From f66c051e269ff0aa578e6f7463f1c800cf208452 Mon Sep 17 00:00:00 2001
From: Anthony Delannoy
Date: Thu, 25 Apr 2024 12:28:04 +0200
Subject: [PATCH 1/2] chore(calico-typha): add calico_typha_affinity parameter
---
 .../calico/templates/calico-typha.yml.j2 | 4 ++++
 .../calico_defaults/defaults/main.yml | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/roles/network_plugin/calico/templates/calico-typha.yml.j2 b/roles/network_plugin/calico/templates/calico-typha.yml.j2
index d1f37aa5d3d..fa25e615908 100644
--- a/roles/network_plugin/calico/templates/calico-typha.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-typha.yml.j2
@@ -64,6 +64,10 @@ spec:
 - key: node-role.kubernetes.io/control-plane
 operator: Exists
 effect: NoSchedule
+{% if calico_typha_affinity is defined %}
+ affinity:
+ {{ calico_typha_affinity | to_nice_yaml(indent=2) | indent(8) }}
+{% endif %}
 # Since Calico can't network a pod until Typha is up, we need to run Typha itself
 # as a host-networked pod.
 serviceAccountName: calico-node
diff --git a/roles/network_plugin/calico_defaults/defaults/main.yml b/roles/network_plugin/calico_defaults/defaults/main.yml
index 8b909f02114..6a27dccb7b7 100644
--- a/roles/network_plugin/calico_defaults/defaults/main.yml
+++ b/roles/network_plugin/calico_defaults/defaults/main.yml
@@ -141,6 +141,24 @@ typha_max_connections_lower_limit: 300
 # Generate certifcates for typha<->calico-node communication
 typha_secure: false
+# Add typha affinities
+# calico_typha_affinity:
+# nodeAffinity:
+# preferredDuringSchedulingIgnoredDuringExecution:
+# - weight: 100
+# preference:
+# matchExpressions:
+# - key: node-role.kubernetes.io/control-plane
+# operator: In
+# values:
+# - ''
+# podAntiAffinity:
+# requiredDuringSchedulingIgnoredDuringExecution:
+# - labelSelector:
+# matchLabels:
+# k8s-app: calico-typha
+# topologyKey: kubernetes.io/hostname
+
 calico_feature_control: {}
 # Calico default BGP port
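Review bot: The `is defined` guard on the new `affinity:` block in calico-typha.yml.j2 also passes when `calico_typha_affinity` is set to null or an empty mapping, and the value is dumped into the pod spec without any check. As far as I can tell a null would render through `to_nice_yaml` as `null` followed by a document-end marker, which would break the manifest, so a stricter guard such as `{% if calico_typha_affinity is defined and calico_typha_affinity %}` is safer. The comment directly below the block notes that Calico cannot network a pod until Typha is up, so a manifest that fails to apply here affects pod networking for the whole cluster. The same guard is used for `calico_policy_controller_affinity` in patch 2/2.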
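Review bot: The commented example in calico_defaults/defaults/main.yml should say what it does when uncommented as-is: the `requiredDuringSchedulingIgnoredDuringExecution` anti-affinity on `kubernetes.io/hostname` allows at most one Typha pod per node, so any replica beyond the number of schedulable nodes would stay Pending. A line such as `# Example only: the required podAntiAffinity allows one Typha pod per node; keep replicas <= schedulable nodes` above the block would cover it. The node-affinity term could also use `operator: Exists` without `values`, matching the control-plane toleration in the Typha template, instead of `operator: In` with an empty-string value, which only matches when the label value is exactly empty. The same nodeAffinity example is repeated in the policy-controller defaults in patch 2/2.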
From d46a93eebc4f5db5cbb2fd6f988b1c6bc02cbdf1 Mon Sep 17 00:00:00 2001
From: Anthony Delannoy
Date: Thu, 25 Apr 2024 12:32:12 +0200
Subject: [PATCH 2/2] chore(calico-kube-controller): add calico_policy_controller_affinity parameter
---
 .../policy_controller/calico/defaults/main.yml | 10 ++++++++++
 .../calico/templates/calico-kube-controllers.yml.j2 | 6 ++++++
 2 files changed, 16 insertions(+)
diff --git a/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml b/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
index d3a780c92db..08d7c901ecb 100644
--- a/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
@@ -5,6 +5,16 @@ calico_policy_controller_memory_limit: 256M
 calico_policy_controller_cpu_requests: 30m
 calico_policy_controller_memory_requests: 64M
 calico_policy_controller_deployment_nodeselector: "kubernetes.io/os: linux"
+# calico_policy_controller_affinity:
+# nodeAffinity:
+# preferredDuringSchedulingIgnoredDuringExecution:
+# - weight: 100
+# preference:
+# matchExpressions:
+# - key: node-role.kubernetes.io/control-plane
+# operator: In
+# values:
+# - ''
 # SSL
 calico_cert_dir: "/etc/calico/certs"
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
index 490111c701e..7a335b48484 100644
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
@@ -6,6 +6,8 @@ metadata:
 labels:
 k8s-app: calico-kube-controllers
 spec:
+ # XXX The controllers can only have a single active instance.
+ # See: https://github.com/projectcalico/calico/blob/master/charts/calico/templates/calico-kube-controllers.yaml#L10
 replicas: 1
 strategy:
 type: Recreate
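Review bot: The reference link in the new comment above `replicas: 1` points at the `master` branch with a `#L10` line anchor, so it will stop pointing at the single-instance constraint as soon as the upstream chart changes. Pin it to a release tag or commit permalink, for example `# See: https://github.com/projectcalico/calico/blob/<TAG_OR_COMMIT>/charts/calico/templates/calico-kube-controllers.yaml#L10`. `XXX` usually marks something still to be fixed; since this records a deliberate constraint, `# NOTE:` would read more accurately.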
@@ -30,6 +32,10 @@ spec:
 operator: Exists
 - key: node-role.kubernetes.io/control-plane
 effect: NoSchedule
+{% if calico_policy_controller_affinity is defined %}
+ affinity:
+ {{ calico_policy_controller_affinity | to_nice_yaml(indent=2) | indent(8) }}
+{% endif %}
 {% if policy_controller_extra_tolerations is defined %}
 {{ policy_controller_extra_tolerations | list | to_nice_yaml(indent=2) | indent(8) }}
 {% endif %}
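Review bot: The new `affinity:` block is inserted between the static toleration entries and the existing `policy_controller_extra_tolerations` block, which emits bare list items (`| list | to_nice_yaml(indent=2) | indent(8)`) and so appears to continue the tolerations list above it. When both variables are defined, those extra tolerations would render after the affinity mapping instead of under `tolerations:`, most likely producing a manifest that fails to parse. The `tolerations:` key itself lies outside this hunk, so this is inferred from the context lines. Move the four added lines below the existing `{% endif %}` so the order is tolerations, extra tolerations, then `affinity:`. A render test with both variables set would catch a regression here.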