Add core addon packages (#524)

* add metrics-server package

* add metrics-server package

* add pinniped package

* fix installed package version for pinniped and metrics-server

* add addons manager

* add vsphere-csi and vsphere-cpi packages

* get rid of ImageInfo in templates

* add kapp-controller package

* add packages to repo

* add CNI packages

* update antrea and calico packages to remove ImageInfo

* update kapp-controller package

* update metrics-server package

* Sync metrics-server manifest from upstream

* update core package READMEs

* remove pinniped package

* address comments

* update package url in repo

* update csi package

* Update kapp-controller package to deploy kapp-controller deployment after kapp-controller configmap

* Change all package versions to vmware0

* Change kapp-controller version back to v0.19.0-vmware0

* Fix lint errors
Co-authored-by: Shyaam Nagarajan <nagarajans@vmware.com>
Co-authored-by: Nicholas Seemiller <seemiller@gmail.com>

.gitignore

@@ -15,6 +15,7 @@ cayman_trigger.txt
 artifacts
 artifacts-admin
 bin
+addons/repos/generated
 
 # Architecture specific extensions/prefixes
 *.[568vq]

addons/packages/antrea/README.md

+# antrea Package
+
+This package provides networking and network security solution for containers using [antrea](https://antrea.io/).
+
+## Components
+
+## Configuration
+
+The following configuration values can be set to customize the antrea installation.
+
+### Global
+
+| Value | Required/Optional | Description |
+|-------|-------------------|-------------|
+| `namespace` | Optional | The namespace in which to deploy antrea. |
+| `infraProvider` | Required | The cloud provider in use. One of: `aws`, `azure`, `vsphere`, `docker`. |
+
+### antrea Configuration
+
+| Value | Required/Optional | Description |
+|-------|-------------------|-------------|
+| `antrea.config.serviceCIDR` | Optional | The service CIDR to use. Default: `10.96.0.0/12` |
+| `antrea.config.trafficEncapMode` | Optional | The traffic encapsulation mode. Default: `encap` |
+| `antrea.config.noSNAT` | Optional | Boolean flag to enable/disable SNAT. Default: `false`. |
+| `antrea.config.defaultMTU` | Optional | MTU to use. Default: `null` (Antrea will autodetect). |
+| `antrea.config.featureGates.AntreaProxy` | Optional | Boolean flag to enable/disable antrea proxy. Default: `false`. |
+| `antrea.config.featureGates.AntreaPolicy` | Optional | Boolean flag to enable/disable antrea policy. Default: `true`. |
+| `antrea.config.featureGates.AntreaTraceFlow` | Optional | Boolean flag to enable/disable antrea traceflow. Default: `false`. |
+| `antrea.config.featureGates.FlowExporter`| Optional | Boolean flag to enable/disable flow exporter. Default: `false`. |
+| `antrea.config.featureGates.NetworkPolicyStats` | Optional | Boolean flag to enable/disable network policy stats. Default: `false`. |
+
+## Usage Example
+
+To learn more about how to use antrea refer to [antrea documentation](https://antrea.io/docs/v0.11.3/)

addons/packages/antrea/bundle/.imgpkg/bundle.yaml

+apiVersion: imgpkg.carvel.dev/v1alpha1
+kind: Bundle
+metadata:
+  name: antrea
+authors:
+- name: Shyaam Nagarajan 
+  email: nagarajans@vmware.com
+websites:
+- url: antrea.io

addons/packages/antrea/bundle/.imgpkg/images.yml

+---
+apiVersion: imgpkg.carvel.dev/v1alpha1
+images:
+- annotations:
+    kbld.carvel.dev/id: antrea/antrea-ubuntu:v0.11.3
+  image: index.docker.io/antrea/antrea-ubuntu@sha256:d787325f56604fcc1e68422c9c0a0303cafc6bb04a667e9a3f274c0044625141
+kind: ImagesLock

addons/packages/antrea/bundle/config/kapp-config.yaml

+apiVersion: kapp.k14s.io/v1alpha1
+kind: Config
+rebaseRules:
+- path: [data]
+  type: copy
+  sources: [existing, new]
+  resourceMatchers:
+  - kindNamespaceNameMatcher: {kind: ConfigMap, namespace: kube-system, name: antrea-ca}

addons/packages/antrea/bundle/config/overlay/antrea_overlay.yaml

+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:yaml", "yaml")
+#@ load("/values.star", "values")
+
+#@ def antrea_agent_conf():
+
+#! FeatureGates is a map of feature names to bools that enable or disable experimental features.
+featureGates:
+#! Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent.
+#! It should be enabled on Windows, otherwise NetworkPolicy will not take effect on
+#! Service traffic.
+  AntreaProxy: #@ values.antrea.config.featureGates.AntreaProxy
+
+#! Enable traceflow which provides packet tracing feature to diagnose network issue.
+  Traceflow: #@ values.antrea.config.featureGates.AntreaTraceflow
+
+#! Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
+#! to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
+#! feature that supports priorities, rule actions and externalEntities in the future.
+  AntreaPolicy: #@ values.antrea.config.featureGates.AntreaPolicy
+
+#! Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each
+#! agent to a configured collector.
+  FlowExporter: #@ values.antrea.config.featureGates.FlowExporter
+
+#! Enable collecting and exposing NetworkPolicy statistics.
+  NetworkPolicyStats: #@ values.antrea.config.featureGates.NetworkPolicyStats
+
+#! Name of the OpenVSwitch bridge antrea-agent will create and use.
+#! Make sure it doesn't conflict with your existing OpenVSwitch bridges.
+#!ovsBridge: br-int
+
+#! Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
+#! - system
+#! - netdev
+#! 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
+#! OVS in userspace mode. Userspace mode requires the tun device driver to be available.
+#@ if values.infraProvider == "docker":
+ovsDatapathType: netdev
+#@ end
+
+#! Name of the interface antrea-agent will create and use for host <--> pod communication.
+#! Make sure it doesn't conflict with your existing interfaces.
+#!hostGateway: antrea-gw0
+
+#! Determines how traffic is encapsulated. It has the following options:
+#! encap(default):    Inter-node Pod traffic is always encapsulated and Pod to external network
+#!                    traffic is SNAT'd.
+#! noEncap:           Inter-node Pod traffic is not encapsulated; Pod to external network traffic is
+#!                    SNAT'd if noSNAT is not set to true. Underlying network must be capable of
+#!                    supporting Pod traffic across IP subnets.
+#! hybrid:            noEncap if source and destination Nodes are on the same subnet, otherwise encap.
+#! networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
+#!                    IPAM and connectivity to the primary CNI.
+#!
+trafficEncapMode: #@ values.antrea.config.trafficEncapMode
+
+#! Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
+#! This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
+#! mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
+#! the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
+#! performs SNAT and this option will be ignored; for other modes it must be set to false.
+noSNAT: #@ values.antrea.config.noSNAT
+
+#! Tunnel protocols used for encapsulating traffic across Nodes. Supported values:
+#! - geneve (default)
+#! - vxlan
+#! - gre
+#! - stt
+#!tunnelType: geneve
+
+#! Default MTU to use for the host gateway interface and the network interface of each Pod.
+#! If omitted, antrea-agent will discover the MTU of the Node's primary interface and
+#! also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
+#@ if/end values.antrea.config.defaultMTU:
+defaultMTU: #@ values.antrea.config.defaultMTU
+
+#! Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported
+#! for the GRE tunnel type.
+#!enableIPSecTunnel: false
+
+#! ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
+#! set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
+#! AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
+#!serviceCIDR: 10.96.0.0/12
+serviceCIDR: #@ values.antrea.config.serviceCIDR
+
+#! ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
+#! cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
+#! --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
+#! No default value for this field.
+#!serviceCIDRv6:
+
+#! The port for the antrea-agent APIServer to serve on.
+#! Note that if it's set to another value, the `containerPort` of the `api` port of the
+#! `antrea-agent` container must be set to the same value.
+#!apiPort: 10350
+
+#! Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
+#!enablePrometheusMetrics: true
+
+#! Provide flow collector address as string with format <IP>:<port>[:<proto>], where proto is tcp or udp. This also enables
+#! the flow exporter that sends IPFIX flow records of conntrack flows on OVS bridge. If no L4 transport proto is given,
+#! we consider tcp as default.
+#!flowCollectorAddr: ""
+
+#! Provide flow poll interval as a duration string. This determines how often the flow exporter dumps connections from the conntrack module.
+#! Flow poll interval should be greater than or equal to 1s (one second).
+#! Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+#!flowPollInterval: "5s"
+
+#! Provide flow export frequency, which is the number of poll cycles elapsed before flow exporter exports flow records to
+#! the flow collector.
+#! Flow export frequency should be greater than or equal to 1.
+#!flowExportFrequency: 12
+
+#@ end
+
+
+#@ def antrea_controller_conf():
+
+#! FeatureGates is a map of feature names to bools that enable or disable experimental features.
+featureGates:
+#! Enable traceflow which provides packet tracing feature to diagnose network issue.
+  Traceflow: #@ values.antrea.config.featureGates.AntreaTraceflow
+
+#! Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
+#! to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
+#! feature that supports priorities, rule actions and externalEntities in the future.
+  AntreaPolicy: #@ values.antrea.config.featureGates.AntreaPolicy
+
+#! Enable collecting and exposing NetworkPolicy statistics.
+  NetworkPolicyStats: #@ values.antrea.config.featureGates.NetworkPolicyStats
+
+#! The port for the antrea-controller APIServer to serve on.
+#! Note that if it's set to another value, the `containerPort` of the `api` port of the
+#! `antrea-controller` container must be set to the same value.
+#!apiPort: 10349
+
+#! Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
+#!enablePrometheusMetrics: true
+
+#! Indicates whether to use auto-generated self-signed TLS certificate.
+#! If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
+#!   ca.crt: <CA certificate>
+#!   tls.crt: <TLS certificate>
+#!   tls.key: <TLS private key>
+#! And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
+#! antrea-controller container.
+selfSignedCert: true
+#! enterpriseAntrea: true
+
+#@ end
+
+#@overlay/match by=overlay.subset({"kind":"ConfigMap","metadata":{"name": "antrea-config-b59fc7d2b4"}})
+---
+kind: ConfigMap
+metadata:
+  name: antrea-config-b59fc7d2b4
+data:
+  antrea-agent.conf: #@ yaml.encode(antrea_agent_conf())
+  antrea-controller.conf: #@ yaml.encode(antrea_controller_conf())
+
+#@overlay/match by=overlay.subset({"kind":"Deployment","metadata":{"name": "antrea-controller"}})
+---
+kind: Deployment
+metadata:
+  name: antrea-controller
+  #@overlay/match missing_ok=True
+  annotations:
+    kapp.k14s.io/disable-default-label-scoping-rules: ""
+
+
+#@overlay/match by=overlay.subset({"kind":"DaemonSet","metadata":{"name": "antrea-agent"}})
+---
+kind: DaemonSet
+metadata:
+  #@overlay/match missing_ok=True
+  annotations:
+    kapp.k14s.io/disable-default-label-scoping-rules: ""
+spec:
+  template:
+    spec:
+      containers:
+        #@ if values.infraProvider == "docker":
+        #@overlay/match by=overlay.subset({"name":"antrea-ovs"})
+        - command:
+          #@overlay/match by=overlay.subset("start_ovs")
+          #@overlay/replace
+            - start_ovs_netdev
+
+        #@overlay/match by=overlay.subset({"name":"antrea-ovs"})
+        - volumeMounts:
+          #@overlay/append
+            - mountPath: /dev/net/tun
+              name: dev-tun
+        #@ end
+
+      initContainers:
+        #@ if values.infraProvider == "docker":
+        #@overlay/match by=overlay.subset({"name":"install-cni"})
+        - command:
+          #@overlay/match by=overlay.subset("install_cni")
+          #@overlay/replace
+            - install_cni_kind
+        #@ end
+      volumes:
+      #@ if values.infraProvider == "docker":
+      #@overlay/append
+        - hostPath:
+            path: /dev/net/tun
+            type: CharDevice
+          name: dev-tun
+      #@ end

addons/packages/antrea/bundle/config/values.star

+load("@ytt:data", "data")
+load("@ytt:assert", "assert")
+
+def validate_antrea():
+  data.values.infraProvider or assert.fail("Infrastructure provider should be provided")
+end
+
+#export
+values = data.values
+
+# validate
+validate_antrea()

addons/packages/antrea/bundle/config/values.yaml

+#@data/values
+---
+
+namespace: kube-system
+infraProvider: vsphere
+antrea:
+  config:
+    serviceCIDR: 10.96.0.0/12
+    trafficEncapMode: encap
+    noSNAT: false
+    #! Setting defaultMTU to null since antrea-agent will discover the MTU of the Node's primary interface and
+    #! also adjust MTU to accommodate for tunnel encapsulation overhead.
+    defaultMTU: null
+    featureGates:
+      AntreaProxy: false
+      AntreaPolicy: true
+      AntreaTraceflow: false
+      FlowExporter: false
+      NetworkPolicyStats: false

addons/packages/antrea/bundle/vendir.lock.yml

+apiVersion: vendir.k14s.io/v1alpha1
+directories:
+- contents:
+  - manual: {}
+    path: antrea.yaml
+  path: config/upstream
+kind: LockConfig

addons/packages/antrea/bundle/vendir.yml

+apiVersion: vendir.k14s.io/v1alpha1
+kind: Config
+minimumRequiredVersion: 0.12.0
+directories:
+- path: config/upstream
+  contents:
+  - path: antrea.yaml 
+    manual: {}

addons/packages/antrea/clusterrolebinding.yaml

+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: antrea
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: antrea-extension-sa
+    namespace: tanzu-extensions

addons/packages/antrea/installedpackage.yaml

+# This InstalledPackage resource is used for testing purposes.
+# Namely it's for manual installation when tooling such as the
+# tanzu CLI is not in play.
+---
+apiVersion: install.package.carvel.dev/v1alpha1
+kind: InstalledPackage
+metadata:
+  name: antrea-sample
+  namespace: tanzu-extensions
+spec:
+  serviceAccountName: antrea-extension-sa
+  packageRef:
+    publicName: antrea.tce.vmware.com
+    versionSelection:
+      constraints: "0.11.3-vmware0" 
+      prereleases: {}

addons/packages/antrea/serviceaccount.yaml

+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: antrea-extension-sa
+  namespace: tanzu-extensions

addons/packages/calico/README.md

+# calico Package
+
+This package provides networking and network security solution for containers using [calico](https://www.projectcalico.org/).
+
+## Components
+
+## Configuration
+
+The following configuration values can be set to customize the calico installation.
+
+### Global
+
+| Value | Required/Optional | Description |
+|-------|-------------------|-------------|
+| `namespace` | Optional | The namespace in which to deploy calico. |
+| `infraProvider` | Required | The cloud provider in use. One of: `aws`, `azure`, `vsphere`, `docker`. |
+
+### calico Configuration
+
+| Value | Required/Optional | Description |
+|-------|-------------------|-------------|
+| `calico.config.clusterCIDR` | Optional | The pod network CIDR. Default value is `192.168.0.0/16`. |
+| `calico.config.vethMTU` | Optional | MTU size. Default is `1440`. |
+
+## Usage Example
+
+To learn more about how to use calico refer to [calico documentation](https://docs.projectcalico.org/about/about-calico)

addons/packages/calico/bundle/.imgpkg/bundle.yaml

+apiVersion: imgpkg.carvel.dev/v1alpha1
+kind: Bundle
+metadata:
+  name: calico
+authors:
+- name: Shyaam Nagarajan 
+  email: nagarajans@vmware.com
+websites:
+- url: projectcalico.org

addons/packages/calico/bundle/.imgpkg/images.yml

+---
+apiVersion: imgpkg.carvel.dev/v1alpha1
+images:
+- annotations:
+    kbld.carvel.dev/id: docker.io/calico/cni:v3.11.3
+  image: index.docker.io/calico/cni@sha256:29a4a6b90a2e840e763625306e81357405ebfc9ee7c69c3fbe6519f2c427e42f
+- annotations:
+    kbld.carvel.dev/id: docker.io/calico/kube-controllers:v3.11.3
+  image: index.docker.io/calico/kube-controllers@sha256:b09c8ee972762ce77d12b132692bac82bc1ecd9ca1e3ff8b01699db10159f080
+- annotations:
+    kbld.carvel.dev/id: docker.io/calico/node:v3.11.3
+  image: index.docker.io/calico/node@sha256:319813e29578c1eb9401a426ae6d8549f3b8963ae97ccff0d8aea57b8406ec8d
+- annotations:
+    kbld.carvel.dev/id: docker.io/calico/pod2daemon-flexvol:v3.11.3
+  image: index.docker.io/calico/pod2daemon-flexvol@sha256:a26d85e1233fb7dd9e63826f88ac9cb32cfd5dd0b0963e201e4ad9d6eb979088
+kind: ImagesLock

addons/packages/calico/bundle/config/overlay/calico_overlay.yaml

+#@ load("@ytt:overlay", "overlay")
+#@ load("/values.star", "values")
+
+#@ def startswith(index, left, right):
+#@  return left.startswith(right)
+#@ end
+
+#@overlay/match by=overlay.subset({"kind":"DaemonSet"})
+---
+kind: DaemonSet
+metadata:
+  #@overlay/match missing_ok=True
+  annotations:
+    kapp.k14s.io/disable-default-label-scoping-rules: ""
+spec:
+  template:
+    spec:
+      containers:
+        #@overlay/match by=overlay.subset({"name":"calico-node"})
+        - name: calico-node
+          env:
+            #@overlay/match by=overlay.subset({"name":"CALICO_IPV4POOL_CIDR"})
+            - value: #@ values.calico.config.clusterCIDR
+#@ if values.infraProvider == "azure":
+            #@overlay/match by=overlay.subset({"name":"CALICO_IPV4POOL_IPIP"})
+            #@overlay/merge
+            - name: CALICO_IPV4POOL_VXLAN
+              value: Always
+            #@overlay/match by=overlay.subset({"name":"FELIX_IPINIPMTU"})
+            #@overlay/remove
+            - name: FELIX_IPINIPMTU
+          livenessProbe:
+            exec:
+              command:
+                #@overlay/remove
+                #@overlay/match by=startswith
+                - -bird-live
+          readinessProbe:
+            exec:
+              command:
+                #@overlay/remove
+                #@overlay/match by=startswith
+                - -bird-ready
+#@ end
+
+#@overlay/match by=overlay.subset({"kind":"Deployment"})
+---
+kind: Deployment
+metadata:
+  #@overlay/match missing_ok=True
+  annotations:
+    kapp.k14s.io/disable-default-label-scoping-rules: ""
+
+#@overlay/match by=overlay.subset({"kind":"ConfigMap"})
+---
+data:
+  #@ if/end values.infraProvider == "azure":
+  calico_backend: "vxlan"
+  veth_mtu: #@ values.calico.config.vethMTU

addons/packages/calico/bundle/config/upstream/calico.yaml

+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: calico-config
+  namespace: kube-system
+data:
+  typha_service_name: none
+  calico_backend: bird
+  veth_mtu: "1440"
+  cni_network_config: |-
+    {
+      "name": "k8s-pod-network",
+      "cniVersion": "0.3.1",
+      "plugins": [
+        {
+          "type": "calico",
+          "log_level": "info",
+          "datastore_type": "kubernetes",
+          "nodename": "__KUBERNETES_NODE_NAME__",
+          "mtu": __CNI_MTU__,
+          "ipam": {
+              "type": "calico-ipam"
+          },
+          "policy": {
+              "type": "k8s"
+          },
+          "kubernetes": {
+              "kubeconfig": "__KUBECONFIG_FILEPATH__"
+          }
+        },
+        {
+          "type": "portmap",
+          "snat": true,
+          "capabilities": {"portMappings": true}
+        }
+      ]
+    }
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: felixconfigurations.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: FelixConfiguration
+    plural: felixconfigurations
+    singular: felixconfiguration
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ipamblocks.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: IPAMBlock
+    plural: ipamblocks
+    singular: ipamblock
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: blockaffinities.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: BlockAffinity
+    plural: blockaffinities
+    singular: blockaffinity
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ipamhandles.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: IPAMHandle
+    plural: ipamhandles
+    singular: ipamhandle
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ipamconfigs.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: IPAMConfig
+    plural: ipamconfigs
+    singular: ipamconfig
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: bgppeers.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: BGPPeer
+    plural: bgppeers
+    singular: bgppeer
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: bgpconfigurations.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: BGPConfiguration
+    plural: bgpconfigurations
+    singular: bgpconfiguration
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ippools.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: IPPool
+    plural: ippools
+    singular: ippool
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: hostendpoints.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: HostEndpoint
+    plural: hostendpoints
+    singular: hostendpoint
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterinformations.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: ClusterInformation
+    plural: clusterinformations
+    singular: clusterinformation
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: globalnetworkpolicies.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: GlobalNetworkPolicy
+    plural: globalnetworkpolicies
+    singular: globalnetworkpolicy
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: globalnetworksets.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: GlobalNetworkSet
+    plural: globalnetworksets
+    singular: globalnetworkset
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: networkpolicies.crd.projectcalico.org
+spec:
+  scope: Namespaced
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: NetworkPolicy
+    plural: networkpolicies
+    singular: networkpolicy
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: networksets.crd.projectcalico.org
+spec:
+  scope: Namespaced
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: NetworkSet
+    plural: networksets
+    singular: networkset
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: calico-kube-controllers
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - watch
+  - list
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - crd.projectcalico.org
+  resources:
+  - ippools
+  verbs:
+  - list
+- apiGroups:
+  - crd.projectcalico.org
+  resources:
+  - blockaffinities
+  - ipamblocks
+  - ipamhandles
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+- apiGroups:
+  - crd.projectcalico.org
+  resources:
+  - clusterinformations
+  verbs:
+  - get
+  - create
+  - update
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: calico-kube-controllers
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-kube-controllers
+subjects:
+- kind: ServiceAccount
+  name: calico-kube-controllers
+  namespace: kube-system
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: calico-node
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - nodes
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  - services
+  verbs:
+  - watch
+  - list
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - nodes/status
+  verbs:
+  - patch
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - networkpolicies
+  verbs:
+  - watch
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - namespaces
+  - serviceaccounts
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/status
+  verbs:
+  - patch
+- apiGroups:
+  - crd.projectcalico.org
+  resources:
+  - globalfelixconfigs
+  - felixconfigurations
+  - bgppeers
+  - globalbgpconfigs
+  - bgpconfigurations
+  - ippools
+  - ipamblocks
+  - globalnetworkpolicies
+  - globalnetworksets
+  - networkpolicies
+  - networksets
+  - clusterinformations
+  - hostendpoints
+  - blockaffinities
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - crd.projectcalico.org
+  resources:
+  - ippools
+  - felixconfigurations
+  - clusterinformations
+  verbs:
+  - create
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - crd.projectcalico.org
+  resources:
+  - bgpconfigurations
+  - bgppeers
+  verbs:
+  - create
+  - update
+- apiGroups:
+  - crd.projectcalico.org
+  resources:
+  - blockaffinities
+  - ipamblocks
+  - ipamhandles
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+- apiGroups:
+  - crd.projectcalico.org
+  resources:
+  - ipamconfigs
+  verbs:
+  - get
+- apiGroups:
+  - crd.projectcalico.org
+  resources:
+  - blockaffinities
+  verbs:
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-node
+subjects:
+- kind: ServiceAccount
+  name: calico-node
+  namespace: kube-system
+---
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: calico-node
+  namespace: kube-system
+  labels:
+    k8s-app: calico-node
+spec:
+  selector:
+    matchLabels:
+      k8s-app: calico-node
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  template:
+    metadata:
+      labels:
+        k8s-app: calico-node
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ""
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      hostNetwork: true
+      tolerations:
+      - effect: NoSchedule
+        operator: Exists
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
+      serviceAccountName: calico-node
+      terminationGracePeriodSeconds: 0
+      priorityClassName: system-node-critical
+      initContainers:
+      - name: upgrade-ipam
+        image: docker.io/calico/cni:v3.11.3
+        command:
+        - /opt/cni/bin/calico-ipam
+        - -upgrade
+        env:
+        - name: KUBERNETES_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: CALICO_NETWORKING_BACKEND
+          valueFrom:
+            configMapKeyRef:
+              name: calico-config
+              key: calico_backend
+        volumeMounts:
+        - mountPath: /var/lib/cni/networks
+          name: host-local-net-dir
+        - mountPath: /host/opt/cni/bin
+          name: cni-bin-dir
+        securityContext:
+          privileged: true
+      - name: install-cni
+        image: docker.io/calico/cni:v3.11.3
+        command:
+        - /install-cni.sh
+        env:
+        - name: CNI_CONF_NAME
+          value: 10-calico.conflist
+        - name: CNI_NETWORK_CONFIG
+          valueFrom:
+            configMapKeyRef:
+              name: calico-config
+              key: cni_network_config
+        - name: KUBERNETES_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: CNI_MTU
+          valueFrom:
+            configMapKeyRef:
+              name: calico-config
+              key: veth_mtu
+        - name: SLEEP
+          value: "false"
+        volumeMounts:
+        - mountPath: /host/opt/cni/bin
+          name: cni-bin-dir
+        - mountPath: /host/etc/cni/net.d
+          name: cni-net-dir
+        securityContext:
+          privileged: true
+      - name: flexvol-driver
+        image: docker.io/calico/pod2daemon-flexvol:v3.11.3
+        volumeMounts:
+        - name: flexvol-driver-host
+          mountPath: /host/driver
+        securityContext:
+          privileged: true
+      containers:
+      - name: calico-node
+        image: docker.io/calico/node:v3.11.3
+        env:
+        - name: DATASTORE_TYPE
+          value: kubernetes
+        - name: WAIT_FOR_DATASTORE
+          value: "true"
+        - name: NODENAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: CALICO_NETWORKING_BACKEND
+          valueFrom:
+            configMapKeyRef:
+              name: calico-config
+              key: calico_backend
+        - name: CLUSTER_TYPE
+          value: k8s,bgp
+        - name: IP
+          value: autodetect
+        - name: CALICO_IPV4POOL_IPIP
+          value: Always
+        - name: FELIX_IPINIPMTU
+          valueFrom:
+            configMapKeyRef:
+              name: calico-config
+              key: veth_mtu
+        - name: CALICO_IPV4POOL_CIDR
+          value: "192.168.0.0/16"
+        - name: CALICO_DISABLE_FILE_LOGGING
+          value: "true"
+        - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
+          value: ACCEPT
+        - name: FELIX_IPV6SUPPORT
+          value: "false"
+        - name: FELIX_LOGSEVERITYSCREEN
+          value: info
+        - name: FELIX_HEALTHENABLED
+          value: "true"
+        securityContext:
+          privileged: true
+        resources:
+          requests:
+            cpu: 250m
+        livenessProbe:
+          exec:
+            command:
+            - /bin/calico-node
+            - -felix-live
+            - -bird-live
+          periodSeconds: 10
+          initialDelaySeconds: 10
+          failureThreshold: 6
+        readinessProbe:
+          exec:
+            command:
+            - /bin/calico-node
+            - -felix-ready
+            - -bird-ready
+          periodSeconds: 10
+        volumeMounts:
+        - mountPath: /lib/modules
+          name: lib-modules
+          readOnly: true
+        - mountPath: /run/xtables.lock
+          name: xtables-lock
+          readOnly: false
+        - mountPath: /var/run/calico
+          name: var-run-calico
+          readOnly: false
+        - mountPath: /var/lib/calico
+          name: var-lib-calico
+          readOnly: false
+        - name: policysync
+          mountPath: /var/run/nodeagent
+      volumes:
+      - name: lib-modules
+        hostPath:
+          path: /lib/modules
+      - name: var-run-calico
+        hostPath:
+          path: /var/run/calico
+      - name: var-lib-calico
+        hostPath:
+          path: /var/lib/calico
+      - name: xtables-lock
+        hostPath:
+          path: /run/xtables.lock
+          type: FileOrCreate
+      - name: cni-bin-dir
+        hostPath:
+          path: /opt/cni/bin
+      - name: cni-net-dir
+        hostPath:
+          path: /etc/cni/net.d
+      - name: host-local-net-dir
+        hostPath:
+          path: /var/lib/cni/networks
+      - name: policysync
+        hostPath:
+          type: DirectoryOrCreate
+          path: /var/run/nodeagent
+      - name: flexvol-driver-host
+        hostPath:
+          type: DirectoryOrCreate
+          path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-node
+  namespace: kube-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: calico-kube-controllers
+  namespace: kube-system
+  labels:
+    k8s-app: calico-kube-controllers
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: calico-kube-controllers
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      name: calico-kube-controllers
+      namespace: kube-system
+      labels:
+        k8s-app: calico-kube-controllers
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ""
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+      serviceAccountName: calico-kube-controllers
+      priorityClassName: system-cluster-critical
+      containers:
+      - name: calico-kube-controllers
+        image: docker.io/calico/kube-controllers:v3.11.3
+        env:
+        - name: ENABLED_CONTROLLERS
+          value: node
+        - name: DATASTORE_TYPE
+          value: kubernetes
+        readinessProbe:
+          exec:
+            command:
+            - /usr/bin/check-status
+            - -r
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-kube-controllers
+  namespace: kube-system
+

addons/packages/calico/bundle/config/values.star

+load("@ytt:data", "data")
+load("@ytt:assert", "assert")
+
+def validate_calico():
+  data.values.infraProvider or assert.fail("Infrastructure provider should be provided")
+end
+
+#export
+values = data.values
+
+# validate
+validate_calico()