Change sense of Cilium DisableMasquerade in v1alpha3

pkg/apis/kops/networking.go

@@ -321,8 +321,9 @@ type CiliumNetworkingSpec struct {
 	// IdentityChangeGracePeriod specifies the duration to wait before using a changed identity.
 	// Default: 5s
 	IdentityChangeGracePeriod string `json:"identityChangeGracePeriod,omitempty"`
-	// DisableMasquerade disables masquerading traffic to external destinations behind the node IP.
+	// Masquerade enables masquerading IPv4 traffic to external destinations behind the node IP.
-	DisableMasquerade *bool `json:"disableMasquerade,omitempty"`
+	// Default: false if IPAM is "eni" or in IPv6 mode, otherwise true
+	Masquerade *bool `json:"masquerade,omitempty"`
 	// AgentPodAnnotations makes possible to add additional annotations to cilium agent.
 	// Default: none
 	AgentPodAnnotations map[string]string `json:"agentPodAnnotations,omitempty"`

pkg/apis/kops/v1alpha2/conversion.go

@@ -44,6 +44,26 @@ func Convert_kops_CanalNetworkingSpec_To_v1alpha2_CanalNetworkingSpec(in *kops.C
 	return nil
 }
 
+func Convert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *CiliumNetworkingSpec, out *kops.CiliumNetworkingSpec, s conversion.Scope) error {
+	if err := autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in, out, s); err != nil {
+		return err
+	}
+	if in.Masquerade != nil {
+		out.Masquerade = values.Bool(!*in.Masquerade)
+	}
+	return nil
+}
+
+func Convert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *kops.CiliumNetworkingSpec, out *CiliumNetworkingSpec, s conversion.Scope) error {
+	if err := autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in, out, s); err != nil {
+		return err
+	}
+	if in.Masquerade != nil {
+		out.Masquerade = values.Bool(!*in.Masquerade)
+	}
+	return nil
+}
+
 func Convert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out *kops.ClusterSpec, s conversion.Scope) error {
 	if err := autoConvert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(in, out, s); err != nil {
 		return err

pkg/apis/kops/v1alpha2/networking.go

@@ -436,7 +436,7 @@ type CiliumNetworkingSpec struct {
 	// +k8s:conversion-gen=false
 	LogstashProbeTimer uint32 `json:"logstashProbeTimer,omitempty"`
 	// DisableMasquerade disables masquerading traffic to external destinations behind the node IP.
-	DisableMasquerade *bool `json:"disableMasquerade,omitempty"`
+	Masquerade *bool `json:"disableMasquerade,omitempty"`
 	// Nat46Range is unused.
 	// +k8s:conversion-gen=false
 	Nat46Range string `json:"nat46Range,omitempty"`

pkg/apis/kops/v1alpha2/zz_generated.conversion.go

@@ -224,16 +224,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*CiliumNetworkingSpec)(nil), (*kops.CiliumNetworkingSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(a.(*CiliumNetworkingSpec), b.(*kops.CiliumNetworkingSpec), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*kops.CiliumNetworkingSpec)(nil), (*CiliumNetworkingSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(a.(*kops.CiliumNetworkingSpec), b.(*CiliumNetworkingSpec), scope)
-	}); err != nil {
-		return err
-	}
 	if err := s.AddGeneratedConversionFunc((*ClassicNetworkingSpec)(nil), (*kops.ClassicNetworkingSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha2_ClassicNetworkingSpec_To_kops_ClassicNetworkingSpec(a.(*ClassicNetworkingSpec), b.(*kops.ClassicNetworkingSpec), scope)
 	}); err != nil {
@@ -1129,6 +1119,11 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddConversionFunc((*kops.CiliumNetworkingSpec)(nil), (*CiliumNetworkingSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(a.(*kops.CiliumNetworkingSpec), b.(*CiliumNetworkingSpec), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddConversionFunc((*kops.ClusterSpec)(nil), (*ClusterSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_kops_ClusterSpec_To_v1alpha2_ClusterSpec(a.(*kops.ClusterSpec), b.(*ClusterSpec), scope)
 	}); err != nil {
@@ -1144,6 +1139,11 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddConversionFunc((*CiliumNetworkingSpec)(nil), (*kops.CiliumNetworkingSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(a.(*CiliumNetworkingSpec), b.(*kops.CiliumNetworkingSpec), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddConversionFunc((*ClusterSpec)(nil), (*kops.ClusterSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(a.(*ClusterSpec), b.(*kops.ClusterSpec), scope)
 	}); err != nil {
@@ -1893,7 +1893,7 @@ func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *
 	// INFO: in.Logstash opted out of conversion generation
 	// INFO: in.LogstashAgent opted out of conversion generation
 	// INFO: in.LogstashProbeTimer opted out of conversion generation
-	out.DisableMasquerade = in.DisableMasquerade
+	out.Masquerade = in.Masquerade
 	// INFO: in.Nat46Range opted out of conversion generation
 	out.AgentPodAnnotations = in.AgentPodAnnotations
 	// INFO: in.Pprof opted out of conversion generation
@@ -1948,11 +1948,6 @@ func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *
 	return nil
 }
 
-// Convert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec is an autogenerated conversion function.
-func Convert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *CiliumNetworkingSpec, out *kops.CiliumNetworkingSpec, s conversion.Scope) error {
-	return autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in, out, s)
-}
-
 func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *kops.CiliumNetworkingSpec, out *CiliumNetworkingSpec, s conversion.Scope) error {
 	out.Version = in.Version
 	out.MemoryRequest = in.MemoryRequest
@@ -1970,7 +1965,7 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *
 	out.EncryptionType = CiliumEncryptionType(in.EncryptionType)
 	out.IdentityAllocationMode = in.IdentityAllocationMode
 	out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod
-	out.DisableMasquerade = in.DisableMasquerade
+	out.Masquerade = in.Masquerade
 	out.AgentPodAnnotations = in.AgentPodAnnotations
 	out.Tunnel = in.Tunnel
 	out.MonitorAggregation = in.MonitorAggregation
@@ -2008,11 +2003,6 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *
 	return nil
 }
 
-// Convert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec is an autogenerated conversion function.
-func Convert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *kops.CiliumNetworkingSpec, out *CiliumNetworkingSpec, s conversion.Scope) error {
-	return autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in, out, s)
-}
-
 func autoConvert_v1alpha2_ClassicNetworkingSpec_To_kops_ClassicNetworkingSpec(in *ClassicNetworkingSpec, out *kops.ClassicNetworkingSpec, s conversion.Scope) error {
 	return nil
 }

pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go

@@ -592,8 +592,8 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) {
 			(*out)[key] = val
 		}
 	}
-	if in.DisableMasquerade != nil {
+	if in.Masquerade != nil {
-		in, out := &in.DisableMasquerade, &out.DisableMasquerade
+		in, out := &in.Masquerade, &out.Masquerade
 		*out = new(bool)
 		**out = **in
 	}

pkg/apis/kops/v1alpha3/networking.go

@@ -305,8 +305,9 @@ type CiliumNetworkingSpec struct {
 	// IdentityChangeGracePeriod specifies the duration to wait before using a changed identity.
 	// Default: 5s
 	IdentityChangeGracePeriod string `json:"identityChangeGracePeriod,omitempty"`
-	// DisableMasquerade disables masquerading traffic to external destinations behind the node IP.
+	// Masquerade enables masquerading IPv4 traffic to external destinations behind the node IP.
-	DisableMasquerade *bool `json:"disableMasquerade,omitempty"`
+	// Default: false if IPAM is "eni" or in IPv6 mode, otherwise true
+	Masquerade *bool `json:"masquerade,omitempty"`
 	// AgentPodAnnotations makes possible to add additional annotations to the cilium agent.
 	// Default: none
 	AgentPodAnnotations map[string]string `json:"agentPodAnnotations,omitempty"`

pkg/apis/kops/v1alpha3/zz_generated.conversion.go

@@ -1816,7 +1816,7 @@ func autoConvert_v1alpha3_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *
 	out.EncryptionType = kops.CiliumEncryptionType(in.EncryptionType)
 	out.IdentityAllocationMode = in.IdentityAllocationMode
 	out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod
-	out.DisableMasquerade = in.DisableMasquerade
+	out.Masquerade = in.Masquerade
 	out.AgentPodAnnotations = in.AgentPodAnnotations
 	out.Tunnel = in.Tunnel
 	out.MonitorAggregation = in.MonitorAggregation
@@ -1876,7 +1876,7 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha3_CiliumNetworkingSpec(in *
 	out.EncryptionType = CiliumEncryptionType(in.EncryptionType)
 	out.IdentityAllocationMode = in.IdentityAllocationMode
 	out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod
-	out.DisableMasquerade = in.DisableMasquerade
+	out.Masquerade = in.Masquerade
 	out.AgentPodAnnotations = in.AgentPodAnnotations
 	out.Tunnel = in.Tunnel
 	out.MonitorAggregation = in.MonitorAggregation

pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go

@@ -554,8 +554,8 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) {
 		*out = new(bool)
 		**out = **in
 	}
-	if in.DisableMasquerade != nil {
+	if in.Masquerade != nil {
-		in, out := &in.DisableMasquerade, &out.DisableMasquerade
+		in, out := &in.Masquerade, &out.Masquerade
 		*out = new(bool)
 		**out = **in
 	}

pkg/apis/kops/validation/validation.go

@@ -934,8 +934,8 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe
 			if c.CloudProvider != string(kops.CloudProviderAWS) {
 				allErrs = append(allErrs, field.Forbidden(fldPath.Child("ipam"), "Cilum ENI IPAM is supported only in AWS"))
 			}
-			if v.DisableMasquerade != nil && !*v.DisableMasquerade {
+			if v.Masquerade != nil && *v.Masquerade {
-				allErrs = append(allErrs, field.Forbidden(fldPath.Child("disableMasquerade"), "Masquerade must be disabled when ENI IPAM is used"))
+				allErrs = append(allErrs, field.Forbidden(fldPath.Child("masquerade"), "Masquerade must be disabled when ENI IPAM is used"))
 			}
 			if c.IsIPv6Only() {
 				allErrs = append(allErrs, field.Forbidden(fldPath.Child("ipam"), "Cilium ENI IPAM does not support IPv6"))

pkg/apis/kops/validation/validation_test.go

@@ -830,8 +830,8 @@ func Test_Validate_Cilium(t *testing.T) {
 		},
 		{
 			Cilium: kops.CiliumNetworkingSpec{
-				DisableMasquerade: fi.Bool(true),
+				Masquerade: fi.Bool(false),
-				IPAM:              "eni",
+				IPAM:       "eni",
 			},
 			Spec: kops.ClusterSpec{
 				CloudProvider: "aws",
@@ -845,13 +845,13 @@ func Test_Validate_Cilium(t *testing.T) {
 		},
 		{
 			Cilium: kops.CiliumNetworkingSpec{
-				DisableMasquerade: fi.Bool(false),
+				Masquerade: fi.Bool(true),
-				IPAM:              "eni",
+				IPAM:       "eni",
 			},
 			Spec: kops.ClusterSpec{
 				CloudProvider: "aws",
 			},
-			ExpectedErrors: []string{"Forbidden::cilium.disableMasquerade"},
+			ExpectedErrors: []string{"Forbidden::cilium.masquerade"},
 		},
 		{
 			Cilium: kops.CiliumNetworkingSpec{

pkg/apis/kops/zz_generated.deepcopy.go

@@ -630,8 +630,8 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) {
 		*out = new(bool)
 		**out = **in
 	}
-	if in.DisableMasquerade != nil {
+	if in.Masquerade != nil {
-		in, out := &in.DisableMasquerade, &out.DisableMasquerade
+		in, out := &in.Masquerade, &out.Masquerade
 		*out = new(bool)
 		**out = **in
 	}

pkg/commands/set_cluster_test.go

@@ -233,14 +233,14 @@ func TestSetClusterFields(t *testing.T) {
 		},
 		{
 			Fields: []string{
-				"cluster.spec.networking.cilium.disableMasquerade=true",
+				"cluster.spec.networking.cilium.masquerade=false",
 			},
 			Input: kops.Cluster{},
 			Output: kops.Cluster{
 				Spec: kops.ClusterSpec{
 					Networking: &kops.NetworkingSpec{
 						Cilium: &kops.CiliumNetworkingSpec{
-							DisableMasquerade: fi.Bool(true),
+							Masquerade: fi.Bool(false),
 						},
 					},
 				},
@@ -304,7 +304,7 @@ func TestSetCiliumFields(t *testing.T) {
 			Fields: []string{
 				"cluster.spec.networking.cilium.ipam=eni",
 				"cluster.spec.networking.cilium.enableNodePort=true",
-				"cluster.spec.networking.cilium.disableMasquerade=true",
+				"cluster.spec.networking.cilium.masquerade=false",
 				"cluster.spec.kubeProxy.enabled=false",
 			},
 			Input: kops.Cluster{
@@ -317,9 +317,9 @@ func TestSetCiliumFields(t *testing.T) {
 					},
 					Networking: &kops.NetworkingSpec{
 						Cilium: &kops.CiliumNetworkingSpec{
-							IPAM:              "eni",
+							IPAM:           "eni",
-							EnableNodePort:    true,
+							EnableNodePort: true,
-							DisableMasquerade: fi.Bool(true),
+							Masquerade:     fi.Bool(false),
 						},
 					},
 				},

pkg/commands/unset_cluster_test.go

@@ -302,13 +302,13 @@ func TestUnsetClusterFields(t *testing.T) {
 		},
 		{
 			Fields: []string{
-				"cluster.spec.networking.cilium.disableMasquerade",
+				"cluster.spec.networking.cilium.masquerade",
 			},
 			Input: kops.Cluster{
 				Spec: kops.ClusterSpec{
 					Networking: &kops.NetworkingSpec{
 						Cilium: &kops.CiliumNetworkingSpec{
-							DisableMasquerade: fi.Bool(true),
+							Masquerade: fi.Bool(false),
 						},
 					},
 				},
@@ -389,7 +389,7 @@ func TestUnsetCiliumFields(t *testing.T) {
 			Fields: []string{
 				"cluster.spec.networking.cilium.ipam",
 				"cluster.spec.networking.cilium.enableNodePort",
-				"cluster.spec.networking.cilium.disableMasquerade",
+				"cluster.spec.networking.cilium.masquerade",
 				"cluster.spec.kubeProxy.enabled",
 			},
 			Input: kops.Cluster{
@@ -399,9 +399,9 @@ func TestUnsetCiliumFields(t *testing.T) {
 					},
 					Networking: &kops.NetworkingSpec{
 						Cilium: &kops.CiliumNetworkingSpec{
-							IPAM:              "eni",
+							IPAM:           "eni",
-							EnableNodePort:    true,
+							EnableNodePort: true,
-							DisableMasquerade: fi.Bool(true),
+							Masquerade:     fi.Bool(false),
 						},
 					},
 				},

pkg/model/components/cilium.go

@@ -111,8 +111,8 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error {
 		c.IPAM = "kubernetes"
 	}
 
-	if c.DisableMasquerade == nil {
+	if c.Masquerade == nil {
-		c.DisableMasquerade = fi.Bool(c.IPAM == "eni")
+		c.Masquerade = fi.Bool(!clusterSpec.IsIPv6Only() && c.IPAM != "eni")
 	}
 
 	if c.Tunnel == "" {

tests/integration/conversion/BUILD.bazel

@@ -21,6 +21,7 @@ filegroup(
     srcs = glob([
         "aws/**",
         "canal/**",
+        "cilium/**",
         "minimal/**",
     ]),
     visibility = ["//visibility:public"],

tests/integration/conversion/cilium/v1alpha2.yaml

@@ -0,0 +1,92 @@
+apiVersion: kops.k8s.io/v1alpha2
+kind: Cluster
+metadata:
+  creationTimestamp: "2016-12-10T22:42:27Z"
+  name: minimal.example.com
+spec:
+  additionalSans:
+  - proxy.api.minimal.example.com
+  addons:
+  - manifest: s3://somebucket/example.yaml
+  api:
+    dns: {}
+  authorization:
+    alwaysAllow: {}
+  channel: stable
+  cloudProvider: aws
+  configBase: memfs://clusters.example.com/minimal.example.com
+  etcdClusters:
+  - cpuRequest: 200m
+    etcdMembers:
+    - instanceGroup: master-us-test-1a
+      name: us-test-1a
+    memoryRequest: 100Mi
+    name: main
+  - cpuRequest: 200m
+    etcdMembers:
+    - instanceGroup: master-us-test-1a
+      name: us-test-1a
+    memoryRequest: 100Mi
+    name: events
+  iam:
+    legacy: false
+  kubernetesApiAccess:
+  - 0.0.0.0/0
+  kubernetesVersion: v1.14.0
+  masterInternalName: api.internal.minimal.example.com
+  masterPublicName: api.minimal.example.com
+  networkCIDR: 172.20.0.0/16
+  networking:
+    cilium:
+      disableMasquerade: true
+  nonMasqueradeCIDR: 100.64.0.0/10
+  sshAccess:
+  - 0.0.0.0/0
+  subnets:
+  - cidr: 172.20.32.0/19
+    name: us-test-1a
+    type: Public
+    zone: us-test-1a
+  topology:
+    dns:
+      type: Public
+    masters: public
+    nodes: public
+
+---
+
+apiVersion: kops.k8s.io/v1alpha2
+kind: InstanceGroup
+metadata:
+  creationTimestamp: "2016-12-10T22:42:28Z"
+  labels:
+    kops.k8s.io/cluster: minimal.example.com
+  name: nodes
+spec:
+  associatePublicIp: true
+  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
+  machineType: t2.medium
+  maxSize: 2
+  minSize: 2
+  role: Node
+  subnets:
+  - us-test-1a
+
+---
+
+apiVersion: kops.k8s.io/v1alpha2
+kind: InstanceGroup
+metadata:
+  creationTimestamp: "2016-12-10T22:42:28Z"
+  labels:
+    kops.k8s.io/cluster: minimal.example.com
+  name: master-us-test-1a
+spec:
+  associatePublicIp: true
+  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
+  machineType: m3.medium
+  maxSize: 1
+  minSize: 1
+  role: Master
+  subnets:
+  - us-test-1a

tests/integration/conversion/cilium/v1alpha3.yaml

@@ -0,0 +1,91 @@
+apiVersion: kops.k8s.io/v1alpha3
+kind: Cluster
+metadata:
+  creationTimestamp: "2016-12-10T22:42:27Z"
+  name: minimal.example.com
+spec:
+  additionalSANs:
+  - proxy.api.minimal.example.com
+  addons:
+  - manifest: s3://somebucket/example.yaml
+  api:
+    dns: {}
+  authorization:
+    alwaysAllow: {}
+  channel: stable
+  cloudProvider: aws
+  configBase: memfs://clusters.example.com/minimal.example.com
+  etcdClusters:
+  - cpuRequest: 200m
+    etcdMembers:
+    - instanceGroup: master-us-test-1a
+      name: us-test-1a
+    memoryRequest: 100Mi
+    name: main
+  - cpuRequest: 200m
+    etcdMembers:
+    - instanceGroup: master-us-test-1a
+      name: us-test-1a
+    memoryRequest: 100Mi
+    name: events
+  iam: {}
+  kubernetesAPIAccess:
+  - 0.0.0.0/0
+  kubernetesVersion: v1.14.0
+  masterInternalName: api.internal.minimal.example.com
+  masterPublicName: api.minimal.example.com
+  networkCIDR: 172.20.0.0/16
+  networking:
+    cilium:
+      masquerade: false
+  nonMasqueradeCIDR: 100.64.0.0/10
+  sshAccess:
+  - 0.0.0.0/0
+  subnets:
+  - cidr: 172.20.32.0/19
+    name: us-test-1a
+    type: Public
+    zone: us-test-1a
+  topology:
+    dns:
+      type: Public
+    masters: public
+    nodes: public
+
+---
+
+apiVersion: kops.k8s.io/v1alpha3
+kind: InstanceGroup
+metadata:
+  creationTimestamp: "2016-12-10T22:42:28Z"
+  labels:
+    kops.k8s.io/cluster: minimal.example.com
+  name: nodes
+spec:
+  associatePublicIP: true
+  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
+  machineType: t2.medium
+  maxSize: 2
+  minSize: 2
+  role: Node
+  subnets:
+  - us-test-1a
+
+---
+
+apiVersion: kops.k8s.io/v1alpha3
+kind: InstanceGroup
+metadata:
+  creationTimestamp: "2016-12-10T22:42:28Z"
+  labels:
+    kops.k8s.io/cluster: minimal.example.com
+  name: master-us-test-1a
+spec:
+  associatePublicIP: true
+  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
+  machineType: m3.medium
+  maxSize: 1
+  minSize: 1
+  role: Master
+  subnets:
+  - us-test-1a

tests/integration/conversion/integration_test.go

@@ -48,6 +48,11 @@ func TestConversionCanal(t *testing.T) {
 	runTest(t, "canal", "v1alpha3", "v1alpha2")
 }
 
+func TestConversionCilium(t *testing.T) {
+	runTest(t, "cilium", "v1alpha2", "v1alpha3")
+	runTest(t, "cilium", "v1alpha3", "v1alpha2")
+}
+
 func runTest(t *testing.T, srcDir string, fromVersion string, toVersion string) {
 	t.Run(fromVersion+"-"+toVersion, func(t *testing.T) {
 		sourcePath := path.Join(srcDir, fromVersion+".yaml")

tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_bucket_object_cluster-completed.spec_content

@@ -199,7 +199,7 @@ spec:
       clusterName: default
       cpuRequest: 25m
       disableCNPStatusUpdates: true
-      disableMasquerade: false
+      disableMasquerade: true
       enableBPFMasquerade: false
       enableEndpointHealthChecking: true
       enableL7Proxy: true

upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.8.yaml.template

@@ -148,7 +148,7 @@ data:
   # - none
   # - auto (automatically detect the container runtime)
   #
-  masquerade: "{{- if WithDefaultBool .DisableMasquerade false -}}false{{- else -}}true{{- end -}}"
+  masquerade: "{{ .Masquerade }}"
   install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}"
   auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}"
   {{ if .EnableHostReachableServices }}

upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template

@@ -201,7 +201,7 @@ data:
   # - none
   # - auto (automatically detect the container runtime)
   #
-  masquerade: "{{- if WithDefaultBool .DisableMasquerade false -}}false{{- else -}}true{{- end -}}"
+  masquerade: "{{ .Masquerade }}"
   install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}"
   auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}"
   {{ if .EnableHostReachableServices }}

upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template

@@ -221,7 +221,7 @@ data:
   # - none
   # - auto (automatically detect the container runtime)
   #
-  masquerade: "{{- not (or IsIPv6Only (WithDefaultBool .DisableMasquerade false) ) -}}"
+  masquerade: "{{ .Masquerade }}"
   enable-ipv6-masquerade: "false"
   install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}"
   auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}"