From 5a60d34e14249b69334fe95288517f6c961093e5 Mon Sep 17 00:00:00 2001
From: John Gardiner Myers
Date: Thu, 25 Nov 2021 17:40:12 -0800
Subject: [PATCH] Change sense of Cilium IPTablesRulesNoinstall in v1alpha3
---
 pkg/apis/kops/networking.go | 6 +++---
 pkg/apis/kops/v1alpha2/conversion.go | 6 ++++++
 pkg/apis/kops/v1alpha2/networking.go | 2 +-
 pkg/apis/kops/v1alpha2/zz_generated.conversion.go | 4 ++--
 pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go | 5 +++++
 pkg/apis/kops/v1alpha3/networking.go | 6 +++---
 pkg/apis/kops/v1alpha3/zz_generated.conversion.go | 4 ++--
 pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go | 5 +++++
 pkg/apis/kops/validation/validation.go | 4 ++--
 pkg/apis/kops/validation/validation_test.go | 4 ++--
 pkg/apis/kops/zz_generated.deepcopy.go | 5 +++++
 tests/integration/conversion/cilium/v1alpha2.yaml | 1 +
 tests/integration/conversion/cilium/v1alpha3.yaml | 1 +
 .../addons/networking.cilium.io/k8s-1.12-v1.8.yaml.template | 2 +-
 .../addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template | 2 +-
 .../networking.cilium.io/k8s-1.16-v1.10.yaml.template | 2 +-
 16 files changed, 41 insertions(+), 18 deletions(-)
diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go
index 9641ec1691..c2314fb262 100644
--- a/pkg/apis/kops/networking.go
+++ b/pkg/apis/kops/networking.go
@@ -387,9 +387,9 @@ type CiliumNetworkingSpec struct {
 // "kubernetes" will use addersing based on node pod CIDR.
 // Default: "kubernetes".
 IPAM string `json:"ipam,omitempty"`
- // IPTablesRulesNoinstall disables installing the base IPTables rules used for masquerading and kube-proxy.
- // Default: false
- IPTablesRulesNoinstall bool `json:"IPTablesRulesNoinstall,omitempty"`
+ // InstallIptablesRules enables installing the base IPTables rules used for masquerading and kube-proxy.
+ // Default: true
+ InstallIptablesRules *bool `json:"installIptablesRules,omitempty"`
 // AutoDirectNodeRoutes adds automatic L2 routing between nodes.
 // Default: false
 AutoDirectNodeRoutes bool `json:"autoDirectNodeRoutes,omitempty"`
diff --git a/pkg/apis/kops/v1alpha2/conversion.go b/pkg/apis/kops/v1alpha2/conversion.go
index b63f2da07c..914efd676c 100644
--- a/pkg/apis/kops/v1alpha2/conversion.go
+++ b/pkg/apis/kops/v1alpha2/conversion.go
@@ -48,6 +48,9 @@ func Convert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *Cili
 if err := autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in, out, s); err != nil {
 return err
 }
+ if in.InstallIptablesRules != nil {
+ out.InstallIptablesRules = values.Bool(!*in.InstallIptablesRules)
+ }
 if in.Masquerade != nil {
 out.Masquerade = values.Bool(!*in.Masquerade)
 }
@@ -58,6 +61,9 @@ func Convert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *kops
 if err := autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in, out, s); err != nil {
 return err
 }
+ if in.InstallIptablesRules != nil {
+ out.InstallIptablesRules = values.Bool(!*in.InstallIptablesRules)
+ }
 if in.Masquerade != nil {
 out.Masquerade = values.Bool(!*in.Masquerade)
 }
diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go
index 23ffeac078..33d508afc8 100644
--- a/pkg/apis/kops/v1alpha2/networking.go
+++ b/pkg/apis/kops/v1alpha2/networking.go
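Review bot: The doc comment on `InstallIptablesRules` in the pkg/apis/kops/networking.go hunk gives `Default: true` but does not say what an unset value means now that the field is a `*bool`. Elsewhere in this patch nil is treated as true (the validation check only fires on an explicit false, and the addon templates call `WithDefaultBool .InstallIptablesRules true`), so spell it out: `// Default: true (an unset value is treated as true)`. The identical comment in the pkg/apis/kops/v1alpha3/networking.go hunk needs the same line. The struct starts and ends outside this hunk.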
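Review bot: The two added `if in.InstallIptablesRules != nil` blocks in pkg/apis/kops/v1alpha2/conversion.go negate a field into a field of the same name, which reads like a mistake unless the reader already knows the v1alpha2 field still serializes as `IPTablesRulesNoinstall`. Put a one-line comment above the negation in both Convert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec and Convert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec, for example `// v1alpha2 stores the inverted sense (IPTablesRulesNoinstall), so negate when converting.` Both function bodies run past the end of their hunks.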
@@ -538,7 +538,7 @@ type CiliumNetworkingSpec struct { IPAM string `json:"ipam,omitempty"` // IPTablesRulesNoinstall disables installing the base IPTables rules used for masquerading and kube-proxy. // Default: false - IPTablesRulesNoinstall bool `json:"IPTablesRulesNoinstall,omitempty"` + InstallIptablesRules *bool `json:"IPTablesRulesNoinstall,omitempty"` // AutoDirectNodeRoutes adds automatic L2 routing between nodes. // Default: false AutoDirectNodeRoutes bool `json:"autoDirectNodeRoutes,omitempty"` diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go index 4507ad5699..9aa1ec76c8 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go @@ -1924,7 +1924,7 @@ func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in * out.ToFQDNsEnablePoller = in.ToFQDNsEnablePoller // INFO: in.ContainerRuntimeLabels opted out of conversion generation out.IPAM = in.IPAM - out.IPTablesRulesNoinstall = in.IPTablesRulesNoinstall + out.InstallIptablesRules = in.InstallIptablesRules out.AutoDirectNodeRoutes = in.AutoDirectNodeRoutes out.EnableHostReachableServices = in.EnableHostReachableServices out.EnableNodePort = in.EnableNodePort @@ -1984,7 +1984,7 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in * out.ToFQDNsDNSRejectResponseCode = in.ToFQDNsDNSRejectResponseCode out.ToFQDNsEnablePoller = in.ToFQDNsEnablePoller out.IPAM = in.IPAM - out.IPTablesRulesNoinstall = in.IPTablesRulesNoinstall + out.InstallIptablesRules = in.InstallIptablesRules out.AutoDirectNodeRoutes = in.AutoDirectNodeRoutes out.EnableHostReachableServices = in.EnableHostReachableServices out.EnableNodePort = in.EnableNodePort diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go index a6d2dac507..aaa1880511 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go 
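Review bot: In the pkg/apis/kops/v1alpha2/networking.go hunk the renamed field `InstallIptablesRules` keeps the old doc comment (`IPTablesRulesNoinstall disables installing …`, `Default: false`) and the old JSON tag, so in this package a true value means the base iptables rules are not installed, the opposite of what the Go name says. Code that reads the v1alpha2 struct directly rather than going through conversion could switch off the masquerading and kube-proxy rules by accident. Rewrite the comment to start with the new name and state the inversion, e.g. `// InstallIptablesRules holds the v1alpha2 IPTablesRulesNoinstall setting; true DISABLES installing the base iptables rules.` The Go name presumably matches the internal field so that the generated conversion lines up, and the comment should say so. The struct starts and ends outside this hunk.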
+++ b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go @@ -604,6 +604,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) { (*out)[key] = val } } + if in.InstallIptablesRules != nil { + in, out := &in.InstallIptablesRules, &out.InstallIptablesRules + *out = new(bool) + **out = **in + } if in.EnableRemoteNodeIdentity != nil { in, out := &in.EnableRemoteNodeIdentity, &out.EnableRemoteNodeIdentity *out = new(bool) diff --git a/pkg/apis/kops/v1alpha3/networking.go b/pkg/apis/kops/v1alpha3/networking.go index 6cc7af3b32..456aa869a7 100644 --- a/pkg/apis/kops/v1alpha3/networking.go +++ b/pkg/apis/kops/v1alpha3/networking.go @@ -371,9 +371,9 @@ type CiliumNetworkingSpec struct { // "kubernetes" will use addersing based on node pod CIDR. // Default: "kubernetes". IPAM string `json:"ipam,omitempty"` - // IPTablesRulesNoinstall disables installing the base IPTables rules used for masquerading and kube-proxy. - // Default: false - IPTablesRulesNoinstall bool `json:"IPTablesRulesNoinstall,omitempty"` + // InstallIptablesRules enables installing the base IPTables rules used for masquerading and kube-proxy. + // Default: true + InstallIptablesRules *bool `json:"installIptablesRules,omitempty"` // AutoDirectNodeRoutes adds automatic L2 routing between nodes. // Default: false AutoDirectNodeRoutes bool `json:"autoDirectNodeRoutes,omitempty"` diff --git a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go index af1dc73753..f05048753a 100644 --- a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go 
@@ -1835,7 +1835,7 @@ func autoConvert_v1alpha3_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in * out.ToFQDNsDNSRejectResponseCode = in.ToFQDNsDNSRejectResponseCode out.ToFQDNsEnablePoller = in.ToFQDNsEnablePoller out.IPAM = in.IPAM - out.IPTablesRulesNoinstall = in.IPTablesRulesNoinstall + out.InstallIptablesRules = in.InstallIptablesRules out.AutoDirectNodeRoutes = in.AutoDirectNodeRoutes out.EnableHostReachableServices = in.EnableHostReachableServices out.EnableNodePort = in.EnableNodePort @@ -1895,7 +1895,7 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha3_CiliumNetworkingSpec(in * out.ToFQDNsDNSRejectResponseCode = in.ToFQDNsDNSRejectResponseCode out.ToFQDNsEnablePoller = in.ToFQDNsEnablePoller out.IPAM = in.IPAM - out.IPTablesRulesNoinstall = in.IPTablesRulesNoinstall + out.InstallIptablesRules = in.InstallIptablesRules out.AutoDirectNodeRoutes = in.AutoDirectNodeRoutes out.EnableHostReachableServices = in.EnableHostReachableServices out.EnableNodePort = in.EnableNodePort diff --git a/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go index bfc7b5bcde..1497dd7414 100644 --- a/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go +++ b/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go @@ -566,6 +566,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) { (*out)[key] = val } } + if in.InstallIptablesRules != nil { + in, out := &in.InstallIptablesRules, &out.InstallIptablesRules + *out = new(bool) + **out = **in + } if in.EnableRemoteNodeIdentity != nil { in, out := &in.EnableRemoteNodeIdentity, &out.EnableRemoteNodeIdentity *out = new(bool) diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go index f8c76cc747..145ec6ae9e 100644 --- a/pkg/apis/kops/validation/validation.go +++ b/pkg/apis/kops/validation/validation.go 
@@ -922,8 +922,8 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe } } - if fi.BoolValue(v.EnableL7Proxy) && v.IPTablesRulesNoinstall { - allErrs = append(allErrs, field.Forbidden(fldPath.Child("enableL7Proxy"), "Cilium L7 Proxy requires IPTablesRules to be installed.")) + if fi.BoolValue(v.EnableL7Proxy) && v.InstallIptablesRules != nil && !*v.InstallIptablesRules { + allErrs = append(allErrs, field.Forbidden(fldPath.Child("enableL7Proxy"), "Cilium L7 Proxy requires installIptablesRules.")) } if v.IPAM != "" { diff --git a/pkg/apis/kops/validation/validation_test.go b/pkg/apis/kops/validation/validation_test.go index 8d2b3ab158..6cab200213 100644 --- a/pkg/apis/kops/validation/validation_test.go +++ b/pkg/apis/kops/validation/validation_test.go @@ -855,8 +855,8 @@ func Test_Validate_Cilium(t *testing.T) { }, { Cilium: kops.CiliumNetworkingSpec{ - EnableL7Proxy: fi.Bool(true), - IPTablesRulesNoinstall: true, + EnableL7Proxy: fi.Bool(true), + InstallIptablesRules: fi.Bool(false), }, Spec: kops.ClusterSpec{ CloudProvider: "aws", diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go index 1d63f9e24f..37b8b7052f 100644 --- a/pkg/apis/kops/zz_generated.deepcopy.go +++ b/pkg/apis/kops/zz_generated.deepcopy.go @@ -642,6 +642,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) { (*out)[key] = val } } + if in.InstallIptablesRules != nil { + in, out := &in.InstallIptablesRules, &out.InstallIptablesRules + *out = new(bool) + **out = **in + } if in.EnableRemoteNodeIdentity != nil { in, out := &in.EnableRemoteNodeIdentity, &out.EnableRemoteNodeIdentity *out = new(bool) diff --git a/tests/integration/conversion/cilium/v1alpha2.yaml b/tests/integration/conversion/cilium/v1alpha2.yaml index 985e98055a..255ac9415a 100644 --- a/tests/integration/conversion/cilium/v1alpha2.yaml +++ b/tests/integration/conversion/cilium/v1alpha2.yaml 
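Review bot: The new message `Cilium L7 Proxy requires installIptablesRules.` in the validation.go hunk names only the v1alpha3 key and no longer says which value is required, so a user whose v1alpha2 manifest sets `IPTablesRulesNoinstall: true` gets an error that points at a field they never wrote. Suggest `"Cilium L7 Proxy requires the base iptables rules to be installed (installIptablesRules must not be false)."`. The validation_test.go hunk that follows only shows the explicit `fi.Bool(false)` case; if the table has no entry with `EnableL7Proxy` set and `InstallIptablesRules` left nil, add one so the default-true path stays accepted. validateNetworkingCilium continues outside the hunk.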
@@ -38,6 +38,7 @@ spec:
 networkCIDR: 172.20.0.0/16
 networking:
 cilium:
+ IPTablesRulesNoinstall: true
 disableMasquerade: true
 nonMasqueradeCIDR: 100.64.0.0/10
 sshAccess:
diff --git a/tests/integration/conversion/cilium/v1alpha3.yaml b/tests/integration/conversion/cilium/v1alpha3.yaml
index 92103216fa..daa133d53c 100644
--- a/tests/integration/conversion/cilium/v1alpha3.yaml
+++ b/tests/integration/conversion/cilium/v1alpha3.yaml
@@ -37,6 +37,7 @@ spec:
 networkCIDR: 172.20.0.0/16
 networking:
 cilium:
+ installIptablesRules: false
 masquerade: false
 nonMasqueradeCIDR: 100.64.0.0/10
 sshAccess:
diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.8.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.8.yaml.template
index 09ad06cf1e..e569283f7e 100644
--- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.8.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.8.yaml.template
@@ -149,7 +149,7 @@ data:
 # - auto (automatically detect the container runtime)
 #
 masquerade: "{{ .Masquerade }}"
- install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}"
+ install-iptables-rules: "{{ WithDefaultBool .InstallIptablesRules true }}"
 auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}"
 {{ if .EnableHostReachableServices }}
 enable-host-reachable-services: "{{ .EnableHostReachableServices }}"
diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template
index 70b3346867..6e81505bba 100644
--- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template
@@ -202,7 +202,7 @@ data:
 # - auto (automatically detect the container runtime)
 #
 masquerade: "{{ .Masquerade }}"
- install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}"
+ install-iptables-rules: "{{ WithDefaultBool .InstallIptablesRules true }}"
 auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}"
 {{ if .EnableHostReachableServices }}
 enable-host-reachable-services: "{{ .EnableHostReachableServices }}"
diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template
index 03bcf25aee..92f36cd1f3 100644
--- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template
@@ -223,7 +223,7 @@ data:
 #
 masquerade: "{{ .Masquerade }}"
 enable-ipv6-masquerade: "false"
- install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}"
+ install-iptables-rules: "{{ WithDefaultBool .InstallIptablesRules true }}"
 auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}"
 {{ if .EnableHostReachableServices }}
 enable-host-reachable-services: "{{ .EnableHostReachableServices }}"