add weave-net as a CNI plugin

Signed-off-by: Artiom Diomin <kron82@gmail.com>

config.yaml.dist

@@ -31,6 +31,16 @@ clusterNetwork:
   serviceDomainName: ""
   # a nodePort range to reserve for services (default: 30000-32767)
   nodePortRange: ""
+  # CNI plugin choise
+  cni:
+    # possible values:
+    # * canal
+    # * weave-net
+    provider: canal
+    # when selected CNI provider support encryption and `encrypted: true` is
+    # set, secret will be automatically generated and referenced in appropriate
+    # manifests
+    encrypted: false
 
 cloudProvider:
   # Supported cloud provider names:
@@ -42,7 +52,8 @@ cloudProvider:
   # * packet
   # * vsphere
   name: ""
-  # Set the kubelet flag '--cloud-provider=external' and deploy the external CCM for supported providers
+  # Set the kubelet flag '--cloud-provider=external' and deploy the external CCM
+  # for supported providers
   external: false
   # Path to file that will be uploaded and used as custom '--cloud-config' file.
   cloudConfig: ""
@@ -132,7 +143,8 @@ features:
 # case, anything you configure in your "workers" sections is ignored.
 # machineController:
 #  deploy: false
-#  # Defines for what provider the machine-controller will be configured (defaults to cloudProvider.Name)
+#  # Defines for what provider the machine-controller will be configured
+#  # (defaults to cloudProvider.Name)
 #  provider: ""
 
 # Proxy is used to configure HTTP_PROXY, HTTPS_PROXY and NO_PROXY

pkg/apis/kubeone/types.go

@@ -111,6 +111,30 @@ type ClusterNetworkConfig struct {
 	ServiceSubnet     string `json:"serviceSubnet"`
 	ServiceDomainName string `json:"serviceDomainName"`
 	NodePortRange     string `json:"nodePortRange"`
+	CNI               *CNI   `json:"cni,omitempty"`
+}
+
+// CNIProvider type
+type CNIProvider string
+
+// List of CNI Providers
+const (
+	// https://docs.projectcalico.org/v3.7/getting-started/kubernetes/installation/flannel
+	// This provider does not support encryption.
+	CNIProviderCanal = CNIProvider("canal")
+
+	// https://www.weave.works/docs/net/latest/kubernetes/kube-addon/
+	// This provider support optional encryption.
+	// Strong secret will be autogenerated.
+	CNIProviderWeaveNet = CNIProvider("weave-net")
+)
+
+// CNI config
+type CNI struct {
+	// Provider choise
+	Provider CNIProvider `json:"provider"`
+	// Some of providers do provide optional encryption
+	Encrypted bool `json:"encrypted"`
 }
 
 // ProxyConfig configures proxy for the Docker daemon and is used by KubeOne scripts

pkg/apis/kubeone/v1alpha1/defaults.go

@@ -86,6 +86,11 @@ func SetDefaults_ClusterNetwork(obj *KubeOneCluster) {
 	if len(obj.ClusterNetwork.NodePortRange) == 0 {
 		obj.ClusterNetwork.NodePortRange = DefaultNodePortRange
 	}
+	if obj.ClusterNetwork.CNI == nil {
+		obj.ClusterNetwork.CNI = &CNI{
+			Provider: CNIProviderCanal,
+		}
+	}
 }
 
 func SetDefaults_MachineController(obj *KubeOneCluster) {

pkg/apis/kubeone/v1alpha1/types.go

@@ -111,6 +111,30 @@ type ClusterNetworkConfig struct {
 	ServiceSubnet     string `json:"serviceSubnet"`
 	ServiceDomainName string `json:"serviceDomainName"`
 	NodePortRange     string `json:"nodePortRange"`
+	CNI               *CNI   `json:"cni,omitempty"`
+}
+
+// CNIProvider type
+type CNIProvider string
+
+// List of CNI Providers
+const (
+	// https://docs.projectcalico.org/v3.7/getting-started/kubernetes/installation/flannel
+	// This provider does not support encryption.
+	CNIProviderCanal = CNIProvider("canal")
+
+	// https://www.weave.works/docs/net/latest/kubernetes/kube-addon/
+	// This provider support optional encryption.
+	// Strong secret will be autogenerated.
+	CNIProviderWeaveNet = CNIProvider("weave-net")
+)
+
+// CNI config
+type CNI struct {
+	// Provider choise
+	Provider CNIProvider `json:"provider"`
+	// Some of providers do provide optional encryption
+	Encrypted bool `json:"encrypted"`
 }
 
 // ProxyConfig configures proxy for the Docker daemon and is used by KubeOne scripts

pkg/apis/kubeone/validation/validation.go

@@ -167,6 +167,19 @@ func ValidateClusterNetworkConfig(c kubeone.ClusterNetworkConfig, fldPath *field
 		}
 	}
 
+	if c.CNI != nil {
+		switch c.CNI.Provider {
+		case kubeone.CNIProviderCanal:
+		case kubeone.CNIProviderWeaveNet:
+		default:
+			allErrs = append(allErrs, field.Invalid(fldPath, c.CNI.Provider, "unknown CNI provider"))
+		}
+
+		if c.CNI.Encrypted && c.CNI.Provider != kubeone.CNIProviderWeaveNet {
+			allErrs = append(allErrs, field.Invalid(fldPath, c.CNI, "only `weave-net` cni provider support `encrypted: true`"))
+		}
+	}
+
 	return allErrs
 }
 

pkg/installer/installation/cni.go

@@ -17,11 +17,31 @@ limitations under the License.
 package installation
 
 import (
+	"github.com/pkg/errors"
+
+	"github.com/kubermatic/kubeone/pkg/apis/kubeone"
 	"github.com/kubermatic/kubeone/pkg/templates/canal"
+	"github.com/kubermatic/kubeone/pkg/templates/weave"
 	"github.com/kubermatic/kubeone/pkg/util"
 )
 
-func applyCanalCNI(ctx *util.Context) error {
+func ensureCNI(ctx *util.Context) error {
+	switch ctx.Cluster.ClusterNetwork.CNI.Provider {
+	case kubeone.CNIProviderCanal:
+		return ensureCNICanal(ctx)
+	case kubeone.CNIProviderWeaveNet:
+		return ensureCNIWeaveNet(ctx)
+	}
+
+	return errors.Errorf("unknown CNI provider: %s", ctx.Cluster.ClusterNetwork.CNI.Provider)
+}
+
+func ensureCNIWeaveNet(ctx *util.Context) error {
+	ctx.Logger.Infoln("Applying weave-net CNI plugin…")
+	return weave.Deploy(ctx)
+}
+
+func ensureCNICanal(ctx *util.Context) error {
 	ctx.Logger.Infoln("Applying canal CNI plugin…")
 	return canal.Deploy(ctx)
 }

pkg/installer/installation/install.go

@@ -47,7 +47,7 @@ func Install(ctx *util.Context) error {
 		{Fn: credentials.Ensure, ErrMsg: "unable to ensure credentials secret"},
 		{Fn: externalccm.Ensure, ErrMsg: "failed to install external CCM"},
 		{Fn: patchCoreDNS, ErrMsg: "failed to patch CoreDNS", Retries: 3},
-		{Fn: applyCanalCNI, ErrMsg: "failed to install cni plugin canal", Retries: 3},
+		{Fn: ensureCNI, ErrMsg: "failed to install cni plugin", Retries: 3},
 		{Fn: machinecontroller.Ensure, ErrMsg: "failed to install machine-controller", Retries: 3},
 		{Fn: machinecontroller.WaitReady, ErrMsg: "failed to wait for machine-controller", Retries: 3},
 		{Fn: createWorkerMachines, ErrMsg: "failed to create worker machines", Retries: 3},

pkg/templates/canal/canal.go

@@ -39,38 +39,38 @@ const (
 	cniNetworkConfig = `
 {
 	"name": "k8s-pod-network",
-    "cniVersion": "0.3.0",
-    "plugins": [
-      {
-        "type": "calico",
-        "log_level": "info",
-        "datastore_type": "kubernetes",
-        "nodename": "__KUBERNETES_NODE_NAME__",
-        "ipam": {
-          "type": "host-local",
-          "subnet": "usePodCidr"
-        },
-        "policy": {
-            "type": "k8s"
-        },
-        "kubernetes": {
-            "kubeconfig": "__KUBECONFIG_FILEPATH__"
-        }
-      },
-      {
-        "type": "portmap",
-        "snat": true,
-        "capabilities": {"portMappings": true}
-      }
-    ]
+	"cniVersion": "0.3.0",
+	"plugins": [
+		{
+			"type": "calico",
+			"log_level": "info",
+			"datastore_type": "kubernetes",
+			"nodename": "__KUBERNETES_NODE_NAME__",
+			"ipam": {
+				"type": "host-local",
+				"subnet": "usePodCidr"
+			},
+			"policy": {
+					"type": "k8s"
+			},
+			"kubernetes": {
+					"kubeconfig": "__KUBECONFIG_FILEPATH__"
+			}
+		},
+		{
+			"type": "portmap",
+			"snat": true,
+			"capabilities": {"portMappings": true}
+		}
+	]
 }
 `
 	// Flannel network configuration (mounted into the flannel container)
 	flannelNetworkConfig = `
 {
 	"Network": "{{ .POD_SUBNET }}",
-    "Backend": {
-	"Type": "vxlan"
+	"Backend": {
+		"Type": "vxlan"
 	}
 }
 `