[Calico] Configuration robustness improvements

No longer use networking.settings.ippool.ipip.mode, rather take from
conf.node.CALICO_IPV4POOL_IPIP (this avoids duplication and
possibility of setting them differently).

Logging values previously required Titlecase in some places, lower in
others (and it changed across versions); have the chart DTRT where it
matters to avoid configuration problems.

Change-Id: Idb7ccb5be8f9e1cb184ed86a9fd0875704912564

calico/templates/bin/_calico-settings.sh.tpl

@@ -2,6 +2,13 @@
 
 set -eux
 
+
+{{/* Robustness, Calico 3.x wants things as Titlecase; this causes pain */}}
+{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_IPIP" (title .Values.conf.node.CALICO_IPV4POOL_IPIP ) -}}
+{{- $_ := set .Values.conf.node "CALICO_STARTUP_LOGLEVEL" (title .Values.conf.node.CALICO_STARTUP_LOGLEVEL ) -}}
+{{- $_ := set .Values.conf.node "FELIX_LOGSEVERITYSCREEN" (title .Values.conf.node.FELIX_LOGSEVERITYSCREEN ) -}}
+
+
 {{- $envAll := . }}
 
 {{ if empty .Values.conf.node.CALICO_IPV4POOL_CIDR }}
@@ -51,7 +58,7 @@ spec:
 {{- if .Values.conf.node.CALICO_IPV4POOL_BLOCKSIZE }}
   blockSize: {{ .Values.conf.node.CALICO_IPV4POOL_BLOCKSIZE }}
 {{- end }}
-  ipipMode: {{ .Values.networking.settings.ippool.ipip.mode }}
+  ipipMode: {{ .Values.conf.node.CALICO_IPV4POOL_IPIP }}
   natOutgoing: {{ .Values.networking.settings.ippool.nat_outgoing }}
   disabled: {{ .Values.networking.settings.ippool.disabled }}
 EOF

calico/templates/daemonset-calico-node.yaml

@@ -18,30 +18,33 @@ limitations under the License.
 {{- $envAll := . }}
 
 
-
-{{/* Adjust MTU iff we have tunnel overhead; 20 suffices for an IPv4 IPIP header */}}
-{{- if ne .Values.conf.node.CALICO_IPV4POOL_IPIP "Never" -}}
-{{- $_ := set .Values.networking "mtu" (sub .Values.networking.mtu 20) -}}
-# Adjusted MTU to {{ .Values.networking.mtu }}
-{{ end -}}
+{{/* Robustness, Calico 3.x wants things as Titlecase; this causes pain */}}
+{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_IPIP" (title .Values.conf.node.CALICO_IPV4POOL_IPIP ) -}}
+{{- $_ := set .Values.conf.node "CALICO_STARTUP_LOGLEVEL" (title .Values.conf.node.CALICO_STARTUP_LOGLEVEL ) -}}
+{{- $_ := set .Values.conf.node "FELIX_LOGSEVERITYSCREEN" (title .Values.conf.node.FELIX_LOGSEVERITYSCREEN ) -}}
 
 
-
-
-{{/* Some values need to be specified in multiple places; set appropriately */}}
-
+{{/* If using tunnels, and FELIX_IPINIPMTU is not set, make it 20 less than the physical to account for IPIP overhead */}}
 {{- if empty .Values.conf.node.FELIX_IPINIPMTU -}}
-{{- $_ := set .Values.conf.node "FELIX_IPINIPMTU" .Values.networking.mtu -}}
+{{- if ne .Values.conf.node.CALICO_IPV4POOL_IPIP "Never" -}}
+{{- $_ := set .Values.conf.node "FELIX_IPINIPMTU" (sub .Values.networking.mtu 20) -}}
+# Setting tunnel MTU to {{ .Values.conf.node.FELIX_IPINIPMTU }}
+{{- end -}}
 {{- end -}}
 
+
+{{/* CNI_MTU is >= than the IPIP mtu, usually the physical MTU of the system */}}
 {{- if empty .Values.conf.node.CNI_MTU -}}
-{{- $_ := set .Values.conf.node "CNI_MTU" .Values.conf.node.FELIX_IPINIPMTU -}}
+{{- $_ := set .Values.conf.node "CNI_MTU" .Values.networking.mtu -}}
 {{- end -}}
 
+
 {{- if empty .Values.conf.node.CALICO_IPV4POOL_CIDR -}}
 {{- $_ := set .Values.conf.node "CALICO_IPV4POOL_CIDR" .Values.networking.podSubnet -}}
 {{- end -}}
 
+
+
 {{- $serviceAccountName := "calico-node" }}
 {{ tuple $envAll "calico_node" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---

calico/values.yaml

@@ -190,14 +190,12 @@ networking:
 
   settings:
     mesh: "on"
-    # technically this could be a list, today we only support
-    # a single podSubnet, the one above.  The settings below
-    # will be applied to that ipPool
+    # technically this could be a list, today we only support a single
+    # podSubnet, the one above.  The settings below will be applied to
+    # that ipPool
     ippool:
       ipip:
         enabled: "true"
-        # Titlecase
-        mode: "Always"
       nat_outgoing: "true"
       disabled: "false"
 
@@ -496,22 +494,26 @@ conf:
     # Disable file logging so `kubectl logs` works.
     CALICO_DISABLE_FILE_LOGGING: "true"
     # Set Felix endpoint to host default action to ACCEPT.
-    # early/startup log level for calico-node on startup.  Titlecase
-    # not lowercase.
+    # early/startup log level for calico-node on startup.
     CALICO_STARTUP_LOGLEVEL: "Info"
     FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT"
-    # Configure the IP Pool from which Pod IPs will be chosen.
+    # Configure the IP Pool from which Pod IPs will be chosen; it's
+    # recommended you leave this as null and the value from
+    # networking.podSubnet will be used
     CALICO_IPV4POOL_CIDR: null
     # See https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/ippool
     CALICO_IPV4POOL_BLOCKSIZE: 26
-    # Change this to 'off' in environments with direct L2 communication
-    # Titlecase
+    # Change this to 'Never' in environments with direct L2
+    # communication (such that tunnels are not needed for pods on
+    # different hosts to communicate with each otehr).
     CALICO_IPV4POOL_IPIP: "Always"
     # Disable IPv6 on Kubernetes.
     FELIX_IPV6SUPPORT: "false"
-    # Set MTU for tunnel device used if ipip is enabled
+    # Set MTU for tunnel device used if ipip is enabled, it's
+    # recommended you leave this as null and an appropriate value will
+    # be set based on tunneling mode and the networking.mtu value
     FELIX_IPINIPMTU: null
-    # Set Felix logging, Titlecase not lowercase.
+    # Set Felix logging; also (ab)used for bgp configuration
     FELIX_LOGSEVERITYSCREEN: "Info"
     FELIX_HEALTHENABLED: "true"
     # Set Felix experimental Prometheus metrics server