Use capzicommunity ACR cache references for calico/tigera images

Signed-off-by: Mark Rossett <[email protected]>

Author: marosset

Makefile

@@ -559,10 +559,9 @@ generate-e2e-templates: $(KUSTOMIZE) ## Generate Azure infrastructure templates
 	$(KUSTOMIZE) build $(AZURE_TEMPLATES)/v1beta1/cluster-template-aks --load-restrictor LoadRestrictionsNone > $(AZURE_TEMPLATES)/v1beta1/cluster-template-aks.yaml
 
 .PHONY: generate-addons
-generate-addons: fetch-calico-manifests ## Generate metric-server, calico, calico-ipv6, azure cni v1 addons.
-	$(KUSTOMIZE) build $(ADDONS_DIR)/metrics-server > $(ADDONS_DIR)/metrics-server/metrics-server.yaml
-	$(KUSTOMIZE) build $(ADDONS_DIR)/calico > $(ADDONS_DIR)/calico.yaml
+generate-addons: fetch-calico-manifests $(ENVSUBST)
 	$(KUSTOMIZE) build $(ADDONS_DIR)/metrics-server > $(ADDONS_DIR)/metrics-server/metrics-server.yaml
+	$(KUSTOMIZE) build $(ADDONS_DIR)/calico | $(ENVSUBST) > $(ADDONS_DIR)/calico.yaml
 	$(KUSTOMIZE) build $(ADDONS_DIR)/azure-cni-v1 > $(ADDONS_DIR)/azure-cni-v1.yaml
 
 .PHONY: generate-aso-crds
@@ -577,7 +576,6 @@ generate-aso-crds: $(YQ)
 		sed 's/\$$\$$/$$$$$$$$/g' \
 		> $(ASO_CRDS_PATH)
 
-# When updating this, make sure to also update the Windows image version in templates/addons/windows/calico.
 export CALICO_VERSION := v3.29.4
 # Where all downloaded Calico manifests are unpacked and stored.
 CALICO_RELEASES := $(ARTIFACTS)/calico

templates/addons/calico-dual-stack/values.yaml

@@ -17,7 +17,7 @@ installation:
       encapsulation: None
       natOutgoing: Enabled
       nodeSelector: all()
-  registry: quay.io
+  registry: capzcicommunity.azurecr.io
 # By default, tigera tolerates all NoSchedule taints. This breaks upgrades
 # when it continuously gets scheduled onto an out-of-date Node that is being
 # deleted. Tolerate only the NoSchedule taints that are expected.
@@ -33,6 +33,6 @@ tolerations:
 # Image and registry configuration for the tigera/operator pod.
 tigeraOperator:
   image: tigera/operator
-  registry: quay.io
+  registry: capzcicommunity.azurecr.io
 calicoctl:
-  image: quay.io/calico/ctl
+  image: capzcicommunity.azurecr.io/calico/ctl

templates/addons/calico-ipv6/values.yaml

@@ -12,7 +12,7 @@ installation:
       encapsulation: None
       natOutgoing: Enabled
       nodeSelector: all()
-  registry: quay.io
+  registry: capzcicommunity.azurecr.io
 # By default, tigera tolerates all NoSchedule taints. This breaks upgrades
 # when it continuously gets scheduled onto an out-of-date Node that is being
 # deleted. Tolerate only the NoSchedule taints that are expected.
@@ -28,6 +28,6 @@ tolerations:
 # Image and registry configuration for the tigera/operator pod.Add commentMore actions
 tigeraOperator:
   image: tigera/operator
-  registry: quay.io
+  registry: capzcicommunity.azurecr.io
 calicoctl:
-  image: quay.io/calico/ctl
+  image: capzcicommunity.azurecr.io/calico/ctl

templates/addons/calico.yaml

@@ -6063,7 +6063,7 @@ spec:
           value: node
         - name: DATASTORE_TYPE
           value: kubernetes
-        image: quay.io/calico/kube-controllers:v3.29.4
+        image: capzcicommunity.azurecr.io/calico/kube-controllers:v3.29.4
         imagePullPolicy: IfNotPresent
         livenessProbe:
           exec:
@@ -6181,7 +6181,7 @@ spec:
         - configMapRef:
             name: kubernetes-services-endpoint
             optional: true
-        image: quay.io/calico/node:v3.29.4
+        image: capzcicommunity.azurecr.io/calico/node:v3.29.4
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -6253,7 +6253,7 @@ spec:
         - configMapRef:
             name: kubernetes-services-endpoint
             optional: true
-        image: quay.io/calico/cni:v3.29.4
+        image: capzcicommunity.azurecr.io/calico/cni:v3.29.4
         imagePullPolicy: IfNotPresent
         name: upgrade-ipam
         securityContext:
@@ -6288,7 +6288,7 @@ spec:
         - configMapRef:
             name: kubernetes-services-endpoint
             optional: true
-        image: quay.io/calico/cni:v3.29.4
+        image: capzcicommunity.azurecr.io/calico/cni:v3.29.4
         imagePullPolicy: IfNotPresent
         name: install-cni
         securityContext:
@@ -6302,7 +6302,7 @@ spec:
         - calico-node
         - -init
         - -best-effort
-        image: quay.io/calico/node:v3.29.4
+        image: capzcicommunity.azurecr.io/calico/node:v3.29.4
         imagePullPolicy: IfNotPresent
         name: mount-bpffs
         securityContext:

templates/addons/calico/kustomization.yaml

@@ -12,4 +12,4 @@ patches:
     name: calico-kube-controllers
     namespace: kube-system
 - path: patches/azure-mtu.yaml
-- path: patches/replace-docker-with-quay.yaml
+- path: patches/use-capz-acr.yaml

templates/addons/calico/patches/replace-docker-with-quay.yaml renamed to templates/addons/calico/patches/use-capz-acr.yaml

@@ -8,14 +8,14 @@ spec:
     spec:
       initContainers:
       - name: upgrade-ipam
-        image: quay.io/calico/cni:v3.29.4
+        image: capzcicommunity.azurecr.io/calico/cni:${CALICO_VERSION}
       - name: install-cni
-        image: quay.io/calico/cni:v3.29.4
+        image: capzcicommunity.azurecr.io/calico/cni:${CALICO_VERSION}
       - name: mount-bpffs
-        image: quay.io/calico/node:v3.29.4
+        image: capzcicommunity.azurecr.io/calico/node:${CALICO_VERSION}
       containers:
       - name: calico-node
-        image: quay.io/calico/node:v3.29.4
+        image: capzcicommunity.azurecr.io/calico/node:${CALICO_VERSION}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -27,4 +27,4 @@ spec:
     spec:
       containers:
       - name: calico-kube-controllers
-        image: quay.io/calico/kube-controllers:v3.29.4
+        image: capzcicommunity.azurecr.io/calico/kube-controllers:${CALICO_VERSION}

templates/addons/calico/values.yaml

@@ -10,13 +10,13 @@ installation:
     - cidr: 192.168.0.0/16
       encapsulation: VXLAN
     windowsDataplane: HNS
-  registry: quay.io
+  registry: capzcicommunity.azurecr.io
   # Image and registry configuration for the tigera/operator pod.
   tigeraOperator:
     image: tigera/operator
-    registry: quay.io
+    registry: capzcicommunity.azurecr.io
   calicoctl:
-    image: quay.io/calico/ctl
+    image: capzcicommunity.azurecr.io/calico/ctl
   serviceCIDRs: 
     - 10.96.0.0/12 # must match cluster service CIDR (this is the default)
 # By default, tigera tolerates all NoSchedule taints. This breaks upgrades

templates/addons/cluster-api-helm/calico-dual-stack.yaml

@@ -56,13 +56,13 @@ spec:
                       matchExpressions:
                       - key: node-role.kubernetes.io/control-plane
                         operator: Exists
-      registry: quay.io
-      # Image and registry configuration for the tigera/operator pod.
-      tigeraOperator:
-        image: tigera/operator
-        registry: quay.io
-      calicoctl:
-        image: quay.io/calico/ctl
+      registry: capzcicommunity.azurecr.io
+    # Image and registry configuration for the tigera/operator pod.
+    tigeraOperator:
+      image: tigera/operator
+      registry: capzcicommunity.azurecr.io
+    calicoctl:
+      image: capzcicommunity.azurecr.io/calico/ctl
     # By default, tigera tolerates all NoSchedule taints. This breaks upgrades
     # when it continuously gets scheduled onto an out-of-date Node that is being
     # deleted. Tolerate only the NoSchedule taints that are expected.

templates/addons/cluster-api-helm/calico-ipv6.yaml

@@ -51,13 +51,13 @@ spec:
                       matchExpressions:
                       - key: node-role.kubernetes.io/control-plane
                         operator: Exists
-      registry: quay.io
-      # Image and registry configuration for the tigera/operator pod.
-      tigeraOperator:
-        image: tigera/operator
-        registry: quay.io
-      calicoctl:
-        image: quay.io/calico/ctl
+      registry: capzcicommunity.azurecr.io
+    # Image and registry configuration for the tigera/operator pod.
+    tigeraOperator:
+      image: tigera/operator
+      registry: capzcicommunity.azurecr.io
+    calicoctl:
+      image: capzcicommunity.azurecr.io/calico/ctl
     # By default, tigera tolerates all NoSchedule taints. This breaks upgrades
     # when it continuously gets scheduled onto an out-of-date Node that is being
     # deleted. Tolerate only the NoSchedule taints that are expected.

templates/addons/cluster-api-helm/calico.yaml

@@ -49,15 +49,15 @@ spec:
                       matchExpressions:
                       - key: node-role.kubernetes.io/control-plane
                         operator: Exists
-      registry: quay.io
+      registry: capzcicommunity.azurecr.io
       serviceCIDRs:
         - 10.96.0.0/12 # must match cluster service CIDR (this is the default)
-      # Image and registry configuration for the tigera/operator pod
-      tigeraOperator:
-        image: tigera/operator
-        registry: quay.io
-      calicoctl:
-        image: quay.io/calico/ctl
+    # Image and registry configuration for the tigera/operator pod
+    tigeraOperator:
+      image: tigera/operator
+      registry: capzcicommunity.azurecr.io
+    calicoctl:
+      image: capzcicommunity.azurecr.io/calico/ctl
     # when kubernetesServiceEndpoint (required for windows) is added
     # DNS configuration is needed to look up the api server name properly
     # https://github.com/projectcalico/calico/issues/9536