felix programs ipip tunnel routes

Author: mazdakn

charts/calico/templates/calico-config.yaml

@@ -41,6 +41,8 @@ data:
   # Configure the backend to use.
 {{- if or (.Values.flannel_migration) (.Values.vxlan) }}
   calico_backend: "vxlan"
+{{- else if (.Values.ipip) }}
+  calico_backend: "ipip"
 {{- else }}
   calico_backend: "bird"
 {{- end }}

charts/calico/templates/calico-node.yaml

@@ -406,7 +406,7 @@ spec:
               command:
               - /bin/calico-node
               - -felix-live
-{{- if and (eq .Values.network "calico") (not .Values.flannel_migration) (not .Values.vxlan) }}
+{{- if and (eq .Values.network "calico") (not .Values.flannel_migration) (not .Values.vxlan) (not .Values.ipip) }}
               - -bird-live
 {{- end }}
             periodSeconds: 10
@@ -419,7 +419,7 @@ spec:
               command:
               - /bin/calico-node
               - -felix-ready
-{{- if and (not .Values.flannel_migration) (not .Values.vxlan) }}
+{{- if and (not .Values.flannel_migration) (not .Values.vxlan) (not .Values.ipip) }}
               - -bird-ready
 {{- end }}
 {{- else if eq .Values.network "flannel" }}

charts/values/calico-ipip.yaml

@@ -0,0 +1,3 @@
+datastore: kubernetes
+network: calico
+ipip: true

confd/etc/calico/confd/templates/bird6_ipam.cfg.template

@@ -10,11 +10,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 
@@ -66,19 +65,17 @@ function calico_export_to_bgp_peers(bool internal_peer) {
 filter calico_kernel_programming {
 {{- $reject_key := "/rejectcidrsv6"}}
 {{- if ls $reject_key}}
-
   # Don't program static routes into kernel.
   {{- range ls $reject_key}}
     {{- $parts := split . "-"}}
     {{- $cidr := join $parts "/"}}
   if ( net ~ {{$cidr}} ) then { reject; }
   {{- end}}
-
 {{- end}}
 {{range ls "/v1/ipam/v6/pool"}}{{$data := json (getv (printf "/v1/ipam/v6/pool/%s" .))}}
-{{- if $data.vxlan_mode}}
+{{- if or ($data.vxlan_mode) ($data.ipip_mode)}}
   if ( net ~ {{$data.cidr}} ) then {
-    # Don't program VXLAN routes into the kernel - these are handled by Felix.
+    # Don't program VXLAN or IPIP routes into the kernel - these are handled by Felix.
     reject;
   }
 {{- end}}{{/* End of '$data.vxlan_mode' */}}

confd/etc/calico/confd/templates/bird_ipam.cfg.template

@@ -10,11 +10,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 
@@ -67,36 +66,20 @@ function calico_export_to_bgp_peers(bool internal_peer) {
 filter calico_kernel_programming {
 {{- $reject_key := "/rejectcidrs"}}
 {{- if ls $reject_key}}
-
   # Don't program static routes into kernel.
   {{- range ls $reject_key}}
     {{- $parts := split . "-"}}
     {{- $cidr := join $parts "/"}}
   if ( net ~ {{$cidr}} ) then { reject; }
   {{- end}}
-
 {{- end}}
-{{- if exists $network_key}}{{$network := getv $network_key}}
 {{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}
+{{- if or ($data.vxlan_mode) ($data.ipip_mode)}}
   if ( net ~ {{$data.cidr}} ) then {
-{{- if $data.vxlan_mode}}
-    # Don't program VXLAN routes into the kernel - these are handled by Felix.
+    # Don't program VXLAN or IPIP routes into the kernel - these are handled by Felix.
     reject;
   }
-{{- else if $data.ipip_mode}}{{if eq $data.ipip_mode "cross-subnet"}}
-    if defined(bgp_next_hop) && ( bgp_next_hop ~ {{$network}} ) then
-      krt_tunnel = "";                     {{- /* Destination in ipPool, mode is cross sub-net, route from-host on subnet, do not use IPIP */}}
-    else
-      krt_tunnel = "{{$data.ipip}}";       {{- /* Destination in ipPool, mode is cross sub-net, route from-host off subnet, set the tunnel (if IPIP not enabled, value will be "") */}}
-    accept;
-  } {{- else}}
-    krt_tunnel = "{{$data.ipip}}";         {{- /* Destination in ipPool, mode not cross sub-net, set the tunnel (if IPIP not enabled, value will be "") */}}
-    accept;
-  } {{- end}} {{- else}}
-    krt_tunnel = "{{$data.ipip}}";         {{- /* Destination in ipPool, mode field is not present, set the tunnel (if IPIP not enabled, value will be "") */}}
-    accept;
-  } {{- end}}
-{{end}}
-{{- end}}{{/* End of 'exists $network_key' */}}
+{{- end}}{{/* End of '$data.vxlan_mode' */}}
+{{- end}}{{/* End of 'range ls...' */}}
   accept;                                  {{- /* Destination is not in any ipPool, accept  */}}
 }

confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird6_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird6_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird6_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird6_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/filter_names/bird6_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/filter_names/bird_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird6_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird6_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/match_interface/bird6_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/match_interface/bird_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/match_operators/bird6_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }
 

confd/tests/compiled_templates/bgpfilter/match_operators/bird_ipam.cfg

@@ -6,11 +6,10 @@ function reject_disabled_pools ()
 
 function reject_tunnel_routes () {
   # Don't export tunnel routes to other nodes, Felix programs them.
-  # IPIP routes are handled by Bird, and it does not re-advertise them.
   if (defined(ifname)) then {
-     if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
-        reject;
-     }
+    if ((ifname ~ "*.cali") || (ifname ~ "*.calico") || (ifname ~ "tunl0")) then {
+      reject;
+    }
   }
 }