AWSTemplateFormatVersion: "2010-09-09" Description: Deploys Calico operator CRDs and components (qs-1r6eslplj) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Calico for EKS Parameters: - KubeClusterName ParameterLabels: KubeClusterName: default: EKS cluster name Parameters: KubeClusterName: Type: String Description: Name of the EKS cluster in which to deploy Calico. Resources: ##################################################################################### # operator.tigera.io/v1 CRDs ##################################################################################### InstallationCRD: Type: "Custom::KubeManifest" Properties: ServiceToken: !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-KubeManifest-${KubeClusterName}" ClusterName: !Ref KubeClusterName Manifest: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: installations.operator.tigera.io spec: group: operator.tigera.io names: kind: Installation listKind: InstallationList plural: installations singular: installation scope: Cluster versions: - name: v1 schema: openAPIV3Schema: description: Installation configures an installation of Calico or Calico Enterprise. At most one instance of this resource is supported. It must be named "default". The Installation API installs core networking and network policy components, and provides general install-time configuration. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: Specification of the desired state for the Calico or Calico Enterprise installation. properties: calicoNetwork: description: CalicoNetwork specifies configuration options for Calico provided pod networking. properties: hostPorts: description: 'HostPorts configures whether or not Calico will support Kubernetes HostPorts. Default: Enabled' enum: - Enabled - Disabled type: string ipPools: description: IPPools contains a list of IP pools to use for allocating pod IP addresses. At most one IP pool may be specified. If omitted, a single pool will be configured when needed. items: properties: blockSize: description: 'BlockSize specifies the CIDR prefex length to use when allocating per-node IP blocks from the main IP pool CIDR. Default: 26 (IPv4), 122 (IPv6)' format: int32 type: integer cidr: description: CIDR contains the address range for the IP Pool in classless inter-domain routing format. type: string encapsulation: description: 'Encapsulation specifies the encapsulation type that will be used with the IP Pool. Default: IPIP' enum: - IPIPCrossSubnet - IPIP - VXLAN - VXLANCrossSubnet - None type: string natOutgoing: description: 'NATOutgoing specifies if NAT will be enabled or disabled for outgoing traffic. Default: Enabled' enum: - Enabled - Disabled type: string nodeSelector: description: 'NodeSelector specifies the node selector that will be set for the IP Pool. Default: ''all()''' type: string required: - cidr type: object type: array mtu: description: 'MTU specifies the maximum transmission unit to use for pods on the Calico network. Default: 1410' format: int32 type: integer multiInterfaceMode: description: 'MultiInterfaceMode configures what will configure multiple interface per pod. Only valid for Calico Enterprise installations. Default: None' enum: - None - Multus type: string nodeAddressAutodetectionV4: description: NodeAddressAutodetectionV4 specifies an approach to automatically detect node IPv4 addresses. If not specified, will use default auto-detection settings to acquire an IPv4 address for each node. properties: canReach: description: CanReach enables IP auto-detection based on which source address on the node is used to reach the specified IP or domain. type: string firstFound: description: FirstFound uses default interface matching parameters to select an interface, performing best-effort filtering based on well-known interface names. type: boolean interface: description: Interface enables IP auto-detection based on interfaces that match the given regex. type: string skipInterface: description: SkipInterface enables IP auto-detection based on interfaces that do not match the given regex. type: string type: object nodeAddressAutodetectionV6: description: NodeAddressAutodetectionV6 specifies an approach to automatically detect node IPv4 addresses. If not specified, IPv6 addresses will not be auto-detected. properties: canReach: description: CanReach enables IP auto-detection based on which source address on the node is used to reach the specified IP or domain. type: string firstFound: description: FirstFound uses default interface matching parameters to select an interface, performing best-effort filtering based on well-known interface names. type: boolean interface: description: Interface enables IP auto-detection based on interfaces that match the given regex. type: string skipInterface: description: SkipInterface enables IP auto-detection based on interfaces that do not match the given regex. type: string type: object type: object clusterManagementType: description: 'How the cluster is managed. Valid values for this field are: Standalone, Management, Managed. Standalone clusters are fully self-contained installations of Calico Enterprise. Management clusters provide a single view to manage any number of Managed clusters, which are a lighter weight installation. This option is applicable only when variant is TigeraSecureEnterprise. Default: Standalone' enum: - Standalone - Management - Managed type: string componentResources: description: ComponentResources can be used to customize the resource requirements for each component. items: description: The ComponentResource struct associates a ResourceRequirements with a component by name properties: componentName: description: ComponentName CRD enum enum: - Node - Typha - KubeControllers type: string resourceRequirements: description: ResourceRequirements describes the compute resource requirements. properties: limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' type: object type: object required: - componentName - resourceRequirements type: object type: array controlPlaneNodeSelector: additionalProperties: type: string description: ControlPlaneNodeSelector is used to select control plane nodes on which to run specific Calico components. This currently only applies to kube-controllers and the apiserver. type: object flexVolumePath: description: FlexVolumePath optionally specifies a custom path for FlexVolume. If not specified, FlexVolume will be enabled by default. If set to 'None', FlexVolume will be disabled. The default is based on the kubernetesProvider. type: string imagePath: description: "ImagePath allows for the path part of an image to be specified. If specified then the specified value will be used as the image path for each image. If not specified or empty, the default for each image will be used. \n Image format: `//:` \n This option allows configuring the `` portion of the above format." type: string imagePullSecrets: description: ImagePullSecrets is an array of references to container registry pull secrets to use. These are applied to all images to be pulled. items: description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object type: array kubernetesProvider: description: KubernetesProvider specifies a particular provider of the Kubernetes platform and enables provider-specific configuration. If the specified value is empty, the Operator will attempt to automatically determine the current provider. If the specified value is not empty, the Operator will still attempt auto-detection, but will additionally compare the auto-detected value to the specified value to confirm they match. enum: - EKS - GKE - AKS - OpenShift - DockerEnterprise type: string nodeMetricsPort: description: NodeMetricsPort specifies which port calico/node serves prometheus metrics on. By default, metrics are not enabled. If specified, this overrides any FelixConfiguration resources which may exist. If omitted, then prometheus metrics may still be configured through FelixConfiguration. format: int32 type: integer nodeUpdateStrategy: description: NodeUpdateStrategy can be used to customize the desired update strategy, such as the MaxUnavailable field. properties: rollingUpdate: description: 'Rolling update config params. Present only if type = "RollingUpdate". --- TODO: Update this to follow our convention for oneOf, whatever we decide it to be. Same as Deployment `strategy.rollingUpdate`. See https://github.com/kubernetes/kubernetes/issues/35345' properties: maxUnavailable: anyOf: - type: integer - type: string description: 'The maximum number of DaemonSet pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of total number of DaemonSet pods at the start of the update (ex: 10%). Absolute number is calculated from percentage by rounding up. This cannot be 0. Default value is 1. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their pods stopped for an update at any given time. The update starts by stopping at most 30% of those DaemonSet pods and then brings up new DaemonSet pods in their place. Once the new pods are available, it then proceeds onto other DaemonSet pods, thus ensuring that at least 70% of original number of DaemonSet pods are available at all times during the update.' x-kubernetes-int-or-string: true type: object type: description: Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate. type: string type: object registry: description: "Registry is the default Docker registry used for component Docker images. If specified, all images will be pulled from this registry. If not specified then the default registries will be used. \n Image format: `//:` \n This option allows configuring the `` portion of the above format." type: string variant: description: 'Variant is the product to install - one of Calico or TigeraSecureEnterprise Default: Calico' enum: - Calico - TigeraSecureEnterprise type: string type: object status: description: Most recently observed state for the Calico or Calico Enterprise installation. properties: variant: description: Variant is the most recently observed installed variant - one of Calico or TigeraSecureEnterprise enum: - Calico - TigeraSecureEnterprise type: string type: object type: object served: true storage: true subresources: status: {} TigeraStatusCRD: Type: "Custom::KubeManifest" Properties: ServiceToken: !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-KubeManifest-${KubeClusterName}" ClusterName: !Ref KubeClusterName Manifest: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: tigerastatuses.operator.tigera.io spec: group: operator.tigera.io names: kind: TigeraStatus listKind: TigeraStatusList plural: tigerastatuses singular: tigerastatus scope: Cluster versions: - additionalPrinterColumns: - description: Whether the component running and stable. jsonPath: .status.conditions[?(@.type=='Available')].status name: Available type: string - description: Whether the component is processing changes. jsonPath: .status.conditions[?(@.type=='Progressing')].status name: Progressing type: string - description: Whether the component is degraded. jsonPath: .status.conditions[?(@.type=='Degraded')].status name: Degraded type: string - description: The time the component's Available status last changed. jsonPath: .status.conditions[?(@.type=='Available')].lastTransitionTime name: Since type: date name: v1 schema: openAPIV3Schema: description: TigeraStatus represents the most recently observed status for Calico or a Calico Enterprise functional area. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' type: string metadata: type: object spec: type: object status: description: TigeraStatusStatus defines the observed state of TigeraStatus properties: conditions: description: Conditions represents the latest observed set of conditions for this component. A component may be one or more of Available, Progressing, or Degraded. items: description: TigeraStatusCondition represents a condition attached to a particular component. properties: lastTransitionTime: description: The timestamp representing the start time for the current status. format: date-time type: string message: description: Optionally, a detailed message providing additional context. type: string reason: description: A brief reason explaining the condition. type: string status: description: The status of the condition. May be True, False, or Unknown. type: string type: description: The type of condition. May be Available, Progressing, or Degraded. type: string required: - lastTransitionTime - status - type type: object type: array required: - conditions type: object type: object served: true storage: true subresources: status: {} ##################################################################################### # Resources which install the operator ##################################################################################### TigeraOperatorClusterRole: Type: "Custom::KubeManifest" Properties: ServiceToken: !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-KubeManifest-${KubeClusterName}" ClusterName: !Ref KubeClusterName Manifest: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: tigera-operator rules: - apiGroups: - "" resources: - namespaces - pods - podtemplates - services - endpoints - events - configmaps - secrets - serviceaccounts verbs: - '*' - apiGroups: - "" resources: - nodes verbs: # Need to update node labels when migrating nodes. - 'get' - 'patch' - 'list' # We need this for Typha autoscaling - 'watch' - apiGroups: - rbac.authorization.k8s.io resources: - clusterroles - clusterrolebindings - rolebindings - roles verbs: - '*' - apiGroups: - apps resources: - deployments - daemonsets - statefulsets verbs: - '*' - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - '*' - apiGroups: - apps resourceNames: - tigera-operator resources: - deployments/finalizers verbs: - update - apiGroups: - operator.tigera.io resources: - '*' verbs: - '*' - apiGroups: - scheduling.k8s.io resources: - priorityclasses verbs: - '*' - apiGroups: - monitoring.coreos.com resources: - servicemonitors verbs: - get - create - apiGroups: - policy resources: - poddisruptionbudgets verbs: - '*' # Add the appropriate pod security policy permissions - apiGroups: - policy resources: - podsecuritypolicies resourceNames: - tigera-operator verbs: - use - apiGroups: - policy resources: - podsecuritypolicies verbs: - get - list - watch - create - update # Permissions below this point are required for TSEE only. - apiGroups: - apiregistration.k8s.io resources: - apiservices verbs: - '*' - apiGroups: - "batch" resources: - jobs - cronjobs verbs: - '*' - apiGroups: - projectcalico.org resources: - globalreporttypes - licensekeys - globalalerttemplates verbs: - '*' - apiGroups: - elasticsearch.k8s.elastic.co resources: - elasticsearches verbs: - '*' - apiGroups: - storage.k8s.io resources: - storageclasses verbs: - '*' - apiGroups: - kibana.k8s.elastic.co resources: - kibanas verbs: - '*' - apiGroups: - admissionregistration.k8s.io resources: - validatingwebhookconfigurations verbs: - '*' TigeraOperatorNamespace: Type: "Custom::KubeManifest" Properties: ServiceToken: !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-KubeManifest-${KubeClusterName}" ClusterName: !Ref KubeClusterName Manifest: apiVersion: v1 kind: Namespace metadata: name: tigera-operator labels: name: tigera-operator TigeraOperatorServiceAccount: Type: "Custom::KubeManifest" DependsOn: TigeraOperatorNamespace Properties: ServiceToken: !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-KubeManifest-${KubeClusterName}" ClusterName: !Ref KubeClusterName Manifest: apiVersion: v1 kind: ServiceAccount metadata: name: tigera-operator namespace: tigera-operator TigeraOperatorClusterRoleBinding: Type: "Custom::KubeManifest" Properties: ServiceToken: !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-KubeManifest-${KubeClusterName}" ClusterName: !Ref KubeClusterName Manifest: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: tigera-operator subjects: - kind: ServiceAccount name: tigera-operator namespace: tigera-operator roleRef: kind: ClusterRole name: tigera-operator apiGroup: rbac.authorization.k8s.io TigeraOperatorDeployment: Type: "Custom::KubeManifest" DependsOn: TigeraOperatorNamespace Properties: ServiceToken: !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-KubeManifest-${KubeClusterName}" ClusterName: !Ref KubeClusterName Manifest: apiVersion: apps/v1 kind: Deployment metadata: name: tigera-operator namespace: tigera-operator labels: k8s-app: tigera-operator spec: replicas: 1 selector: matchLabels: name: tigera-operator template: metadata: labels: name: tigera-operator k8s-app: tigera-operator spec: tolerations: - effect: NoExecute operator: Exists - effect: NoSchedule operator: Exists serviceAccountName: tigera-operator hostNetwork: true dnsPolicy: ClusterFirstWithHostNet containers: - name: tigera-operator image: quay.io/tigera/operator:v1.10.5 imagePullPolicy: IfNotPresent command: - operator env: - name: WATCH_NAMESPACE value: "" - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: OPERATOR_NAME value: "tigera-operator" - name: TIGERA_OPERATOR_INIT_IMAGE_VERSION value: v1.10.5