Change sense of Cilium IPTablesRulesNoinstall in v1alpha3

pkg/apis/kops/networking.go

@@ -387,9 +387,9 @@ type CiliumNetworkingSpec struct {
 	// "kubernetes" will use addersing based on node pod CIDR.
 	// Default: "kubernetes".
 	IPAM string `json:"ipam,omitempty"`
-	// IPTablesRulesNoinstall disables installing the base IPTables rules used for masquerading and kube-proxy.
-	// Default: false
-	IPTablesRulesNoinstall bool `json:"IPTablesRulesNoinstall,omitempty"`
+	// InstallIptablesRules enables installing the base IPTables rules used for masquerading and kube-proxy.
+	// Default: true
+	InstallIptablesRules *bool `json:"installIptablesRules,omitempty"`
 	// AutoDirectNodeRoutes adds automatic L2 routing between nodes.
 	// Default: false
 	AutoDirectNodeRoutes bool `json:"autoDirectNodeRoutes,omitempty"`

pkg/apis/kops/v1alpha2/conversion.go

@@ -48,6 +48,9 @@ func Convert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *Cili
 	if err := autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in, out, s); err != nil {
 		return err
 	}
+	if in.InstallIptablesRules != nil {
+		out.InstallIptablesRules = values.Bool(!*in.InstallIptablesRules)
+	}
 	if in.Masquerade != nil {
 		out.Masquerade = values.Bool(!*in.Masquerade)
 	}
@@ -58,6 +61,9 @@ func Convert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *kops
 	if err := autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in, out, s); err != nil {
 		return err
 	}
+	if in.InstallIptablesRules != nil {
+		out.InstallIptablesRules = values.Bool(!*in.InstallIptablesRules)
+	}
 	if in.Masquerade != nil {
 		out.Masquerade = values.Bool(!*in.Masquerade)
 	}

pkg/apis/kops/v1alpha2/networking.go

@@ -538,7 +538,7 @@ type CiliumNetworkingSpec struct {
 	IPAM string `json:"ipam,omitempty"`
 	// IPTablesRulesNoinstall disables installing the base IPTables rules used for masquerading and kube-proxy.
 	// Default: false
-	IPTablesRulesNoinstall bool `json:"IPTablesRulesNoinstall,omitempty"`
+	InstallIptablesRules *bool `json:"IPTablesRulesNoinstall,omitempty"`
 	// AutoDirectNodeRoutes adds automatic L2 routing between nodes.
 	// Default: false
 	AutoDirectNodeRoutes bool `json:"autoDirectNodeRoutes,omitempty"`

pkg/apis/kops/v1alpha2/zz_generated.conversion.go

@@ -1924,7 +1924,7 @@ func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *
 	out.ToFQDNsEnablePoller = in.ToFQDNsEnablePoller
 	// INFO: in.ContainerRuntimeLabels opted out of conversion generation
 	out.IPAM = in.IPAM
-	out.IPTablesRulesNoinstall = in.IPTablesRulesNoinstall
+	out.InstallIptablesRules = in.InstallIptablesRules
 	out.AutoDirectNodeRoutes = in.AutoDirectNodeRoutes
 	out.EnableHostReachableServices = in.EnableHostReachableServices
 	out.EnableNodePort = in.EnableNodePort
@@ -1984,7 +1984,7 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *
 	out.ToFQDNsDNSRejectResponseCode = in.ToFQDNsDNSRejectResponseCode
 	out.ToFQDNsEnablePoller = in.ToFQDNsEnablePoller
 	out.IPAM = in.IPAM
-	out.IPTablesRulesNoinstall = in.IPTablesRulesNoinstall
+	out.InstallIptablesRules = in.InstallIptablesRules
 	out.AutoDirectNodeRoutes = in.AutoDirectNodeRoutes
 	out.EnableHostReachableServices = in.EnableHostReachableServices
 	out.EnableNodePort = in.EnableNodePort

pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go

@@ -604,6 +604,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) {
 			(*out)[key] = val
 		}
 	}
+	if in.InstallIptablesRules != nil {
+		in, out := &in.InstallIptablesRules, &out.InstallIptablesRules
+		*out = new(bool)
+		**out = **in
+	}
 	if in.EnableRemoteNodeIdentity != nil {
 		in, out := &in.EnableRemoteNodeIdentity, &out.EnableRemoteNodeIdentity
 		*out = new(bool)

pkg/apis/kops/v1alpha3/networking.go

@@ -371,9 +371,9 @@ type CiliumNetworkingSpec struct {
 	// "kubernetes" will use addersing based on node pod CIDR.
 	// Default: "kubernetes".
 	IPAM string `json:"ipam,omitempty"`
-	// IPTablesRulesNoinstall disables installing the base IPTables rules used for masquerading and kube-proxy.
-	// Default: false
-	IPTablesRulesNoinstall bool `json:"IPTablesRulesNoinstall,omitempty"`
+	// InstallIptablesRules enables installing the base IPTables rules used for masquerading and kube-proxy.
+	// Default: true
+	InstallIptablesRules *bool `json:"installIptablesRules,omitempty"`
 	// AutoDirectNodeRoutes adds automatic L2 routing between nodes.
 	// Default: false
 	AutoDirectNodeRoutes bool `json:"autoDirectNodeRoutes,omitempty"`

pkg/apis/kops/v1alpha3/zz_generated.conversion.go

@@ -1835,7 +1835,7 @@ func autoConvert_v1alpha3_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *
 	out.ToFQDNsDNSRejectResponseCode = in.ToFQDNsDNSRejectResponseCode
 	out.ToFQDNsEnablePoller = in.ToFQDNsEnablePoller
 	out.IPAM = in.IPAM
-	out.IPTablesRulesNoinstall = in.IPTablesRulesNoinstall
+	out.InstallIptablesRules = in.InstallIptablesRules
 	out.AutoDirectNodeRoutes = in.AutoDirectNodeRoutes
 	out.EnableHostReachableServices = in.EnableHostReachableServices
 	out.EnableNodePort = in.EnableNodePort
@@ -1895,7 +1895,7 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha3_CiliumNetworkingSpec(in *
 	out.ToFQDNsDNSRejectResponseCode = in.ToFQDNsDNSRejectResponseCode
 	out.ToFQDNsEnablePoller = in.ToFQDNsEnablePoller
 	out.IPAM = in.IPAM
-	out.IPTablesRulesNoinstall = in.IPTablesRulesNoinstall
+	out.InstallIptablesRules = in.InstallIptablesRules
 	out.AutoDirectNodeRoutes = in.AutoDirectNodeRoutes
 	out.EnableHostReachableServices = in.EnableHostReachableServices
 	out.EnableNodePort = in.EnableNodePort

pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go

@@ -566,6 +566,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) {
 			(*out)[key] = val
 		}
 	}
+	if in.InstallIptablesRules != nil {
+		in, out := &in.InstallIptablesRules, &out.InstallIptablesRules
+		*out = new(bool)
+		**out = **in
+	}
 	if in.EnableRemoteNodeIdentity != nil {
 		in, out := &in.EnableRemoteNodeIdentity, &out.EnableRemoteNodeIdentity
 		*out = new(bool)

pkg/apis/kops/validation/validation.go

@@ -922,8 +922,8 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe
 		}
 	}
 
-	if fi.BoolValue(v.EnableL7Proxy) && v.IPTablesRulesNoinstall {
-		allErrs = append(allErrs, field.Forbidden(fldPath.Child("enableL7Proxy"), "Cilium L7 Proxy requires IPTablesRules to be installed."))
+	if fi.BoolValue(v.EnableL7Proxy) && v.InstallIptablesRules != nil && !*v.InstallIptablesRules {
+		allErrs = append(allErrs, field.Forbidden(fldPath.Child("enableL7Proxy"), "Cilium L7 Proxy requires installIptablesRules."))
 	}
 
 	if v.IPAM != "" {

pkg/apis/kops/validation/validation_test.go

@@ -856,7 +856,7 @@ func Test_Validate_Cilium(t *testing.T) {
 		{
 			Cilium: kops.CiliumNetworkingSpec{
 				EnableL7Proxy:        fi.Bool(true),
-				IPTablesRulesNoinstall: true,
+				InstallIptablesRules: fi.Bool(false),
 			},
 			Spec: kops.ClusterSpec{
 				CloudProvider: "aws",

pkg/apis/kops/zz_generated.deepcopy.go

@@ -642,6 +642,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) {
 			(*out)[key] = val
 		}
 	}
+	if in.InstallIptablesRules != nil {
+		in, out := &in.InstallIptablesRules, &out.InstallIptablesRules
+		*out = new(bool)
+		**out = **in
+	}
 	if in.EnableRemoteNodeIdentity != nil {
 		in, out := &in.EnableRemoteNodeIdentity, &out.EnableRemoteNodeIdentity
 		*out = new(bool)

tests/integration/conversion/cilium/v1alpha2.yaml

@@ -38,6 +38,7 @@ spec:
   networkCIDR: 172.20.0.0/16
   networking:
     cilium:
+      IPTablesRulesNoinstall: true
       disableMasquerade: true
   nonMasqueradeCIDR: 100.64.0.0/10
   sshAccess:

tests/integration/conversion/cilium/v1alpha3.yaml

@@ -37,6 +37,7 @@ spec:
   networkCIDR: 172.20.0.0/16
   networking:
     cilium:
+      installIptablesRules: false
       masquerade: false
   nonMasqueradeCIDR: 100.64.0.0/10
   sshAccess:

upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.8.yaml.template

@@ -149,7 +149,7 @@ data:
   # - auto (automatically detect the container runtime)
   #
   masquerade: "{{ .Masquerade }}"
-  install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}"
+  install-iptables-rules: "{{ WithDefaultBool .InstallIptablesRules true }}"
   auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}"
   {{ if .EnableHostReachableServices }}
   enable-host-reachable-services: "{{ .EnableHostReachableServices }}"

upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template

@@ -202,7 +202,7 @@ data:
   # - auto (automatically detect the container runtime)
   #
   masquerade: "{{ .Masquerade }}"
-  install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}"
+  install-iptables-rules: "{{ WithDefaultBool .InstallIptablesRules true }}"
   auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}"
   {{ if .EnableHostReachableServices }}
   enable-host-reachable-services: "{{ .EnableHostReachableServices }}"

upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template

@@ -223,7 +223,7 @@ data:
   #
   masquerade: "{{ .Masquerade }}"
   enable-ipv6-masquerade: "false"
-  install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}"
+  install-iptables-rules: "{{ WithDefaultBool .InstallIptablesRules true }}"
   auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}"
   {{ if .EnableHostReachableServices }}
   enable-host-reachable-services: "{{ .EnableHostReachableServices }}"