From: Krisztian Lengyel
Date: Mon, 7 Oct 2019 15:56:49 +0000 (+0200)
Subject: Add policy based routing to `caas_oam` network
X-Git-Url: https://gerrit.akraino.org/r/gitweb?p=ta%2Finfra-ansible.git;a=commitdiff_plain;h=05483a058fcc2c8a92890793a75f5b9bbbdc8daa

Add policy based routing to `caas_oam` network

For`caas_oam` network traffic routed only to the gateway (if specified). This will enable cluster external IP connection for pods using this network, and also closes a loophole, which allowed external connectivity for these pods on master nodes. If no gateway specified for `caas_oam` network, then the subnet's first IP address is assumed.

Change-Id: I85fe01fce55b2da18fc80909d189a778e8c8b7c8
Signed-off-by: Krisztian Lengyel
---
diff --git a/roles/baremetal_interface_config/defaults/main.yml b/roles/baremetal_interface_config/defaults/main.yml
index 43da92f..c890741 100644
--- a/roles/baremetal_interface_config/defaults/main.yml
+++ b/roles/baremetal_interface_config/defaults/main.yml
@@ -16,3 +16,5 @@ debug: True
 provider_network_type: []
+caas_oam_routing_table_name: caas_oam
+caas_oam_routing_table_id: 66
diff --git a/roles/baremetal_interface_config/templates/os_net_config.j2 b/roles/baremetal_interface_config/templates/os_net_config.j2
index 8496ab0..1d1bd04 100644
--- a/roles/baremetal_interface_config/templates/os_net_config.j2
+++ b/roles/baremetal_interface_config/templates/os_net_config.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: True
 {# This file is written with conditional check and for loop based indentation. It improved code readability. The output json is not pretty. Run cat | python -m json.tool
@@ -119,6 +120,7 @@ for pretty printing the same.
 {%- for route in routes %} { "ip_netmask": "{{ route.to }}", "next_hop": "{{ route.via }}"
+ {%- if route.table is defined %}, "table": "{{ route.table }}"{% endif %}
 } {% if not loop.last %},{% endif %} {%- endfor %} ]
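Review bot: `caas_oam_routing_table_name` and `caas_oam_routing_table_id: 66` are added to the defaults with no comment on what they are for or what constrains them; the id is later emitted as a `route_table` object, so it lands in the host's routing-table namespace and must not collide with a table already in use there (the reserved ids 0 and 253–255, or any site-specific table). Suggest a comment above the two lines: `# Policy routing table that confines traffic sourced from the caas_oam network; the id must be unique among the host's routing tables (0 and 253-255 are reserved)`. Since these are role defaults, it is also worth stating whether a deployment is expected to override the id, because the same value is referenced by name from the template's rules and by number from its route_table entry.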
@@ -257,6 +259,32 @@ Otherwise it gets configured normally on infra iface configuration in the next l
 {%- if 'routes' in value %}
 {%- set routes = value['routes'] %}
 {%- endif %}
+ {%- if config_phase not in ('setup', 'bootstrapping') -%}
+ {% if 'gateway' in value %}
+ {%- set caas_oam_gw = value['gateway'] %}
+ {% else %}
+ {# Fall back to most popular self IP as gateway #}
+ {%- set caas_oam_gw = value['cidr'] | ipaddr(1) | ipaddr('address') %}
+ {% endif %}
+ {%- set caas_oam_route = {
+ "to": '0.0.0.0/0', "via": caas_oam_gw,
+ "table": caas_oam_routing_table_name} %}
+ {%- if key == 'caas_oam' %}
+ {%- set _ = routes.append(caas_oam_route) %}
+ {%- elif key == 'infra_internal' %}
+ {% set bound_host_networks = [] %}
+ {% for host_networks in (host_interface_net_mapping.keys() | map('extract', host_interface_net_mapping)| list) %}
+ {% set _ = bound_host_networks.extend(host_networks) %}
+ {% endfor %}
+ {%- if 'caas_oam' not in bound_host_networks %}
+ {%- set _ = routes.append(caas_oam_route) %}
+ {%- endif %}
+ {%- set caas_oam_internal_route = {
+ "to": value['cidr'], "via": value['ip'],
+ "table": caas_oam_routing_table_name} %}
+ {%- set _ = routes.append(caas_oam_internal_route) %}
+ {% endif %}
+ {%- endif -%}
 {%- if key == 'infra_external' and 'gateway' in value %}
 {%- if '.' in value['gateway'] %}
 {% set defaultroute = '0.0.0.0/0'%}
@@ -287,6 +315,12 @@ Otherwise it gets configured normally on infra iface configuration in the next l
 {%- if routes %}
 "routes": {{ add_static_routes(routes) }},
 {%- endif %}
+ {%- if config_phase not in ('setup', 'bootstrapping') -%}
+ "rules": [
+ {"rule": "from {{ caas.oam_cidr }} lookup {{ caas_oam_routing_table_name }}"},
+ {"rule": "to {{ caas.oam_cidr }} lookup main"}
+ ],
+ {%- endif -%}
 "use_dhcp": false
 }
 {%- endif %}{#- no dpdk or no cloud tenant -#}
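Review bot: The 26 added lines here are repeated verbatim in the hunk at `@@ -477,6 +511,32 @@`, and the template already factors shared logic into macros (`add_static_routes`), so this belongs in one macro, e.g. `{% macro add_caas_oam_routes(key, value, routes) %}`, called from both places; the enclosing per-network block starts before this hunk. Two behaviours deserve a comment because the code does not make them obvious: in the `infra_internal` branch `caas_oam_gw` is derived from the infra_internal network's gateway or first address rather than the caas_oam network's, so on a host without caas_oam the pods' default route points at whatever the internal gateway forwards to; and `{# Fall back to most popular self IP as gateway #}` should say what it does, e.g. `{# No gateway configured: assume the first usable address of the subnet is the gateway #}`. Note also that an `ip rule ... lookup` falls through to the next rule when the table has no matching route, so the isolation this commit adds only holds if one of these two branches appends a default route on every host; where neither `caas_oam` nor `infra_internal` is present, traffic from the OAM cidr silently uses the main table again, which is the loophole the commit message says it closes. Finally, `routes.append(...)` mutates `value['routes']` in place when the inventory provided one; `{%- set routes = value['routes'] | list %}` on the context line above would keep the caller's data untouched if the template can be rendered more than once per host (I can't tell from here).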
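Review bot: The two `ip rule` entries are added without an explicit priority, so whether `to {{ caas.oam_cidr }} lookup main` is consulted before `from {{ caas.oam_cidr }} lookup {{ caas_oam_routing_table_name }}` for OAM-to-OAM traffic depends on the order in which os-net-config installs them; the same applies to the hunk at `@@ -507,6 +567,12 @@`. Pinning it in the rule string avoids that, e.g. `{"rule": "priority 100 to {{ caas.oam_cidr }} lookup main"}` followed by `{"rule": "priority 101 from {{ caas.oam_cidr }} lookup {{ caas_oam_routing_table_name }}"}`. This `"rules"` block also appears to sit inside a per-interface object (the `"use_dhcp": false` line belongs to the same object, whose opening is outside the hunk), while policy rules are host-global, so if more than one interface renders this block the identical rules are installed repeatedly; gating it on the interface that carries the OAM or internal network (e.g. `key in ('caas_oam', 'infra_internal')`) would avoid that, if that is the intent. A short `{# ... #}` comment stating that these rules force traffic sourced from the OAM cidr into the dedicated table, with OAM-to-OAM traffic kept in main, would help the next reader.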
@@ -477,6 +511,32 @@ Otherwise it gets configured normally on infra iface configuration in the next l
 {%- if 'routes' in value %}
 {%- set routes = value['routes'] %}
 {%- endif %}
+ {%- if config_phase not in ('setup', 'bootstrapping') -%}
+ {% if 'gateway' in value %}
+ {%- set caas_oam_gw = value['gateway'] %}
+ {% else %}
+ {# Fall back to most popular self IP as gateway #}
+ {%- set caas_oam_gw = value['cidr'] | ipaddr(1) | ipaddr('address') %}
+ {% endif %}
+ {%- set caas_oam_route = {
+ "to": '0.0.0.0/0', "via": caas_oam_gw,
+ "table": caas_oam_routing_table_name} %}
+ {%- if key == 'caas_oam' %}
+ {%- set _ = routes.append(caas_oam_route) %}
+ {%- elif key == 'infra_internal' %}
+ {% set bound_host_networks = [] %}
+ {% for host_networks in (host_interface_net_mapping.keys() | map('extract', host_interface_net_mapping)| list) %}
+ {% set _ = bound_host_networks.extend(host_networks) %}
+ {% endfor %}
+ {%- if 'caas_oam' not in bound_host_networks %}
+ {%- set _ = routes.append(caas_oam_route) %}
+ {%- endif %}
+ {%- set caas_oam_internal_route = {
+ "to": value['cidr'], "via": value['ip'],
+ "table": caas_oam_routing_table_name} %}
+ {%- set _ = routes.append(caas_oam_internal_route) %}
+ {% endif %}
+ {%- endif -%}
 {%- if key == 'infra_external' and 'gateway' in value %}
 {%- if '.' in value['gateway'] %}
 {% set defaultroute = '0.0.0.0/0'%}
@@ -507,6 +567,12 @@ Otherwise it gets configured normally on infra iface configuration in the next l
 {%- if routes %}
 "routes": {{ add_static_routes(routes) }},
 {%- endif %}
+ {%- if config_phase not in ('setup', 'bootstrapping') -%}
+ "rules": [
+ {"rule": "from {{ caas.oam_cidr }} lookup {{ caas_oam_routing_table_name }}"},
+ {"rule": "to {{ caas.oam_cidr }} lookup main"}
+ ],
+ {%- endif -%}
 "use_dhcp": false
 }
 {%- endif %}
@@ -581,5 +647,13 @@ Otherwise it gets configured normally on infra iface configuration in the next l
 {%- endif %}
 {%- endfor %}
 {%- endif %}{#- if config_phase != 'setup' -#}
+{%- if config_phase not in ('setup', 'bootstrapping') %}
+ ,
+ {
+ "name": "{{ caas_oam_routing_table_name }}",
+ "type": "route_table",
+ "table_id": {{ caas_oam_routing_table_id }}
+ }
+{%- endif %}
 ]
 }
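Review bot: The leading `,` on the added line assumes that at least one object precedes the new `route_table` entry in the enclosing list, which opens outside this hunk; the context line `{#- if config_phase != 'setup' -#}` suggests the preceding entries are only rendered when `config_phase != 'setup'`, which is narrower than this block's own `not in ('setup', 'bootstrapping')` guard and so likely safe, but that reasoning is invisible to a reader. Suggest a comment such as `{#- at least one interface object is rendered above whenever config_phase != 'setup', so a leading comma is safe -#}`. The entry itself says nothing about why the table exists; a one-line comment that this is the table the `from {{ caas.oam_cidr }}` rule looks up, and that `caas_oam_routing_table_id` must not clash with an existing table on the host, would tie the three hunks together.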