{{define "handlerPrefix"}}{{with $prefix := .HandlerPrefix}}{{$prefix | printf "%s-"}}{{end -}}{{end}} --- apiVersion: apps/v1 kind: Deployment metadata: name: {{template "handlerPrefix" .}}nmstate-metrics namespace: {{ .HandlerNamespace }} labels: prometheus.nmstate.io: "true" app: kubernetes-nmstate component: kubernetes-nmstate-metrics spec: replicas: 1 strategy: type: Recreate selector: matchLabels: name: {{template "handlerPrefix" .}}nmstate-metrics template: metadata: labels: prometheus.nmstate.io: "true" app: kubernetes-nmstate component: kubernetes-nmstate-metrics name: {{template "handlerPrefix" .}}nmstate-metrics annotations: description: kubernetes-nmstate-metrics dump nmstate metrics target.workload.openshift.io/management: | {"effect": "PreferredDuringScheduling"} spec: serviceAccountName: {{template "handlerPrefix" .}}nmstate-handler nodeSelector: {{ toYaml .InfraNodeSelector | nindent 8 }} tolerations: {{ toYaml .InfraTolerations | nindent 8 }} affinity: {{ toYaml .WebhookAffinity | nindent 8 }} topologySpreadConstraints: - maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: DoNotSchedule labelSelector: matchLabels: component: kubernetes-nmstate-metrics priorityClassName: system-cluster-critical containers: - name: nmstate-metrics args: - --zap-time-encoding=iso8601 # Replace this with the built image name image: {{ .HandlerImage }} imagePullPolicy: {{ .HandlerPullPolicy }} command: - manager resources: requests: cpu: "30m" memory: "20Mi" limits: cpu: "500m" memory: "1Gi" terminationMessagePolicy: FallbackToLogsOnError env: - name: WATCH_NAMESPACE value: "" - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: RUN_METRICS_MANAGER value: "" - name: OPERATOR_NAME value: "{{template "handlerPrefix" .}}nmstate" - name: ENABLE_PROFILER value: "False" - name: PROFILER_PORT value: "6060" - args: - --logtostderr - --secure-listen-address=:8443 - --upstream=http://127.0.0.1:8089 securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL image: {{ .KubeRBACProxyImage }} imagePullPolicy: IfNotPresent name: kube-rbac-proxy ports: - containerPort: 8443 name: metrics protocol: TCP readinessProbe: tcpSocket: port: metrics initialDelaySeconds: 10 periodSeconds: 10 livenessProbe: tcpSocket: port: metrics initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 1 successThreshold: 1 failureThreshold: 3 resources: requests: cpu: "10m" memory: "20Mi" limits: cpu: "500m" memory: "1Gi" terminationMessagePolicy: FallbackToLogsOnError --- apiVersion: apps/v1 kind: Deployment metadata: name: {{template "handlerPrefix" .}}nmstate-webhook namespace: {{ .HandlerNamespace }} labels: app: kubernetes-nmstate component: kubernetes-nmstate-webhook spec: replicas: {{ .WebhookReplicas }} strategy: type: Recreate selector: matchLabels: name: {{template "handlerPrefix" .}}nmstate-webhook template: metadata: labels: app: kubernetes-nmstate component: kubernetes-nmstate-webhook name: {{template "handlerPrefix" .}}nmstate-webhook annotations: description: kubernetes-nmstate-webhook resets NNCP status target.workload.openshift.io/management: | {"effect": "PreferredDuringScheduling"} spec: serviceAccountName: {{template "handlerPrefix" .}}nmstate-handler nodeSelector: {{ toYaml .InfraNodeSelector | nindent 8 }} tolerations: {{ toYaml .InfraTolerations | nindent 8 }} affinity: {{ toYaml .WebhookAffinity | nindent 8 }} topologySpreadConstraints: - maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: DoNotSchedule labelSelector: matchLabels: component: kubernetes-nmstate-webhook priorityClassName: system-cluster-critical containers: - name: nmstate-webhook args: - --zap-time-encoding=iso8601 # Replace this with the built image name image: {{ .HandlerImage }} imagePullPolicy: {{ .HandlerPullPolicy }} command: - manager resources: requests: cpu: "30m" memory: "20Mi" limits: cpu: "500m" memory: "1Gi" terminationMessagePolicy: FallbackToLogsOnError env: - name: WATCH_NAMESPACE value: "" - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: RUN_WEBHOOK_SERVER value: "" - name: OPERATOR_NAME value: "{{template "handlerPrefix" .}}nmstate" - name: ENABLE_PROFILER value: "False" - name: PROFILER_PORT value: "6060" ports: - containerPort: 9443 name: webhook-server protocol: TCP readinessProbe: httpGet: path: /readyz port: webhook-server scheme: HTTPS httpHeaders: - name: Content-Type value: application/json initialDelaySeconds: 10 periodSeconds: 10 livenessProbe: httpGet: path: /readyz port: webhook-server scheme: HTTPS httpHeaders: - name: Content-Type value: application/json initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 1 successThreshold: 1 failureThreshold: 3 volumeMounts: - name: tls-key-pair readOnly: true mountPath: /tmp/k8s-webhook-server/serving-certs/ volumes: - name: tls-key-pair secret: {{- if not .IsOpenShift }} secretName: {{template "handlerPrefix" .}}nmstate-webhook {{- else }} secretName: {{template "handlerPrefix" .}}openshift-nmstate-webhook {{- end }} {{- if not .IsOpenShift }} --- apiVersion: apps/v1 kind: Deployment metadata: name: {{template "handlerPrefix" .}}nmstate-cert-manager namespace: {{ .HandlerNamespace }} labels: app: kubernetes-nmstate component: kubernetes-nmstate-cert-manager spec: replicas: 1 strategy: type: Recreate selector: matchLabels: name: {{template "handlerPrefix" .}}nmstate-cert-manager template: metadata: labels: app: kubernetes-nmstate component: kubernetes-nmstate-cert-manager name: {{template "handlerPrefix" .}}nmstate-cert-manager annotations: description: kubernetes-nmstate-webhook rotate webhook certs target.workload.openshift.io/management: | {"effect": "PreferredDuringScheduling"} spec: serviceAccountName: {{template "handlerPrefix" .}}nmstate-handler nodeSelector: {{ toYaml .InfraNodeSelector | nindent 8 }} tolerations: {{ toYaml .InfraTolerations | nindent 8 }} affinity: {{ toYaml .WebhookAffinity | nindent 8 }} priorityClassName: system-cluster-critical containers: - name: nmstate-cert-manager args: - --zap-time-encoding=iso8601 # Replace this with the built image name image: {{ .HandlerImage }} imagePullPolicy: {{ .HandlerPullPolicy }} command: - manager resources: requests: cpu: "30m" memory: "30Mi" limits: cpu: "500m" memory: "1Gi" terminationMessagePolicy: FallbackToLogsOnError env: - name: WATCH_NAMESPACE value: "" - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: COMPONENT valueFrom: fieldRef: fieldPath: metadata.labels['app.kubernetes.io/component'] - name: PART_OF valueFrom: fieldRef: fieldPath: metadata.labels['app.kubernetes.io/part-of'] - name: VERSION valueFrom: fieldRef: fieldPath: metadata.labels['app.kubernetes.io/version'] - name: MANAGED_BY valueFrom: fieldRef: fieldPath: metadata.labels['app.kubernetes.io/managed-by'] - name: RUN_CERT_MANAGER value: "" - name: OPERATOR_NAME value: "{{template "handlerPrefix" .}}nmstate" - name: ENABLE_PROFILER value: "False" - name: PROFILER_PORT value: "6060" - name: CA_ROTATE_INTERVAL value: {{ .SelfSignConfiguration.CARotateInterval }} - name: CA_OVERLAP_INTERVAL value: {{ .SelfSignConfiguration.CAOverlapInterval }} - name: CERT_ROTATE_INTERVAL value: {{ .SelfSignConfiguration.CertRotateInterval }} - name: CERT_OVERLAP_INTERVAL value: {{ .SelfSignConfiguration.CertOverlapInterval }} {{- end }} --- apiVersion: apps/v1 kind: DaemonSet metadata: name: {{template "handlerPrefix" .}}nmstate-handler namespace: {{ .HandlerNamespace }} labels: app: kubernetes-nmstate component: kubernetes-nmstate-handler spec: selector: matchLabels: name: {{template "handlerPrefix" .}}nmstate-handler updateStrategy: type: RollingUpdate rollingUpdate: maxUnavailable: 10% template: metadata: labels: app: kubernetes-nmstate component: kubernetes-nmstate-handler name: {{template "handlerPrefix" .}}nmstate-handler annotations: description: kubernetes-nmstate-handler configures and presents node networking, reconciling declerative NNCP and reports with NNS and NNCE target.workload.openshift.io/management: | {"effect": "PreferredDuringScheduling"} spec: # Needed to force vlan filtering config with iproute commands until # future nmstate/NM is in place. # https://github.com/nmstate/nmstate/pull/440 hostNetwork: true # Use Default to get node's DNS configuration [1] # [1] https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy dnsPolicy: Default serviceAccountName: {{template "handlerPrefix" .}}nmstate-handler nodeSelector: {{ toYaml .HandlerNodeSelector | nindent 8 }} tolerations: {{ toYaml .HandlerTolerations | nindent 8 }} affinity: {{ toYaml .HandlerAffinity | nindent 8 }} priorityClassName: system-node-critical containers: - name: nmstate-handler args: - --zap-time-encoding=iso8601 {{- if .LogLevelHandlerCommandArg }} - --v - "{{ .LogLevelHandlerCommandArg }}" {{- end }} # Replace this with the built image name image: {{ .HandlerImage }} imagePullPolicy: {{ .HandlerPullPolicy }} command: - manager resources: requests: cpu: "100m" memory: "100Mi" limits: cpu: "500m" memory: "1Gi" terminationMessagePolicy: FallbackToLogsOnError env: - name: WATCH_NAMESPACE value: "" - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: COMPONENT valueFrom: fieldRef: fieldPath: metadata.labels['app.kubernetes.io/component'] - name: PART_OF valueFrom: fieldRef: fieldPath: metadata.labels['app.kubernetes.io/part-of'] - name: VERSION valueFrom: fieldRef: fieldPath: metadata.labels['app.kubernetes.io/version'] - name: MANAGED_BY valueFrom: fieldRef: fieldPath: metadata.labels['app.kubernetes.io/managed-by'] - name: OPERATOR_NAME value: "{{template "handlerPrefix" .}}nmstate" - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: ENABLE_PROFILER value: "False" - name: PROFILER_PORT value: "6060" - name: NMSTATE_INSTANCE_NODE_LOCK_FILE value: "/var/k8s_nmstate/handler_lock" - name: PROBE_DNS_HOST value: "{{ .ProbeConfiguration.DNS.Host }}" - name: METRICS_BIND_ADDRESS value: "{{ .MetricsConfiguration.BindAddress }}" volumeMounts: - name: dbus-socket mountPath: /run/dbus/system_bus_socket - name: nmstate-lock mountPath: /var/k8s_nmstate - name: ovs-socket mountPath: /run/openvswitch securityContext: privileged: true readinessProbe: exec: command: - cat - /tmp/healthy initialDelaySeconds: 5 periodSeconds: 5 timeoutSeconds: 1 livenessProbe: exec: command: - bash - -c - "nmstatectl show {{ .HandlerReadinessProbeExtraArg }} 2>&1" initialDelaySeconds: 60 periodSeconds: 60 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 5 volumes: - name: dbus-socket hostPath: path: /run/dbus/system_bus_socket type: Socket - name: nmstate-lock hostPath: path: /var/k8s_nmstate - name: ovs-socket hostPath: path: /run/openvswitch --- apiVersion: v1 kind: Service metadata: name: {{template "handlerPrefix" .}}nmstate-webhook namespace: {{ .HandlerNamespace }} annotations: service.beta.openshift.io/serving-cert-secret-name: {{template "handlerPrefix" .}}openshift-nmstate-webhook labels: app: kubernetes-nmstate spec: publishNotReadyAddresses: true ports: - port: 443 targetPort: 9443 selector: name: {{template "handlerPrefix" .}}nmstate-webhook --- apiVersion: v1 kind: Service metadata: name: {{template "handlerPrefix" .}}nmstate-monitor namespace: {{ .HandlerNamespace }} labels: prometheus.nmstate.io: "true" spec: ports: - name: metrics port: 8443 protocol: TCP targetPort: metrics selector: prometheus.nmstate.io: "true" sessionAffinity: None type: ClusterIP --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: {{template "handlerPrefix" .}}nmstate annotations: service.beta.openshift.io/inject-cabundle: "true" labels: app: kubernetes-nmstate webhooks: - name: nodenetworkconfigurationpolicies-mutate.nmstate.io admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None clientConfig: service: name: {{template "handlerPrefix" .}}nmstate-webhook namespace: {{ .HandlerNamespace }} path: "/nodenetworkconfigurationpolicies-mutate" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["*"] apiVersions: ["v1alpha1","v1beta1","v1"] resources: ["nodenetworkconfigurationpolicies"] - name: nodenetworkconfigurationpolicies-status-mutate.nmstate.io admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None clientConfig: service: name: {{template "handlerPrefix" .}}nmstate-webhook namespace: {{ .HandlerNamespace }} path: "/nodenetworkconfigurationpolicies-status-mutate" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["*"] apiVersions: ["v1alpha1","v1beta1","v1"] resources: ["nodenetworkconfigurationpolicies/status"] - name: nodenetworkconfigurationpolicies-timestamp-mutate.nmstate.io admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None clientConfig: service: name: {{template "handlerPrefix" .}}nmstate-webhook namespace: {{ .HandlerNamespace }} path: "/nodenetworkconfigurationpolicies-timestamp-mutate" rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["*"] apiVersions: ["v1alpha1","v1beta1","v1"] resources: ["nodenetworkconfigurationpolicies", "nodenetworkconfigurationpolicies/status"] - name: nodenetworkconfigurationpolicies-update-validate.nmstate.io admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None clientConfig: service: name: {{template "handlerPrefix" .}}nmstate-webhook namespace: {{ .HandlerNamespace }} path: "/nodenetworkconfigurationpolicies-update-validate" rules: - operations: ["UPDATE"] apiGroups: ["*"] apiVersions: ["v1alpha1","v1beta1","v1"] resources: ["nodenetworkconfigurationpolicies"] - name: nodenetworkconfigurationpolicies-create-validate.nmstate.io admissionReviewVersions: [ "v1", "v1beta1" ] sideEffects: None clientConfig: service: name: {{template "handlerPrefix" .}}nmstate-webhook namespace: {{ .HandlerNamespace }} path: "/nodenetworkconfigurationpolicies-create-validate" rules: - operations: ["CREATE"] apiGroups: ["*"] apiVersions: ["v1alpha1","v1beta1","v1"] resources: ["nodenetworkconfigurationpolicies"] --- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: namespace: {{ .HandlerNamespace }} name: {{template "handlerPrefix" .}}nmstate-webhook spec: minAvailable: {{ .WebhookMinReplicas }} selector: matchLabels: name: {{template "handlerPrefix" .}}nmstate-webhook --- apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: labels: openshift.io/cluster-monitoring: "" prometheus.nmstate.io: "true" name: controller-manager-metrics-monitor namespace: {{ .HandlerNamespace }} spec: endpoints: - scheme: https port: metrics bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: insecureSkipVerify: true metricRelabelings: - action: labeldrop regex: instance - action: labeldrop regex: job relabelings: - action: labeldrop regex: pod - action: labeldrop regex: container - action: labeldrop regex: endpoint namespaceSelector: matchNames: - {{ .HandlerNamespace }} selector: matchLabels: prometheus.nmstate.io: "true" --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: prometheus-k8s namespace: {{ .HandlerNamespace }} rules: - apiGroups: - "" resources: - services - endpoints - pods verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: prometheus-k8s namespace: {{ .HandlerNamespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: prometheus-k8s subjects: - kind: ServiceAccount name: prometheus-k8s namespace: {{ .MonitoringNamespace }}