----
-##############################################################################
-# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. #
-# #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may #
-# not use this file except in compliance with the License. #
-# #
-# You may obtain a copy of the License at #
-# http://www.apache.org/licenses/LICENSE-2.0 #
-# #
-# Unless required by applicable law or agreed to in writing, software #
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT #
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
-# See the License for the specific language governing permissions and #
-# limitations under the License. #
-##############################################################################
-
-schema: 'drydock/BootAction/v1'
-metadata:
- schema: 'metadata/Document/v1'
- name: calico-ip-rules
- storagePolicy: 'cleartext'
- layeringDefinition:
- abstract: false
- layer: site
- labels:
- application: 'drydock'
- substitutions:
- - src:
- schema: pegleg/CommonAddresses/v1
- name: common-addresses
- path: .kubernetes.pod_cidr
- dest:
- path: .assets[0].data
- pattern: DH_SUB_POD_CIDR
-data:
- signaling: false
- assets:
- - path: /etc/systemd/system/configure-ip-rules.service
- type: unit
- permissions: '444'
- data: |-
- [Unit]
- Description=IP Rules Initialization Service
- After=network-online.target local-fs.target
-
- [Service]
- Type=simple
- ExecStart=/opt/configure-ip-rules.sh -g 172.29.1.1 -c 10.99.0.0/16 -s 172.29.1.136/29
-
- [Install]
- WantedBy=multi-user.target
- data_pipeline:
- - utf8_decode
- - path: /opt/configure-ip-rules.sh
- type: file
- permissions: '700'
- data_pipeline:
- - utf8_decode
- data: |-
- #!/bin/bash
- set -ex
-
- function usage() {
- cat <<EOU
- Options are:
-
- -c POD_CIDR The pod CIDR for the Kubernetes cluster, e.g. 10.99.0.0/16
- -i INTERFACE The interface for internal pod traffic, e.g. bond1.2006
- -o OVERLAP_CIDR (optional) This CIDR will be routed via the VRRP IP on
- INTERFACE. It is used to provide a work around when
- complete Calico routes cannot be received via BGP.
- e.g. 10.96.0.0/15. NOTE: This must include the POD_CIDR.
- -s SERVICE_CIDR (optional) A routable CIDR to configure for ingress, maas,
- e.g. 135.21.99.192/29
- EOU
- }
-
- SERVICE_CIDR=
- OVERLAP_CIDR=
-
- while getopts ":c:hi:o:s:" o; do
- case "${o}" in
- c)
- POD_CIDR=${OPTARG}
- ;;
- h)
- usage
- exit 0
- ;;
- i)
- INTERFACE=${OPTARG}
- ;;
- o)
- OVERLAP_CIDR=${OPTARG}
- ;;
- s)
- SERVICE_CIDR=${OPTARG}
- ;;
- \?)
- echo "Unknown option: -${OPTARG}" >&2
- exit 1
- ;;
- :)
- echo "Missing argument for option: -${OPTARG}" >&2
- exit 1
- ;;
- *)
- echo "Unimplemented option: -${OPTARG}" >&2
- exit 1
- ;;
- esac
- done
- shift $((OPTIND-1))
-
- if [ "x$POD_CIDR" == "x" ]; then
- echo "Missing pod CIDR, e.g -c 10.99.0.0/16" >&2
- usage
- exit 1
- fi
-
- if [ "x$INTERFACE" == "x" ]; then
- echo "Missing interface, e.g. -i bond1.2006" >&2
- usage
- exit 1
- fi
-
- while ! ip route list dev "${INTERFACE}" > /dev/null; do
- echo Waiting for device "${INTERFACE}" to be ready. >&2
- sleep 5
- done
-
- intra_vrrp_ip=$(ip route list dev "${INTERFACE}" | awk '($2~/via/){print $3}' | head -n 1)
-
- TABLE="1500"
-
- # Setup a routing table for traffic from service IPs
- ip route flush table "${TABLE}"
- ip route add default via "${intra_vrrp_ip}" table "${TABLE}"
-
- if [ "x$OVERLAP_CIDR" != "x" ]; then
- # NOTE(mb874d): This is a work-around for nodes not receiving complete
- # routes via BGP. It may also be required for brownfield large sites.
- ip route add "${OVERLAP_CIDR}" via "${intra_vrrp_ip}"
- fi
-
- if [ "x$SERVICE_CIDR" != "x" ]; then
- # Traffic from the service IPs to pods should use the pod network.
- ip rule add \
- from "${SERVICE_CIDR}" \
- to "${POD_CIDR}" \
- lookup main \
- pref 10000
- # Other traffic from service IPs should only use the VRRP IP
- ip rule add \
- from "${SERVICE_CIDR}" \
- lookup "${TABLE}" \
- pref 10100
- fi
-...