cluster: do not export metallb routes to mesh peers
This prevents metallb routes from being announced by every mesh peer to our ToR,
which caused traffic to reach services with externalTrafficPolicy: local on nodes
that do not host an endpoint for that service.
There still is the from-host loopback issue, but that will be fixed by
upgrading to kube 1.15.
Change-Id: Ifc9964b46840aee82d99f0b6550188550e46fe04
diff --git a/cluster/kube/lib/calico-bird-ipam.cfg.template b/cluster/kube/lib/calico-bird-ipam.cfg.template
index 869a480..8f96951 100644
--- a/cluster/kube/lib/calico-bird-ipam.cfg.template
+++ b/cluster/kube/lib/calico-bird-ipam.cfg.template
@@ -1,13 +1,22 @@
# This is forked from bird.cfg.template from calico running on k0.hswaw.net on 2020/09/21.
# Changed vs. upstream (C-f HSCLOUD):
+# - do not pass over RTD_UNREACHABLE routes obtained from mesh peers, to
+# prevent them from being then passed over to ToRs. This prevents route leaks
+# of metallb routes into ToRs from nodes that do not actually run that
+# particular metallb service.
# - do not program RTD_UNREACHABLE routes into the kernel (these come from metallb, and
# programming them seems to break things)
# Generated by confd
+
filter calico_export_to_bgp_peers {
calico_aggr();
{{- $static_key := "/staticroutes"}}
{{- if ls $static_key}}
+ if ( proto ~ "Mesh_*" ) && ( dest = RTD_UNREACHABLE ) then { # HSCLOUD
+ reject;
+ }
+
# Export static routes.
{{- range ls $static_key}}
{{- $parts := split . "-"}}