Stop fighting calico and fix firewall resources

The newer firewall can get into a weird state when port ranges are
defined with hyphens, because in iptables they are defined with colons,
so puppet agent will view this as a corrective change.

This is not necessarily a problem, but when the host's networking is
sufficiently chaotic, this attempt at a corrective change can cause the
puppet server to lose the resource in favor of `nil` and crash.

Calico is sufficiently chaotic, and this commit also aims to stop
purging half of calico's firewall on every puppet agent run.

manifests/profile/kubernetes/kubelet.pp

@@ -82,7 +82,7 @@
     ;
 
     '200 Cluster NodePorts':
-      dport => '30000-32767',
+      dport => '30000:32767',
     ;
 
     '200 Cluster Prometheus':

manifests/profile/networking/firewall.pp

@@ -113,7 +113,7 @@
     firewallchain {
       default:
         ensure => 'present',
-        purge  => true,
+        purge  => $internal_routing != 'kubernetes_calico',
         policy => 'accept',
       ;
 

spec/classes/profile/kubernetes/kubelet_spec.rb

@@ -93,7 +93,7 @@
           [%w[2379 2380 2381], 'etcd',           'tcp'],
           [10250,              'kubelet',        'tcp'],
           [6443,               'kubernetes API', 'tcp'],
-          %w[30000-32767 NodePorts tcp],
+          %w[30000:32767 NodePorts tcp],
           [9100, 'Prometheus', 'tcp'],
         ].each do |ports, purpose, proto|
           it do

spec/classes/profile/networking/firewall_spec.rb

@@ -113,13 +113,13 @@
           it do
             expect(subject).to contain_firewallchain("#{chain}:filter:IPv4")
               .with_ensure('present')
-              .with_purge(true)
+              .with_purge(false)
           end
 
           it do
             expect(subject).to contain_firewallchain("#{chain}:filter:IPv6")
               .with_ensure('present')
-              .with_purge(true)
+              .with_purge(false)
           end
         end
       end

spec/classes/role/kubernetes_spec.rb

@@ -53,12 +53,12 @@
 
         it { is_expected.to contain_class('Nebula::Profile::Ntp') }
 
-        it { is_expected.not_to contain_resources('firewall').with_purge(true) }
+        it { is_expected.not_to contain_resources('firewall').with_purge(false) }
 
         it do
           expect(subject).to contain_firewallchain('INPUT:filter:IPv4').with(
             ensure: 'present',
-            purge: true,
+            purge: false,
             ignore: ['-j cali-INPUT',
                      '-j KUBE-FIREWALL',
                      '-j KUBE-SERVICES',
@@ -69,7 +69,7 @@
         it do
           expect(subject).to contain_firewallchain('OUTPUT:filter:IPv4').with(
             ensure: 'present',
-            purge: true,
+            purge: false,
             ignore: ['-j cali-OUTPUT',
                      '-j KUBE-FIREWALL',
                      '-j KUBE-SERVICES'],
@@ -79,7 +79,7 @@
         it do
           expect(subject).to contain_firewallchain('FORWARD:filter:IPv4').with(
             ensure: 'present',
-            purge: true,
+            purge: false,
             ignore: ['-j cali-FORWARD',
                      '-j KUBE-FORWARD',
                      '-j KUBE-SERVICES'],

spec/defines/exposed_port_spec.rb

@@ -86,14 +86,14 @@
         let(:title) { '400 Who knows' }
         let(:params) { { block: 'developers' } }
 
-        context 'with port "30000-32967"' do
+        context 'with port "30000:32967"' do
           let(:params) do
-            super().merge(port: '30000-32967')
+            super().merge(port: '30000:32967')
           end
 
           it do
             expect(subject).to contain_firewall('400 Who knows: Developers')
-              .with_dport('30000-32967')
+              .with_dport('30000:32967')
           end
         end