---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: cilium
  namespace: {{ system_namespace }}
spec:
  template:
    metadata:
      labels:
        k8s-app: cilium
        kubernetes.io/cluster-service: "true"
      annotations:
        # This annotation plus the CriticalAddonsOnly toleration makes
        # cilium to be a critical pod in the cluster, which ensures cilium
        # gets priority scheduling.
        # https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
        scheduler.alpha.kubernetes.io/critical-pod: ''
        scheduler.alpha.kubernetes.io/tolerations: >-
          [{"key":"dedicated","operator":"Equal","value":"master","effect":"NoSchedule"}]
{% if cilium_enable_prometheus %}
        prometheus.io/scrape: "true"
        prometheus.io/port: "9090"
{% endif %}
    spec:
{% if rbac_enabled %}
      serviceAccountName: cilium
{% endif %}
      containers:
      - image: {{ cilium_image_repo }}:{{ cilium_image_tag }}
        imagePullPolicy: Always
        name: cilium-agent
        command: [ "cilium-agent" ]
        args:
          - "--debug=$(CILIUM_DEBUG)"
          - "-t"
          - "vxlan"
          - "--kvstore"
          - "etcd"
          - "--kvstore-opt"
          - "etcd.config=/var/lib/etcd-config/etcd.config"
          - "--disable-ipv4=$(DISABLE_IPV4)"
{% if cilium_enable_prometheus %}
        ports:
          - name: prometheus
            containerPort: 9090
{% endif %}
        lifecycle:
          postStart:
            exec:
              command:
                - "/cni-install.sh"
          preStop:
            exec:
              command:
                - "/cni-uninstall.sh"
        env:
          - name: "K8S_NODE_NAME"
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
          - name: "CILIUM_DEBUG"
            valueFrom:
              configMapKeyRef:
                name: cilium-config
                key: debug
          - name: "DISABLE_IPV4"
            valueFrom:
              configMapKeyRef:
                name: cilium-config
                key: disable-ipv4
{% if cilium_enable_prometheus %}
          # Note: this variable is a no-op if not defined, and is used in the
          # prometheus examples.
          - name: "CILIUM_PROMETHEUS_SERVE_ADDR"
            valueFrom:
              configMapKeyRef:
                name: cilium-metrics-config
                optional: true
                key: prometheus-serve-addr
{% endif %}
        resources:
          limits:
            cpu: {{ cilium_cpu_limit }}
            memory: {{ cilium_memory_limit }}
          requests:
            cpu: {{ cilium_cpu_requests }}
            memory: {{ cilium_memory_requests }}
        livenessProbe:
          exec:
            command:
            - cilium
            - status
          # The initial delay for the liveness probe is intentionally large to
          # avoid an endless kill & restart cycle if in the event that the initial
          # bootstrapping takes longer than expected.
          initialDelaySeconds: 120
          failureThreshold: 10
          periodSeconds: 10
        readinessProbe:
          exec:
            command:
            - cilium
            - status
          initialDelaySeconds: 5
          periodSeconds: 5
        volumeMounts:
          - name: bpf-maps
            mountPath: /sys/fs/bpf
          - name: cilium-run
            mountPath: /var/run/cilium
          - name: cni-path
            mountPath: /host/opt/cni/bin
          - name: etc-cni-netd
            mountPath: /host/etc/cni/net.d
          - name: docker-socket
            mountPath: /var/run/docker.sock
            readOnly: true
          - name: etcd-config-path
            mountPath: /var/lib/etcd-config
            readOnly: true
          - name: cilium-certs
            mountPath: {{ cilium_cert_dir }}
            readOnly: true
        securityContext:
          capabilities:
            add:
              - "NET_ADMIN"
          privileged: true
      hostNetwork: true
      volumes:
          # To keep state between restarts / upgrades
        - name: cilium-run
          hostPath:
            path: /var/run/cilium
          # To keep state between restarts / upgrades
        - name: bpf-maps
          hostPath:
            path: /sys/fs/bpf
          # To read docker events from the node
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
          # To install cilium cni plugin in the host
        - name: cni-path
          hostPath:
            path: /opt/cni/bin
          # To install cilium cni configuration in the host
        - name: etc-cni-netd
          hostPath:
              path: /etc/cni/net.d
        - name: cilium-certs
          hostPath:
              path: {{ cilium_cert_dir }}
          # To read the etcd config stored in config maps
        - name: etcd-config-path
          configMap:
            name: cilium-config
            items:
            - key: etcd-config
              path: etcd.config
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      - effect: NoSchedule
        key: node.cloudprovider.kubernetes.io/uninitialized
        value: "true"
      # Mark cilium's pod as critical for rescheduling
      - key: CriticalAddonsOnly
        operator: "Exists"