Make source network address translation configurable in IPv6 scenario. (#585)

Previously, source network address translation (SNAT) was always
disabled via the `IPPool` configuration in the IPv6 scenario. This
should be a sensible default for scenarios when globally routable IPv6
address space is used. However, if unique local addresses (ULA) are used
it might be useful to still perform source network address translation
on the node level.
This change exposes an option so that SNAT can be enabled for IPv6.

Author: ScheererJ

charts/internal/calico/templates/ippool/ippool.yaml

@@ -63,7 +63,7 @@ spec:
   blockSize: 122
   cidr: "{{ .Values.global.podCIDR }}"
   ipipMode: Never
-  natOutgoing: false
+  natOutgoing: {{ if .Values.config.ipv6.natOutgoing }}true{{ else }}false{{ end }}
   nodeSelector: all()
   vxlanMode: Never
-{{- end -}}
+{{- end -}}

charts/internal/calico/values.yaml

@@ -31,7 +31,7 @@ config:
     pool: vxlan
     mode: "Never"
     autoDetectionMethod: "first-found"
-    natOutgoing: true
+    natOutgoing: false
     wireguard: false
   felix:
     ipinip:

hack/api-reference/calico.md

@@ -513,6 +513,19 @@ string
 <a href="https://docs.projectcalico.org/v3.8/reference/node/configuration#ip-autodetection-methods">https://docs.projectcalico.org/v3.8/reference/node/configuration#ip-autodetection-methods</a></p>
 </td>
 </tr>
+<tr>
+<td>
+<code>sourceNATEnabled</code></br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>SourceNATEnabled indicates whether the pod IP addresses should be masqueraded when targeting external destinations.
+Per default, source network address translation is disabled.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="calico.networking.extensions.gardener.cloud/v1alpha1.NetworkStatus">NetworkStatus

pkg/apis/calico/types_network.go

@@ -62,6 +62,9 @@ type IPv6 struct {
 	// AutoDetectionMethod is the method to use to autodetect the IPv6 address for this host. This is only used when the IPv6 address is being autodetected.
 	// https://docs.projectcalico.org/v3.8/reference/node/configuration#ip-autodetection-methods
 	AutoDetectionMethod *string
+	// SourceNATEnabled indicates whether the pod IP addresses should be masqueraded when targeting external destinations.
+	// Per default, source network address translation is disabled.
+	SourceNATEnabled *bool
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

pkg/apis/calico/v1alpha1/types_network.go

@@ -69,6 +69,10 @@ type IPv6 struct {
 	// https://docs.projectcalico.org/v3.8/reference/node/configuration#ip-autodetection-methods
 	// +optional
 	AutoDetectionMethod *string `json:"autoDetectionMethod,omitempty"`
+	// SourceNATEnabled indicates whether the pod IP addresses should be masqueraded when targeting external destinations.
+	// Per default, source network address translation is disabled.
+	// +optional
+	SourceNATEnabled *bool `json:"sourceNATEnabled,omitempty"`
 }
 
 // +genclient

pkg/apis/calico/v1alpha1/zz_generated.conversion.go

@@ -481,7 +481,7 @@ var _ = Describe("Chart package test", func() {
 						"pool":                "vxlan",
 						"mode":                "Never",
 						"autoDetectionMethod": nil,
-						"natOutgoing":         true,
+						"natOutgoing":         false,
 						"wireguard":           false,
 					})),
 				))
@@ -519,7 +519,7 @@ var _ = Describe("Chart package test", func() {
 						"pool":                "vxlan",
 						"mode":                "CrossSubnet",
 						"autoDetectionMethod": "first-found",
-						"natOutgoing":         true,
+						"natOutgoing":         false,
 						"wireguard":           false,
 					})),
 				))
@@ -563,7 +563,7 @@ var _ = Describe("Chart package test", func() {
 						"pool":                "vxlan",
 						"mode":                "Never",
 						"autoDetectionMethod": nil,
-						"natOutgoing":         true,
+						"natOutgoing":         false,
 						"wireguard":           false,
 					})),
 				))

pkg/apis/calico/v1alpha1/zz_generated.deepcopy.go

@@ -255,7 +255,7 @@ func generateChartValues(network *extensionsv1alpha1.Network, config *calicov1al
 			Pool:                calicov1alpha1.PoolVXLan,
 			Mode:                calicov1alpha1.Never,
 			AutoDetectionMethod: nil,
-			NATOutgoing:         true,
+			NATOutgoing:         false,
 		}
 		c.Felix.IPInIP.Enabled = false
 	}
@@ -392,6 +392,9 @@ func mergeCalicoValuesWithConfig(c *calicoConfig, config *calicov1alpha1.Network
 		if config.IPv6.AutoDetectionMethod != nil {
 			c.IPv6.AutoDetectionMethod = config.IPv6.AutoDetectionMethod
 		}
+		if config.IPv6.SourceNATEnabled != nil {
+			c.IPv6.NATOutgoing = *config.IPv6.SourceNATEnabled
+		}
 	}
 
 	if config.Typha != nil {