Repurpose vm-infra-bridge functionality to persist iptables rules
Change-Id: I8983b19124c5e15d18d3442195c919a6da5ef5e2 Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
This commit is contained in:
parent
16c0c5080e
commit
025991a2d6
|
@ -0,0 +1,38 @@
|
|||
- op: add
|
||||
path: "/spec/kubeadmConfigSpec/preKubeadmCommands/-"
|
||||
value:
|
||||
systemctl enable --now iptables-setup.service
|
||||
- op: add
|
||||
path: "/spec/kubeadmConfigSpec/files/-"
|
||||
value:
|
||||
path: /etc/systemd/system/iptables-setup.service
|
||||
permissions: "0644"
|
||||
owner: root:root
|
||||
content: |
|
||||
[Unit]
|
||||
Description=Service to setup iptables
|
||||
Wants=network-online.target
|
||||
After=network.target network-online.target
|
||||
|
||||
[Service]
|
||||
User=root
|
||||
WorkingDirectory=/usr/bin
|
||||
ExecStart=/usr/bin/iptables-setup.sh
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
- op: add
|
||||
path: "/spec/kubeadmConfigSpec/files/-"
|
||||
value:
|
||||
path: /usr/bin/iptables-setup.sh
|
||||
permissions: "0744"
|
||||
owner: root:root
|
||||
content: |
|
||||
#!/bin/bash
|
||||
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
|
||||
|
||||
# activate ip_forwarding
|
||||
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
|
||||
iptables -A FORWARD -i REPLACEMENT_VM_INFRA_INTF -j ACCEPT
|
||||
iptables -t nat -A POSTROUTING -s REPLACEMENT_VM_SUBNET_CIDR -o REPLACEMENT_MGMT_INTF -j MASQUERADE
|
||||
exit 0
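Review bot: Both `iptables -A` calls in the script (`-A FORWARD -i REPLACEMENT_VM_INFRA_INTF …` and `-t nat -A POSTROUTING …`) append unconditionally, and the unit declares neither `Type=oneshot` nor `RemainAfterExit=yes`, so any `systemctl start`/`restart` within the same boot stacks a duplicate copy of both rules. Guard each rule with a check, e.g. `iptables -C FORWARD -i REPLACEMENT_VM_INFRA_INTF -j ACCEPT 2>/dev/null || iptables -A FORWARD -i REPLACEMENT_VM_INFRA_INTF -j ACCEPT`, and the same for the nat rule. The unconditional `exit 0` at the end also reports success to systemd when an iptables call fails; dropping it and adding `set -e` after the shebang makes a failed rule visible in the unit status. Since the unit already runs as root (`User=root`), the `sudo tee` for ip_forward is redundant and depends on sudo being installed — `sysctl -w net.ipv4.ip_forward=1` does the same. The worker variant of this script later in the commit (the `+1,37` hunk) has the same idempotency and `exit 0` issues.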
|
|
@ -10,4 +10,4 @@ patchesJson6902:
|
|||
version: v1alpha3
|
||||
kind: KubeadmControlPlane
|
||||
name: cluster-controlplane
|
||||
path: vm-infra-bridge.yaml
|
||||
path: iptables-setup.yaml
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
apiVersion: airshipit.org/v1alpha1
|
||||
kind: ReplacementTransformer
|
||||
metadata:
|
||||
name: iptables-setup-replacements
|
||||
annotations:
|
||||
config.kubernetes.io/function: |-
|
||||
container:
|
||||
image: localhost/replacement-transformer
|
||||
replacements:
|
||||
- source:
|
||||
objref:
|
||||
kind: VariableCatalogue
|
||||
name: vm-networking
|
||||
fieldref: spec.vm_infra.host_oam_interface
|
||||
target:
|
||||
objref:
|
||||
kind: KubeadmControlPlane
|
||||
fieldrefs:
|
||||
- "spec.kubeadmConfigSpec.files[path=/usr/bin/iptables-setup.sh].content%REPLACEMENT_MGMT_INTF%"
|
||||
- source:
|
||||
objref:
|
||||
kind: VariableCatalogue
|
||||
name: vm-networking
|
||||
fieldref: spec.vm_infra.vm_interface
|
||||
target:
|
||||
objref:
|
||||
kind: KubeadmControlPlane
|
||||
fieldrefs:
|
||||
- "spec.kubeadmConfigSpec.files[path=/usr/bin/iptables-setup.sh].content%REPLACEMENT_VM_INFRA_INTF%"
|
||||
- source:
|
||||
objref:
|
||||
kind: VariableCatalogue
|
||||
name: vm-networking
|
||||
fieldref: spec.vm_infra.vm_subnet_cidr
|
||||
target:
|
||||
objref:
|
||||
kind: KubeadmControlPlane
|
||||
fieldrefs:
|
||||
- "spec.kubeadmConfigSpec.files[path=/usr/bin/iptables-setup.sh].content%REPLACEMENT_VM_SUBNET_CIDR%"
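Review bot: The three replacements splice catalogue values straight into the text of `/usr/bin/iptables-setup.sh`, where the tokens appear as unquoted arguments of commands executed as root, so a catalogue value containing whitespace or shell metacharacters would change the command rather than just one argument. The catalogue sits in the same manifest tree, so this is a robustness point rather than a trust-boundary one, but quoting the tokens in the script (`-s "REPLACEMENT_VM_SUBNET_CIDR" -o "REPLACEMENT_MGMT_INTF"`) confines a malformed value to a single argument. Separately, the target objref selects by `kind: KubeadmControlPlane` only, while the JSON6902 patch in this commit is scoped to `name: cluster-controlplane`; if the bundle ever holds a second KubeadmControlPlane without this file the fieldref lookup presumably fails for it, so adding `name: cluster-controlplane` to the objref keeps the two in step. The worker transformer later in the commit (targeting `KubeadmConfigTemplate`, whose patch is scoped to `worker-1`) has the same shape.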
|
|
@ -1,3 +1,3 @@
|
|||
resources:
|
||||
- ../../k8scontrol-ha/replacements
|
||||
- vm-infra-bridge.yaml
|
||||
- iptables-setup.yaml
|
||||
|
|
|
@ -1,49 +0,0 @@
|
|||
apiVersion: airshipit.org/v1alpha1
|
||||
kind: ReplacementTransformer
|
||||
metadata:
|
||||
name: vm-infra-bridge-replacements
|
||||
annotations:
|
||||
config.kubernetes.io/function: |-
|
||||
container:
|
||||
image: localhost/replacement-transformer
|
||||
replacements:
|
||||
- source:
|
||||
objref:
|
||||
kind: VariableCatalogue
|
||||
name: vm-networking
|
||||
fieldref: spec.vm_infra_bridge.host_oam_interface
|
||||
target:
|
||||
objref:
|
||||
kind: KubeadmControlPlane
|
||||
fieldrefs:
|
||||
- "spec.kubeadmConfigSpec.files[path=/usr/bin/vm-infra-bridge.sh].content%REPLACEMENT_MGMT_INTF%"
|
||||
- source:
|
||||
objref:
|
||||
kind: VariableCatalogue
|
||||
name: vm-networking
|
||||
fieldref: spec.vm_infra_bridge.vm_interface
|
||||
target:
|
||||
objref:
|
||||
kind: KubeadmControlPlane
|
||||
fieldrefs:
|
||||
- "spec.kubeadmConfigSpec.files[path=/usr/bin/vm-infra-bridge.sh].content%REPLACEMENT_VM_INFRA_INTF%"
|
||||
- source:
|
||||
objref:
|
||||
kind: VariableCatalogue
|
||||
name: vm-networking
|
||||
fieldref: spec.vm_infra_bridge.vm_network
|
||||
target:
|
||||
objref:
|
||||
kind: KubeadmControlPlane
|
||||
fieldrefs:
|
||||
- "spec.kubeadmConfigSpec.files[path=/usr/bin/vm-infra-bridge.sh].content%REPLACEMENT_VM_NETWORK%"
|
||||
- source:
|
||||
objref:
|
||||
kind: VariableCatalogue
|
||||
name: vm-networking
|
||||
fieldref: spec.vm_infra_bridge.vm_network_subnet_mask
|
||||
target:
|
||||
objref:
|
||||
kind: KubeadmControlPlane
|
||||
fieldrefs:
|
||||
- "spec.kubeadmConfigSpec.files[path=/usr/bin/vm-infra-bridge.sh].content%REPLACEMENT_VMNETWORK_SUBNET_MASK%"
|
|
@ -1,64 +0,0 @@
|
|||
- op: add
|
||||
path: "/spec/kubeadmConfigSpec/preKubeadmCommands/-"
|
||||
value:
|
||||
systemctl enable --now vm-infra-bridge.service
|
||||
- op: add
|
||||
path: "/spec/kubeadmConfigSpec/files/-"
|
||||
value:
|
||||
path: /etc/systemd/system/vm-infra-bridge.service
|
||||
permissions: "0644"
|
||||
owner: root:root
|
||||
content: |
|
||||
[Unit]
|
||||
Description=Service to setup vm-infra-bridge and NAT using iptables
|
||||
Wants=network-online.target
|
||||
After=network.target network-online.target
|
||||
|
||||
[Service]
|
||||
User=root
|
||||
WorkingDirectory=/usr/bin
|
||||
ExecStart=/usr/bin/vm-infra-bridge.sh
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
- op: add
|
||||
path: "/spec/kubeadmConfigSpec/files/-"
|
||||
value:
|
||||
path: /usr/bin/vm-infra-bridge.sh
|
||||
permissions: "0744"
|
||||
owner: root:root
|
||||
content: |
|
||||
#!/bin/bash
|
||||
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
|
||||
export DEBCONF_NONINTERACTIVE_SEEN=true
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
|
||||
# activate ip_forwarding
|
||||
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
# retrieve the last octet as the vm-bridge ip addresses will follow
|
||||
# the pattern of <first three octet from the VM_NETWORK>:<last octet from the oam
|
||||
# IP's last octet>
|
||||
octet=$(ip addr show dev REPLACEMENT_MGMT_INTF | grep 'inet ' | awk 'NR==1{print $2}' | awk -F "/" '{print $1}' | awk -F "." '{print $4}')
|
||||
# Given the CIDR for oam network is /26 (with 62 possible hosts), the below modulo 44 division
|
||||
# is to ensure that the octet is within the range of the OAM last octet.
|
||||
# TODO : Need to make the modulo value configurable for future release.
|
||||
mgmtoctet=$(($octet % 44))
|
||||
vm_infra_ip_address=$(awk -F"." '{print $1"."$2"."$3"."}'<<<"REPLACEMENT_VM_NETWORK")${mgmtoctet}
|
||||
echo "Going to use ${vm_infra_ip_address}"
|
||||
# convert the subnet information to CIDR format
|
||||
vm_infra_ip_cidr=$(awk -F. '{
|
||||
split($0, octets)
|
||||
for (i in octets) {
|
||||
mask += 8 - log(2**8 - octets[i])/log(2);
|
||||
}
|
||||
print "/" mask
|
||||
}' <<< "REPLACEMENT_VMNETWORK_SUBNET_MASK")
|
||||
# add bridge if it doesn't exist
|
||||
if ! brctl show | grep -q vm-infra-bridge; then
|
||||
brctl addbr vm-infra-bridge
|
||||
ip link set vm-infra-bridge up
|
||||
ip addr add ${vm_infra_ip_address}${vm_infra_ip_cidr} dev vm-infra-bridge
|
||||
brctl addif vm-infra-bridge REPLACEMENT_VM_INFRA_INTF
|
||||
fi;
|
||||
exit 0
|
|
@ -1,2 +0,0 @@
|
|||
resources:
|
||||
- vm-infra-bridge.yaml
|
|
@ -1,49 +0,0 @@
|
|||
apiVersion: airshipit.org/v1alpha1
|
||||
kind: ReplacementTransformer
|
||||
metadata:
|
||||
name: vm-infra-bridge-replacements
|
||||
annotations:
|
||||
config.kubernetes.io/function: |-
|
||||
container:
|
||||
image: localhost/replacement-transformer
|
||||
replacements:
|
||||
- source:
|
||||
objref:
|
||||
kind: VariableCatalogue
|
||||
name: vm-networking
|
||||
fieldref: spec.vm_infra_bridge.host_oam_interface
|
||||
target:
|
||||
objref:
|
||||
kind: KubeadmConfigTemplate
|
||||
fieldrefs:
|
||||
- "spec.template.spec.files[path=/usr/bin/vm-infra-bridge.sh].content%REPLACEMENT_MGMT_INTF%"
|
||||
- source:
|
||||
objref:
|
||||
kind: VariableCatalogue
|
||||
name: vm-networking
|
||||
fieldref: spec.vm_infra_bridge.vm_interface
|
||||
target:
|
||||
objref:
|
||||
kind: KubeadmConfigTemplate
|
||||
fieldrefs:
|
||||
- "spec.template.spec.files[path=/usr/bin/vm-infra-bridge.sh].content%REPLACEMENT_VM_INFRA_INTF%"
|
||||
- source:
|
||||
objref:
|
||||
kind: VariableCatalogue
|
||||
name: vm-networking
|
||||
fieldref: spec.vm_infra_bridge.vm_network
|
||||
target:
|
||||
objref:
|
||||
kind: KubeadmConfigTemplate
|
||||
fieldrefs:
|
||||
- "spec.template.spec.files[path=/usr/bin/vm-infra-bridge.sh].content%REPLACEMENT_VM_NETWORK%"
|
||||
- source:
|
||||
objref:
|
||||
kind: VariableCatalogue
|
||||
name: vm-networking
|
||||
fieldref: spec.vm_infra_bridge.vm_network_subnet_mask
|
||||
target:
|
||||
objref:
|
||||
kind: KubeadmConfigTemplate
|
||||
fieldrefs:
|
||||
- "spec.template.spec.files[path=/usr/bin/vm-infra-bridge.sh].content%REPLACEMENT_VMNETWORK_SUBNET_MASK%"
|
|
@ -1,64 +0,0 @@
|
|||
- op: add
|
||||
path: "/spec/template/spec/preKubeadmCommands/-"
|
||||
value:
|
||||
systemctl enable --now vm-infra-bridge.service
|
||||
- op: add
|
||||
path: "/spec/template/spec/files/-"
|
||||
value:
|
||||
path: /etc/systemd/system/vm-infra-bridge.service
|
||||
permissions: "0644"
|
||||
owner: root:root
|
||||
content: |
|
||||
[Unit]
|
||||
Description=Service to setup vm-infra-bridge and NAT using iptables
|
||||
Wants=network-online.target
|
||||
After=network.target network-online.target
|
||||
|
||||
[Service]
|
||||
User=root
|
||||
WorkingDirectory=/usr/bin
|
||||
ExecStart=/usr/bin/vm-infra-bridge.sh
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
- op: add
|
||||
path: "/spec/template/spec/files/-"
|
||||
value:
|
||||
path: /usr/bin/vm-infra-bridge.sh
|
||||
permissions: "0744"
|
||||
owner: root:root
|
||||
content: |
|
||||
#!/bin/bash
|
||||
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
|
||||
export DEBCONF_NONINTERACTIVE_SEEN=true
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
|
||||
# activate ip_forwarding
|
||||
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
# retrieve the last octet as the vm-bridge ip addresses will follow
|
||||
# the pattern of <first three octet from the VM_NETWORK>:<last octet from the oam
|
||||
# IP's last octet>
|
||||
octet=$(ip addr show dev REPLACEMENT_MGMT_INTF | grep 'inet ' | awk 'NR==1{print $2}' | awk -F "/" '{print $1}' | awk -F "." '{print $4}')
|
||||
# Given the CIDR for oam network is /26 (with 62 possible hosts), the below modulo 44 division
|
||||
# is to ensure that the octet is within the range of the OAM last octet.
|
||||
# TODO : Need to make the modulo value configurable for future release.
|
||||
mgmtoctet=$(($octet % 44))
|
||||
vm_infra_ip_address=$(awk -F"." '{print $1"."$2"."$3"."}'<<<"REPLACEMENT_VM_NETWORK")${mgmtoctet}
|
||||
echo "Going to use ${vm_infra_ip_address}"
|
||||
# convert the subnet information to CIDR format
|
||||
vm_infra_ip_cidr=$(awk -F. '{
|
||||
split($0, octets)
|
||||
for (i in octets) {
|
||||
mask += 8 - log(2**8 - octets[i])/log(2);
|
||||
}
|
||||
print "/" mask
|
||||
}' <<< "REPLACEMENT_VMNETWORK_SUBNET_MASK")
|
||||
# add bridge if it doesn't exist
|
||||
if ! brctl show | grep -q vm-infra-bridge; then
|
||||
brctl addbr vm-infra-bridge
|
||||
ip link set vm-infra-bridge up
|
||||
ip addr add ${vm_infra_ip_address}${vm_infra_ip_cidr} dev vm-infra-bridge
|
||||
brctl addif vm-infra-bridge REPLACEMENT_VM_INFRA_INTF
|
||||
fi;
|
||||
exit 0
|
|
@ -0,0 +1,37 @@
|
|||
- op: add
|
||||
path: "/spec/template/spec/preKubeadmCommands/-"
|
||||
value:
|
||||
systemctl enable --now iptables-setup.service
|
||||
- op: add
|
||||
path: "/spec/template/spec/files/-"
|
||||
value:
|
||||
path: /etc/systemd/system/iptables-setup.service
|
||||
permissions: "0644"
|
||||
owner: root:root
|
||||
content: |
|
||||
[Unit]
|
||||
Description=Service to setup iptables
|
||||
Wants=network-online.target
|
||||
After=network.target network-online.target
|
||||
|
||||
[Service]
|
||||
User=root
|
||||
WorkingDirectory=/usr/bin
|
||||
ExecStart=/usr/bin/iptables-setup.sh
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
- op: add
|
||||
path: "/spec/template/spec/files/-"
|
||||
value:
|
||||
path: /usr/bin/iptables-setup.sh
|
||||
permissions: "0744"
|
||||
owner: root:root
|
||||
content: |
|
||||
#!/bin/bash
|
||||
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
|
||||
|
||||
# activate ip_forwarding
|
||||
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
|
||||
iptables -t nat -A POSTROUTING -s REPLACEMENT_VM_SUBNET_CIDR -o REPLACEMENT_MGMT_INTF -j MASQUERADE
|
||||
exit 0
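Review bot: The worker script adds only the POSTROUTING MASQUERADE rule, while the control-plane counterpart in this commit also adds `iptables -A FORWARD -i REPLACEMENT_VM_INFRA_INTF -j ACCEPT`; if the host's FORWARD policy is DROP (as some container runtimes and CNIs set it), traffic from the VM interface would be masqueraded on the control plane but never forwarded on workers. If the omission is deliberate (for example because the CNI manages FORWARD on workers), a comment above the nat rule saying so would stop the two scripts from drifting apart; otherwise the same FORWARD rule belongs here too.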
|
|
@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
|||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- ../../../../../airshipctl/manifests/function/workers-capm3
|
||||
- ../../../../airshipctl/manifests/function/workers-capm3
|
||||
|
||||
patchesJson6902:
|
||||
- target:
|
||||
|
@ -10,4 +10,4 @@ patchesJson6902:
|
|||
version: v1alpha3
|
||||
kind: KubeadmConfigTemplate
|
||||
name: worker-1
|
||||
path: vm-infra-bridge.yaml
|
||||
path: iptables-setup.yaml
|
|
@ -0,0 +1,39 @@
|
|||
apiVersion: airshipit.org/v1alpha1
|
||||
kind: ReplacementTransformer
|
||||
metadata:
|
||||
name: iptables-setup-replacements
|
||||
annotations:
|
||||
config.kubernetes.io/function: |-
|
||||
container:
|
||||
image: localhost/replacement-transformer
|
||||
replacements:
|
||||
- source:
|
||||
objref:
|
||||
kind: VariableCatalogue
|
||||
name: vm-networking
|
||||
fieldref: spec.vm_infra.host_oam_interface
|
||||
target:
|
||||
objref:
|
||||
kind: KubeadmConfigTemplate
|
||||
fieldrefs:
|
||||
- "spec.template.spec.files[path=/usr/bin/iptables-setup.sh].content%REPLACEMENT_MGMT_INTF%"
|
||||
- source:
|
||||
objref:
|
||||
kind: VariableCatalogue
|
||||
name: vm-networking
|
||||
fieldref: spec.vm_infra.vm_interface
|
||||
target:
|
||||
objref:
|
||||
kind: KubeadmConfigTemplate
|
||||
fieldrefs:
|
||||
- "spec.template.spec.files[path=/usr/bin/iptables-setup.sh].content%REPLACEMENT_VM_INFRA_INTF%"
|
||||
- source:
|
||||
objref:
|
||||
kind: VariableCatalogue
|
||||
name: vm-networking
|
||||
fieldref: spec.vm_infra.vm_subnet_cidr
|
||||
target:
|
||||
objref:
|
||||
kind: KubeadmConfigTemplate
|
||||
fieldrefs:
|
||||
- "spec.template.spec.files[path=/usr/bin/iptables-setup.sh].content%REPLACEMENT_VM_SUBNET_CIDR%"
|
|
@ -0,0 +1,2 @@
|
|||
resources:
|
||||
- iptables-setup.yaml
|
|
@ -2,8 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
|||
kind: Kustomization
|
||||
resources:
|
||||
- ../../catalogues
|
||||
- ../../../../../function/vm-infra-bridge/dataplane
|
||||
- ../../../../../function/workers-vm-infra
|
||||
|
||||
transformers:
|
||||
- ../../../../../function/vm-infra-bridge/dataplane/replacements
|
||||
- ../../../../../function/workers-vm-infra/replacements
|
||||
- ../../../../../function/workers-capm3/replacements
|
||||
|
|
|
@ -5,8 +5,7 @@ metadata:
|
|||
labels:
|
||||
airshipit.org/deploy-k8s: "false"
|
||||
spec:
|
||||
vm_infra_bridge:
|
||||
vm_infra:
|
||||
host_oam_interface: bond0.61
|
||||
vm_interface: bond0.66
|
||||
vm_network: 192.168.0.0
|
||||
vm_network_subnet_mask: 255.255.240.0
|
||||
vm_subnet_cidr: 192.168.0.0/20
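Review bot: `vm_subnet_cidr` replaces `vm_network`/`vm_network_subnet_mask` and is consumed verbatim as the `-s` argument of an iptables rule, but nothing in the catalogue says so; a comment such as `# CIDR notation; used unmodified as the source match of the NAT rule` above the key would make the expected format explicit. The rename of `vm_infra_bridge` to `vm_infra` is also a breaking change for any other catalogue or transformer still referencing `spec.vm_infra_bridge.*`; this hunk updates one catalogue, so other sites using the old key (if any) need the same change.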
|
||||
|
|