Add cnf for firewall with network of sriov

[multicloud/k8s.git] / starlingx / demo / firewall-sriov / templates / deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "firewall.fullname" . }}
  labels:
    release: {{ .Release.Name }}
    app: {{ include "firewall.name" . }}
    chart: {{ .Chart.Name }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      app: {{ include "firewall.name" . }}
      release: {{ .Release.Name }}
  template:
    metadata:
      labels:
        app: {{ include "firewall.name" . }}
        release: {{ .Release.Name }}
      annotations:
        k8s.v1.cni.cncf.io/networks: '[
          { "name": "sriov-device-{{ .Values.global.unprotectedNetName }}",
            "interface": "veth12" },
          { "name": "sriov-device-{{ .Values.global.protectedNetName }}",
            "interface": "veth21" }
          ]'
    spec:
      containers:
      - name: {{ .Chart.Name }}
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        tty: true
        stdin: true
        env:
        - name: unprotectedNetCidr
          value: "{{.Values.global.unprotectedNetCidr}}"
        - name: unprotectedNetGwIp
          value: "{{.Values.global.unprotectedNetGwIp}}"
        - name: protectedNetCidr
          value: "{{.Values.global.protectedNetCidr}}"
        - name: protectedNetGwIp
          value: "{{.Values.global.protectedNetGwIp}}"
        - name: dcaeCollectorIp
          value: "{{.Values.global.dcaeCollectorIp}}"
        - name: dcaeCollectorPort
          value: "{{.Values.global.dcaeCollectorPort}}"
        - name: unprotectedNetProviderDriver
          value: "{{.Values.global.unprotectedNetProviderDriver}}"
        - name: protectedNetProviderDriver
          value: "{{.Values.global.protectedNetProviderDriver}}"
        command: ["/bin/bash", "/opt/vfw_start.sh"]
        securityContext:
            privileged: true
            capabilities:
                add:
                - CAP_SYS_ADMIN
        volumeMounts:
          - mountPath: /hugepages
            name: hugepage
          - name: lib-modules
            mountPath: /lib/modules
          - name: src
            mountPath: /usr/src
          - name: scripts
            mountPath: /opt
        resources:
          requests:
            cpu: {{ .Values.resources.cpu }}
            memory: {{ .Values.resources.memory }}
            hugepages-2Mi: {{ .Values.resources.hugepage }}
            {{- if eq .Values.global.protectedNetProviderName .Values.global.unprotectedNetProviderName }}
            intel.com/pci_sriov_net_{{ .Values.global.protectedNetProviderName }}: '2'
            {{- else }}
            intel.com/pci_sriov_net_{{ .Values.global.protectedNetProviderName }}: '1'
            intel.com/pci_sriov_net_{{ .Values.global.unprotectedNetProviderName }}: '1'
            {{ end }}
          limits:
            cpu: {{ .Values.resources.cpu }}
            memory: {{ .Values.resources.memory }}
            hugepages-2Mi: {{ .Values.resources.hugepage }}
            {{- if eq .Values.global.protectedNetProviderName .Values.global.unprotectedNetProviderName }}
            intel.com/pci_sriov_net_{{ .Values.global.protectedNetProviderName }}: '2'
            {{- else }}
            intel.com/pci_sriov_net_{{ .Values.global.protectedNetProviderName }}: '1'
            intel.com/pci_sriov_net_{{ .Values.global.unprotectedNetProviderName }}: '1'
            {{ end }}
      volumes:
        - name: hugepage
          emptyDir:
            medium: HugePages
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: src
          hostPath:
            path: /usr/src
        - name: scripts
          configMap:
            name: {{ .Chart.Name }}-scripts-configmap
      imagePullSecrets:
      - name: admin-registry-secret