[Calico] Allow resource configuration using chart (overrides)

Allow Calico resources such as NetworkPolicy, GlobalNetworkPolicy,
WorkloadEndpoint, etc to be specified using values.

To avoid the complexities of list management with helm we use a
dictionary that contains a relative priority and set of objects
(called rules).

For example:

network:
  policy:

    someName:
      priority: 0
      rules:
       - apiVersion: projectcalico.org/v3
... some useful resource object ...
       - apiVersion: projectcalico.org/v3
... some other useful resource object ...

    someOtherName:
      priority: 1
      rules:
       - apiVersion: projectcalico.org/v3
... rules that come later ...

    lastSetOfRules:
      priority: 9
      rules:
       - apiVersion: projectcalico.org/v3
... rules that come last ... maybe hostendpoints ...

By having named groups of rules, each with its own priority, you can
update, delete and amend individual sets of rules, provided you
set the appropriate "priority" value.

Change-Id: Id441350bcc8b95a91ef4d1b89d1bc3c417f50b13
Chris Wedgwood 2018-10-17 00:56:53 +00:00
parent e7f21a6bd0
commit 02f400e442
2 changed files with 169 additions and 4 deletions


@ -2,6 +2,8 @@
set -eux
{{- $envAll := . }}
{{ if empty .Values.conf.node.CALICO_IPV4POOL_CIDR }}
{{ $_ := set .Values.conf.node "CALICO_IPV4POOL_CIDR" .Values.networking.podSubnet }}
{{ end }}
@ -66,5 +68,20 @@ $CTL apply -f - <<EOF
EOF
{{ end }}
exit 0
{{/* gotpl quirks mean it is easier to loop from 0 to 9 looking for a match in an inner loop than trying to extract and sort */}}
{{ if .Values.networking.policy }}
# Policy and Endpoint rules
{{ range $n, $data := tuple 0 1 2 3 4 5 6 7 8 9 }}
# Priority: {{ $n }} objects
{{- range $section, $data := $envAll.Values.networking.policy }}
{{- if eq (toString $data.priority) (toString $n) }}
# Section: {{ $section }} Priority: {{ $data.priority }} {{ $n }}
$CTL apply -f - <<EOF
{{ $data.rules | toYaml }}
EOF
{{- end }}
{{- end }}
{{- end }}
{{ end }}
exit 0
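Review bot: The heredoc introduced in the new policy loop, `$CTL apply -f - <<EOF`, uses an unquoted delimiter, so the shell expands `$...`, backticks and `$(...)` inside the rendered `{{ $data.rules | toYaml }}` body before calicoctl ever sees it; a selector or label value containing a dollar sign would be silently rewritten or, with `set -eux` in force, abort the script. The emitted YAML is pure data with no intended shell expansion, so the delimiter should be quoted: `$CTL apply -f - <<'EOF'`. Separately, an entry whose `priority` is missing or outside 0–9 never satisfies `eq (toString $data.priority) (toString $n)` and is dropped without any trace, although values.yaml describes such values as invalid; a pre-check that calls `fail` (if the Helm version in use provides it), or at least a rendered `# WARNING: section X has unsupported priority` comment, would surface the misconfiguration. As a point of style, the outer `range $n, $data := tuple 0 1 2 3 4 5 6 7 8 9` binds a `$data` that is never read and is immediately shadowed by the inner range; `{{ range $n := tuple 0 1 2 3 4 5 6 7 8 9 }}` is equivalent here since the tuple elements equal their indices. The enclosing script starts before this hunk.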


@ -247,6 +247,153 @@ networking:
neighbor: 179
listen: 179
# Policy contains embedded Calico policy and/or endpoint objects.
# Because lists are cumbersome to deal with this is stuctured as a
# dictionary (therefore not ordered). The top-level key names are
# not important, priority contains a value between 0 and 9 inclusive
# and rules contains any objects (typically used as rules).
# Priority 0 objects are emitted before priority 9. It is
# recommended any rules such as HostEndpoint be given a higher
# priority so that they are applied after more generic objects.
# Priority values outside of integers 0 through 9 are not valid and
# should not be used.
policy:
# alpha:
# priority: 0
# rules:
# - apiVersion: projectcalico.org/v3
# kind: GlobalNetworkPolicy
# metadata:
# name: allow-tcp-6379
# spec:
# order: 0
# selector: role == 'database'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 6379
# egress:
# - action: Allow
# - apiVersion: projectcalico.org/v3
# kind: GlobalNetworkPolicy
# metadata:
# name: allow-tcp-3306
# spec:
# order: 1
# selector: role == 'database'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 3306
# egress:
# - action: Allow
# beta:
# priority: 1
# rules:
# - apiVersion: projectcalico.org/v3
# kind: NetworkPolicy
# metadata:
# name: allow-tcp-6379
# namespace: production
# spec:
# selector: role == 'database'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 6379
# egress:
# - action: Allow
# - apiVersion: projectcalico.org/v3
# kind: NetworkPolicy
# metadata:
# name: allow-tcp-8081
# namespace: production
# spec:
# selector: role == 'webthing'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 8081
# egress:
# - action: Allow
# zulu:
# priority: 9
# rules:
# - apiVersion: projectcalico.org/v3
# kind: HostEndpoint
# metadata:
# name: first.thing
# labels:
# type: production
# spec:
# interfaceName: eth0
# node: mysecrethost
# expectedIPs:
# - 192.168.0.1
# - 192.168.0.2
# profiles:
# - profile1
# - profile2
# ports:
# - name: some-port
# port: 1234
# protocol: TCP
# - name: another-port
# port: 5432
# protocol: UDP
# - apiVersion: projectcalico.org/v3
# kind: HostEndpoint
# metadata:
# name: second.thing
# labels:
# type: production
# spec:
# interfaceName: eth1
# node: myothersecrethost
# expectedIPs:
# - 192.168.1.1
# - 192.168.1.2
# profiles:
# - profile1
# - profile2
# ports:
# - name: some-port
# port: 1234
# protocol: TCP
# - name: another-port
# port: 5432
# protocol: UDP
conf:
etcd:
credentials:
@ -299,9 +446,10 @@ conf:
# Cluster type to identify the deployment type
# NOTE: v2 had a list ... v3 a comma separated string
CLUSTER_TYPE: "k8s,bgp"
# Describes which BGP networking backend to use gobgp, bird, none. Default is bird.
# NOTE(alanmeadows) today this chart only supports applying the bgp customizations to
# bird templates - in the future we may support gobgp as well
# Describes which BGP networking backend to use gobgp, bird, none.
# Default is bird. NOTE(alanmeadows) today this chart only
# supports applying the bgp customizations to bird templates - in
# the future we may support gobgp as well
CALICO_NETWORKING_BACKEND: bird
# Location of the CA certificate for etcd.
ETCD_CA_CERT_FILE: ""
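Review bot: The `policy:` key added in the first hunk is left as a bare empty value, which YAML reads as `null`; `policy: {}` states the intended type explicitly and behaves the same way under the template's `if .Values.networking.policy` test. The comment block above it has a typo, `stuctured` → `structured`, and says out-of-range priorities `should not be used` without saying what happens to them — as far as the template shows, such an entry is simply never emitted, so a line like `# Entries whose priority is not an integer 0 through 9 are silently skipped by the template.` would save an operator a confusing debugging session. The example also mixes the chart-level `priority` with Calico's own `spec.order` on the GlobalNetworkPolicy entries; a one-line note that `priority` only controls the order in which groups are applied by this chart and is not read from or written to `spec.order` would keep the two from being confused. The second hunk is a comment reflow and needs nothing.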