---
apiVersion: v1
kind: List
items:
  - apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: weave-net
      labels:
        name: weave-net
      namespace: kube-system
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: weave-net
      labels:
        name: weave-net
    rules:
      - apiGroups:
          - ''
        resources:
          - pods
          - namespaces
          - nodes
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - extensions
        resources:
          - networkpolicies
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - 'networking.k8s.io'
        resources:
          - networkpolicies
        verbs:
          - get
          - list
          - watch
      - apiGroups:
        - ''
        resources:
        - nodes/status
        verbs:
        - patch
        - update
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: weave-net
      labels:
        name: weave-net
    roleRef:
      kind: ClusterRole
      name: weave-net
      apiGroup: rbac.authorization.k8s.io
    subjects:
      - kind: ServiceAccount
        name: weave-net
        namespace: kube-system
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: weave-net
      namespace: kube-system
      labels:
        name: weave-net
    rules:
      - apiGroups:
          - ''
        resources:
          - configmaps
        resourceNames:
          - weave-net
        verbs:
          - get
          - update
      - apiGroups:
          - ''
        resources:
          - configmaps
        verbs:
          - create
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: weave-net
      namespace: kube-system
      labels:
        name: weave-net
    roleRef:
      kind: Role
      name: weave-net
      apiGroup: rbac.authorization.k8s.io
    subjects:
      - kind: ServiceAccount
        name: weave-net
        namespace: kube-system
  - apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: weave-net
      labels:
        name: weave-net
      namespace: kube-system
    spec:
      # Wait 5 seconds to let pod connect before rolling next pod
      selector:
        matchLabels:
          name: weave-net
      minReadySeconds: 5
      template:
        metadata:
          labels:
            name: weave-net
        spec:
          initContainers:
            - name: weave-init
              image: {{ weave_kube_image_repo }}:{{ weave_kube_image_tag }}
              imagePullPolicy: {{ k8s_image_pull_policy }}
              command:
                - /home/weave/init.sh
              env:
              securityContext:
                privileged: true
              volumeMounts:
                - name: cni-bin
                  mountPath: /host/opt
                - name: cni-bin2
                  mountPath: /host/home
                - name: cni-conf
                  mountPath: /host/etc
                - name: lib-modules
                  mountPath: /lib/modules
                - name: xtables-lock
                  mountPath: /run/xtables.lock
                  readOnly: false
          containers:
            - name: weave
              command:
                - /home/weave/launch.sh
              env:
                - name: INIT_CONTAINER
                  value: "true"
                - name: HOSTNAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: spec.nodeName
                - name: WEAVE_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: weave-net
                      key: WEAVE_PASSWORD
                - name: CHECKPOINT_DISABLE
                  value: "{{ weave_checkpoint_disable | bool | int }}"
                - name: CONN_LIMIT
                  value: "{{ weave_conn_limit | int }}"
                - name: HAIRPIN_MODE
                  value: "{{ weave_hairpin_mode | bool | lower }}"
                - name: IPALLOC_RANGE
                  value: "{{ weave_ipalloc_range }}"
                - name: EXPECT_NPC
                  value: "{{ weave_expect_npc | bool | int }}"
{% if weave_kube_peers %}
                - name: KUBE_PEERS
                  value: "{{ weave_kube_peers }}"
{% endif %}
{% if weave_ipalloc_init %}
                - name: IPALLOC_INIT
                  value: "{{ weave_ipalloc_init }}"
{% endif %}
{% if weave_expose_ip %}
                - name: WEAVE_EXPOSE_IP
                  value: "{{ weave_expose_ip }}"
{% endif %}
{% if weave_metrics_addr %}
                - name: WEAVE_METRICS_ADDR
                  value: "{{ weave_metrics_addr }}"
{% endif %}
{% if weave_status_addr %}
                - name: WEAVE_STATUS_ADDR
                  value: "{{ weave_status_addr }}"
{% endif %}
{% if weave_iptables_backend %}
                - name: IPTABLES_BACKEND
                  value: "{{ weave_iptables_backend }}"
{% endif %}
                - name: WEAVE_MTU
                  value: "{{ weave_mtu | int }}"
                - name: NO_MASQ_LOCAL
                  value: "{{ weave_no_masq_local | bool | int }}"
{% if weave_extra_args %}
                - name: EXTRA_ARGS
                  value: "{{ weave_extra_args }}"
{% endif %}
              image: {{ weave_kube_image_repo }}:{{ weave_kube_image_tag }}
              imagePullPolicy: {{ k8s_image_pull_policy }}
              readinessProbe:
                httpGet:
                  host: 127.0.0.1
                  path: /status
                  port: 6784
              resources:
                requests:
                  cpu: 50m
              securityContext:
                privileged: true
              volumeMounts:
                - name: weavedb
                  mountPath: /weavedb
                - name: dbus
                  mountPath: /host/var/lib/dbus
                  readOnly: true
                - mountPath: /host/etc/machine-id
                  name: cni-machine-id
                  readOnly: true
                - name: xtables-lock
                  mountPath: /run/xtables.lock
                  readOnly: false
            - name: weave-npc
              env:
                - name: HOSTNAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: spec.nodeName
{% if weave_npc_extra_args %}
                - name: EXTRA_ARGS
                  value: "{{ weave_npc_extra_args }}"
{% endif %}                       
              image: {{ weave_npc_image_repo }}:{{ weave_npc_image_tag }}
              imagePullPolicy: {{ k8s_image_pull_policy }}
              resources:
                requests:
                  cpu: 50m
              securityContext:
                privileged: true
              volumeMounts:
                - name: xtables-lock
                  mountPath: /run/xtables.lock
                  readOnly: false
          hostNetwork: true
          dnsPolicy: ClusterFirstWithHostNet
          hostPID: false
          restartPolicy: Always
          securityContext:
            seLinuxOptions: {}
          serviceAccountName: weave-net
          tolerations:
            - effect: NoSchedule
              operator: Exists
            - effect: NoExecute
              operator: Exists
          volumes:
            - name: weavedb
              hostPath:
                path: /var/lib/weave
            - name: cni-bin
              hostPath:
                path: /opt
            - name: cni-bin2
              hostPath:
                path: /home
            - name: cni-conf
              hostPath:
                path: /etc
            - name: cni-machine-id
              hostPath:
                path: /etc/machine-id
            - name: dbus
              hostPath:
                path: /var/lib/dbus
            - name: lib-modules
              hostPath:
                path: /lib/modules
            - name: xtables-lock
              hostPath:
                path: /run/xtables.lock
                type: FileOrCreate
          priorityClassName: system-node-critical
      updateStrategy:
        rollingUpdate:
          maxUnavailable: {{ serial | default('20%') }}
        type: RollingUpdate
  - apiVersion: v1
    kind: Secret
    metadata:
      name: weave-net
      namespace: kube-system
    data:
      WEAVE_PASSWORD: "{{ weave_password | default("") | b64encode }}"