feat: Add Calico install options + VCN-Native CNI config

Signed-off-by: Devon Crouse <[email protected]>

Author: devoncrouse

docs/configuration.adoc

@@ -242,7 +242,7 @@ kubectl --namespace=default get secret ocirsecret --export -o yaml | kubectl app
 
 == Configure Calico parameters
 
-The calico parameters control the installation of {uri-calico}[Calico] for {uri-calico-policy}[network policy].
+The Calico parameters control the installation of {uri-calico}[Calico] for {uri-calico-policy}[network policy].
 
 {uri-terraform-options}#calico[Reference]
 

docs/terraformoptions.adoc

@@ -9,7 +9,13 @@
 :uri-rel-file-base: link:{uri-repo}/blob/main
 :uri-rel-tree-base: link:{uri-repo}/tree/main
 :uri-calico: https://www.projectcalico.org/
-:uri-calico-policy: https://docs.projectcalico.org/getting-started/kubernetes/flannel/flannel
+:uri-calico-docs: https://projectcalico.docs.tigera.io
+:uri-calico-networking: {uri-calico-docs}/networking/determine-best-networking#about-calico-networking
+:uri-calico-policy: {uri-calico-docs}/getting-started/kubernetes/flannel/flannel
+:uri-calico-mtu: {uri-calico-docs}/networking/mtu
+:uri-calico-manifests: https://github.com/projectcalico/calico/tree/master/manifests
+:uri-calico-apiserver: {uri-calico-docs}/reference/architecture/overview#calico-api-server
+:uri-typha: {uri-calico-docs}/reference/typha/overview
 :uri-cert-manager: https://cert-manager.readthedocs.io/en/latest/
 :uri-docs: {uri-rel-file-base}/docs
 :uri-kubernetes-hpa: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
@@ -1000,14 +1006,39 @@ Refer to {uri-topology}[topology] for more thorough examples.
 |Default
 
 |enable_calico
-|Whether to install {uri-calico}[Calico] as {uri-calico-policy}[pod network policy].
+|Whether to install {uri-calico}[Calico] for pod {uri-calico-policy}[network policy] and/or {uri-calico-networking}[networking].
 |true/false
 |false
 
 |calico_version
 |Version of {uri-calico}[Calico] to install.
-|3.19
-|3.19
+|3.7-3.21, 3.24.1-3.24.5
+|3.24.5
+
+|calico_mode
+|{uri-calico}[Calico] installation {uri-calico-manifests}[mode].
+|canal, vxlan, flannel-migration, policy-only, ipip
+|policy-only
+
+|calico_mtu
+|{uri-calico-mtu}[Interface MTU] for {uri-calico}[Calico] device(s).
+|`8980` (IP-in-IP), `8950` (VXLAN), `0` (Auto)
+|0
+
+|calico_apiserver_enabled
+|Whether to enable the {uri-calico-apiserver}[Calico apiserver] component.
+|true/false
+|false
+
+|typha_enabled
+|Whether to enable Typha. Requires `cni_type = flannel`. Always `true` when >50 nodes.
+|true/false
+|false
+
+|typha_replicas
+|# of Typha replicas.
+|`0`-`5`+, `0` (Auto)
+|0
 
 |===
 

main.tf

@@ -380,8 +380,16 @@ module "extensions" {
   username         = var.username
 
   # calico parameters
-  calico_version = var.calico_version
-  install_calico = var.enable_calico
+  install_calico           = var.enable_calico
+  calico_version           = var.calico_version
+  calico_mode              = var.calico_mode
+  cni_type                 = var.cni_type
+  calico_mtu               = var.calico_mtu
+  calico_url               = var.calico_url
+  calico_apiserver_enabled = var.calico_apiserver_enabled
+  calico_staging_dir       = var.calico_staging_dir
+  typha_enabled            = var.typha_enabled
+  typha_replicas           = var.typha_replicas
 
   # metric server
   enable_metric_server = var.enable_metric_server

modules/extensions/calico.tf

@@ -1,5 +1,5 @@
-## Copyright 2017, 2021 Oracle Corporation and/or affiliates.
-## Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+# Copyright (c) 2017, 2022 Oracle Corporation and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 resource "null_resource" "install_calico" {
   connection {
@@ -16,16 +16,47 @@ resource "null_resource" "install_calico" {
 
   depends_on = [null_resource.install_k8stools_on_operator, null_resource.write_kubeconfig_on_operator]
 
+  provisioner "remote-exec" {
+    inline = [
+      "mkdir -p ${var.calico_staging_dir}"
+    ]
+  }
+
+  provisioner "file" {
+    source      = "${path.module}/resources/calico"
+    destination = "${var.calico_staging_dir}/"
+  }
+
   provisioner "file" {
-    content     = local.install_calico_template
-    destination = "/home/opc/install_calico.sh"
+    source      = "${path.module}/scripts/split_yaml.awk"
+    destination = "${var.calico_staging_dir}/split_yaml.awk"
+  }
+
+  provisioner "file" {
+    content     = local.calico_env_template
+    destination = "${var.calico_staging_dir}/calico_env.sh"
+  }
+
+  provisioner "file" {
+    source      = "${path.module}/scripts/calico_install.sh"
+    destination = "${var.calico_staging_dir}/calico_install.sh"
   }
 
   provisioner "remote-exec" {
     inline = [
-      "if [ -f \"$HOME/install_calico.sh\" ]; then bash \"$HOME/install_calico.sh\"; rm -f \"$HOME/install_calico.sh\";fi",
+      "bash ${var.calico_staging_dir}/calico_install.sh && rm -r ${var.calico_staging_dir}"
     ]
   }
 
+  triggers = {
+    calico_mode              = var.calico_mode
+    calico_mtu               = var.calico_mtu
+    calico_url               = var.calico_url
+    calico_version           = var.calico_version
+    calico_apiserver_enabled = var.calico_apiserver_enabled
+    typha_enabled            = var.typha_enabled
+    typha_replicas           = var.typha_replicas
+  }
+
   count = local.post_provisioning_ops == true && var.install_calico == true ? 1 : 0
 }

modules/extensions/resources/calico/calico-node-env-flannel.yaml

@@ -0,0 +1,12 @@
+spec:
+  template:
+    spec:
+      containers:
+      - name: "calico-node"
+        env:
+        - name: "CALICO_IPV4POOL_CIDR"
+          value: "${POD_CIDR}"
+        - name: "CALICO_IPV4POOL_VXLAN"
+          value: "${IPV4POOL_VXLAN}"
+        - name: "FELIX_IPTABLESBACKEND"
+          value: "${IPTABLES_BACKEND}"

modules/extensions/resources/calico/calico-node-env-npn.yaml

@@ -0,0 +1,20 @@
+spec:
+  template:
+    spec:
+      containers:
+      - name: "calico-node"
+        env:
+        - name: "FELIX_INTERFACEPREFIX"
+          value: "oci"
+        - name: "NO_DEFAULT_POOLS"
+          value: "true"
+        - name: "FELIX_CHAININSERTMODE"
+          value: "Append"
+        - name: "FELIX_IPTABLESMANGLEALLOWACTION"
+          value: "Return"
+        - name: "FELIX_IPTABLESBACKEND"
+          value: "${iptables_backend}"
+        - name: "USE_POD_CIDR"
+          value: "true"
+        - name: "FELIX_REMOVEEXTERNALROUTES"
+          value: "false"

modules/extensions/resources/calico/felix-config-flannel.yaml

@@ -0,0 +1,7 @@
+apiVersion: crd.projectcalico.org/v1
+kind: FelixConfiguration
+metadata:
+  name: default
+spec:
+  ipv6Support: false
+  iptablesBackend: ${iptables_backend}

modules/extensions/resources/calico/felix-config-npn.yaml

@@ -0,0 +1,11 @@
+apiVersion: crd.projectcalico.org/v1
+kind: FelixConfiguration
+metadata:
+  name: default
+spec:
+  ipv6Support: false
+  chainInsertMode: Append
+  iptablesBackend: ${iptables_backend}
+  interfacePrefix: oci
+  iptablesMangleAllowAction: Return
+  removeExternalRoutes: false

modules/extensions/scripts/calico_env.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+# Copyright (c) 2022 Oracle Corporation and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+# shellcheck disable=SC2034,SC2154,SC2269 # Ignore templated file variables
+set -ae
+MODE=${mode}
+VERSION=${version}
+CNI_TYPE=${cni_type}
+POD_CIDR=${pod_cidr}
+MTU=${mtu}
+URL=${url}
+APISERVER_ENABLED=${apiserver_enabled}
+TYPHA_ENABLED=${typha_enabled}
+TYPHA_REPLICAS=${typha_replicas}