Merge pull request #647 from coutinhop/pedro-CORE-7109

Don't export BGP routes for IP pools that have disableBGPExport==true

Author: coutinhop

Makefile

@@ -44,10 +44,10 @@ K8S_VERSION=v1.17.0
 
 test: ut test-kdd test-etcd
 
-CALICOCTL_VER=master
-CALICOCTL_CONTAINER_NAME=calico/ctl:$(CALICOCTL_VER)-$(ARCH)
-TYPHA_VER=master
-TYPHA_CONTAINER_NAME=calico/typha:$(TYPHA_VER)-$(ARCH)
+CALICOCTL_VER?=master
+CALICOCTL_CONTAINER_NAME?=calico/ctl:$(CALICOCTL_VER)-$(ARCH)
+TYPHA_VER?=master
+TYPHA_CONTAINER_NAME?=calico/typha:$(TYPHA_VER)-$(ARCH)
 LOCAL_IP_ENV?=$(shell ip route get 8.8.8.8 | head -1 | awk '{print $$7}')
 
 LDFLAGS=-ldflags "-X $(PACKAGE_NAME)/pkg/buildinfo.GitVersion=$(GIT_DESCRIPTION)"

etc/calico/confd/templates/bird6_ipam.cfg.template

@@ -14,10 +14,14 @@ filter calico_export_to_bgp_peers {
   {{- end}}
 {{- end}}
 {{range ls "/v1/ipam/v6/pool"}}{{$data := json (getv (printf "/v1/ipam/v6/pool/%s" .))}}
+{{- if $data.disableBGPExport}}
+  # Skip {{$data.cidr}} as BGP export is disabled for it
+{{- else}}
   if ( net ~ {{$data.cidr}} ) then {
     accept;
   }
-{{end}}
+{{- end}}
+{{- end}}
   reject;
 }
 

etc/calico/confd/templates/bird_ipam.cfg.template

@@ -14,9 +14,13 @@ filter calico_export_to_bgp_peers {
   {{- end}}
 {{- end}}
 {{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}
+{{- if $data.disableBGPExport}}
+  # Skip {{$data.cidr}} as BGP export is disabled for it
+{{- else}}
   if ( net ~ {{$data.cidr}} ) then {
     accept;
   }
+{{- end}}
 {{- end}}
   reject;
 }

tests/compiled_templates/mesh/bgp-export/bird.cfg

@@ -0,0 +1,100 @@
+function apply_communities ()
+{
+}
+
+# Generated by confd
+include "bird_aggr.cfg";
+include "bird_ipam.cfg";
+
+router id 10.192.0.2;
+
+# Configure synchronization between routing tables and kernel.
+protocol kernel {
+  learn;             # Learn all alien routes from the kernel
+  persist;           # Don't remove routes on bird shutdown
+  scan time 2;       # Scan kernel routing table every 2 seconds
+  import all;
+  export filter calico_kernel_programming; # Default is export none
+  graceful restart;  # Turn on graceful restart to reduce potential flaps in
+                     # routes when reloading BIRD configuration.  With a full
+                     # automatic mesh, there is no way to prevent BGP from
+                     # flapping since multiple nodes update their BGP
+                     # configuration at the same time, GR is not guaranteed to
+                     # work correctly in this scenario.
+  merge paths on;    # Allow export multipath routes (ECMP)
+}
+
+# Watch interface up/down events.
+protocol device {
+  debug { states };
+  scan time 2;    # Scan interfaces every 2 seconds
+}
+
+protocol direct {
+  debug { states };
+  interface -"cali*", -"kube-ipvs*", "*"; # Exclude cali* and kube-ipvs* but
+                                          # include everything else.  In
+                                          # IPVS-mode, kube-proxy creates a
+                                          # kube-ipvs0 interface. We exclude
+                                          # kube-ipvs0 because this interface
+                                          # gets an address for every in use
+                                          # cluster IP. We use static routes
+                                          # for when we legitimately want to
+                                          # export cluster IPs.
+}
+
+
+# Template for all BGP clients
+template bgp bgp_template {
+  debug { states };
+  description "Connection to BGP peer";
+  local as 64512;
+  multihop;
+  gateway recursive; # This should be the default, but just in case.
+  import all;        # Import all routes, since we don't know what the upstream
+                     # topology is and therefore have to trust the ToR/RR.
+  export filter calico_export_to_bgp_peers;  # Only want to export routes for workloads.
+  add paths on;
+  graceful restart;  # See comment in kernel section about graceful restart.
+  connect delay time 2;
+  connect retry time 5;
+  error wait time 5,30;
+}
+
+# ------------- Node-to-node mesh -------------
+
+
+
+
+
+# For peer /host/kube-master/ip_addr_v4
+# Skipping ourselves (10.192.0.2)
+
+
+
+# For peer /host/kube-node-1/ip_addr_v4
+protocol bgp Mesh_10_192_0_3 from bgp_template {
+  neighbor 10.192.0.3 as 64512;
+  source address 10.192.0.2;  # The local address we use for the TCP connection
+  passive on; # Mesh is unidirectional, peer will connect to us.
+}
+
+
+
+# For peer /host/kube-node-2/ip_addr_v4
+protocol bgp Mesh_10_192_0_4 from bgp_template {
+  neighbor 10.192.0.4 as 64512;
+  source address 10.192.0.2;  # The local address we use for the TCP connection
+  passive on; # Mesh is unidirectional, peer will connect to us.
+}
+
+
+
+# ------------- Global peers -------------
+# No global peers configured.
+
+
+# ------------- Node-specific peers -------------
+
+# No node-specific peers configured.
+

tests/compiled_templates/mesh/bgp-export/bird6.cfg

@@ -0,0 +1,47 @@
+function apply_communities ()
+{
+}
+
+# Generated by confd
+include "bird6_aggr.cfg";
+include "bird6_ipam.cfg";
+
+router id 10.192.0.2;  # Use IPv4 address since router id is 4 octets, even in MP-BGP
+
+# Configure synchronization between routing tables and kernel.
+protocol kernel {
+  learn;             # Learn all alien routes from the kernel
+  persist;           # Don't remove routes on bird shutdown
+  scan time 2;       # Scan kernel routing table every 2 seconds
+  import all;
+  export filter calico_kernel_programming; # Default is export none
+  graceful restart;  # Turn on graceful restart to reduce potential flaps in
+                     # routes when reloading BIRD configuration.  With a full
+                     # automatic mesh, there is no way to prevent BGP from
+                     # flapping since multiple nodes update their BGP
+                     # configuration at the same time, GR is not guaranteed to
+                     # work correctly in this scenario.
+  merge paths on;    # Allow export multipath routes (ECMP)
+}
+
+# Watch interface up/down events.
+protocol device {
+  debug { states };
+  scan time 2;    # Scan interfaces every 2 seconds
+}
+
+protocol direct {
+  debug { states };
+  interface -"cali*", -"kube-ipvs*", "*"; # Exclude cali* and kube-ipvs* but
+                                          # include everything else.  In
+                                          # IPVS-mode, kube-proxy creates a
+                                          # kube-ipvs0 interface. We exclude
+                                          # kube-ipvs0 because this interface
+                                          # gets an address for every in use
+                                          # cluster IP. We use static routes
+                                          # for when we legitimately want to
+                                          # export cluster IPs.
+}
+
+# IPv6 disabled on this node.
+

tests/compiled_templates/mesh/bgp-export/bird6_aggr.cfg

@@ -0,0 +1,8 @@
+# Generated by confd
+
+# No IP blocks or static routes for this host.
+
+# Aggregation of routes on this host; export the block, nothing beneath it.
+function calico_aggr ()
+{
+}

tests/compiled_templates/mesh/bgp-export/bird6_ipam.cfg

@@ -0,0 +1,19 @@
+# Generated by confd
+filter calico_export_to_bgp_peers {
+  # filter code terminates when it calls `accept;` or `reject;`, call apply_communities() before calico_aggr()
+  apply_communities();
+  calico_aggr();
+
+  if ( net ~ 2002:101::/64 ) then {
+    accept;
+  }
+  # Skip 2002:102::/64 as BGP export is disabled for it
+  if ( net ~ 2002:103::/64 ) then {
+    accept;
+  }
+  reject;
+}
+
+filter calico_kernel_programming {
+  accept;
+}

tests/compiled_templates/mesh/bgp-export/bird_aggr.cfg

@@ -0,0 +1,32 @@
+# Generated by confd
+
+protocol static {
+   # IP blocks for this host.
+   route 10.0.0.0/30 blackhole;
+   route 10.1.0.0/24 blackhole;
+   route 192.168.221.0/26 blackhole;
+   route 192.168.221.192/26 blackhole;
+   route 192.168.221.64/26 blackhole;
+}
+
+
+# Aggregation of routes on this host; export the block, nothing beneath it.
+function calico_aggr ()
+{
+      # Block 10.0.0.0/30 is implicitly confirmed.
+      if ( net = 10.0.0.0/30 ) then { accept; }
+      if ( net ~ 10.0.0.0/30 ) then { reject; }
+      # Block 10.1.0.0/24 is implicitly confirmed.
+      if ( net = 10.1.0.0/24 ) then { accept; }
+      if ( net ~ 10.1.0.0/24 ) then { reject; }
+      # Block 10.2.0.1/32 is implicitly confirmed.
+      if ( net = 10.2.0.1/32 ) then { accept; }
+      if ( net ~ 10.2.0.1/32 ) then { reject; }
+      # Block 192.168.221.0/26 is pending
+      # Block 192.168.221.192/26 is implicitly confirmed.
+      if ( net = 192.168.221.192/26 ) then { accept; }
+      if ( net ~ 192.168.221.192/26 ) then { reject; }
+      # Block 192.168.221.64/26 is confirmed
+      if ( net = 192.168.221.64/26 ) then { accept; }
+      if ( net ~ 192.168.221.64/26 ) then { reject; }
+}

tests/compiled_templates/mesh/bgp-export/bird_ipam.cfg

@@ -0,0 +1,36 @@
+# Generated by confd
+filter calico_export_to_bgp_peers {
+  # filter code terminates when it calls `accept;` or `reject;`, call apply_communities() before calico_aggr()
+  apply_communities();
+  calico_aggr();
+
+  if ( net ~ 192.168.1.0/24 ) then {
+    accept;
+  }
+  # Skip 192.168.2.0/24 as BGP export is disabled for it
+  if ( net ~ 192.168.3.0/24 ) then {
+    accept;
+  }
+  reject;
+}
+
+
+filter calico_kernel_programming {
+
+  if ( net ~ 192.168.1.0/24 ) then {
+    krt_tunnel = "";
+    accept;
+  }
+
+  if ( net ~ 192.168.2.0/24 ) then {
+    krt_tunnel = "";
+    accept;
+  }
+
+  if ( net ~ 192.168.3.0/24 ) then {
+    krt_tunnel = "";
+    accept;
+  }
+
+  accept;
+}

tests/mock_data/calicoctl/mesh/bgp-export/delete.yaml

@@ -0,0 +1,70 @@
+kind: IPPool
+apiVersion: projectcalico.org/v3
+metadata:
+  name: ippool-1
+spec:
+  cidr: 192.168.1.0/24
+  ipipMode: Never
+  natOutgoing: true
+
+---
+
+kind: IPPool
+apiVersion: projectcalico.org/v3
+metadata:
+  name: ippool-2
+spec:
+  cidr: 192.168.2.0/24
+  ipipMode: Never
+  natOutgoing: true
+  disableBGPExport: true
+
+---
+
+kind: IPPool
+apiVersion: projectcalico.org/v3
+metadata:
+  name: ippool-3
+spec:
+  cidr: 192.168.3.0/24
+  ipipMode: Never
+  natOutgoing: true
+  disableBGPExport: false
+
+---
+
+kind: IPPool
+apiVersion: projectcalico.org/v3
+metadata:
+  name: ippool-v6-1
+spec:
+  cidr: 2002:101::/64
+  ipipMode: Never
+  vxlanMode: Never
+  natOutgoing: true
+
+---
+
+kind: IPPool
+apiVersion: projectcalico.org/v3
+metadata:
+  name: ippool-v6-2
+spec:
+  cidr: 2002:102::/64
+  ipipMode: Never
+  vxlanMode: Never
+  natOutgoing: true
+  disableBGPExport: true
+
+---
+
+kind: IPPool
+apiVersion: projectcalico.org/v3
+metadata:
+  name: ippool-v6-3
+spec:
+  cidr: 2002:103::/64
+  ipipMode: Never
+  vxlanMode: Never
+  natOutgoing: true
+  disableBGPExport: false