From 02f400e442ee8ef6813565f6e0ce18b09f4986cd Mon Sep 17 00:00:00 2001
From: Chris Wedgwood <cw@f00f.org>
Date: Wed, 17 Oct 2018 00:56:53 +0000
Subject: [PATCH] [Calico] Allow resource configuration using chart (overrides)

Allow Calico resources such as NetworkPolicy, GlobalNetworkPolicy,
WorkloadEndpoint, etc to be specified using values.

To avoid the complexities of list management with helm we use a
dictionary that contains a relative priority and set of objects
(called rules).

For example:

network:
  policy:

    someName:
      priority: 0
      rules:
       - apiVersion: projectcalico.org/v3
... some useful resource object ...
       - apiVersion: projectcalico.org/v3
... some other useful resource object ...

    someOtherName:
      priority: 1
      rules:
       - apiVersion: projectcalico.org/v3
... rules that come later ...

    lastSetOfRules:
      priority: 9
      rules:
       - apiVersion: projectcalico.org/v3
... rules that come last ... maybe hostendpoints ...

By having named groups of rules each with it's own priority you can
update, delete and amend individual sets of rules without provided you
set the appropriate "priority" value.

Change-Id: Id441350bcc8b95a91ef4d1b89d1bc3c417f50b13
---
 calico/templates/bin/_calico-settings.sh.tpl |  19 ++-
 calico/values.yaml                           | 154 ++++++++++++++++++-
 2 files changed, 169 insertions(+), 4 deletions(-)

diff --git a/calico/templates/bin/_calico-settings.sh.tpl b/calico/templates/bin/_calico-settings.sh.tpl
index 041036f49..f2c0f9221 100644
--- a/calico/templates/bin/_calico-settings.sh.tpl
+++ b/calico/templates/bin/_calico-settings.sh.tpl
@@ -2,6 +2,8 @@
 
 set -eux
 
+{{- $envAll := . }}
+
 {{ if empty .Values.conf.node.CALICO_IPV4POOL_CIDR }}
 {{ $_ := set .Values.conf.node "CALICO_IPV4POOL_CIDR" .Values.networking.podSubnet }}
 {{ end }}
@@ -66,5 +68,20 @@ $CTL apply -f - <<EOF
 EOF
 {{ end }}
 
-exit 0
+{{/* gotpl quirks mean it is easier to loop from 0 to 9 looking for a match in an inner loop than trying to extract and sort */}}
+{{ if .Values.networking.policy }}
+# Policy and Endpoint rules
+{{ range $n, $data := tuple 0 1 2 3 4 5 6 7 8 9 }}
+# Priority: {{ $n }} objects
+{{- range $section, $data := $envAll.Values.networking.policy }}
+{{- if eq (toString $data.priority) (toString $n) }}
+# Section: {{ $section }} Priority: {{ $data.priority }} {{ $n }}
+$CTL apply -f - <<EOF
+{{ $data.rules | toYaml }}
+EOF
+{{- end }}
+{{- end }}
+{{- end }}
+{{ end }}
 
+exit 0
diff --git a/calico/values.yaml b/calico/values.yaml
index eb393c982..14148fbee 100644
--- a/calico/values.yaml
+++ b/calico/values.yaml
@@ -247,6 +247,153 @@ networking:
         neighbor: 179
         listen: 179
 
+  # Policy contains embedded Calico policy and/or endpoint objects.
+  # Because lists are cumbersome to deal with this is stuctured as a
+  # dictionary (therefore not ordered).  The top-level key names are
+  # not important, priority contains a value between 0 and 9 inclusive
+  # and rules contains any objects (typically used as rules).
+  # Priority 0 objects are emitted before priority 9.  It is
+  # recommended any rules such as HostEndpoint be given a higher
+  # priority so that they are applied after more generic objects.
+  # Priority values outside of integers 0 through 9 are not valid and
+  # should not be used.
+  policy:
+    # alpha:
+    #   priority: 0
+    #   rules:
+    #   - apiVersion: projectcalico.org/v3
+    #     kind: GlobalNetworkPolicy
+    #     metadata:
+    #       name: allow-tcp-6379
+    #     spec:
+    #       order: 0
+    #       selector: role == 'database'
+    #       types:
+    #       - Ingress
+    #       - Egress
+    #       ingress:
+    #       - action: Allow
+    #         protocol: TCP
+    #         source:
+    #           selector: role == 'frontend'
+    #         destination:
+    #           ports:
+    #           - 6379
+    #       egress:
+    #       - action: Allow
+    #   - apiVersion: projectcalico.org/v3
+    #     kind: GlobalNetworkPolicy
+    #     metadata:
+    #       name: allow-tcp-3306
+    #     spec:
+    #       order: 1
+    #       selector: role == 'database'
+    #       types:
+    #       - Ingress
+    #       - Egress
+    #       ingress:
+    #       - action: Allow
+    #         protocol: TCP
+    #         source:
+    #           selector: role == 'frontend'
+    #         destination:
+    #           ports:
+    #           - 3306
+    #       egress:
+    #       - action: Allow
+
+    # beta:
+    #   priority: 1
+    #   rules:
+    #   - apiVersion: projectcalico.org/v3
+    #     kind: NetworkPolicy
+    #     metadata:
+    #       name: allow-tcp-6379
+    #       namespace: production
+    #     spec:
+    #       selector: role == 'database'
+    #       types:
+    #       - Ingress
+    #       - Egress
+    #       ingress:
+    #       - action: Allow
+    #         protocol: TCP
+    #         source:
+    #           selector: role == 'frontend'
+    #         destination:
+    #           ports:
+    #           - 6379
+    #       egress:
+    #       - action: Allow
+    #   - apiVersion: projectcalico.org/v3
+    #     kind: NetworkPolicy
+    #     metadata:
+    #       name: allow-tcp-8081
+    #       namespace: production
+    #     spec:
+    #       selector: role == 'webthing'
+    #       types:
+    #       - Ingress
+    #       - Egress
+    #       ingress:
+    #       - action: Allow
+    #         protocol: TCP
+    #         source:
+    #           selector: role == 'frontend'
+    #         destination:
+    #           ports:
+    #           - 8081
+    #       egress:
+    #       - action: Allow
+
+    # zulu:
+    #   priority: 9
+    #   rules:
+    #   - apiVersion: projectcalico.org/v3
+    #     kind: HostEndpoint
+    #     metadata:
+    #       name: first.thing
+    #       labels:
+    #         type: production
+    #     spec:
+    #       interfaceName: eth0
+    #       node: mysecrethost
+    #       expectedIPs:
+    #       - 192.168.0.1
+    #       - 192.168.0.2
+    #       profiles:
+    #       - profile1
+    #       - profile2
+    #       ports:
+    #       - name: some-port
+    #         port: 1234
+    #         protocol: TCP
+    #       - name: another-port
+    #         port: 5432
+    #         protocol: UDP
+    #   - apiVersion: projectcalico.org/v3
+    #     kind: HostEndpoint
+    #     metadata:
+    #       name: second.thing
+    #       labels:
+    #         type: production
+    #     spec:
+    #       interfaceName: eth1
+    #       node: myothersecrethost
+    #       expectedIPs:
+    #       - 192.168.1.1
+    #       - 192.168.1.2
+    #       profiles:
+    #       - profile1
+    #       - profile2
+    #       ports:
+    #       - name: some-port
+    #         port: 1234
+    #         protocol: TCP
+    #       - name: another-port
+    #         port: 5432
+    #         protocol: UDP
+
 conf:
   etcd:
     credentials:
@@ -299,9 +446,10 @@ conf:
     # Cluster type to identify the deployment type
     # NOTE: v2 had a list ... v3 a comma separated string
     CLUSTER_TYPE: "k8s,bgp"
-    # Describes which BGP networking backend to use gobgp, bird, none.  Default is bird.
-    # NOTE(alanmeadows) today this chart only supports applying the bgp customizations to
-    # bird templates - in the future we may support gobgp as well
+    # Describes which BGP networking backend to use gobgp, bird, none.
+    # Default is bird.  NOTE(alanmeadows) today this chart only
+    # supports applying the bgp customizations to bird templates - in
+    # the future we may support gobgp as well
     CALICO_NETWORKING_BACKEND: bird
     # Location of the CA certificate for etcd.
     ETCD_CA_CERT_FILE: ""