From d0349fd6bb8013f3be88b4dbe818fe4d5040a3df Mon Sep 17 00:00:00 2001
From: Ciprian Hacman
Date: Fri, 9 Oct 2020 07:49:14 +0300
Subject: [PATCH 1/2] Open etcd port only when Calico uses "etcd" datastore

---
 nodeup/pkg/model/networking/calico.go | 2 +-
 pkg/apis/kops/cluster.go | 6 ++++++
 pkg/model/firewall.go | 10 ++++++----
 pkg/model/iam/iam_builder.go | 2 +-
 pkg/model/pki.go | 2 +-
 5 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/nodeup/pkg/model/networking/calico.go b/nodeup/pkg/model/networking/calico.go
index 1f682fd540716..230aa6f2808a2 100644
--- a/nodeup/pkg/model/networking/calico.go
+++ b/nodeup/pkg/model/networking/calico.go
@@ -39,7 +39,7 @@ func (b *CalicoBuilder) Build(c *fi.ModelBuilderContext) error {
 	}
 
 	// @check if tls is enabled and if so, we need to download the client certificates
-	if !b.UseEtcdManager() && b.UseEtcdTLS() {
+	if b.IsKubernetesLT("1.12") && !b.UseEtcdManager() && b.UseEtcdTLS() {
 		name := "calico-client"
 		dirname := "calico"
 		ca := filepath.Join(dirname, "ca.pem")
diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
index 9fbd531bba12c..eb9380fb88436 100644
--- a/pkg/apis/kops/cluster.go
+++ b/pkg/apis/kops/cluster.go
@@ -674,6 +674,12 @@ func (c *Cluster) IsKubernetesGTE(version string) bool {
 	return clusterVersion.GTE(*parsedVersion)
 }
 
+// IsKubernetesLT checks if the version is < the specified version.
+// It panics if the kubernetes version in the cluster is invalid, or if the version is invalid.
+func (c *Cluster) IsKubernetesLT(version string) bool {
+	return !c.IsKubernetesGTE(version)
+}
+
 // EnvVar represents an environment variable present in a Container.
 type EnvVar struct {
 	// Name of the environment variable. Must be a C_IDENTIFIER.
diff --git a/pkg/model/firewall.go b/pkg/model/firewall.go
index 604089f8eef06..d7d9b3872b17f 100644
--- a/pkg/model/firewall.go
+++ b/pkg/model/firewall.go
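Review bot: The new condition in the changed `if` line expresses the datastore choice through a Kubernetes version comparison, while the comment above it still reads `// @check if tls is enabled and if so, we need to download the client certificates` and no longer explains why the version matters; the same literal `"1.12"` is repeated in the firewall.go, iam_builder.go and pki.go hunks, whose comments are likewise unchanged. Consider one predicate on the cluster, e.g. `func (c *Cluster) CalicoUsesEtcdDatastore() bool { return c.Spec.Networking.Calico != nil && c.IsKubernetesLT("1.12") }`, carrying a doc comment that Calico is deployed with the etcd datastore only below that version (inferred from the commit title; confirm against the Calico manifest), so the four call sites cannot drift apart when the boundary changes. The comment here could then read `// Calico on Kubernetes < 1.12 uses the etcd datastore and needs the etcd client certificates when TLS is on`. Build's body continues outside the hunk.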
@@ -250,10 +250,12 @@ func (b *FirewallModelBuilder) applyNodeToMasterBlockSpecificPorts(c *fi.ModelBu
 	}
 
 	if b.Cluster.Spec.Networking.Calico != nil {
-		// Calico needs to access etcd
-		// TODO: Remove, replace with etcd in calico manifest
-		klog.Warningf("Opening etcd port on masters for access from the nodes, for calico. This is unsafe in untrusted environments.")
-		tcpBlocked[4001] = false
+		if b.IsKubernetesLT("1.12") {
+			// Calico needs to access etcd
+			// TODO: Remove, replace with etcd in calico manifest
+			klog.Warningf("Opening etcd port on masters for access from the nodes, for calico. This is unsafe in untrusted environments.")
+			tcpBlocked[4001] = false
+		}
 		protocols = append(protocols, ProtocolIPIP)
 	}
 
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index a7ce4a55771f3..991944ed7b501 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -570,7 +570,7 @@ func ReadableStatePaths(cluster *kops.Cluster, role Subject) ([]string, error) {
 	}
 
 	// @check if calico is enabled as the CNI provider and permit access to the client TLS certificate by default
-	if networkingSpec.Calico != nil {
+	if cluster.IsKubernetesLT("1.12") && networkingSpec.Calico != nil {
 		calicoClientCert := false
 		for _, x := range cluster.Spec.EtcdClusters {
 			if x.Provider == kops.EtcdProviderTypeManager {
diff --git a/pkg/model/pki.go b/pkg/model/pki.go
index 60aee7e3f23e0..bfa5c5cdafef8 100644
--- a/pkg/model/pki.go
+++ b/pkg/model/pki.go
@@ -129,7 +129,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	})
 
 	// @check if calico is enabled as the CNI provider
-	if b.KopsModelContext.Cluster.Spec.Networking.Calico != nil {
+	if b.IsKubernetesLT("1.12") && b.KopsModelContext.Cluster.Spec.Networking.Calico != nil {
 		c.AddTask(&fitasks.Keypair{
 			Name: fi.String("calico-client"),
 			Lifecycle: b.Lifecycle,

From 9c888bcdcf5b4ce7d90f4fb7417fdef463d67a48 Mon Sep 17 00:00:00 2001
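Review bot: The retained `// TODO: Remove, replace with etcd in calico manifest` inside the new `if b.IsKubernetesLT("1.12")` block no longer describes the code around it: TCP 4001 from nodes to masters is now opened only for legacy clusters, so the removal condition is dropping support for those versions rather than a manifest change. Suggest `// TODO: Remove once Kubernetes < 1.12 (Calico etcd datastore) is no longer supported` so the remaining exposure is tied to a concrete retirement point. The warning is still logged for every such cluster, which is appropriate; including the cluster's Kubernetes version in the message would let an operator see from the log alone why the port was opened. applyNodeToMasterBlockSpecificPorts starts outside the hunk.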
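Review bot: In the changed `if` line of the iam_builder.go hunk, `cluster.IsKubernetesLT("1.12")` is evaluated before `networkingSpec.Calico != nil`, so ReadableStatePaths now parses the cluster version for every cluster rather than only Calico ones; per the doc comment added in cluster.go that call panics on an invalid version, a path this branch previously did not reach for non-Calico clusters. Swapping the operands, `if networkingSpec.Calico != nil && cluster.IsKubernetesLT("1.12") {`, keeps the nil check as the guard and confines the panic path to the configuration it concerns; the pki.go hunk has the same ordering. Whether the version string is already validated earlier on these paths is not visible here. The loop over cluster.Spec.EtcdClusters continues outside the hunk.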
From: Ciprian Hacman
Date: Fri, 9 Oct 2020 08:50:47 +0300
Subject: [PATCH 2/2] Update expected outputs of integration tests

---
 .../update_cluster/bastionadditional_user-data/kubernetes.tf | 4 ++--
 .../update_cluster/privatecalico/cloudformation.json | 4 ++--
 tests/integration/update_cluster/privatecalico/kubernetes.tf | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf b/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf
index 2cd9afd8f4ce9..63adfc0561b78 100644
--- a/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf
+++ b/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf
@@ -753,12 +753,12 @@ resource "aws_security_group_rule" "node-to-master-tcp-1-2379" {
   type = "ingress"
 }
 
-resource "aws_security_group_rule" "node-to-master-tcp-2382-4001" {
+resource "aws_security_group_rule" "node-to-master-tcp-2382-4000" {
   from_port = 2382
   protocol = "tcp"
   security_group_id = aws_security_group.masters-bastionuserdata-example-com.id
   source_security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id
-  to_port = 4001
+  to_port = 4000
   type = "ingress"
 }
 
diff --git a/tests/integration/update_cluster/privatecalico/cloudformation.json b/tests/integration/update_cluster/privatecalico/cloudformation.json
index c9cdba0c12866..54c8fc33409f7 100644
--- a/tests/integration/update_cluster/privatecalico/cloudformation.json
+++ b/tests/integration/update_cluster/privatecalico/cloudformation.json
@@ -847,7 +847,7 @@
         "IpProtocol": "tcp"
       }
     },
-    "AWSEC2SecurityGroupIngressnodetomastertcp23824001": {
+    "AWSEC2SecurityGroupIngressnodetomastertcp23824000": {
       "Type": "AWS::EC2::SecurityGroupIngress",
       "Properties": {
         "GroupId": {
@@ -857,7 +857,7 @@
           "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom"
         },
         "FromPort": 2382,
-        "ToPort": 4001,
+        "ToPort": 4000,
         "IpProtocol": "tcp"
       }
     },
diff --git a/tests/integration/update_cluster/privatecalico/kubernetes.tf b/tests/integration/update_cluster/privatecalico/kubernetes.tf
index 98181269a619a..a7f5a59290632 100644
--- a/tests/integration/update_cluster/privatecalico/kubernetes.tf
+++ b/tests/integration/update_cluster/privatecalico/kubernetes.tf
@@ -752,12 +752,12 @@ resource "aws_security_group_rule" "node-to-master-tcp-1-2379" {
   type = "ingress"
 }
 
-resource "aws_security_group_rule" "node-to-master-tcp-2382-4001" {
+resource "aws_security_group_rule" "node-to-master-tcp-2382-4000" {
   from_port = 2382
   protocol = "tcp"
   security_group_id = aws_security_group.masters-privatecalico-example-com.id
   source_security_group_id = aws_security_group.nodes-privatecalico-example-com.id
-  to_port = 4001
+  to_port = 4000
   type = "ingress"
 }
 