From c14388629aa114b4567f97bbdabcf10a9a5ff63b Mon Sep 17 00:00:00 2001
From: Etienne Champetier <champetier.etienne@gmail.com>
Date: Mon, 4 Jan 2021 12:07:56 -0500
Subject: [PATCH] calico: check if inventory settings match cluster settings
 (#6969)

If some settings were changed from the default but not committed into an inventory repo,
we risk breaking the cluster / causing downtime, so add some extra checks

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
---
 roles/network_plugin/calico/tasks/check.yml | 24 +++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/roles/network_plugin/calico/tasks/check.yml b/roles/network_plugin/calico/tasks/check.yml
index 5c3fd35ae..1acb852ac 100644
--- a/roles/network_plugin/calico/tasks/check.yml
+++ b/roles/network_plugin/calico/tasks/check.yml
@@ -36,3 +36,27 @@
     msg: "IP in IP and VXLAN mode is mutualy exclusive modes"
   when:
     - "calico_vxlan_mode in ['Always', 'CrossSubnet']"
+
+- name: "Get Calico {{ calico_pool_name }} configuration"
+  command: calicoctl.sh get ipPool {{ calico_pool_name }} -o json
+  failed_when: False
+  changed_when: False
+  register: calico
+  run_once: True
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: "Set calico_pool_conf"
+  set_fact:
+    calico_pool_conf: '{{ calico.stdout | from_json }}'
+  when: calico.rc == 0 and calico.stdout
+
+- name: "Check if inventory match current cluster configuration"
+  assert:
+    that:
+      - calico_pool_conf.spec.blockSize == (calico_pool_blocksize | default(kube_network_node_prefix))
+      - calico_pool_conf.spec.cidr == (calico_pool_cidr | default(kube_pods_subnet))
+      - calico_pool_conf.spec.ipipMode == calico_ipip_mode
+      - calico_pool_conf.spec.vxlanMode == calico_vxlan_mode
+    msg: "Your inventory doesn't match the current cluster configuration"
+  when:
+    - calico_pool_conf is defined
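Review bot: The first `that:` entry compares `calico_pool_conf.spec.blockSize`, an integer from calicoctl's JSON, with an inventory value that may be a string when it is supplied as text (for example via `-e calico_pool_blocksize=26` on the command line); Jinja's `==` does not coerce types, so the assert would fire on a cluster that actually matches. Casting closes that gap: `- calico_pool_conf.spec.blockSize == (calico_pool_blocksize | default(kube_network_node_prefix) | int)`. Separately, `failed_when: False` on the `calicoctl.sh` task means any failure of the command, not only the expected missing pool on a fresh install, leaves `calico_pool_conf` undefined and silently skips the whole guard; consider distinguishing the not-found case from other non-zero `calico.rc` values, or at least emitting a `debug` message when the check is skipped, so a broken calicoctl does not look like a passing check. Minor style: `True`/`False` are accepted by Ansible but the canonical YAML booleans are `true`/`false`.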
-- 
GitLab