From 837176340d6c67d539e7069f6be0b01a667b770a Mon Sep 17 00:00:00 2001 From: John Gardiner Myers Date: Thu, 25 Nov 2021 14:33:20 -0800 Subject: [PATCH] Change sense of Cilium DisableMasquerade in v1alpha3 --- pkg/apis/kops/networking.go | 5 +- pkg/apis/kops/v1alpha2/conversion.go | 20 ++++ pkg/apis/kops/v1alpha2/networking.go | 2 +- .../kops/v1alpha2/zz_generated.conversion.go | 34 +++---- .../kops/v1alpha2/zz_generated.deepcopy.go | 4 +- pkg/apis/kops/v1alpha3/networking.go | 5 +- .../kops/v1alpha3/zz_generated.conversion.go | 4 +- .../kops/v1alpha3/zz_generated.deepcopy.go | 4 +- pkg/apis/kops/validation/validation.go | 4 +- pkg/apis/kops/validation/validation_test.go | 10 +- pkg/apis/kops/zz_generated.deepcopy.go | 4 +- pkg/commands/set_cluster_test.go | 12 +-- pkg/commands/unset_cluster_test.go | 12 +-- pkg/model/components/cilium.go | 4 +- tests/integration/conversion/BUILD.bazel | 1 + .../conversion/cilium/v1alpha2.yaml | 92 +++++++++++++++++++ .../conversion/cilium/v1alpha3.yaml | 91 ++++++++++++++++++ .../conversion/integration_test.go | 5 + ...cket_object_cluster-completed.spec_content | 2 +- .../k8s-1.12-v1.8.yaml.template | 2 +- .../k8s-1.12-v1.9.yaml.template | 2 +- .../k8s-1.16-v1.10.yaml.template | 2 +- 22 files changed, 261 insertions(+), 60 deletions(-) create mode 100644 tests/integration/conversion/cilium/v1alpha2.yaml create mode 100644 tests/integration/conversion/cilium/v1alpha3.yaml diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go index c129e40e3f..9641ec1691 100644 --- a/pkg/apis/kops/networking.go +++ b/pkg/apis/kops/networking.go 
@@ -321,8 +321,9 @@ type CiliumNetworkingSpec struct { // IdentityChangeGracePeriod specifies the duration to wait before using a changed identity. // Default: 5s IdentityChangeGracePeriod string `json:"identityChangeGracePeriod,omitempty"` - // DisableMasquerade disables masquerading traffic to external destinations behind the node IP. - DisableMasquerade *bool `json:"disableMasquerade,omitempty"` + // Masquerade enables masquerading IPv4 traffic to external destinations behind the node IP. + // Default: false if IPAM is "eni" or in IPv6 mode, otherwise true + Masquerade *bool `json:"masquerade,omitempty"` // AgentPodAnnotations makes possible to add additional annotations to cilium agent. // Default: none AgentPodAnnotations map[string]string `json:"agentPodAnnotations,omitempty"` diff --git a/pkg/apis/kops/v1alpha2/conversion.go b/pkg/apis/kops/v1alpha2/conversion.go index b37346ac43..b63f2da07c 100644 --- a/pkg/apis/kops/v1alpha2/conversion.go +++ b/pkg/apis/kops/v1alpha2/conversion.go 
@@ -44,6 +44,26 @@ func Convert_kops_CanalNetworkingSpec_To_v1alpha2_CanalNetworkingSpec(in *kops.C return nil } +func Convert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *CiliumNetworkingSpec, out *kops.CiliumNetworkingSpec, s conversion.Scope) error { + if err := autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in, out, s); err != nil { + return err + } + if in.Masquerade != nil { + out.Masquerade = values.Bool(!*in.Masquerade) + } + return nil +} + +func Convert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *kops.CiliumNetworkingSpec, out *CiliumNetworkingSpec, s conversion.Scope) error { + if err := autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in, out, s); err != nil { + return err + } + if in.Masquerade != nil { + out.Masquerade = values.Bool(!*in.Masquerade) + } + return nil +} + func Convert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out *kops.ClusterSpec, s conversion.Scope) error { if err := autoConvert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(in, out, s); err != nil { return err diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go index b527349f46..23ffeac078 100644 --- a/pkg/apis/kops/v1alpha2/networking.go +++ b/pkg/apis/kops/v1alpha2/networking.go @@ -436,7 +436,7 @@ type CiliumNetworkingSpec struct { // +k8s:conversion-gen=false LogstashProbeTimer uint32 `json:"logstashProbeTimer,omitempty"` // DisableMasquerade disables masquerading traffic to external destinations behind the node IP. - DisableMasquerade *bool `json:"disableMasquerade,omitempty"` + Masquerade *bool `json:"disableMasquerade,omitempty"` // Nat46Range is unused. // +k8s:conversion-gen=false Nat46Range string `json:"nat46Range,omitempty"` diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go index 1f0570ce40..4507ad5699 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go 
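Review bot: The two converters added to conversion.go have no doc comments, and nothing on the page explains why `!*in.Masquerade` is the right assignment in both directions. After this commit the v1alpha2 Go field is named `Masquerade` but is still serialized as `disableMasquerade` (second hunk on this line, v1alpha2/networking.go, whose comment still opens with "DisableMasquerade"), so on the v1alpha2 side `true` means masquerading is off. I would add `// Convert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec inverts Masquerade: the v1alpha2 field carries the disableMasquerade sense.` above the first function and the mirrored comment above the second. On the struct field I would add `// Masquerade holds the v1alpha2 disableMasquerade value (true turns masquerading off); conversion.go inverts it.` Both functions are complete within the hunk; the `values` import they rely on is outside it.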
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go @@ -224,16 +224,6 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } - if err := s.AddGeneratedConversionFunc((*CiliumNetworkingSpec)(nil), (*kops.CiliumNetworkingSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(a.(*CiliumNetworkingSpec), b.(*kops.CiliumNetworkingSpec), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*kops.CiliumNetworkingSpec)(nil), (*CiliumNetworkingSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(a.(*kops.CiliumNetworkingSpec), b.(*CiliumNetworkingSpec), scope) - }); err != nil { - return err - } if err := s.AddGeneratedConversionFunc((*ClassicNetworkingSpec)(nil), (*kops.ClassicNetworkingSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha2_ClassicNetworkingSpec_To_kops_ClassicNetworkingSpec(a.(*ClassicNetworkingSpec), b.(*kops.ClassicNetworkingSpec), scope) }); err != nil { @@ -1129,6 +1119,11 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddConversionFunc((*kops.CiliumNetworkingSpec)(nil), (*CiliumNetworkingSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(a.(*kops.CiliumNetworkingSpec), b.(*CiliumNetworkingSpec), scope) + }); err != nil { + return err + } if err := s.AddConversionFunc((*kops.ClusterSpec)(nil), (*ClusterSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_kops_ClusterSpec_To_v1alpha2_ClusterSpec(a.(*kops.ClusterSpec), b.(*ClusterSpec), scope) }); err != nil { 
@@ -1144,6 +1139,11 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddConversionFunc((*CiliumNetworkingSpec)(nil), (*kops.CiliumNetworkingSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(a.(*CiliumNetworkingSpec), b.(*kops.CiliumNetworkingSpec), scope) + }); err != nil { + return err + } if err := s.AddConversionFunc((*ClusterSpec)(nil), (*kops.ClusterSpec)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(a.(*ClusterSpec), b.(*kops.ClusterSpec), scope) }); err != nil { @@ -1893,7 +1893,7 @@ func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in * // INFO: in.Logstash opted out of conversion generation // INFO: in.LogstashAgent opted out of conversion generation // INFO: in.LogstashProbeTimer opted out of conversion generation - out.DisableMasquerade = in.DisableMasquerade + out.Masquerade = in.Masquerade // INFO: in.Nat46Range opted out of conversion generation out.AgentPodAnnotations = in.AgentPodAnnotations // INFO: in.Pprof opted out of conversion generation @@ -1948,11 +1948,6 @@ func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in * return nil } -// Convert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec is an autogenerated conversion function. -func Convert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *CiliumNetworkingSpec, out *kops.CiliumNetworkingSpec, s conversion.Scope) error { - return autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in, out, s) -} - func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *kops.CiliumNetworkingSpec, out *CiliumNetworkingSpec, s conversion.Scope) error { out.Version = in.Version out.MemoryRequest = in.MemoryRequest 
@@ -1970,7 +1965,7 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in * out.EncryptionType = CiliumEncryptionType(in.EncryptionType) out.IdentityAllocationMode = in.IdentityAllocationMode out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod - out.DisableMasquerade = in.DisableMasquerade + out.Masquerade = in.Masquerade out.AgentPodAnnotations = in.AgentPodAnnotations out.Tunnel = in.Tunnel out.MonitorAggregation = in.MonitorAggregation @@ -2008,11 +2003,6 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in * return nil } -// Convert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec is an autogenerated conversion function. -func Convert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *kops.CiliumNetworkingSpec, out *CiliumNetworkingSpec, s conversion.Scope) error { - return autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in, out, s) -} - func autoConvert_v1alpha2_ClassicNetworkingSpec_To_kops_ClassicNetworkingSpec(in *ClassicNetworkingSpec, out *kops.ClassicNetworkingSpec, s conversion.Scope) error { return nil } diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go index d15057c78b..a6d2dac507 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go @@ -592,8 +592,8 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) { (*out)[key] = val } } - if in.DisableMasquerade != nil { - in, out := &in.DisableMasquerade, &out.DisableMasquerade + if in.Masquerade != nil { + in, out := &in.Masquerade, &out.Masquerade *out = new(bool) **out = **in } diff --git a/pkg/apis/kops/v1alpha3/networking.go b/pkg/apis/kops/v1alpha3/networking.go index 8cf2fb7776..6cc7af3b32 100644 --- a/pkg/apis/kops/v1alpha3/networking.go +++ b/pkg/apis/kops/v1alpha3/networking.go 
@@ -305,8 +305,9 @@ type CiliumNetworkingSpec struct { // IdentityChangeGracePeriod specifies the duration to wait before using a changed identity. // Default: 5s IdentityChangeGracePeriod string `json:"identityChangeGracePeriod,omitempty"` - // DisableMasquerade disables masquerading traffic to external destinations behind the node IP. - DisableMasquerade *bool `json:"disableMasquerade,omitempty"` + // Masquerade enables masquerading IPv4 traffic to external destinations behind the node IP. + // Default: false if IPAM is "eni" or in IPv6 mode, otherwise true + Masquerade *bool `json:"masquerade,omitempty"` // AgentPodAnnotations makes possible to add additional annotations to the cilium agent. // Default: none AgentPodAnnotations map[string]string `json:"agentPodAnnotations,omitempty"` diff --git a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go index 4f2306c4d4..af1dc73753 100644 --- a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go @@ -1816,7 +1816,7 @@ func autoConvert_v1alpha3_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in * out.EncryptionType = kops.CiliumEncryptionType(in.EncryptionType) out.IdentityAllocationMode = in.IdentityAllocationMode out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod - out.DisableMasquerade = in.DisableMasquerade + out.Masquerade = in.Masquerade out.AgentPodAnnotations = in.AgentPodAnnotations out.Tunnel = in.Tunnel out.MonitorAggregation = in.MonitorAggregation 
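Review bot: Renaming the v1alpha3 JSON key from `disableMasquerade` to `masquerade` leaves nothing in this hunk that handles a v1alpha3 manifest still carrying the old key. If the decoder tolerates unknown fields (not visible here), `disableMasquerade: true` would be dropped and the nil default in BuildOptions would turn masquerading back on for a non-ENI IPv4 cluster, silently reversing the operator's setting. It is worth confirming that v1alpha3 decoding rejects unknown keys. Alternatively, say so on the field, e.g. `// Replaces disableMasquerade from v1alpha2 with the opposite sense; the old key is not read in v1alpha3.` The struct continues outside the hunk.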
@@ -1876,7 +1876,7 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha3_CiliumNetworkingSpec(in * out.EncryptionType = CiliumEncryptionType(in.EncryptionType) out.IdentityAllocationMode = in.IdentityAllocationMode out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod - out.DisableMasquerade = in.DisableMasquerade + out.Masquerade = in.Masquerade out.AgentPodAnnotations = in.AgentPodAnnotations out.Tunnel = in.Tunnel out.MonitorAggregation = in.MonitorAggregation diff --git a/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go index e953987536..bfc7b5bcde 100644 --- a/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go +++ b/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go @@ -554,8 +554,8 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) { *out = new(bool) **out = **in } - if in.DisableMasquerade != nil { - in, out := &in.DisableMasquerade, &out.DisableMasquerade + if in.Masquerade != nil { + in, out := &in.Masquerade, &out.Masquerade *out = new(bool) **out = **in } diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go index 8d636e88dc..f8c76cc747 100644 --- a/pkg/apis/kops/validation/validation.go +++ b/pkg/apis/kops/validation/validation.go 
@@ -934,8 +934,8 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe if c.CloudProvider != string(kops.CloudProviderAWS) { allErrs = append(allErrs, field.Forbidden(fldPath.Child("ipam"), "Cilum ENI IPAM is supported only in AWS")) } - if v.DisableMasquerade != nil && !*v.DisableMasquerade { - allErrs = append(allErrs, field.Forbidden(fldPath.Child("disableMasquerade"), "Masquerade must be disabled when ENI IPAM is used")) + if v.Masquerade != nil && *v.Masquerade { + allErrs = append(allErrs, field.Forbidden(fldPath.Child("masquerade"), "Masquerade must be disabled when ENI IPAM is used")) } if c.IsIPv6Only() { allErrs = append(allErrs, field.Forbidden(fldPath.Child("ipam"), "Cilium ENI IPAM does not support IPv6")) diff --git a/pkg/apis/kops/validation/validation_test.go b/pkg/apis/kops/validation/validation_test.go index 1eba39fce3..8d2b3ab158 100644 --- a/pkg/apis/kops/validation/validation_test.go +++ b/pkg/apis/kops/validation/validation_test.go @@ -830,8 +830,8 @@ func Test_Validate_Cilium(t *testing.T) { }, { Cilium: kops.CiliumNetworkingSpec{ - DisableMasquerade: fi.Bool(true), - IPAM: "eni", + Masquerade: fi.Bool(false), + IPAM: "eni", }, Spec: kops.ClusterSpec{ CloudProvider: "aws", @@ -845,13 +845,13 @@ func Test_Validate_Cilium(t *testing.T) { }, { Cilium: kops.CiliumNetworkingSpec{ - DisableMasquerade: fi.Bool(false), - IPAM: "eni", + Masquerade: fi.Bool(true), + IPAM: "eni", }, Spec: kops.ClusterSpec{ CloudProvider: "aws", }, - ExpectedErrors: []string{"Forbidden::cilium.disableMasquerade"}, + ExpectedErrors: []string{"Forbidden::cilium.masquerade"}, }, { Cilium: kops.CiliumNetworkingSpec{ diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go index 779f214610..1d63f9e24f 100644 --- a/pkg/apis/kops/zz_generated.deepcopy.go +++ b/pkg/apis/kops/zz_generated.deepcopy.go 
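Review bot: An explicit `masquerade: true` is rejected only in what appears to be the ENI branch shown here, while the same commit removes the `IsIPv6Only` guard from the v1.10 template and keeps it only in the nil-only default in BuildOptions. An IPv6-only cluster that sets `masquerade: true` explicitly would therefore now render `masquerade: "true"`, where the old template forced `false`. If forcing it off was intentional, a check outside the ENI branch restores it: `if c.IsIPv6Only() && v.Masquerade != nil && *v.Masquerade { allErrs = append(allErrs, field.Forbidden(fldPath.Child("masquerade"), "Masquerade must be disabled in IPv6 mode")) }`. validateNetworkingCilium starts and ends outside the hunk, so an equivalent check may already exist elsewhere in it.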
@@ -630,8 +630,8 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) { *out = new(bool) **out = **in } - if in.DisableMasquerade != nil { - in, out := &in.DisableMasquerade, &out.DisableMasquerade + if in.Masquerade != nil { + in, out := &in.Masquerade, &out.Masquerade *out = new(bool) **out = **in } diff --git a/pkg/commands/set_cluster_test.go b/pkg/commands/set_cluster_test.go index 68cc36f445..e9a86e8bd2 100644 --- a/pkg/commands/set_cluster_test.go +++ b/pkg/commands/set_cluster_test.go @@ -233,14 +233,14 @@ func TestSetClusterFields(t *testing.T) { }, { Fields: []string{ - "cluster.spec.networking.cilium.disableMasquerade=true", + "cluster.spec.networking.cilium.masquerade=false", }, Input: kops.Cluster{}, Output: kops.Cluster{ Spec: kops.ClusterSpec{ Networking: &kops.NetworkingSpec{ Cilium: &kops.CiliumNetworkingSpec{ - DisableMasquerade: fi.Bool(true), + Masquerade: fi.Bool(false), }, }, }, @@ -304,7 +304,7 @@ func TestSetCiliumFields(t *testing.T) { Fields: []string{ "cluster.spec.networking.cilium.ipam=eni", "cluster.spec.networking.cilium.enableNodePort=true", - "cluster.spec.networking.cilium.disableMasquerade=true", + "cluster.spec.networking.cilium.masquerade=false", "cluster.spec.kubeProxy.enabled=false", }, Input: kops.Cluster{ @@ -317,9 +317,9 @@ func TestSetCiliumFields(t *testing.T) { }, Networking: &kops.NetworkingSpec{ Cilium: &kops.CiliumNetworkingSpec{ - IPAM: "eni", - EnableNodePort: true, - DisableMasquerade: fi.Bool(true), + IPAM: "eni", + EnableNodePort: true, + Masquerade: fi.Bool(false), }, }, }, diff --git a/pkg/commands/unset_cluster_test.go b/pkg/commands/unset_cluster_test.go index 446be9f086..89c5ef4fa5 100644 --- a/pkg/commands/unset_cluster_test.go +++ b/pkg/commands/unset_cluster_test.go 
@@ -302,13 +302,13 @@ func TestUnsetClusterFields(t *testing.T) { }, { Fields: []string{ - "cluster.spec.networking.cilium.disableMasquerade", + "cluster.spec.networking.cilium.masquerade", }, Input: kops.Cluster{ Spec: kops.ClusterSpec{ Networking: &kops.NetworkingSpec{ Cilium: &kops.CiliumNetworkingSpec{ - DisableMasquerade: fi.Bool(true), + Masquerade: fi.Bool(false), }, }, }, @@ -389,7 +389,7 @@ func TestUnsetCiliumFields(t *testing.T) { Fields: []string{ "cluster.spec.networking.cilium.ipam", "cluster.spec.networking.cilium.enableNodePort", - "cluster.spec.networking.cilium.disableMasquerade", + "cluster.spec.networking.cilium.masquerade", "cluster.spec.kubeProxy.enabled", }, Input: kops.Cluster{ @@ -399,9 +399,9 @@ func TestUnsetCiliumFields(t *testing.T) { }, Networking: &kops.NetworkingSpec{ Cilium: &kops.CiliumNetworkingSpec{ - IPAM: "eni", - EnableNodePort: true, - DisableMasquerade: fi.Bool(true), + IPAM: "eni", + EnableNodePort: true, + Masquerade: fi.Bool(false), }, }, }, diff --git a/pkg/model/components/cilium.go b/pkg/model/components/cilium.go index 5c4dd3cd11..606db21f96 100644 --- a/pkg/model/components/cilium.go +++ b/pkg/model/components/cilium.go @@ -111,8 +111,8 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error { c.IPAM = "kubernetes" } - if c.DisableMasquerade == nil { - c.DisableMasquerade = fi.Bool(c.IPAM == "eni") + if c.Masquerade == nil { + c.Masquerade = fi.Bool(!clusterSpec.IsIPv6Only() && c.IPAM != "eni") } if c.Tunnel == "" { diff --git a/tests/integration/conversion/BUILD.bazel b/tests/integration/conversion/BUILD.bazel index 42b2907aed..7dea840277 100644 --- a/tests/integration/conversion/BUILD.bazel +++ b/tests/integration/conversion/BUILD.bazel @@ -21,6 +21,7 @@ filegroup( srcs = glob([ "aws/**", "canal/**", + "cilium/**", "minimal/**", ]), visibility = ["//visibility:public"], 
diff --git a/tests/integration/conversion/cilium/v1alpha2.yaml b/tests/integration/conversion/cilium/v1alpha2.yaml
new file mode 100644
index 0000000000..985e98055a
--- /dev/null
+++ b/tests/integration/conversion/cilium/v1alpha2.yaml
@@ -0,0 +1,92 @@
+apiVersion: kops.k8s.io/v1alpha2
+kind: Cluster
+metadata:
+ creationTimestamp: "2016-12-10T22:42:27Z"
+ name: minimal.example.com
+spec:
+ additionalSans:
+ - proxy.api.minimal.example.com
+ addons:
+ - manifest: s3://somebucket/example.yaml
+ api:
+ dns: {}
+ authorization:
+ alwaysAllow: {}
+ channel: stable
+ cloudProvider: aws
+ configBase: memfs://clusters.example.com/minimal.example.com
+ etcdClusters:
+ - cpuRequest: 200m
+ etcdMembers:
+ - instanceGroup: master-us-test-1a
+ name: us-test-1a
+ memoryRequest: 100Mi
+ name: main
+ - cpuRequest: 200m
+ etcdMembers:
+ - instanceGroup: master-us-test-1a
+ name: us-test-1a
+ memoryRequest: 100Mi
+ name: events
+ iam:
+ legacy: false
+ kubernetesApiAccess:
+ - 0.0.0.0/0
+ kubernetesVersion: v1.14.0
+ masterInternalName: api.internal.minimal.example.com
+ masterPublicName: api.minimal.example.com
+ networkCIDR: 172.20.0.0/16
+ networking:
+ cilium:
+ disableMasquerade: true
+ nonMasqueradeCIDR: 100.64.0.0/10
+ sshAccess:
+ - 0.0.0.0/0
+ subnets:
+ - cidr: 172.20.32.0/19
+ name: us-test-1a
+ type: Public
+ zone: us-test-1a
+ topology:
+ dns:
+ type: Public
+ masters: public
+ nodes: public
+
+---
+
+apiVersion: kops.k8s.io/v1alpha2
+kind: InstanceGroup
+metadata:
+ creationTimestamp: "2016-12-10T22:42:28Z"
+ labels:
+ kops.k8s.io/cluster: minimal.example.com
+ name: nodes
+spec:
+ associatePublicIp: true
+ image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
+ machineType: t2.medium
+ maxSize: 2
+ minSize: 2
+ role: Node
+ subnets:
+ - us-test-1a
+
+---
+
+apiVersion: kops.k8s.io/v1alpha2
+kind: InstanceGroup
+metadata:
+ creationTimestamp: "2016-12-10T22:42:28Z"
+ labels:
+ kops.k8s.io/cluster: minimal.example.com
+ name: master-us-test-1a
+spec:
+ associatePublicIp: true
+ image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
+ machineType: m3.medium
+ maxSize: 1
+ minSize: 1
+ role: Master
+ subnets:
+ - us-test-1a
diff --git a/tests/integration/conversion/cilium/v1alpha3.yaml b/tests/integration/conversion/cilium/v1alpha3.yaml
new file mode 100644
index 0000000000..92103216fa
--- /dev/null
+++ b/tests/integration/conversion/cilium/v1alpha3.yaml
@@ -0,0 +1,91 @@
+apiVersion: kops.k8s.io/v1alpha3
+kind: Cluster
+metadata:
+ creationTimestamp: "2016-12-10T22:42:27Z"
+ name: minimal.example.com
+spec:
+ additionalSANs:
+ - proxy.api.minimal.example.com
+ addons:
+ - manifest: s3://somebucket/example.yaml
+ api:
+ dns: {}
+ authorization:
+ alwaysAllow: {}
+ channel: stable
+ cloudProvider: aws
+ configBase: memfs://clusters.example.com/minimal.example.com
+ etcdClusters:
+ - cpuRequest: 200m
+ etcdMembers:
+ - instanceGroup: master-us-test-1a
+ name: us-test-1a
+ memoryRequest: 100Mi
+ name: main
+ - cpuRequest: 200m
+ etcdMembers:
+ - instanceGroup: master-us-test-1a
+ name: us-test-1a
+ memoryRequest: 100Mi
+ name: events
+ iam: {}
+ kubernetesAPIAccess:
+ - 0.0.0.0/0
+ kubernetesVersion: v1.14.0
+ masterInternalName: api.internal.minimal.example.com
+ masterPublicName: api.minimal.example.com
+ networkCIDR: 172.20.0.0/16
+ networking:
+ cilium:
+ masquerade: false
+ nonMasqueradeCIDR: 100.64.0.0/10
+ sshAccess:
+ - 0.0.0.0/0
+ subnets:
+ - cidr: 172.20.32.0/19
+ name: us-test-1a
+ type: Public
+ zone: us-test-1a
+ topology:
+ dns:
+ type: Public
+ masters: public
+ nodes: public
+
+---
+
+apiVersion: kops.k8s.io/v1alpha3
+kind: InstanceGroup
+metadata:
+ creationTimestamp: "2016-12-10T22:42:28Z"
+ labels:
+ kops.k8s.io/cluster: minimal.example.com
+ name: nodes
+spec:
+ associatePublicIP: true
+ image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
+ machineType: t2.medium
+ maxSize: 2
+ minSize: 2
+ role: Node
+ subnets:
+ - us-test-1a
+
+---
+
+apiVersion: kops.k8s.io/v1alpha3
+kind: InstanceGroup
+metadata:
+ creationTimestamp: "2016-12-10T22:42:28Z"
+ labels:
+ kops.k8s.io/cluster: minimal.example.com
+ name: master-us-test-1a
+spec:
+ associatePublicIP: true
+ image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
+ machineType: m3.medium
+ maxSize: 1
+ minSize: 1
+ role: Master
+ subnets:
+ - us-test-1a
diff --git a/tests/integration/conversion/integration_test.go b/tests/integration/conversion/integration_test.go index 50a195af9f..f6c4e3d680 100644 --- a/tests/integration/conversion/integration_test.go +++ b/tests/integration/conversion/integration_test.go @@ -48,6 +48,11 @@ func TestConversionCanal(t *testing.T) { runTest(t, "canal", "v1alpha3", "v1alpha2") } +func TestConversionCilium(t *testing.T) { + runTest(t, "cilium", "v1alpha2", "v1alpha3") + runTest(t, "cilium", "v1alpha3", "v1alpha2") +} + func runTest(t *testing.T, srcDir string, fromVersion string, toVersion string) { t.Run(fromVersion+"-"+toVersion, func(t *testing.T) { sourcePath := path.Join(srcDir, fromVersion+".yaml") diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_bucket_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_bucket_object_cluster-completed.spec_content index 6a7118b1ff..fe8e6182a0 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_bucket_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_bucket_object_cluster-completed.spec_content @@ -199,7 +199,7 @@ spec: clusterName: default cpuRequest: 25m disableCNPStatusUpdates: true - disableMasquerade: false + disableMasquerade: true enableBPFMasquerade: false enableEndpointHealthChecking: true enableL7Proxy: true diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.8.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.8.yaml.template index 2c340229c7..09ad06cf1e 100644 --- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.8.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.8.yaml.template 
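Review bot: TestConversionCilium exercises a single value of the inverted field, because the two fixtures pair `disableMasquerade: true` with `masquerade: false` and nothing else. A converter that always wrote `false` on the v1alpha3 side and `true` on the v1alpha2 side would still pass both `runTest` calls. The omitted-field case, which must stay omitted rather than become an explicit value, is not covered by this test either. Consider a second fixture pair with `disableMasquerade: false` and `masquerade: true`; whether the existing canal or minimal fixtures already cover the omitted case is not visible here.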
@@ -148,7 +148,7 @@ data: # - none # - auto (automatically detect the container runtime) # - masquerade: "{{- if WithDefaultBool .DisableMasquerade false -}}false{{- else -}}true{{- end -}}" + masquerade: "{{ .Masquerade }}" install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}" auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}" {{ if .EnableHostReachableServices }} diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template index ddb50af9ba..70b3346867 100644 --- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template @@ -201,7 +201,7 @@ data: # - none # - auto (automatically detect the container runtime) # - masquerade: "{{- if WithDefaultBool .DisableMasquerade false -}}false{{- else -}}true{{- end -}}" + masquerade: "{{ .Masquerade }}" install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}" auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}" {{ if .EnableHostReachableServices }} diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template index 5fcb5c767c..03bcf25aee 100644 --- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template 
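Review bot: `masquerade: "{{ .Masquerade }}"` prints a `*bool` directly, so the rendered value is `true` or `false` only when the field is non-nil. The removed line went through `WithDefaultBool`, which tolerated nil; the new one relies on BuildOptions having filled in the default before the template runs, and a nil pointer would put a non-boolean string into the Cilium ConfigMap. Keeping the wrapper, e.g. `masquerade: "{{ WithDefaultBool .Masquerade true }}"` with the fallback matched to the BuildOptions default, removes that dependency. The same line is introduced in the v1.9 hunk on this line and in the v1.10 hunk that follows.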
@@ -221,7 +221,7 @@ data: # - none # - auto (automatically detect the container runtime) # - masquerade: "{{- not (or IsIPv6Only (WithDefaultBool .DisableMasquerade false) ) -}}" + masquerade: "{{ .Masquerade }}" enable-ipv6-masquerade: "false" install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}" auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}"