disable internal networking
aleoli authored and adamjensenbot committed Mar 21, 2023
1 parent 94fa5f5 commit 2544b85
Showing 12 changed files with 70 additions and 2 deletions.
4 changes: 4 additions & 0 deletions deployments/liqo/README.md
Expand Up @@ -84,11 +84,15 @@
| networkManager.config.podCIDR | string | `""` | The subnet used by the cluster for the pods, in CIDR notation |
| networkManager.config.reservedSubnets | list | `[]` | Usually the IPs used for the pods in k8s clusters belong to private subnets. In order to prevent IP conflicting between locally used private subnets in your infrastructure and private subnets belonging to remote clusters you need tell liqo the subnets used in your cluster. E.g if your cluster nodes belong to the 192.168.2.0/24 subnet then you should add that subnet to the reservedSubnets. PodCIDR and serviceCIDR used in the local cluster are automatically added to the reserved list. |
| networkManager.config.serviceCIDR | string | `""` | The subnet used by the cluster for the services, in CIDR notation |
| networkManager.externalIPAM.enabled | bool | `false` | Use an external IPAM to allocate the IP addresses for the pods |
| networkManager.externalIPAM.url | string | `""` | The url of the external IPAM |
| networkManager.imageName | string | `"ghcr.io/liqotech/liqonet"` | networkManager image repository |
| networkManager.pod.annotations | object | `{}` | networkManager pod annotations |
| networkManager.pod.extraArgs | list | `[]` | networkManager pod extra arguments |
| networkManager.pod.labels | object | `{}` | networkManager pod labels |
| networkManager.pod.resources | object | `{"limits":{},"requests":{}}` | networkManager pod containers' resource requests and limits (https://kubernetes.io/docs/user-guide/compute-resources/) |
| networking.internal | bool | `true` | Use the default Liqo network manager |
| networking.reflectIPs | bool | `true` | Reflect pod IPs and EnpointSlices to the remote clusters |
| openshiftConfig.enable | bool | `false` | enable the OpenShift support |
| openshiftConfig.virtualKubeletSCCs | list | `["anyuid"]` | the security context configurations granted to the virtual kubelet in the local cluster. The configuration of one or more SCCs for the virtual kubelet is not strictly required, and privileges can be reduced in production environments. Still, the default configuration (i.e., anyuid) is suggested to prevent problems (i.e., the virtual kubelet fails to add the appropriate labels) when attempting to offload pods not managed by higher-level abstractions (e.g., Deployments), and not associated with a properly privileged service account. Indeed, "anyuid" is the SCC automatically associated with pods created by cluster administrators. Any pod granted a more privileged SCC and not linked to an adequately privileged service account will fail to be offloaded. |
| proxy.config.listeningPort | int | `8118` | port used by envoy proxy |
18 changes: 18 additions & 0 deletions deployments/liqo/templates/liqo-controller-manager-deployment.yaml
Expand Up @@ -8,6 +8,18 @@
{{- if not (or (has "--enable-apiserver-support" $vkargs ) (has "--enable-apiserver-support=true" $vkargs ) (has "--enable-apiserver-support=false" $vkargs )) }}
{{- $vkargs = append $vkargs "--enable-apiserver-support=true" }}
{{- end }}
{{- /* Configure the appropriate flags if the internal networking is disabled, if not overridden by the user */ -}}
{{- if not .Values.networking.internal }}
{{- if not (or (has "--node-check-network" $vkargs ) (has "--node-check-network=true" $vkargs ) (has "--node-check-network=false" $vkargs )) }}
{{- $vkargs = append $vkargs "--node-check-network=false" }}
{{- end }}
{{- end }}
{{- /* Configure the appropriate flags if the IP reflection is disabled, if not overridden by the user */ -}}
{{- if not .Values.networking.reflectIPs }}
{{- if not (or (has "--disable-ip-reflection" $vkargs ) (has "--disable-ip-reflection=true" $vkargs ) (has "--disable-ip-reflection=false" $vkargs )) }}
{{- $vkargs = append $vkargs "--disable-ip-reflection" }}
{{- end }}
{{- end }}
{{- /* Configure the appropriate certificate generation approach on EKS clusters, if not overridden by the user */ -}}
{{- if .Values.awsConfig.accessKeyId }}
{{- if not (or (has "--certificate-type=kubelet" $vkargs ) (has "--certificate-type=aws" $vkargs ) (has "--certificate-type=self-signed" $vkargs )) }}
Expand Down Expand Up @@ -66,7 +78,13 @@ spec:
- --enable-incoming-peering={{ .Values.discovery.config.incomingPeeringEnabled }}
- --resource-sharing-percentage={{ .Values.controllerManager.config.resourceSharingPercentage }}
- --kubelet-image={{ .Values.virtualKubelet.imageName }}{{ include "liqo.suffix" $ctrlManagerConfig }}:{{ include "liqo.version" $ctrlManagerConfig }}
{{- if .Values.networkManager.externalIPAM.enabled }}
- --kubelet-ipam-server={{ .Values.networkManager.externalIPAM.url }}
{{- else if not .Values.networking.internal }}
- --kubelet-ipam-server=
{{- else }}
- --kubelet-ipam-server={{ include "liqo.prefixedName" $netManagerConfig }}.{{ .Release.Namespace }}:6000
{{- end }}
- --auto-join-discovered-clusters={{ .Values.discovery.config.autojoin }}
- --enable-storage={{ .Values.storage.enable }}
- --webhook-port={{ .Values.webhook.port }}
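Review bot: With `networkManager.externalIPAM.enabled: true` and the default `url: ""`, the `- --kubelet-ipam-server={{ .Values.networkManager.externalIPAM.url }}` branch renders the same empty `--kubelet-ipam-server=` as the new `else if not .Values.networking.internal` branch, so a forgotten URL is indistinguishable from "no IPAM" at install time instead of failing early; consider `- --kubelet-ipam-server={{ required "networkManager.externalIPAM.url must be set when externalIPAM.enabled is true" .Values.networkManager.externalIPAM.url }}`. In the new branch itself, whether the controller manager treats an empty flag value as "unset" or as a malformed endpoint is not visible from the template; if omitting the flag is equivalent, leaving that branch empty would be clearer than passing an empty value. Either way a short comment such as `{{- /* No IPAM endpoint: the network manager is not deployed when internal networking is disabled */ -}}` would document the intent. The container args list this hunk edits starts outside the hunk.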
4 changes: 4 additions & 0 deletions deployments/liqo/templates/liqo-gateway-deployment.yaml
@@ -1,6 +1,8 @@
---
{{- $gatewayConfig := (merge (dict "name" "gateway" "module" "networking") .) -}}

{{- if .Values.networking.internal }}

apiVersion: apps/v1
kind: Deployment
metadata:
Expand Down Expand Up @@ -71,3 +73,5 @@ spec:
- name: WIREGUARD_IMPLEMENTATION
value: {{ .Values.gateway.config.wireguardImplementation }}
hostNetwork: true

{{- end }}
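Review bot: The new `{{- if .Values.networking.internal }}` guard sits after the `---` separator and the `$gatewayConfig` merge line, so with `networking.internal: false` this file still renders a bare `---` followed by whitespace; Helm discards whitespace-only manifests as far as I know, so this is harmless, but the same placement is repeated in the gateway rbac, gateway service, network-manager deployment, network-manager rbac, network-manager service, route daemonset and route rbac sections, while liqo-gateway-servicemonitor.yaml puts the guard on its first line before `---`. Using one ordering everywhere — the servicemonitor's, with the guard first — would keep the templates consistent and avoid emitting empty documents. A one-line comment above the guard, e.g. `{{- /* The gateway is deployed only with the built-in Liqo networking (networking.internal) */ -}}`, would also make the skipped resources self-explanatory, since the guarded Deployment runs outside the hunk.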
4 changes: 4 additions & 0 deletions deployments/liqo/templates/liqo-gateway-rbac.yaml
@@ -1,6 +1,8 @@
---
{{- $gatewayConfig := (merge (dict "name" "gateway" "module" "networking") .) -}}

{{- if .Values.networking.internal }}

apiVersion: v1
kind: ServiceAccount
metadata:
Expand Down Expand Up @@ -64,3 +66,5 @@ metadata:
verbs:
- use
{{- end }}

{{- end }}
4 changes: 4 additions & 0 deletions deployments/liqo/templates/liqo-gateway-service.yaml
@@ -1,6 +1,8 @@
---
{{- $gatewayConfig := (merge (dict "name" "gateway" "module" "networking") .) -}}

{{- if .Values.networking.internal }}

apiVersion: v1
kind: Service
metadata:
Expand Down Expand Up @@ -46,3 +48,5 @@ spec:
port: {{ .Values.gateway.metrics.port }}
targetPort: metrics
{{- end}}

{{- end }}
3 changes: 3 additions & 0 deletions deployments/liqo/templates/liqo-gateway-servicemonitor.yaml
@@ -1,3 +1,5 @@
{{- if .Values.networking.internal }}

---
{{- $gatewayMetricsConfig := (merge (dict "name" "gateway-metrics" "module" "networking") .) -}}
{{- if .Values.gateway.metrics.serviceMonitor.enabled }}
Expand All @@ -17,3 +19,4 @@ spec:
scrapeTimeout: {{ .Values.gateway.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}

{{- end }}
@@ -1,6 +1,8 @@
---
{{- $netManagerConfig := (merge (dict "name" "network-manager" "module" "networking") .) -}}

{{- if .Values.networking.internal }}

apiVersion: apps/v1
kind: Deployment
metadata:
Expand Down Expand Up @@ -57,3 +59,5 @@ spec:
fieldRef:
fieldPath: metadata.namespace
resources: {{- toYaml .Values.networkManager.pod.resources | nindent 12 }}

{{- end }}
6 changes: 5 additions & 1 deletion deployments/liqo/templates/liqo-network-manager-rbac.yaml
@@ -1,6 +1,8 @@
---
{{- $netManagerConfig := (merge (dict "name" "network-manager" "module" "networking") .) -}}

{{- if .Values.networking.internal }}

apiVersion: v1
kind: ServiceAccount
metadata:
Expand Down Expand Up @@ -52,4 +54,6 @@ metadata:
name: {{ include "liqo.prefixedName" $netManagerConfig }}
labels:
{{- include "liqo.labels" $netManagerConfig | nindent 4 }}
{{ .Files.Get (include "liqo.role-filename" (dict "prefix" ( include "liqo.prefixedName" $netManagerConfig))) }}
{{ .Files.Get (include "liqo.role-filename" (dict "prefix" ( include "liqo.prefixedName" $netManagerConfig))) }}

{{- end }}
6 changes: 5 additions & 1 deletion deployments/liqo/templates/liqo-network-manager-service.yaml
@@ -1,6 +1,8 @@
---
{{- $netManagerConfig := (merge (dict "name" "network-manager" "module" "networking") .) -}}

{{- if .Values.networking.internal }}

apiVersion: v1
kind: Service
metadata:
Expand All @@ -15,4 +17,6 @@ spec:
port: 6000
protocol: TCP
selector:
{{- include "liqo.selectorLabels" $netManagerConfig | nindent 4 }}
{{- include "liqo.selectorLabels" $netManagerConfig | nindent 4 }}

{{- end }}
4 changes: 4 additions & 0 deletions deployments/liqo/templates/liqo-route-daemonset.yaml
@@ -1,6 +1,8 @@
---
{{- $routeConfig := (merge (dict "name" "route" "module" "networking") .) -}}

{{- if .Values.networking.internal }}

apiVersion: apps/v1
kind: DaemonSet
metadata:
Expand Down Expand Up @@ -71,3 +73,5 @@ spec:
path: /run/xtables.lock
type: FileOrCreate
name: xtables-lock

{{- end }}
4 changes: 4 additions & 0 deletions deployments/liqo/templates/liqo-route-rbac.yaml
@@ -1,6 +1,8 @@
---
{{- $routeConfig := (merge (dict "name" "route" "module" "networking") .) -}}

{{- if .Values.networking.internal }}

apiVersion: v1
kind: ServiceAccount
metadata:
Expand Down Expand Up @@ -63,3 +65,5 @@ metadata:
verbs:
- use
{{- end }}

{{- end }}
11 changes: 11 additions & 0 deletions deployments/liqo/values.yaml
Expand Up @@ -12,6 +12,12 @@ apiServer:
# -- Indicates that the API Server is exposing a certificate issued by a trusted Certification Authority
trustedCA: false

networking:
# -- Use the default Liqo network manager
internal: true
# -- Reflect pod IPs and EnpointSlices to the remote clusters
reflectIPs: true

controllerManager:
# -- The number of controller-manager instances to run, which can be increased for active/passive high availability.
replicas: 1
Expand Down Expand Up @@ -108,6 +114,11 @@ gateway:
scrapeTimeout: ""

networkManager:
externalIPAM:
# -- Use an external IPAM to allocate the IP addresses for the pods
enabled: false
# -- The url of the external IPAM
url: ""
pod:
# -- networkManager pod annotations
annotations: {}
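Review bot: The comment on the new `internal: true` key, `# -- Use the default Liqo network manager`, does not tell a chart user what turning it off does, while the templates in this commit show the consequences: the gateway, network-manager and route resources are not rendered, and the controller manager is started with `--node-check-network=false` and an empty `--kubelet-ipam-server`. Since the README table in this commit repeats this line verbatim, consider `# -- Enable the built-in Liqo networking (gateway, network manager and route components); when false these resources are not deployed and the controller manager runs without an IPAM endpoint and with the virtual-node network check disabled`. The `reflectIPs` comment misspells `EndpointSlices` as `EnpointSlices` (the README inherits the typo), and the new `externalIPAM.url` comment could state that the value is required when `enabled: true`, as the template otherwise renders an empty flag.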
