apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: kube-router
    tier: node
  name: kube-router
  namespace: kube-system
spec:
  minReadySeconds: 3
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  selector:
    matchLabels:
      k8s-app: kube-router
      tier: node
  template:
    metadata:
      labels:
        k8s-app: kube-router
        tier: node
      annotations:
{% if kube_router_enable_metrics %}
        prometheus.io/path: {{ kube_router_metrics_path }}
        prometheus.io/port: "{{ kube_router_metrics_port }}"
        prometheus.io/scrape: "true"
{% endif %}
    spec:
      priorityClassName: system-node-critical
      serviceAccountName: kube-router
      containers:
      - name: kube-router
        image: {{ kube_router_image_repo }}:{{ kube_router_image_tag }}
        imagePullPolicy: {{ k8s_image_pull_policy }}
        args:
        - --run-router={{ kube_router_run_router | bool }}
        - --run-firewall={{ kube_router_run_firewall | bool }}
        - --run-service-proxy={{ kube_router_run_service_proxy | bool }}
        - --kubeconfig=/var/lib/kube-router/kubeconfig
        - --bgp-graceful-restart=true
{% if kube_router_advertise_cluster_ip %}
        - --advertise-cluster-ip
{% endif %}
{% if kube_router_advertise_external_ip %}
        - --advertise-external-ip
{% endif %}
{% if kube_router_advertise_loadbalancer_ip %}
        - --advertise-loadbalancer-ip
{% endif %}
{% if kube_router_peer_router_asns %}
        - --peer-router-asns={{ kube_router_peer_router_asns }}
{% endif %}
{% if kube_router_peer_router_ips %}
        - --peer-router-ips={{ kube_router_peer_router_ips }}
{% endif %}
{% if kube_router_peer_router_ports %}
        - --peer-router-ports={{ kube_router_peer_router_ports }}
{% endif %}
{% if kube_router_enable_metrics %}
        - --metrics-path={{ kube_router_metrics_path }}
        - --metrics-port={{ kube_router_metrics_port }}
{% endif %}
{% if kube_router_enable_dsr %}
{% if container_manager == "docker" %}
        - --runtime-endpoint=unix:///var/run/docker.sock
{% endif %}
{% if container_manager == "containerd" %}
{% endif %}
        - --runtime-endpoint=unix:///run/containerd/containerd.sock
{% endif %}
{% for arg in kube_router_extra_args %}
        - "{{ arg }}"
{% endfor %}
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: KUBE_ROUTER_CNI_CONF_FILE
          value: /etc/cni/net.d/10-kuberouter.conflist
        livenessProbe:
          httpGet:
            path: /healthz
            port: 20244
          initialDelaySeconds: 10
          periodSeconds: 3
        resources:
          requests:
            cpu: 250m
            memory: 250Mi
        securityContext:
          privileged: true
        volumeMounts:
{% if kube_router_enable_dsr %}
{% if container_manager == "docker" %}
        - name: docker-socket
          mountPath: /var/run/docker.sock
          readOnly: true
{% endif %}
{% if container_manager == "containerd" %}
        - name: containerd-socket
          mountPath: /run/containerd/containerd.sock
          readOnly: true
{% endif %}
{% endif %}
        - name: lib-modules
          mountPath: /lib/modules
          readOnly: true
        - name: cni-conf-dir
          mountPath: /etc/cni/net.d
        - name: kubeconfig
          mountPath: /var/lib/kube-router
          readOnly: true
        - name: xtables-lock
          mountPath: /run/xtables.lock
          readOnly: false
{% if kube_router_enable_metrics %}
        ports:
        - containerPort: {{ kube_router_metrics_port }}
          hostPort: {{ kube_router_metrics_port }}
          name: metrics
          protocol: TCP
{% endif %}
      hostNetwork: true
      dnsPolicy: {{ kube_router_dns_policy }}
{% if kube_router_enable_dsr %}
      hostIPC: true
      hostPID: true
{% endif %}
      tolerations:
      - operator: Exists
      volumes:
{% if kube_router_enable_dsr %}
{% if container_manager == "docker" %}
      - name: docker-socket
        hostPath:
          path: /var/run/docker.sock
          type: Socket
{% endif %}
{% if container_manager == "containerd" %}
      - name: containerd-socket
        hostPath:
          path: /run/containerd/containerd.sock
          type: Socket
{% endif %}
{% endif %}
      - name: lib-modules
        hostPath:
          path: /lib/modules
      - name: cni-conf-dir
        hostPath:
          path: /etc/cni/net.d
      - name: kubeconfig
        hostPath:
          path: /var/lib/kube-router
      - name: xtables-lock
        hostPath:
          path: /run/xtables.lock
          type: FileOrCreate

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-router
  namespace: kube-system

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-router
  namespace: kube-system
rules:
  - apiGroups:
    - ""
    resources:
      - namespaces
      - pods
      - services
      - nodes
      - endpoints
    verbs:
      - list
      - get
      - watch
  - apiGroups:
    - "networking.k8s.io"
    resources:
      - networkpolicies
    verbs:
      - list
      - get
      - watch
  - apiGroups:
    - extensions
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-router
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-router
subjects:
- kind: ServiceAccount
  name: kube-router
  namespace: kube-system