Skip to content

bolcom/terraform-provider-calico

Repository files navigation

Calico Terraform Provider

About

Terraform provider for use with Calico 2.x.

Known Issues

Kubernetes as a storage backend for Calico support is there, but untested. Feedback wanted!

Install

Due to the large amount of dependencies from libcalico-go and it's usage of glide for dep management, the install is a bit more than just a go get.

mkdir -p $GOPATH/src/github.com/bolcom
git clone https://github.com/bolcom/terraform-provider-calico.git $GOPATH/src/github.com/bolcom/terraform-provider-calico
cd $GOPATH/src/github.com/bolcom/terraform-provider-calico
./build_for_terraform_version.sh 0.7.11 #insert your terraform version here

Usage

Provider Configuration

provider.tf

provider "calico" {
  backend_type = "etcdv2"
  backend_etcd_authority = "192.168.56.20:2379"
}

Etcd Backend

  • backend_etcd_scheme: default: http
  • backend_etcd_authority
  • backend_etcd_endpoints: multiple etcd endpoints separated by comma
  • backend_etcd_username
  • backend_etcd_password
  • backend_etcd_keyfile: File location keyfile
  • backend_etcd_certfile: File location certfile
  • backend_etcd_cacertfile: File location cacert

Kubernetes Backend

  • backend_k8s_configfile: K8sKubeconfigFile
  • backend_k8s_server: K8sServer
  • backend_k8s_clientcert: K8sClientCertificate
  • backend_k8s_clientkey: K8sClientKey
  • backend_k8s_ca: K8sCertificateAuthority
  • backend_k8s_token: K8sToken

Host Endpoint

resource "calico_hostendpoint" "myendpoint" {
  name = "myendpoint"
  node = "my-endpoint-001"
  interface = "eth0"
  expected_ips = ["127.0.0.1"]
  profiles = ["endpointprofile"]
  labels = { endpointlabel = "myvalue" }
}

Profile

resource "calico_profile" "myprofile" {
  name = "myprofile"
  labels = { endpointlabel = "myvalue" }
  spec {
    ingress {
      rule {
        action = "deny"
        protocol = "tcp"
        source {
          net = "10.0.0.0/24"
          selector = "profile == 'test'"
          ports = ["1:10", "20:30"]
          notPorts = ["40:60"]
        }
        icmp {
          code = 100
          type = 101
        }
      }
      rule {
        action = "allow"
        protocol = "udp"
        source {
          net = "11.0.0.0/24"
        }
      }
    }
    egress {
      rule {
        action = "deny"
        protocol = "tcp"
        source {
          net = "12.0.0.0/24"
        }
      }
      rule {
        action = "allow"
        protocol = "udp"
        source {
          net = "13.0.0.0/24"
        }
      }
    }
  }
}

Policy

resource "calico_policy" "mypolicy" {
  name = "mypolicy"
  spec {
    order = 100
    selector = "globalpolicy == 'test123'"
    ingress {
      rule {
        action = "deny"
        protocol = "tcp"
        source {
          net = "10.0.0.0/24"
          selector = "mykey == 'test'"
          ports = ["1:10", "20:30"]
          notPorts = ["40:60"]
        }
        icmp {
          code = 100
          type = 101
        }
      }
      rule {
        action = "allow"
        protocol = "udp"
        source {
          net = "11.0.0.0/24"
        }
      }
    }
    egress {
      rule {
        action = "deny"
        protocol = "tcp"
        source {
          net = "12.0.0.0/24"
        }
      }
      rule {
        action = "allow"
        protocol = "udp"
        source {
          net = "13.0.0.0/24"
        }
      }
    }
  }
}

IP Pools

resource "calico_ippool" "myippool" {
  cidr = "10.1.0.0/16"
  spec {
    ipip {
      enabled = "true"
    }
    nat-outgoing = "true"
    disabled = "true"
  }
}

BGP Peers

resource "calico_bgppeer" "mybgppeer" {
  scope = "node"
  node = "rack1-host1"
  peerIP = "192.168.1.1"
  spec {
    asNumber = "63400"
  }
}

Nodes

resource "calico_node" "mynode" {
  name = "node-hostname"
  spec {
    bgp {
      asNumber = "64512"
      ipv4Address = "10.244.0.1"
      ipv6Address = "2001:db8:85a3::8a2e:370:7334"
    }
  }
}

Testing

The script test.sh will:

  • download calicoctl and terraform
  • build terraform-provider-calico
  • spin up a container with etcd (docker-compose)
  • pull tests out of testing/test_*
  • do a terraform apply of the TF file
  • use calicoctl to get the result
  • compare it with the prestored results in the test_*.yaml file

About

Terraform Provider for Calico

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published