USHIFT-4342: Add flannel resource as optional CNI

Makefile

@@ -29,6 +29,7 @@ PATCH := $(shell echo $(SOURCE_GIT_TAG) | awk -F'[._~-]' '{print $$3}')
 
 SRC_ROOT :=$(shell pwd)
 
+WITH_FLANNEL ?= 0
 OUTPUT_DIR :=_output
 RPM_BUILD_DIR :=$(OUTPUT_DIR)/rpmbuild
 ISO_DIR :=$(OUTPUT_DIR)/image-builder
@@ -286,6 +287,7 @@ rpm:
 	SOURCE_GIT_TAG=${SOURCE_GIT_TAG} \
 	SOURCE_GIT_COMMIT=${SOURCE_GIT_COMMIT} \
 	SOURCE_GIT_TREE_STATE=${SOURCE_GIT_TREE_STATE} \
+	WITH_FLANNEL=${WITH_FLANNEL} \
 	./packaging/rpm/make-rpm.sh rpm local
 .PHONY: rpm
 
@@ -295,6 +297,7 @@ srpm:
 	SOURCE_GIT_TAG=${SOURCE_GIT_TAG} \
 	SOURCE_GIT_COMMIT=${SOURCE_GIT_COMMIT} \
 	SOURCE_GIT_TREE_STATE=${SOURCE_GIT_TREE_STATE} \
+	WITH_FLANNEL=${WITH_FLANNEL} \
 	./packaging/rpm/make-rpm.sh srpm local
 .PHONY: srpm
 

assets/optional/flannel/00-namespace.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-flannel
+  labels:
+    name: kube-flannel
+    openshift.io/run-level: "0"
+    openshift.io/cluster-monitoring: "true"
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
+  annotations:
+    openshift.io/node-selector: ""
+    openshift.io/description: "flannel Kubernetes components"
+    workload.openshift.io/allowed: "management"

assets/optional/flannel/01-service-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: flannel
+  namespace: kube-flannel

assets/optional/flannel/02-cluster-role.yaml

@@ -0,0 +1,116 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: flannel
+rules:
+  - apiGroups: [""]
+    resources:
+      - namespaces
+      - nodes
+      - pods
+    verbs:
+      - get
+      - list
+      - patch
+      - watch
+      - update
+  - apiGroups: [""]
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - patch
+      - watch
+      - delete
+  - apiGroups: [""]
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - create
+      - update
+      - patch
+  - apiGroups: [""]
+    resources:
+      - services
+      - endpoints
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+      - networkpolicies
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups: ["", "events.k8s.io"]
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+      - update
+  - apiGroups: ["security.openshift.io"]
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+    resourceNames:
+      - privileged
+  - apiGroups: [""]
+    resources:
+      - "nodes/status"
+    verbs:
+      - patch
+      - update
+  - apiGroups: ["k8s.ovn.org"]
+    resources:
+      - egressfirewalls
+      - egressips
+      - egressqoses
+      - adminpolicybasedexternalroutes
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - patch
+  - apiGroups:
+      - k8s.ovn.org
+    resources:
+      - adminpolicybasedexternalroutes/status
+    verbs: [ "update"]
+  - apiGroups: ["cloud.network.openshift.io"]
+    resources:
+      - cloudprivateipconfigs
+    verbs:
+      - create
+      - patch
+      - update
+      - delete
+      - get
+      - list
+      - watch
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups: ['authentication.k8s.io']
+    resources: ['tokenreviews']
+    verbs: ['create']
+  - apiGroups: ['authorization.k8s.io']
+    resources: ['subjectaccessreviews']
+    verbs: ['create']

assets/optional/flannel/03-cluster-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: flannel
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: flannel
+subjects:
+  - kind: ServiceAccount
+    name: flannel
+    namespace: kube-flannel

assets/optional/flannel/04-configmap.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+data:
+  cni-conf.json: |
+    {
+      "name": "ovn-kubernetes",
+      "cniVersion": "0.4.0",
+      "plugins": [
+        {
+          "type": "flannel",
+          "delegate": {
+            "hairpinMode": true,
+            "isDefaultGateway": true
+          }
+        },
+        {
+          "type": "portmap",
+          "capabilities": {
+            "portMappings": true
+          }
+        }
+      ]
+    }
+  net-conf.json: |
+    {
+      "Network": "10.42.0.0/24",
+      "EnableNFTables": false,
+      "Backend": {
+        "Type": "vxlan"
+      }
+    }
+kind: ConfigMap
+metadata:
+  labels:
+    app: flannel
+    k8s-app: flannel
+    tier: node
+  name: kube-flannel-cfg
+  namespace: kube-flannel

assets/optional/flannel/05-daemonset.yaml

@@ -0,0 +1,117 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: flannel
+    k8s-app: flannel
+    tier: node
+  name: kube-flannel-ds
+  namespace: kube-flannel
+spec:
+  selector:
+    matchLabels:
+      app: flannel
+      k8s-app: flannel
+  template:
+    metadata:
+      labels:
+        app: flannel
+        k8s-app: flannel
+        tier: node
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: kubernetes.io/os
+                    operator: In
+                    values:
+                      - linux
+      containers:
+        - args:
+            - --ip-masq
+            - --kube-subnet-mgr
+          command:
+            - /opt/bin/flanneld
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: EVENT_QUEUE_DEPTH
+              value: "5000"
+          image: flannel
+          imagePullPolicy: IfNotPresent
+          name: kube-flannel
+          resources:
+            requests:
+              cpu: 100m
+              memory: 50Mi
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+                - NET_RAW
+            privileged: false
+          volumeMounts:
+            - mountPath: /run/flannel
+              name: run
+            - mountPath: /etc/kube-flannel/
+              name: flannel-cfg
+            - mountPath: /run/xtables.lock
+              name: xtables-lock
+      hostNetwork: true
+      initContainers:
+        - args:
+            - -f
+            - /flannel
+            - /usr/libexec/cni
+          command:
+            - cp
+          image: flannel-plugin
+          imagePullPolicy: IfNotPresent
+          name: install-cni-plugin
+          volumeMounts:
+            - mountPath: /usr/libexec/cni
+              name: cni-plugin
+        - args:
+            - -f
+            - /etc/kube-flannel/cni-conf.json
+            - /etc/cni/net.d/10-flannel.conflist
+          command:
+            - cp
+          image: flannel
+          imagePullPolicy: IfNotPresent
+          name: install-cni
+          volumeMounts:
+            - mountPath: /etc/cni/net.d
+              name: cni
+            - mountPath: /etc/kube-flannel/
+              name: flannel-cfg
+      priorityClassName: system-node-critical
+      serviceAccountName: flannel
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+      volumes:
+        - hostPath:
+            path: /run/flannel
+          name: run
+        - hostPath:
+            path: /usr/libexec/cni
+          name: cni-plugin
+        - hostPath:
+            path: /etc/cni/net.d
+          name: cni
+        - configMap:
+            name: kube-flannel-cfg
+          name: flannel-cfg
+        - hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
+          name: xtables-lock

assets/optional/flannel/kustomization.aarch64.yaml

@@ -0,0 +1,8 @@
+
+images:
+  - name: flannel
+    newName: docker.io/flannel/flannel
+    digest: sha256:16fc8a9bc02163d9c02056ec6ac649d47f6f9a5e3adb5c1f2e93b547dba1315f
+  - name: flannel-plugin
+    newName: docker.io/flannel/flannel-cni-plugin
+    digest: sha256:2a6ed38c6f14402aec3433ca0613a3a0e54993d3fa59124687dd94cb39fb59cb

assets/optional/flannel/kustomization.x86_64.yaml

@@ -0,0 +1,8 @@
+
+images:
+  - name: flannel
+    newName: docker.io/flannel/flannel
+    digest: sha256:9e0e9170ed1f82029ccc4cf20fb20f6325456ab7a00f0544dc23275f11f8bb1c
+  - name: flannel-plugin
+    newName: docker.io/flannel/flannel-cni-plugin
+    digest: sha256:6e700d30d2c9316b4f54f9d0b1423a2d15290bf082f5d1fbd87f9f25173a374c

assets/optional/flannel/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - 00-namespace.yaml
+  - 01-service-account.yaml
+  - 02-cluster-role.yaml
+  - 03-cluster-role-binding.yaml
+  - 04-configmap.yaml
+  - 05-daemonset.yaml

assets/optional/flannel/release-flannel-aarch64.json

@@ -0,0 +1,9 @@
+{
+  "release": {
+    "base": "4.18.0-0.nightly-arm64-2024-08-29-120159"
+  },
+  "images": {
+    "flannel": "docker.io/flannel/flannel@sha256:16fc8a9bc02163d9c02056ec6ac649d47f6f9a5e3adb5c1f2e93b547dba1315f",
+    "flannel-plugin": "docker.io/flannel/flannel-cni-plugin@sha256:2a6ed38c6f14402aec3433ca0613a3a0e54993d3fa59124687dd94cb39fb59cb"
+  }
+}

assets/optional/flannel/release-flannel-x86_64.json

@@ -0,0 +1,9 @@
+{
+  "release": {
+    "base": "4.18.0-0.nightly-2024-08-29-020346"
+  },
+  "images": {
+    "flannel": "docker.io/flannel/flannel@sha256:9e0e9170ed1f82029ccc4cf20fb20f6325456ab7a00f0544dc23275f11f8bb1c",
+    "flannel-plugin": "docker.io/flannel/flannel-cni-plugin@sha256:6e700d30d2c9316b4f54f9d0b1423a2d15290bf082f5d1fbd87f9f25173a374c"
+  }
+}