kube-up: move Calico policy components off master, and add support for GCI master

cluster/saltbase/salt/calico/10-calico.conf

@@ -1,7 +1,7 @@
 {
     "name": "k8s-pod-network",
     "type": "calico",
-    "etcd_authority": "{{ grains.api_servers }}:6666",
+    "etcd_authority": "10.0.0.17:6666",
     "log_level": "info",
     "ipam": {
         "type": "host-local",

cluster/saltbase/salt/calico/calico-node.manifest

@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: calico-node
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    k8s-app: calico-node
+spec:
+  hostNetwork: true
+  containers:
+    - name: calico-node
+      image: quay.io/calico/node:v0.20.0
+      env:
+        - name: ETCD_ENDPOINTS
+          value: "http://10.0.0.17:6666"
+        - name: CALICO_NETWORKING
+          value: "false"
+      securityContext:
+        privileged: true
+      volumeMounts:
+        - mountPath: /lib/modules
+          name: lib-modules
+          readOnly: true
+        - mountPath: /var/log/calico
+          name: var-log-calico
+          readOnly: false
+        - mountPath: /var/run/calico
+          name: var-run-calico
+          readOnly: false
+  volumes:
+    - name: lib-modules
+      hostPath:
+        path: /lib/modules
+    - name: var-run-calico
+      hostPath:
+        path: /var/run/calico
+    - name: var-log-calico
+      hostPath:
+        path: /var/log/calico

cluster/saltbase/salt/calico/calico-policy-controller.manifest

@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: calico-policy-controller
-  namespace: kube-system
-  labels:
-    kubernetes.io/cluster-service: "true"
-    k8s-app: calico-policy
-spec:
-  hostNetwork: true
-  containers:
-    - name: policy-controller
-      image: calico/kube-policy-controller:v0.2.0
-      env:
-      - name: ETCD_AUTHORITY
-        value: "127.0.0.1:6666"
-      - name: K8S_API
-        value: "http://127.0.0.1:8080"
-    - name: calico-etcd
-      image: gcr.io/google_containers/etcd:2.2.1
-      command:
-        - /usr/local/bin/etcd
-        - --name=calico
-        - --data-dir=/var/etcd/calico-data
-        - --advertise-client-urls=http://{{ grains.id }}:6666
-        - --listen-client-urls=http://0.0.0.0:6666
-        - --listen-peer-urls=http://0.0.0.0:6667
-        - --initial-advertise-peer-urls=http://{{ grains.id }}:6667
-        - --initial-cluster=calico=http://{{ grains.id }}:6667
-      volumeMounts:
-        - name: varetcd
-          mountPath: /var/etcd
-  volumes:
-    - name: varetcd
-      hostPath:
-        path: /var/calico/etcd

cluster/saltbase/salt/calico/node.sls

@@ -1,30 +1,25 @@
 {% if pillar.get('network_policy_provider', '').lower() == 'calico' %}
 
-calicoctl:
-  file.managed:
-    - name: /usr/bin/calicoctl
-    - source: https://github.com/projectcalico/calico-docker/releases/download/v0.19.0/calicoctl
-    - source_hash: sha256=6db00c94619e82d878d348c4e1791f8d2f0db59075f6c8e430fefae297c54d96
-    - makedirs: True
-    - mode: 744
-
 calico-node:
-  cmd.run:
-    - name: calicoctl node
-    - unless: docker ps | grep calico-node
-    - env:
-      - ETCD_AUTHORITY: "{{ grains.api_servers }}:6666"
-      - CALICO_NETWORKING: "false"
+  file.managed:
+    - name: /etc/kubernetes/manifests/calico-node.manifest
+    - source: salt://calico/calico-node.manifest
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 644
+    - makedirs: true
+    - dir_mode: 755
     - require:
       - kmod: ip6_tables
       - kmod: xt_set
       - service: docker
-      - file: calicoctl
+      - service: kubelet
 
 calico-cni:
   file.managed:
     - name: /opt/cni/bin/calico
-    - source: https://github.com/projectcalico/calico-cni/releases/download/v1.3.1/calico 
+    - source: https://github.com/projectcalico/calico-cni/releases/download/v1.3.1/calico
     - source_hash: sha256=ac05cb9254b5aaa5822cf10325983431bd25489147f2edf9dec7e43d99c43e77
     - makedirs: True
     - mode: 744