[yaml_builds.git] / templates / aic-clcp-manifests / baremetal / bootaction.j2

---
##############################################################################
# Copyright © 2018 AT&T Intellectual Property. All rights reserved.          #
#                                                                            #
# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
# not use this file except in compliance with the License.                   #
#                                                                            #
# You may obtain a copy of the License at                                    #
#       http://www.apache.org/licenses/LICENSE-2.0                           #
#                                                                            #
# Unless required by applicable law or agreed to in writing, software        #
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT  #
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.           #
# See the License for the specific language governing permissions and        #
# limitations under the License.                                             #
##############################################################################

schema: 'drydock/BootAction/v1'
metadata:
  schema: 'metadata/Document/v1'
  name: promjoin
  storagePolicy: 'cleartext'
  layeringDefinition:
    abstract: false
    layer: site
  labels:
    application: 'drydock'
data:
  node_filter:
    filter_set_type: 'union'
    filter_set:
      - filter_type: 'union'
        node_names:
{% for server in yaml.servers %}
          - '{{server.name}}'
{% endfor %}
{% raw %}  # TODO(alanmeadows) move what is global about this document - everything except nodenames to global
  assets:
    - path: /opt/promjoin.sh
      type: file
      permissions: '555'
      # TODO(alanmeadows) You must replace the ip= parameter below with the appropriate MaaS network name of the network
      # you should use to contact kubernetes in the case below, this is cab24_mgmt
      location: promenade+http://promenade-api.ucp.svc.cluster.local/api/v1.0/join-scripts?design_ref={{ action.design_ref | urlencode }}&hostname={{ node.hostname }}{% if 'ksn' in node.network %}&ip={{ node.network.ksn.ip }}{% endif %}{% for k, v in node.labels.items() %}&labels.dynamic={{ k }}={{ v }}{% endfor %}
      location_pipeline:
        - template
      data_pipeline:
        - utf8_decode
    - path: /lib/systemd/system/promjoin.service
      type: unit
      permissions: '600'
      data: |-
        W1VuaXRdCkRlc2NyaXB0aW9uPVByb21lbmFkZSBJbml0aWFsaXphdGlvbiBTZXJ2aWNlCkFmdGVy
        PW5ldHdvcmstb25saW5lLnRhcmdldCBsb2NhbC1mcy50YXJnZXQKQ29uZGl0aW9uUGF0aEV4aXN0
        cz0hL3Zhci9saWIvcHJvbS5kb25lCgpbU2VydmljZV0KVHlwZT1zaW1wbGUKRXhlY1N0YXJ0PS9v
        cHQvcHJvbWpvaW4uc2gKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldAo=
      data_pipeline:
        - base64_decode
        - utf8_decode
{% endraw %}
---
schema: 'drydock/BootAction/v1'
metadata:
  schema: 'metadata/Document/v1'
  name: calico-ip-rules
  storagePolicy: 'cleartext'
  layeringDefinition:
    abstract: false
    layer: site
  labels:
    application: 'drydock'
  substitutions:
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .kubernetes.pod_cidr
      dest:
        path: .assets[0].data
        pattern: DH_SUB_POD_CIDR
data:
  signaling: false
  assets:
    - path: /etc/systemd/system/configure-ip-rules.service
      type: unit
      permissions: '444'
      data: |-
        [Unit]
        Description=IP Rules Initialization Service
        After=network-online.target local-fs.target

        [Service]
        Type=simple
        ExecStart=/opt/configure-ip-rules.sh -g {{yaml.networks.ksn.vrrp_ip}} -c {{yaml.kubernetes.pod_cidr}} -s {{yaml.networks.ksn.additional_cidrs | first}}

        [Install]
        WantedBy=multi-user.target
      data_pipeline:
        - utf8_decode
    - path: /opt/configure-ip-rules.sh
      type: file
      permissions: '700'
      data_pipeline:
        - utf8_decode
      data: |-
        #!/bin/bash
        set -ex

        function usage() {
            cat <<EOU
        Options are:

          -c POD_CIDR     The pod CIDR for the Kubernetes cluster, e.g. {{yaml.kubernetes.pod_cidr}}
          -i INTERFACE    The interface for internal pod traffic, e.g. bond1.2006
          -o OVERLAP_CIDR (optional) This CIDR will be routed via the VRRP IP on
                          INTERFACE.  It is used to provide a work around when
                          complete Calico routes cannot be received via BGP.
                          e.g. 10.96.0.0/15.  NOTE: This must include the POD_CIDR.
          -s SERVICE_CIDR (optional) A routable CIDR to configure for ingress, maas,
                          e.g. 135.21.99.192/29
        EOU
        }

        SERVICE_CIDR=
        OVERLAP_CIDR=

        while getopts ":c:hi:o:s:" o; do
            case "${o}" in
                c)
                    POD_CIDR=${OPTARG}
                    ;;
                h)
                    usage
                    exit 0
                    ;;
                i)
                    INTERFACE=${OPTARG}
                    ;;
                o)
                    OVERLAP_CIDR=${OPTARG}
                    ;;
                s)
                    SERVICE_CIDR=${OPTARG}
                    ;;
                \?)
                    echo "Unknown option: -${OPTARG}" >&2
                    exit 1
                    ;;
                :)
                    echo "Missing argument for option: -${OPTARG}" >&2
                    exit 1
                    ;;
                *)
                    echo "Unimplemented option: -${OPTARG}" >&2
                    exit 1
                    ;;
            esac
        done
        shift $((OPTIND-1))

        if [ "x$POD_CIDR" == "x" ]; then
            echo "Missing pod CIDR, e.g -c {{yaml.kubernetes.pod_cidr}}" >&2
            usage
            exit 1
        fi

        if [ "x$INTERFACE" == "x" ]; then
            echo "Missing interface, e.g. -i bond1.2006" >&2
            usage
            exit 1
        fi

        while ! ip route list dev "${INTERFACE}" > /dev/null; do
            echo Waiting for device "${INTERFACE}" to be ready. >&2
            sleep 5
        done

        intra_vrrp_ip=$(ip route list dev "${INTERFACE}" | awk '($2~/via/){print $3}' | head -n 1)

        TABLE="1500"

        # Setup a routing table for traffic from service IPs
        ip route flush table "${TABLE}"
        ip route add default via "${intra_vrrp_ip}" table "${TABLE}"

        if [ "x$OVERLAP_CIDR" != "x" ]; then
            # NOTE(mb874d): This is a work-around for nodes not receiving complete
            # routes via BGP.  It may also be required for brownfield large sites.
            ip route add "${OVERLAP_CIDR}" via "${intra_vrrp_ip}"
        fi

        if [ "x$SERVICE_CIDR" != "x" ]; then
            # Traffic from the service IPs to pods should use the pod network.
            ip rule add \
                from "${SERVICE_CIDR}" \
                to "${POD_CIDR}" \
                lookup main \
                pref 10000
            # Other traffic from service IPs should only use the VRRP IP
            ip rule add \
                from "${SERVICE_CIDR}" \
                lookup "${TABLE}" \
                pref 10100
        fi
---
schema: 'drydock/BootAction/v1'
metadata:
  schema: 'metadata/Document/v1'
  name: i40evf_blacklist
  storagePolicy: 'cleartext'
  layeringDefinition:
    abstract: false
    layer: site
  labels:
    application: 'drydock'
data:
  assets:
    - path: /etc/modprobe.d/sriov_blacklist.conf
      type: file
      permissions: '644'
      data_pipeline:
        - utf8_decode
      data: |
        blacklist i40evf
...