Our current deploy strategy is:
- Deploy via Debian packages (calicoctl, calico-cni)
- Deploy calico-node (as a Docker container, launched by systemd) via Puppet (modules/calico/manifests/init.pp)
- Deploy calico-policy-controller via helmfile.d/admin (internal_charts/wmf-calico-policy-controller/)

With upcoming k8s and calico updates it would be nice to have this less scattered, like:
- Deploy via Debian packages (calicoctl, calico-cni)
- Deploy CRDs, RBAC, calico-node, typha, calico-policy-controller via a helm chart and helmfile.d/admin

Unfortunately, this is not easily possible with helm2 & tiller, as there is a catch-22 in accessing the k8s API from tiller prior to having the policy-controller running. Also, deploying calico-node as a DaemonSet would require us to run the pod privileged, which we currently prohibit globally, I suppose.