X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=site%2Fdellgen10%2Fbaremetal%2Fcalico-ip-rules.yaml;fp=site%2Fdellgen10%2Fbaremetal%2Fcalico-ip-rules.yaml;h=022b17c9da81bb716f7c9794b8937f8edcda6d3a;hb=8e1d108f64f06572790ee4db71bc1d9dd32e82da;hp=0000000000000000000000000000000000000000;hpb=d743ec6c91f97cc9f5b944a8d0a609883440b14e;p=yaml_builds.git
diff --git a/site/dellgen10/baremetal/calico-ip-rules.yaml b/site/dellgen10/baremetal/calico-ip-rules.yaml
new file mode 100644
index 0000000..022b17c
--- /dev/null
+++ b/site/dellgen10/baremetal/calico-ip-rules.yaml
@@ -0,0 +1,160 @@
+---
+##############################################################################
+# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may #
+# not use this file except in compliance with the License. #
+# #
+# You may obtain a copy of the License at #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT #
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+##############################################################################
+
+schema: 'drydock/BootAction/v1'
+metadata:
+ schema: 'metadata/Document/v1'
+ name: calico-ip-rules
+ storagePolicy: 'cleartext'
+ layeringDefinition:
+ abstract: false
+ layer: site
+ labels:
+ application: 'drydock'
+ substitutions:
+ - src:
+ schema: pegleg/CommonAddresses/v1
+ name: common-addresses
+ path: .kubernetes.pod_cidr
+ dest:
+ path: .assets[0].data
+ pattern: DH_SUB_POD_CIDR
+data:
+ signaling: false
+ assets:
+ - path: /etc/systemd/system/configure-ip-rules.service
+ type: unit
+ permissions: '444'
+ data: |-
+ [Unit]
+ Description=IP Rules Initialization Service
+ After=network-online.target local-fs.target
+
+ [Service]
+ Type=simple
+ ExecStart=/opt/configure-ip-rules.sh -g 172.29.1.1 -c 10.98.0.0/16 -s 172.29.1.128/29
+
+ [Install]
+ WantedBy=multi-user.target
+ data_pipeline:
+ - utf8_decode
+ - path: /opt/configure-ip-rules.sh
+ type: file
+ permissions: '700'
+ data_pipeline:
+ - utf8_decode
+ data: |-
+ #!/bin/bash
+ set -ex
+
+ function usage() {
+ cat <&2
+ exit 1
+ ;;
+ :)
+ echo "Missing argument for option: -${OPTARG}" >&2
+ exit 1
+ ;;
+ *)
+ echo "Unimplemented option: -${OPTARG}" >&2
+ exit 1
+ ;;
+ esac
+ done
+ shift $((OPTIND-1))
+
+ if [ "x$POD_CIDR" == "x" ]; then
+ echo "Missing pod CIDR, e.g -c 10.98.0.0/16" >&2
+ usage
+ exit 1
+ fi
+
+ if [ "x$INTERFACE" == "x" ]; then
+ echo "Missing interface, e.g. -i bond1.2006" >&2
+ usage
+ exit 1
+ fi
+
+ while ! ip route list dev "${INTERFACE}" > /dev/null; do
+ echo Waiting for device "${INTERFACE}" to be ready. >&2
+ sleep 5
+ done
+
+ intra_vrrp_ip=$(ip route list dev "${INTERFACE}" | awk '($2~/via/){print $3}' | head -n 1)
+
+ TABLE="1500"
+
+ # Setup a routing table for traffic from service IPs
+ ip route flush table "${TABLE}"
+ ip route add default via "${intra_vrrp_ip}" table "${TABLE}"
+
+ if [ "x$OVERLAP_CIDR" != "x" ]; then
+ # NOTE(mb874d): This is a work-around for nodes not receiving complete
+ # routes via BGP. It may also be required for brownfield large sites.
+ ip route add "${OVERLAP_CIDR}" via "${intra_vrrp_ip}"
+ fi
+
+ if [ "x$SERVICE_CIDR" != "x" ]; then
+ # Traffic from the service IPs to pods should use the pod network.
+ ip rule add \
+ from "${SERVICE_CIDR}" \
+ to "${POD_CIDR}" \
+ lookup main \
+ pref 10000
+ # Other traffic from service IPs should only use the VRRP IP
+ ip rule add \
+ from "${SERVICE_CIDR}" \
+ lookup "${TABLE}" \
+ pref 10100
+ fi
+...
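Review bot: The pod CIDR substitution declared under `substitutions` (`pattern: DH_SUB_POD_CIDR` into `.assets[0].data`) is a no-op, because the unit's ExecStart hard-codes `-c 10.98.0.0/16` and the token never appears in that asset, so a site whose common-addresses `pod_cidr` differs from 10.98.0.0/16 silently gets policy rules for the wrong network; the line should read `ExecStart=/opt/configure-ip-rules.sh -g 172.29.1.1 -c DH_SUB_POD_CIDR -s 172.29.1.128/29`. The same ExecStart passes no `-i`, yet the script exits with "Missing interface" when INTERFACE is empty, so unless the option parser (which the extraction has dropped from this view) sets a default, the service fails on every boot. Separately, the readiness loop only waits for the device to exist, not for a `via` route on it, so `intra_vrrp_ip` can be empty and `ip route add default via "" table 1500` then aborts under `set -e`; looping until that variable is non-empty would be safer. Finally `ip rule add` is not idempotent, so restarting this `Type=simple` unit stacks duplicate pref 10000/10100 rules; deleting any existing rules for the service CIDR first (or using `Type=oneshot` with `RemainAfterExit=yes`) would make reruns safe.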