From d9e4a62994e533ecbcde95b58c17ca0d0401a06c Mon Sep 17 00:00:00 2001
From: Kashif Saadat
Date: Fri, 25 Aug 2017 17:49:41 +0100
Subject: [PATCH] Allow user defined endpoint to host action for Canal

---
 pkg/apis/kops/networking.go | 6 +++++-
 pkg/apis/kops/v1alpha1/networking.go | 6 +++++-
 pkg/apis/kops/v1alpha1/zz_generated.conversion.go | 2 ++
 pkg/apis/kops/v1alpha2/networking.go | 6 +++++-
 pkg/apis/kops/v1alpha2/zz_generated.conversion.go | 2 ++
 .../k8s-1.6.yaml.template | 2 +-
 .../pre-k8s-1.6.yaml.template | 2 +-
 7 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go
index bc7bb1fb57..75ed67c868 100644
--- a/pkg/apis/kops/networking.go
+++ b/pkg/apis/kops/networking.go
@@ -67,8 +67,12 @@ type CalicoNetworkingSpec struct {
 	CrossSubnet bool `json:"crossSubnet,omitempty"` // Enables Calico's cross-subnet mode when set to true
 }
 
-// Canal declares that we want Canal networking
+// CanalNetworkingSpec declares that we want Canal networking
 type CanalNetworkingSpec struct {
+	// DefaultEndpointToHostAction allows users to configure the default behaviour
+	// for traffic between pod to host after calico rules have been processed.
+	// Default: ACCEPT (other options: DROP, RETURN)
+	DefaultEndpointToHostAction string `json:"defaultEndpointToHostAction,omitempty"`
 }
 
 // Kuberouter declares that we want Kube-router networking
diff --git a/pkg/apis/kops/v1alpha1/networking.go b/pkg/apis/kops/v1alpha1/networking.go
index 1c93d52883..f5ba1bac04 100644
--- a/pkg/apis/kops/v1alpha1/networking.go
+++ b/pkg/apis/kops/v1alpha1/networking.go
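Review bot: DefaultEndpointToHostAction is a plain string, so nothing in this hunk (or in the identical v1alpha1 and v1alpha2 hunks that follow) restricts it to the ACCEPT/DROP/RETURN set the comment promises; a misspelling such as `Accept` or any other string passes straight through conversion and is rendered verbatim into FELIX_DEFAULTENDPOINTTOHOSTACTION by the canal templates. Because this setting decides what happens to pod-to-host traffic that no Calico rule matched, an unchecked value deserves a case-sensitive membership check in the cluster validation path (not part of this patch, so its location is inferred) that rejects anything outside those three values instead of leaving it to Felix. The doc comment could also be tightened to `// for traffic from a pod to its host after Calico rules have been processed.` and state that the ACCEPT default is applied by the addon template when the field is empty.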
@@ -67,8 +67,12 @@ type CalicoNetworkingSpec struct {
 	CrossSubnet bool `json:"crossSubnet,omitempty"` // Enables Calico's cross-subnet mode when set to true
 }
 
-// Canal declares that we want Canal networking
+// CanalNetworkingSpec declares that we want Canal networking
 type CanalNetworkingSpec struct {
+	// DefaultEndpointToHostAction allows users to configure the default behaviour
+	// for traffic between pod to host after calico rules have been processed.
+	// Default: ACCEPT (other options: DROP, RETURN)
+	DefaultEndpointToHostAction string `json:"defaultEndpointToHostAction,omitempty"`
 }
 
 // Kuberouter declares that we want Canal networking
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
index b70efee6a5..2d23bc196c 100644
--- a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
@@ -361,6 +361,7 @@ func Convert_kops_CalicoNetworkingSpec_To_v1alpha1_CalicoNetworkingSpec(in *kops
 }
 
 func autoConvert_v1alpha1_CanalNetworkingSpec_To_kops_CanalNetworkingSpec(in *CanalNetworkingSpec, out *kops.CanalNetworkingSpec, s conversion.Scope) error {
+	out.DefaultEndpointToHostAction = in.DefaultEndpointToHostAction
 	return nil
 }
 
@@ -370,6 +371,7 @@ func Convert_v1alpha1_CanalNetworkingSpec_To_kops_CanalNetworkingSpec(in *CanalN
 }
 
 func autoConvert_kops_CanalNetworkingSpec_To_v1alpha1_CanalNetworkingSpec(in *kops.CanalNetworkingSpec, out *CanalNetworkingSpec, s conversion.Scope) error {
+	out.DefaultEndpointToHostAction = in.DefaultEndpointToHostAction
 	return nil
 }
diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go
index 832b39a1d1..9b6096c6ec 100644
--- a/pkg/apis/kops/v1alpha2/networking.go
+++ b/pkg/apis/kops/v1alpha2/networking.go
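Review bot: The context line directly below the renamed comment, `// Kuberouter declares that we want Canal networking`, carries the same copy-paste error this hunk fixes for CanalNetworkingSpec, both here and in the v1alpha2 hunk that follows. Since the commit already touches the neighbouring comment, changing it to `// KuberouterNetworkingSpec declares that we want Kube-router networking` would bring the two versioned files in line with the internal version in the preceding hunk, which already reads Kube-router.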
@@ -67,8 +67,12 @@ type CalicoNetworkingSpec struct {
 	CrossSubnet bool `json:"crossSubnet,omitempty"` // Enables Calico's cross-subnet mode when set to true
 }
 
-// Canal declares that we want Canal networking
+// CanalNetworkingSpec declares that we want Canal networking
 type CanalNetworkingSpec struct {
+	// DefaultEndpointToHostAction allows users to configure the default behaviour
+	// for traffic between pod to host after calico rules have been processed.
+	// Default: ACCEPT (other options: DROP, RETURN)
+	DefaultEndpointToHostAction string `json:"defaultEndpointToHostAction,omitempty"`
 }
 
 // Kuberouter declares that we want Canal networking
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index 0dc534ccd5..274b7df404 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -389,6 +389,7 @@ func Convert_kops_CalicoNetworkingSpec_To_v1alpha2_CalicoNetworkingSpec(in *kops
 }
 
 func autoConvert_v1alpha2_CanalNetworkingSpec_To_kops_CanalNetworkingSpec(in *CanalNetworkingSpec, out *kops.CanalNetworkingSpec, s conversion.Scope) error {
+	out.DefaultEndpointToHostAction = in.DefaultEndpointToHostAction
 	return nil
 }
 
@@ -398,6 +399,7 @@ func Convert_v1alpha2_CanalNetworkingSpec_To_kops_CanalNetworkingSpec(in *CanalN
 }
 
 func autoConvert_kops_CanalNetworkingSpec_To_v1alpha2_CanalNetworkingSpec(in *kops.CanalNetworkingSpec, out *CanalNetworkingSpec, s conversion.Scope) error {
+	out.DefaultEndpointToHostAction = in.DefaultEndpointToHostAction
 	return nil
 }
diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.6.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.6.yaml.template
index 198e08b7c7..e6ed8acf69 100644
--- a/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.6.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.6.yaml.template
@@ -119,7 +119,7 @@ spec:
                   fieldPath: spec.nodeName
             # Set Felix endpoint to host default action to ACCEPT.
             - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
-              value: "ACCEPT"
+              value: "{{- or .Networking.Canal.DefaultEndpointToHostAction "ACCEPT" }}"
           securityContext:
             privileged: true
           resources:
diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/pre-k8s-1.6.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/pre-k8s-1.6.yaml.template
index 25dcb2856d..cf1058bdbc 100644
--- a/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/pre-k8s-1.6.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/pre-k8s-1.6.yaml.template
@@ -111,7 +111,7 @@ spec:
                   fieldPath: spec.nodeName
             # Set Felix endpoint to host default action to ACCEPT.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
-              value: "ACCEPT"
+              value: "{{- or .Networking.Canal.DefaultEndpointToHostAction "ACCEPT" }}"
          securityContext:
            privileged: true
          resources:
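Review bot: The context comment `# Set Felix endpoint to host default action to ACCEPT.` two lines above the changed value is now stale, because the action is user-controlled and ACCEPT is only the fallback; `# Felix endpoint-to-host action; ACCEPT unless .Networking.Canal.DefaultEndpointToHostAction is set.` would describe the new behaviour, in this hunk and in the pre-k8s-1.6 hunk below. The `{{-` trim marker has nothing to trim here, since the action is immediately preceded by the opening quote, so a plain `{{ or .Networking.Canal.DefaultEndpointToHostAction "ACCEPT" }}` reads more clearly. Note also that the field is interpolated untouched inside a double-quoted YAML scalar, so a value containing a `"` or a newline would produce an invalid manifest; that is one more reason to validate the field against ACCEPT/DROP/RETURN at the API layer rather than trusting it in the template.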