kinvolk · knrt10 · Jan 18, 2022 · Jan 31, 2022 · Mar 2, 2022 · Mar 9, 2022
diff --git a/assets/charts/control-plane/calico/templates/calico-node.yaml b/assets/charts/control-plane/calico/templates/calico-node.yaml
@@ -163,11 +163,15 @@ spec:
             - name: FELIX_IPINIPENABLED
               value: "{{ .Values.calico.ipipEnabled }}"
             # Enable IPIP
+            {{ if .Values.calico.ipipEnabled }}
             - name: CALICO_IPV4POOL_IPIP
               value: "Always"
+            {{ end }}
             # Enable or Disable VXLAN on the default IP pool.
+            {{ if .Values.calico.vxlanEnabled }}
             - name: CALICO_IPV4POOL_VXLAN
-              value: "Never"
+              value: "Always"
+            {{ end }}
             # Set MTU for tunnel device used if ipip is enabled
             - name: FELIX_IPINIPMTU
               valueFrom:
@@ -227,7 +231,9 @@ spec:
               command:
               - /bin/calico-node
               - -felix-live
+              {{ if .Values.calico.ipipEnabled }}
               - -bird-live
+              {{ end }}
             periodSeconds: 10
             initialDelaySeconds: 10
             failureThreshold: 6
@@ -236,7 +242,9 @@ spec:
               command:
               - /bin/calico-node
               - -felix-ready
+              {{ if .Values.calico.ipipEnabled }}
               - -bird-ready
+              {{ end }}
               {{ .Values.calico.ipipReadiness }}
             periodSeconds: 10
           volumeMounts:

diff --git a/assets/charts/control-plane/calico/templates/config.yaml b/assets/charts/control-plane/calico/templates/config.yaml
@@ -8,7 +8,7 @@ data:
   # Typha is disabled.
   typha_service_name: "none"
   # Configure the backend to use.
-  calico_backend: "bird"
+  calico_backend: {{ .Values.calico.networkBackend }}
 
   # Configure the MTU to use for workload interfaces and tunnels.
   # - If Wireguard is enabled, set to your network MTU - 60

diff --git a/assets/charts/control-plane/calico/values.yaml b/assets/charts/control-plane/calico/values.yaml
@@ -16,3 +16,4 @@ calico:
   # Lokomotive specific change.
   # failsafeInboundHostPorts:
   encryptPodTraffic: false
+  networkBackend: bird
diff --git a/assets/terraform-modules/azure/flatcar-linux/kubernetes/bootkube.tf b/assets/terraform-modules/azure/flatcar-linux/kubernetes/bootkube.tf
@@ -1,22 +1,33 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
+locals {
+  api_server = format("%s.%s", var.cluster_name, var.dns_zone)
+}
+
 module "bootkube" {
   source = "../../../bootkube"
 
-  cluster_name = var.cluster_name
-  api_servers  = [format("%s.%s", var.cluster_name, var.dns_zone)]
-  etcd_servers = formatlist("%s.%s", azurerm_dns_a_record.etcds.*.name, var.dns_zone)
-  asset_dir    = var.asset_dir
+  cluster_name     = var.cluster_name
+  api_servers      = [local.api_server]
+  etcd_servers     = [for i, d in azurerm_linux_virtual_machine.controllers : format("%s-etcd%d.%s", var.cluster_name, i, var.dns_zone)]
+  etcd_endpoints   = azurerm_linux_virtual_machine.controllers.*.private_ip_address
+  asset_dir        = var.asset_dir
+  controller_count = var.controller_count
 
   network_encapsulation = "vxlan"
 
   # we should be able to use 1450 MTU, but in practice, 1410 was needed
   network_mtu = "1410"
 
-  pod_cidr              = var.pod_cidr
-  service_cidr          = var.service_cidr
-  cluster_domain_suffix = var.cluster_domain_suffix
-  enable_reporting      = var.enable_reporting
-  enable_aggregation    = var.enable_aggregation
-
+  conntrack_max_per_core = var.conntrack_max_per_core
+  pod_cidr               = var.pod_cidr
+  service_cidr           = var.service_cidr
+  cluster_domain_suffix  = var.cluster_domain_suffix
+  bootstrap_tokens       = var.enable_tls_bootstrap ? concat([local.controller_bootstrap_token], var.worker_bootstrap_tokens) : []
+  enable_tls_bootstrap   = var.enable_tls_bootstrap
+  enable_reporting       = var.enable_reporting
+  enable_aggregation     = var.enable_aggregation
+  encrypt_pod_traffic    = var.encrypt_pod_traffic
+  # Disable the self hosted kubelet.
+  disable_self_hosted_kubelet = var.disable_self_hosted_kubelet
   certs_validity_period_hours = var.certs_validity_period_hours
 }
diff --git a/assets/terraform-modules/azure/flatcar-linux/kubernetes/bootstrap-configs.tf b/assets/terraform-modules/azure/flatcar-linux/kubernetes/bootstrap-configs.tf
@@ -0,0 +1,24 @@
+locals {
+  controller_bootstrap_token = var.enable_tls_bootstrap ? {
+    token_id     = random_string.bootstrap_token_id[0].result
+    token_secret = random_string.bootstrap_token_secret[0].result
+  } : {}
+}
+
+# Generate a cryptographically random token id (public).
+resource "random_string" "bootstrap_token_id" {
+  count = var.enable_tls_bootstrap == true ? 1 : 0
+
+  length  = 6
+  upper   = false
+  special = false
+}
+
+# Generate a cryptographically random token secret.
+resource "random_string" "bootstrap_token_secret" {
+  count = var.enable_tls_bootstrap == true ? 1 : 0
+
+  length  = 16
+  upper   = false
+  special = false
+}