is the specification of the calico-node + Spec is the specification of the calico-node-windows DaemonSet. properties: minReadySeconds: @@ -9946,17 +13364,17 @@ spec: seconds for which a newly created DaemonSet pod should be ready without any of its container crashing, for it to be considered available. If specified, this overrides - any minReadySeconds value that may be set on the calico-node - DaemonSet. If omitted, the calico-node DaemonSet will - use its default value for minReadySeconds. + any minReadySeconds value that may be set on the calico-node-windows + DaemonSet. If omitted, the calico-node-windows DaemonSet + will use its default value for minReadySeconds. format: int32 maximum: 2147483647 minimum: 0 type: integer template: description: - Template describes the calico-node DaemonSet - pod that will be created. + Template describes the calico-node-windows + DaemonSet pod that will be created. properties: metadata: description: 
@@ -9985,18 +13403,20 @@ spec: type: object type: object spec: - description: Spec is the calico-node DaemonSet's PodSpec. + description: + Spec is the calico-node-windows DaemonSet's + PodSpec. properties: affinity: description: "Affinity is a group of affinity - scheduling rules for the calico-node pods. If - specified, this overrides any affinity that - may be set on the calico-node DaemonSet. If - omitted, the calico-node DaemonSet will use - its default value for affinity. WARNING: Please - note that this field will override the default - calico-node DaemonSet affinity." + scheduling rules for the calico-node-windows + pods. If specified, this overrides any affinity + that may be set on the calico-node-windows DaemonSet. + If omitted, the calico-node-windows DaemonSet + will use its default value for affinity. WARNING: + Please note that this field will override the + default calico-node-windows DaemonSet affinity." properties: nodeAffinity: description: 
@@ -11228,37 +14648,66 @@ spec: type: object containers: description: - Containers is a list of calico-node + Containers is a list of calico-node-windows containers. If specified, this overrides the - specified calico-node DaemonSet containers. - If omitted, the calico-node DaemonSet will use - its default values for its containers. + specified calico-node-windows DaemonSet containers. + If omitted, the calico-node-windows DaemonSet + will use its default values for its containers. items: description: - CalicoNodeDaemonSetContainer is - a calico-node DaemonSet container. + CalicoNodeWindowsDaemonSetContainer + is a calico-node-windows DaemonSet container. properties: name: description: Name is an enum which identifies - the calico-node DaemonSet container by - name. + the calico-node-windows DaemonSet container + by name. enum: - - calico-node + - calico-node-windows type: string resources: description: Resources allows customization of limits and requests for compute resources such as cpu and memory. If specified, - this overrides the named calico-node DaemonSet - container's resources. If omitted, the - calico-node DaemonSet will use its default - value for this container's resources. - If used in conjunction with the deprecated - ComponentResources, then this value takes - precedence. + this overrides the named calico-node-windows + DaemonSet container's resources. If omitted, + the calico-node-windows DaemonSet will + use its default value for this container's + resources. If used in conjunction with + the deprecated ComponentResources, then + this value takes precedence. properties: + claims: + description: + "Claims lists the names + of resources, defined in spec.resourceClaims, + that are used by this container. \n + This is an alpha field and requires + enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." 
+ items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the + name of one entry in pod.spec.resourceClaims + of the Pod where this field + is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -11294,42 +14743,72 @@ spec: type: array initContainers: description: - InitContainers is a list of calico-node + InitContainers is a list of calico-node-windows init containers. If specified, this overrides - the specified calico-node DaemonSet init containers. - If omitted, the calico-node DaemonSet will use - its default values for its init containers. + the specified calico-node-windows DaemonSet + init containers. If omitted, the calico-node-windows + DaemonSet will use its default values for its + init containers. items: description: - CalicoNodeDaemonSetInitContainer - is a calico-node DaemonSet init container. + CalicoNodeWindowsDaemonSetInitContainer + is a calico-node-windows DaemonSet init container. properties: name: description: Name is an enum which identifies - the calico-node DaemonSet init container - by name. + the calico-node-windows DaemonSet init + container by name. enum: - install-cni - hostpath-init - flexvol-driver - mount-bpffs - node-certs-key-cert-provisioner - - calico-node-prometheus-server-tls-key-cert-provisioner + - calico-node-windows-prometheus-server-tls-key-cert-provisioner type: string resources: description: Resources allows customization of limits and requests for compute resources such as cpu and memory. If specified, - this overrides the named calico-node DaemonSet - init container's resources. If omitted, - the calico-node DaemonSet will use its - default value for this container's resources. - If used in conjunction with the deprecated - ComponentResources, then this value takes - precedence. + this overrides the named calico-node-windows + DaemonSet init container's resources. + If omitted, the calico-node-windows DaemonSet + will use its default value for this container's + resources. If used in conjunction with + the deprecated ComponentResources, then + this value takes precedence. 
properties: + claims: + description: + "Claims lists the names + of resources, defined in spec.resourceClaims, + that are used by this container. \n + This is an alpha field and requires + enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the + name of one entry in pod.spec.resourceClaims + of the Pod where this field + is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -11367,25 +14846,25 @@ spec: additionalProperties: type: string description: - "NodeSelector is the calico-node + "NodeSelector is the calico-node-windows pod's scheduling constraints. If specified, each of the key/value pairs are added to the - calico-node DaemonSet nodeSelector provided + calico-node-windows DaemonSet nodeSelector provided the key does not already exist in the object's - nodeSelector. If omitted, the calico-node DaemonSet - will use its default value for nodeSelector. + nodeSelector. If omitted, the calico-node-windows + DaemonSet will use its default value for nodeSelector. WARNING: Please note that this field will modify - the default calico-node DaemonSet nodeSelector." + the default calico-node-windows DaemonSet nodeSelector." type: object tolerations: description: - "Tolerations is the calico-node pod's - tolerations. If specified, this overrides any - tolerations that may be set on the calico-node - DaemonSet. If omitted, the calico-node DaemonSet - will use its default value for tolerations. + "Tolerations is the calico-node-windows + pod's tolerations. If specified, this overrides + any tolerations that may be set on the calico-node-windows + DaemonSet. If omitted, the calico-node-windows + DaemonSet will use its default value for tolerations. WARNING: Please note that this field will override - the default calico-node DaemonSet tolerations." + the default calico-node-windows DaemonSet tolerations." items: description: The pod this Toleration is attached @@ -11445,8 +14924,9 @@ spec: type: object calicoWindowsUpgradeDaemonSet: description: - CalicoWindowsUpgradeDaemonSet configures the calico-windows-upgrade - DaemonSet. + Deprecated. The CalicoWindowsUpgradeDaemonSet is + deprecated and will be removed from the API in the future. CalicoWindowsUpgradeDaemonSet + configures the calico-windows-upgrade DaemonSet. properties: metadata: description: 
@@ -12798,6 +16278,35 @@ spec: use its default value for this container's resources. properties: + claims: + description: + "Claims lists the names + of resources, defined in spec.resourceClaims, + that are used by this container. \n + This is an alpha field and requires + enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the + name of one entry in pod.spec.resourceClaims + of the Pod where this field + is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -13046,6 +16555,32 @@ spec: limits and requests for compute resources such as cpu and memory. properties: + claims: + description: + "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: + ResourceClaim references one entry in + PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where + this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -14496,6 +18031,35 @@ spec: its default value for this container's resources. properties: + claims: + description: + "Claims lists the names + of resources, defined in spec.resourceClaims, + that are used by this container. \n + This is an alpha field and requires + enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the + name of one entry in pod.spec.resourceClaims + of the Pod where this field + is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -14819,6 +18383,13 @@ spec: \n This option allows configuring the `` portion of the above format." type: string + serviceCIDRs: + description: + Kubernetes Service CIDRs. Specifying this is required + when using Calico for Windows. + items: + type: string + type: array typhaAffinity: description: Deprecated. Please use Installation.Spec.TyphaDeployment 
@@ -16480,6 +20051,35 @@ spec: ComponentResources, then this value takes precedence. properties: + claims: + description: + "Claims lists the names + of resources, defined in spec.resourceClaims, + that are used by this container. \n + This is an alpha field and requires + enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the + name of one entry in pod.spec.resourceClaims + of the Pod where this field + is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -16546,6 +20146,35 @@ spec: ComponentResources, then this value takes precedence. properties: + claims: + description: + "Claims lists the names + of resources, defined in spec.resourceClaims, + that are used by this container. \n + This is an alpha field and requires + enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: + ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: + Name must match the + name of one entry in pod.spec.resourceClaims + of the Pod where this field + is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -16844,8 +20473,8 @@ spec: are ignored. All nodes are included in the calculations. \n If this value is nil, the behavior is equivalent to the - Honor policy. This is a alpha-level feature - enabled by the NodeInclusionPolicyInPodTopologySpread + Honor policy. This is a beta-level feature + default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag." type: string nodeTaintsPolicy: @@ -16859,7 +20488,7 @@ spec: node taints are ignored. All nodes are included. \n If this value is nil, the behavior is equivalent to the Ignore policy. - This is a alpha-level feature enabled + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag." type: string @@ -16933,6 +20562,40 @@ spec: - Calico - TigeraSecureEnterprise type: string + windowsNodes: + description: Windows Configuration + properties: + cniBinDir: + description: + CNIBinDir is the path to the CNI binaries directory + on Windows, it must match what is used as 'bin_dir' under + [plugins] [plugins."io.containerd.grpc.v1.cri"] [plugins."io.containerd.grpc.v1.cri".cni] + on the containerd 'config.toml' file on the Windows nodes. + type: string + cniConfigDir: + description: + CNIConfigDir is the path to the CNI configuration + directory on Windows, it must match what is used as 'conf_dir' + under [plugins] [plugins."io.containerd.grpc.v1.cri"] [plugins."io.containerd.grpc.v1.cri".cni] + on the containerd 'config.toml' file on the Windows nodes. + type: string + cniLogDir: + description: + CNILogDir is the path to the Calico CNI logs + directory on Windows. + type: string + vxlanAdapter: + description: + VXLANAdapter is the Network Adapter used for + VXLAN, leave blank for primary NIC + type: string + vxlanMACPrefix: + description: + VXLANMACPrefix is the prefix used when generating + MAC addresses for virtual NICs + pattern: ^[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}$ + type: string + type: object type: object conditions: description: 
diff --git a/charts/tigera-operator/templates/_helpers.tpl b/charts/tigera-operator/templates/_helpers.tpl
index 546c52f0..08f51c45 100644
--- a/charts/tigera-operator/templates/_helpers.tpl
+++ b/charts/tigera-operator/templates/_helpers.tpl
@@ -34,12 +34,10 @@ Create chart name and version as used by the chart label.
 Common labels
 */}}
 {{- define "tigera-operator.labels" -}}
-helm.sh/chart: {{ include "tigera-operator.chart" . }}
 {{ include "tigera-operator.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+helm.sh/chart: {{ include "tigera-operator.chart" . }}
 {{- with .Values.commonLabels }}
 {{ toYaml . }}
 {{- end }}
diff --git a/charts/tigera-operator/templates/job-uninstall.yaml b/charts/tigera-operator/templates/job-uninstall.yaml
new file mode 100644
index 00000000..98eecbe5
--- /dev/null
+++ b/charts/tigera-operator/templates/job-uninstall.yaml
@@ -0,0 +1,82 @@
+{{- if .Values.uninstall.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "tigera-operator.fullname" . }}-uninstall
+ namespace: {{.Release.Namespace}}
+ labels:
+ app.kubernetes.io/name: {{ include "tigera-operator.name" . }}-uninstall
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ helm.sh/chart: {{ include "tigera-operator.chart" . }}
+ {{- with .Values.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ annotations:
+ helm.sh/hook: pre-delete
+ helm.sh/hook-weight: "-5"
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+spec:
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "tigera-operator.name" . }}-uninstall
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ restartPolicy: Never
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "tigera-operator.serviceAccountName" . }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.priorityClassName }}
+ priorityClassName: {{ . | quote }}
+ {{- end }}
+ hostNetwork: {{ .Values.hostNetwork }}
+ dnsPolicy: {{ .Values.dnsPolicy }}
+ containers:
+ - name: tigera-operator
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ image: {{ include "tigera-operator.image" .
}}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: OPERATOR_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ command:
+ - operator
+ args: ["-pre-delete"]
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ {{- $_ := include "tigera-operator.patchAffinity" $ }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/tigera-operator/values.yaml b/charts/tigera-operator/values.yaml
index ac3359a9..31d6655f 100644
--- a/charts/tigera-operator/values.yaml
+++ b/charts/tigera-operator/values.yaml
@@ -81,3 +81,6 @@ installation:
 apiServer:
 enabled: false
 spec: {}
+
+uninstall:
+ enabled: true
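Review bot: The Job `spec` in job-uninstall.yaml sets neither `backoffLimit` nor `activeDeadlineSeconds`, so with `restartPolicy: Never` a failing pre-delete hook is retried up to the Kubernetes default, and every attempt runs the operator image under the operator's own ServiceAccount (`serviceAccountName: {{ include "tigera-operator.serviceAccountName" . }}`) with `hostNetwork: {{ .Values.hostNetwork }}`. That account's RBAC is not visible in this hunk, but it is presumably broad, so bounding the hook directly under `spec:`, for example `backoffLimit: 1` and `activeDeadlineSeconds: 300` (illustrative values, to be tuned to how long `-pre-delete` takes), keeps a broken uninstall from re-running a highly privileged pod and from holding `helm uninstall` until its timeout. The hook policy `before-hook-creation,hook-succeeded` leaves a failed Job behind, which deserves a comment such as `# failed hook Jobs are kept for debugging; delete them manually`. The container `securityContext` is rendered only when `.Values.securityContext` is set, so whether the hook pod runs restricted depends on chart defaults outside this hunk, and the template would benefit from a comment stating that it mirrors the operator Deployment's pod settings on purpose.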