*: Assorted fixes to get e2e-aws working again (Calico -> Flannel, etc.)

config.tf

@@ -61,18 +61,18 @@ variable "tectonic_container_images" {
     awscli                               = "quay.io/coreos/awscli:025a357f05242fdad6a81e8a6b520098aa65a600"
     gcloudsdk                            = "google/cloud-sdk:178.0.0-alpine"
     bootkube                             = "quay.io/coreos/bootkube:v0.10.0"
-    tnc_operator                         = "quay.io/coreos/tectonic-node-controller-operator-dev:df42b97af403702013f4739fc82cd005cfd0c766"
+    tnc_operator                         = "quay.io/coreos/tectonic-node-controller-operator-dev:6705af4bcf26f899e347c88ffddc892a236648e4"
     etcd_cert_signer                     = "quay.io/coreos/kube-etcd-signer-server:678cc8e6841e2121ebfdb6e2db568fce290b67d6"
     etcd                                 = "quay.io/coreos/etcd:v3.2.14"
     hyperkube                            = "openshift/origin-node:latest"
-    kube_core_renderer                   = "quay.io/coreos/kube-core-renderer-dev:df42b97af403702013f4739fc82cd005cfd0c766"
-    kube_core_operator                   = "quay.io/coreos/kube-core-operator-dev:df42b97af403702013f4739fc82cd005cfd0c766"
-    tectonic_channel_operator            = "quay.io/coreos/tectonic-channel-operator-dev:df42b97af403702013f4739fc82cd005cfd0c766"
-    kube_addon_operator                  = "quay.io/coreos/kube-addon-operator-dev:df42b97af403702013f4739fc82cd005cfd0c766"
+    kube_core_renderer                   = "quay.io/coreos/kube-core-renderer-dev:6705af4bcf26f899e347c88ffddc892a236648e4"
+    kube_core_operator                   = "quay.io/coreos/kube-core-operator-dev:6705af4bcf26f899e347c88ffddc892a236648e4"
+    tectonic_channel_operator            = "quay.io/coreos/tectonic-channel-operator-dev:6705af4bcf26f899e347c88ffddc892a236648e4"
+    kube_addon_operator                  = "quay.io/coreos/kube-addon-operator-dev:6705af4bcf26f899e347c88ffddc892a236648e4"
     tectonic_alm_operator                = "quay.io/coreos/tectonic-alm-operator:v0.3.1"
-    tectonic_ingress_controller_operator = "quay.io/coreos/tectonic-ingress-controller-operator-dev:df42b97af403702013f4739fc82cd005cfd0c766"
-    tectonic_utility_operator            = "quay.io/coreos/tectonic-utility-operator-dev:df42b97af403702013f4739fc82cd005cfd0c766"
-    tectonic_network_operator            = "quay.io/coreos/tectonic-network-operator-dev:df42b97af403702013f4739fc82cd005cfd0c766"
+    tectonic_ingress_controller_operator = "quay.io/coreos/tectonic-ingress-controller-operator-dev:6705af4bcf26f899e347c88ffddc892a236648e4"
+    tectonic_utility_operator            = "quay.io/coreos/tectonic-utility-operator-dev:6705af4bcf26f899e347c88ffddc892a236648e4"
+    tectonic_network_operator            = "quay.io/coreos/tectonic-network-operator-dev:6705af4bcf26f899e347c88ffddc892a236648e4"
   }
 }
 

examples/tectonic.aws.yaml

@@ -259,7 +259,7 @@ networking:
   # - "calico-ipip": [ALPHA] enables BGP based networking. Routing and network policy is implemented by Calico. Note this has been tested on baremetal installations only.
   #
   # - "none": disables the installation of any Pod level networking layer provided by Tectonic. By setting this value, users are expected to deploy their own solution to enable network connectivity for Pods and Services.
-  # type: canal
+  # type: flannel
 
 nodePools:
     # The number of etcd nodes to be created.

examples/tectonic.libvirt.yaml

@@ -93,8 +93,7 @@ networking:
   # - "calico-ipip": [ALPHA] enables BGP based networking. Routing and network policy is implemented by Calico. Note this has been tested on baremetal installations only.
   #
   # - "none": disables the installation of any Pod level networking layer provided by Tectonic. By setting this value, users are expected to deploy their own solution to enable network connectivity for Pods and Services.
-  type: canal
-  mtu: 1480
+  # type: flannel
 
 nodePools:
     # The number of etcd nodes to be created.

installer/pkg/config/cluster.go

@@ -69,7 +69,7 @@ var defaultCluster = Cluster{
 		MTU:         "1480",
 		PodCIDR:     "10.2.0.0/16",
 		ServiceCIDR: "10.3.0.0/16",
-		Type:        tectonicnetwork.NetworkCanal,
+		Type:        tectonicnetwork.NetworkFlannel,
 	},
 }
 

modules/aws/vpc/sg-etcd.tf

@@ -6,44 +6,104 @@ resource "aws_security_group" "etcd" {
       "kubernetes.io/cluster/${var.cluster_name}", "owned",
       "tectonicClusterID", "${var.cluster_id}"
     ), var.extra_tags)}"
+}
+
+resource "aws_security_group_rule" "etcd_egress" {
+  type              = "egress"
+  security_group_id = "${aws_security_group.etcd.id}"
+
+  from_port   = 0
+  cidr_blocks = ["0.0.0.0/0"]
+  to_port     = 0
+  protocol    = "-1"
+}
+
+resource "aws_security_group_rule" "etcd_ingress_icmp" {
+  type              = "ingress"
+  security_group_id = "${aws_security_group.etcd.id}"
+
+  protocol    = "icmp"
+  cidr_blocks = ["0.0.0.0/0"]
+  from_port   = 0
+  to_port     = 0
+}
+
+resource "aws_security_group_rule" "etcd_ingress_ssh" {
+  type              = "ingress"
+  security_group_id = "${aws_security_group.etcd.id}"
+
+  protocol  = "tcp"
+  from_port = 22
+  to_port   = 22
+  self      = true
+}
+
+resource "aws_security_group_rule" "etcd_ingress_etcd" {
+  type              = "ingress"
+  security_group_id = "${aws_security_group.etcd.id}"
+
+  protocol  = "tcp"
+  from_port = 2379
+  to_port   = 2379
+  self      = true
+}
+
+resource "aws_security_group_rule" "etcd_ingress_peer" {
+  type              = "ingress"
+  security_group_id = "${aws_security_group.etcd.id}"
+
+  protocol  = "tcp"
+  from_port = 2380
+  to_port   = 2380
+  self      = true
+}
+
+resource "aws_security_group_rule" "etcd_ingress_flannel" {
+  type              = "ingress"
+  security_group_id = "${aws_security_group.etcd.id}"
+
+  protocol  = "udp"
+  from_port = 4789
+  to_port   = 4789
+  self      = true
+}
+
+resource "aws_security_group_rule" "etcd_ingress_flannel_from_master" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.etcd.id}"
+  source_security_group_id = "${aws_security_group.master.id}"
+
+  protocol  = "udp"
+  from_port = 4789
+  to_port   = 4789
+}
+
+resource "aws_security_group_rule" "etcd_ingress_flannel_from_worker" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.etcd.id}"
+  source_security_group_id = "${aws_security_group.worker.id}"
+
+  protocol  = "udp"
+  from_port = 4789
+  to_port   = 4789
+}
+
+resource "aws_security_group_rule" "etcd_ingress_from_master" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.etcd.id}"
+  source_security_group_id = "${aws_security_group.master.id}"
+
+  protocol  = "tcp"
+  from_port = 0
+  to_port   = 65535
+}
+
+resource "aws_security_group_rule" "etcd_ingress_from_worker" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.etcd.id}"
+  source_security_group_id = "${aws_security_group.worker.id}"
 
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    self        = true
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  ingress {
-    protocol    = "icmp"
-    cidr_blocks = ["0.0.0.0/0"]
-    from_port   = 0
-    to_port     = 0
-  }
-
-  ingress {
-    protocol  = "tcp"
-    from_port = 22
-    to_port   = 22
-    self      = true
-
-    security_groups = ["${aws_security_group.master.id}"]
-  }
-
-  ingress {
-    protocol  = "tcp"
-    from_port = 2379
-    to_port   = 2379
-    self      = true
-
-    security_groups = ["${aws_security_group.master.id}"]
-  }
-
-  ingress {
-    protocol  = "tcp"
-    from_port = 2380
-    to_port   = 2380
-    self      = true
-  }
+  protocol  = "tcp"
+  from_port = 0
+  to_port   = 65535
 }

modules/aws/vpc/sg-master.tf

@@ -98,6 +98,16 @@ resource "aws_security_group_rule" "master_ingress_flannel" {
   self      = true
 }
 
+resource "aws_security_group_rule" "master_ingress_flannel_from_etcd" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.master.id}"
+  source_security_group_id = "${aws_security_group.etcd.id}"
+
+  protocol  = "udp"
+  from_port = 4789
+  to_port   = 4789
+}
+
 resource "aws_security_group_rule" "master_ingress_flannel_from_worker" {
   type                     = "ingress"
   security_group_id        = "${aws_security_group.master.id}"
@@ -207,3 +217,13 @@ resource "aws_security_group_rule" "master_ingress_services_from_console" {
   from_port = 30000
   to_port   = 32767
 }
+
+resource "aws_security_group_rule" "master_ingress_from_etcd" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.master.id}"
+  source_security_group_id = "${aws_security_group.etcd.id}"
+
+  protocol  = "tcp"
+  from_port = 0
+  to_port   = 65535
+}

modules/aws/vpc/sg-worker.tf

@@ -88,6 +88,16 @@ resource "aws_security_group_rule" "worker_ingress_flannel" {
   self      = true
 }
 
+resource "aws_security_group_rule" "worker_ingress_flannel_from_etcd" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.worker.id}"
+  source_security_group_id = "${aws_security_group.etcd.id}"
+
+  protocol  = "udp"
+  from_port = 4789
+  to_port   = 4789
+}
+
 resource "aws_security_group_rule" "worker_ingress_flannel_from_master" {
   type                     = "ingress"
   security_group_id        = "${aws_security_group.worker.id}"
@@ -177,3 +187,13 @@ resource "aws_security_group_rule" "worker_ingress_services_from_console" {
   from_port = 30000
   to_port   = 32767
 }
+
+resource "aws_security_group_rule" "etcd_ingress_from_etcd" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.etcd.id}"
+  source_security_group_id = "${aws_security_group.etcd.id}"
+
+  protocol  = "tcp"
+  from_port = 0
+  to_port   = 65535
+}

modules/bootkube/resources/bootkube.sh

@@ -5,8 +5,8 @@ echo "Rendering Kubernetes core manifests..."
 
 # shellcheck disable=SC2154
 /usr/bin/docker run \
-    --volume "$(pwd)":/assets \
-    --volume /etc/kubernetes:/etc/kubernetes \
+    --volume "$(pwd)":/assets:z \
+    --volume /etc/kubernetes:/etc/kubernetes:z \
     "${kube_core_renderer_image}" \
     --config=/assets/kco-config.yaml \
     --output=/assets
@@ -16,7 +16,7 @@ echo "Rendering TNC manifests..."
 # shellcheck disable=SC2154
 /usr/bin/docker run \
     --user 0 \
-    --volume "$(pwd)":/assets \
+    --volume "$(pwd)":/assets:z \
     "${tnc_operator_image}" \
     --config=/assets/tnco-config.yaml \
     --render-bootstrap=true \
@@ -37,7 +37,7 @@ echo "Starting etcd certificate signer..."
 # shellcheck disable=SC2154,SC2034
 signer_id=$(/usr/bin/docker run -d \
     --tmpfs /tmp \
-    --volume /opt/tectonic/tls:/opt/tectonic/tls:ro \
+    --volume /opt/tectonic/tls:/opt/tectonic/tls:ro,z \
     --network host \
     "${etcd_cert_signer_image}" \
     serve \
@@ -61,7 +61,7 @@ while true; do
         --rm \
         --name etcdctl \
         --env ETCDCTL_API=3 \
-        --volume /opt/tectonic/tls:/opt/tectonic/tls:ro \
+        --volume /opt/tectonic/tls:/opt/tectonic/tls:ro,z \
         "${etcdctl_image}" \
         /usr/local/bin/etcdctl \
             --dial-timeout=10m \
@@ -96,8 +96,8 @@ echo "Starting bootkube..."
 
 # shellcheck disable=SC2154
 /usr/bin/docker run \
-    --volume "$(pwd)":/assets \
-    --volume /etc/kubernetes:/etc/kubernetes \
+    --volume "$(pwd)":/assets:z \
+    --volume /etc/kubernetes:/etc/kubernetes:z \
     --network=host \
     --entrypoint=/bootkube \
     "${bootkube_image}" \