Remove mutual exclusivity in calico: NAT and router mode #9255
Conversation
k8s-ci-robot
added
the
kind/feature
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @kerryeon. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/S
HoKim98
force-pushed
the
add-peer_with_router_nat_outgoing
branch
from
97bcec2
to
a1ea040
Compare
docs/calico.md
Outdated
| Then the following variables need to be set: | ||
|
|
||
| * `nat_outgoing` to enable NAT (default value: true). | ||
| * `peer_with_router_nat_outgoing` to forcefully enable NAT (default value: false). |
There was a problem hiding this comment.
to forcefully enable NAT (default value: false).
seems to make confusions because nat_outgoing is to enable NAT and the default value is true.
That means the NAT is already enabled by default.
| @@ -227,7 +227,7 @@ | |||
| "cidr": "{{ calico_pool_cidr | default(kube_pods_subnet) }}", | |||
| "ipipMode": "{{ calico_ipip_mode }}", | |||
| "vxlanMode": "{{ calico_vxlan_mode }}", | |||
| "natOutgoing": {{ nat_outgoing|default(false) and not peer_with_router|default(false) }} | |||
| "natOutgoing": {{ nat_outgoing|default(false) and ((not peer_with_router|default(false)) or (peer_with_router_nat_outgoing|default(false))) }} | |||
There was a problem hiding this comment.
Can we control this use case with the existing nat_outgoing only?
There was a problem hiding this comment.
Sure, we can remove the mutual exclusivity between nat_outgoing and not peer_with_router by ignoring the peer_with_router flag.
But it may causes for users that enable peer_with_router to get side-effect.
Regardless, the direction of concise and complete improvement seems to fit the content of the review, so I made a new commit.
k8s-ci-robot
added
size/XS
HoKim98
changed the title
k8s-ci-robot
added
size/S
| @@ -227,7 +227,7 @@ | |||
| "cidr": "{{ calico_pool_cidr | default(kube_pods_subnet) }}", | |||
| "ipipMode": "{{ calico_ipip_mode }}", | |||
| "vxlanMode": "{{ calico_vxlan_mode }}", | |||
| "natOutgoing": {{ nat_outgoing|default(false) and not peer_with_router|default(false) }} | |||
There was a problem hiding this comment.
This original line has been added since #3086
And I could not find the reason of this condition.
The new line
"natOutgoing": {{ nat_outgoing|default(false) }}
seems pretty straightforward for me.
k8s-ci-robot
added
ok-to-test
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: floryut, kerryeon, oomichi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
floryut
added
kind/network
…sigs#9255) * Add optional NAT support in calico router mode * Add a blank line in front of lists * Remove mutual exclusivity: NAT and router mode * Ignore router mode from NAT * Update calico doc
…sigs#9255) * Add optional NAT support in calico router mode * Add a blank line in front of lists * Remove mutual exclusivity: NAT and router mode * Ignore router mode from NAT * Update calico doc
…sigs#9255) * Add optional NAT support in calico router mode * Add a blank line in front of lists * Remove mutual exclusivity: NAT and router mode * Ignore router mode from NAT * Update calico doc
What type of PR is this?
/kind bug
What this PR does / why we need it:
In special cases it's needed to enable
peer_with_routerwith NAT in calico, such as in labs.But these have been implemented as mutually exclusive, so there is no way to enable both of them.
So, I offer a optional feature that forcefully enables NAT mode even when `peer_with_router` is enabled: * `peer_with_router_nat_outgoing` to forcefully enable NAT when `peer_with_router` is enabled (default value: false).So, I think it's better to release the mutual exclusivity between
nat_outgoingandpeer_with_router.If someone wants to use
peer_with_routerwithout the NAT, he/she should disable thenat_outgoingmanually.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: