Merge "Repurpose vm-infra-bridge functionality to persist iptables rules"

manifests/function/k8scontrol-vm-infra/iptables-setup.yaml

@@ -0,0 +1,38 @@
+- op: add
+  path: "/spec/kubeadmConfigSpec/preKubeadmCommands/-"
+  value:
+     systemctl enable --now iptables-setup.service
+- op: add
+  path: "/spec/kubeadmConfigSpec/files/-"
+  value:
+    path: /etc/systemd/system/iptables-setup.service
+    permissions: "0644"
+    owner: root:root
+    content: |
+      [Unit]
+      Description=Service to setup iptables
+      Wants=network-online.target
+      After=network.target network-online.target
+
+      [Service]
+      User=root
+      WorkingDirectory=/usr/bin
+      ExecStart=/usr/bin/iptables-setup.sh
+
+      [Install]
+      WantedBy=multi-user.target
+- op: add
+  path: "/spec/kubeadmConfigSpec/files/-"
+  value:
+    path: /usr/bin/iptables-setup.sh
+    permissions: "0744"
+    owner: root:root
+    content: |
+      #!/bin/bash
+      export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
+
+      # activate ip_forwarding
+      echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
+      iptables -A FORWARD -i REPLACEMENT_VM_INFRA_INTF -j ACCEPT
+      iptables -t nat -A POSTROUTING -s REPLACEMENT_VM_SUBNET_CIDR -o REPLACEMENT_MGMT_INTF -j MASQUERADE
+      exit 0

manifests/function/k8scontrol-vm-infra/kustomization.yaml

@@ -10,4 +10,4 @@ patchesJson6902:
     version: v1alpha3
     kind: KubeadmControlPlane
     name: cluster-controlplane
-  path:  vm-infra-bridge.yaml
+  path:  iptables-setup.yaml

manifests/function/k8scontrol-vm-infra/replacements/iptables-setup.yaml

@@ -0,0 +1,39 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: iptables-setup-replacements
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: localhost/replacement-transformer
+replacements:
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: vm-networking
+    fieldref: spec.vm_infra.host_oam_interface
+  target:
+    objref:
+      kind: KubeadmControlPlane
+    fieldrefs:
+      -  "spec.kubeadmConfigSpec.files[path=/usr/bin/iptables-setup.sh].content%REPLACEMENT_MGMT_INTF%"
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: vm-networking
+    fieldref: spec.vm_infra.vm_interface
+  target:
+    objref:
+      kind: KubeadmControlPlane
+    fieldrefs:
+      -  "spec.kubeadmConfigSpec.files[path=/usr/bin/iptables-setup.sh].content%REPLACEMENT_VM_INFRA_INTF%"
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: vm-networking
+    fieldref: spec.vm_infra.vm_subnet_cidr
+  target:
+    objref:
+      kind: KubeadmControlPlane
+    fieldrefs:
+      -  "spec.kubeadmConfigSpec.files[path=/usr/bin/iptables-setup.sh].content%REPLACEMENT_VM_SUBNET_CIDR%"

manifests/function/k8scontrol-vm-infra/replacements/kustomization.yaml

@@ -1,3 +1,3 @@
 resources:
   - ../../k8scontrol-ha/replacements
-  - vm-infra-bridge.yaml
+  - iptables-setup.yaml

manifests/function/k8scontrol-vm-infra/replacements/vm-infra-bridge.yaml

@@ -1,49 +0,0 @@
-apiVersion: airshipit.org/v1alpha1
-kind: ReplacementTransformer
-metadata:
-  name: vm-infra-bridge-replacements
-  annotations:
-    config.kubernetes.io/function: |-
-      container:
-        image: localhost/replacement-transformer
-replacements:
-- source:
-    objref:
-      kind: VariableCatalogue
-      name: vm-networking
-    fieldref: spec.vm_infra_bridge.host_oam_interface
-  target:
-    objref:
-      kind: KubeadmControlPlane
-    fieldrefs:
-      -  "spec.kubeadmConfigSpec.files[path=/usr/bin/vm-infra-bridge.sh].content%REPLACEMENT_MGMT_INTF%"
-- source:
-    objref:
-      kind: VariableCatalogue
-      name: vm-networking
-    fieldref: spec.vm_infra_bridge.vm_interface
-  target:
-    objref:
-      kind: KubeadmControlPlane
-    fieldrefs:
-      -  "spec.kubeadmConfigSpec.files[path=/usr/bin/vm-infra-bridge.sh].content%REPLACEMENT_VM_INFRA_INTF%"
-- source:
-    objref:
-      kind: VariableCatalogue
-      name: vm-networking
-    fieldref: spec.vm_infra_bridge.vm_network
-  target:
-    objref:
-      kind: KubeadmControlPlane
-    fieldrefs:
-      -  "spec.kubeadmConfigSpec.files[path=/usr/bin/vm-infra-bridge.sh].content%REPLACEMENT_VM_NETWORK%"
-- source:
-    objref:
-      kind: VariableCatalogue
-      name: vm-networking
-    fieldref: spec.vm_infra_bridge.vm_network_subnet_mask
-  target:
-    objref:
-      kind: KubeadmControlPlane
-    fieldrefs:
-      -  "spec.kubeadmConfigSpec.files[path=/usr/bin/vm-infra-bridge.sh].content%REPLACEMENT_VMNETWORK_SUBNET_MASK%"

manifests/function/k8scontrol-vm-infra/vm-infra-bridge.yaml

@@ -1,64 +0,0 @@
-- op: add
-  path: "/spec/kubeadmConfigSpec/preKubeadmCommands/-"
-  value:
-     systemctl enable --now vm-infra-bridge.service
-- op: add
-  path: "/spec/kubeadmConfigSpec/files/-"
-  value:
-    path: /etc/systemd/system/vm-infra-bridge.service
-    permissions: "0644"
-    owner: root:root
-    content: |
-      [Unit]
-      Description=Service to setup vm-infra-bridge and NAT using iptables
-      Wants=network-online.target
-      After=network.target network-online.target
-
-      [Service]
-      User=root
-      WorkingDirectory=/usr/bin
-      ExecStart=/usr/bin/vm-infra-bridge.sh
-
-      [Install]
-      WantedBy=multi-user.target
-- op: add
-  path: "/spec/kubeadmConfigSpec/files/-"
-  value:
-    path: /usr/bin/vm-infra-bridge.sh
-    permissions: "0744"
-    owner: root:root
-    content: |
-      #!/bin/bash
-      export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
-      export DEBCONF_NONINTERACTIVE_SEEN=true
-      export DEBIAN_FRONTEND=noninteractive
-
-      # activate ip_forwarding
-      echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
-
-      # retrieve the last octet as the vm-bridge ip addresses will follow
-      # the pattern of  <first three octet from the VM_NETWORK>:<last octet from the oam
-      # IP's last octet>
-      octet=$(ip addr show dev REPLACEMENT_MGMT_INTF | grep 'inet ' | awk 'NR==1{print $2}' | awk -F "/" '{print $1}' | awk -F "." '{print $4}')
-      # Given the CIDR for oam network is /26 (with 62 possible hosts), the below modulo 44 division
-      # is to ensure that the octet is within the range of the OAM last octet.
-      # TODO : Need to make the modulo value configurable for future release.
-      mgmtoctet=$(($octet % 44))
-      vm_infra_ip_address=$(awk -F"." '{print $1"."$2"."$3"."}'<<<"REPLACEMENT_VM_NETWORK")${mgmtoctet}
-      echo "Going to use ${vm_infra_ip_address}"
-      # convert the subnet information to CIDR format
-      vm_infra_ip_cidr=$(awk -F. '{
-                  split($0, octets)
-                  for (i in octets) {
-                    mask += 8 - log(2**8 - octets[i])/log(2);
-                    }
-                    print "/" mask
-                   }' <<< "REPLACEMENT_VMNETWORK_SUBNET_MASK")
-      # add bridge if it doesn't exist
-      if ! brctl show | grep -q vm-infra-bridge; then
-           brctl addbr vm-infra-bridge
-           ip link set vm-infra-bridge up
-           ip addr add  ${vm_infra_ip_address}${vm_infra_ip_cidr} dev vm-infra-bridge
-           brctl addif vm-infra-bridge REPLACEMENT_VM_INFRA_INTF
-      fi;
-      exit 0

manifests/function/vm-infra-bridge/dataplane/replacements/kustomization.yaml

@@ -1,2 +0,0 @@
-resources:
-  - vm-infra-bridge.yaml

manifests/function/vm-infra-bridge/dataplane/replacements/vm-infra-bridge.yaml

@@ -1,49 +0,0 @@
-apiVersion: airshipit.org/v1alpha1
-kind: ReplacementTransformer
-metadata:
-  name: vm-infra-bridge-replacements
-  annotations:
-    config.kubernetes.io/function: |-
-      container:
-        image: localhost/replacement-transformer
-replacements:
-- source:
-    objref:
-      kind: VariableCatalogue
-      name: vm-networking
-    fieldref: spec.vm_infra_bridge.host_oam_interface
-  target:
-    objref:
-      kind: KubeadmConfigTemplate
-    fieldrefs:
-      -  "spec.template.spec.files[path=/usr/bin/vm-infra-bridge.sh].content%REPLACEMENT_MGMT_INTF%"
-- source:
-    objref:
-      kind: VariableCatalogue
-      name: vm-networking
-    fieldref: spec.vm_infra_bridge.vm_interface
-  target:
-    objref:
-      kind: KubeadmConfigTemplate
-    fieldrefs:
-      -  "spec.template.spec.files[path=/usr/bin/vm-infra-bridge.sh].content%REPLACEMENT_VM_INFRA_INTF%"
-- source:
-    objref:
-      kind: VariableCatalogue
-      name: vm-networking
-    fieldref: spec.vm_infra_bridge.vm_network
-  target:
-    objref:
-      kind: KubeadmConfigTemplate
-    fieldrefs:
-      -  "spec.template.spec.files[path=/usr/bin/vm-infra-bridge.sh].content%REPLACEMENT_VM_NETWORK%"
-- source:
-    objref:
-      kind: VariableCatalogue
-      name: vm-networking
-    fieldref: spec.vm_infra_bridge.vm_network_subnet_mask
-  target:
-    objref:
-      kind: KubeadmConfigTemplate
-    fieldrefs:
-      -  "spec.template.spec.files[path=/usr/bin/vm-infra-bridge.sh].content%REPLACEMENT_VMNETWORK_SUBNET_MASK%"

manifests/function/vm-infra-bridge/dataplane/vm-infra-bridge.yaml

@@ -1,64 +0,0 @@
-- op: add
-  path: "/spec/template/spec/preKubeadmCommands/-"
-  value:
-     systemctl enable --now vm-infra-bridge.service
-- op: add
-  path: "/spec/template/spec/files/-"
-  value:
-    path: /etc/systemd/system/vm-infra-bridge.service
-    permissions: "0644"
-    owner: root:root
-    content: |
-      [Unit]
-      Description=Service to setup vm-infra-bridge and NAT using iptables
-      Wants=network-online.target
-      After=network.target network-online.target
-
-      [Service]
-      User=root
-      WorkingDirectory=/usr/bin
-      ExecStart=/usr/bin/vm-infra-bridge.sh
-
-      [Install]
-      WantedBy=multi-user.target
-- op: add
-  path: "/spec/template/spec/files/-"
-  value:
-    path: /usr/bin/vm-infra-bridge.sh
-    permissions: "0744"
-    owner: root:root
-    content: |
-      #!/bin/bash
-      export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
-      export DEBCONF_NONINTERACTIVE_SEEN=true
-      export DEBIAN_FRONTEND=noninteractive
-
-      # activate ip_forwarding
-      echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
-
-      # retrieve the last octet as the vm-bridge ip addresses will follow
-      # the pattern of  <first three octet from the VM_NETWORK>:<last octet from the oam
-      # IP's last octet>
-      octet=$(ip addr show dev REPLACEMENT_MGMT_INTF | grep 'inet ' | awk 'NR==1{print $2}' | awk -F "/" '{print $1}' | awk -F "." '{print $4}')
-      # Given the CIDR for oam network is /26 (with 62 possible hosts), the below modulo 44 division
-      # is to ensure that the octet is within the range of the OAM last octet.
-      # TODO : Need to make the modulo value configurable for future release.
-      mgmtoctet=$(($octet % 44))
-      vm_infra_ip_address=$(awk -F"." '{print $1"."$2"."$3"."}'<<<"REPLACEMENT_VM_NETWORK")${mgmtoctet}
-      echo "Going to use ${vm_infra_ip_address}"
-      # convert the subnet information to CIDR format
-      vm_infra_ip_cidr=$(awk -F. '{
-                  split($0, octets)
-                  for (i in octets) {
-                    mask += 8 - log(2**8 - octets[i])/log(2);
-                    }
-                    print "/" mask
-                   }' <<< "REPLACEMENT_VMNETWORK_SUBNET_MASK")
-      # add bridge if it doesn't exist
-      if ! brctl show | grep -q vm-infra-bridge; then
-           brctl addbr vm-infra-bridge
-           ip link set vm-infra-bridge up
-           ip addr add  ${vm_infra_ip_address}${vm_infra_ip_cidr} dev vm-infra-bridge
-           brctl addif vm-infra-bridge REPLACEMENT_VM_INFRA_INTF
-      fi;
-      exit 0

manifests/function/workers-vm-infra/iptables-setup.yaml

@@ -0,0 +1,37 @@
+- op: add
+  path: "/spec/template/spec/preKubeadmCommands/-"
+  value:
+     systemctl enable --now iptables-setup.service
+- op: add
+  path: "/spec/template/spec/files/-"
+  value:
+    path: /etc/systemd/system/iptables-setup.service
+    permissions: "0644"
+    owner: root:root
+    content: |
+      [Unit]
+      Description=Service to setup iptables
+      Wants=network-online.target
+      After=network.target network-online.target
+
+      [Service]
+      User=root
+      WorkingDirectory=/usr/bin
+      ExecStart=/usr/bin/iptables-setup.sh
+
+      [Install]
+      WantedBy=multi-user.target
+- op: add
+  path: "/spec/template/spec/files/-"
+  value:
+    path: /usr/bin/iptables-setup.sh
+    permissions: "0744"
+    owner: root:root
+    content: |
+      #!/bin/bash
+      export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
+
+      # activate ip_forwarding
+      echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
+      iptables -t nat -A POSTROUTING -s REPLACEMENT_VM_SUBNET_CIDR -o REPLACEMENT_MGMT_INTF -j MASQUERADE
+      exit 0

manifests/function/workers-vm-infra/kustomization.yaml

@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- ../../../../../airshipctl/manifests/function/workers-capm3
+- ../../../../airshipctl/manifests/function/workers-capm3
 
 patchesJson6902:
 - target:
@@ -10,4 +10,4 @@ patchesJson6902:
     version: v1alpha3
     kind: KubeadmConfigTemplate
     name: worker-1
-  path: vm-infra-bridge.yaml
+  path: iptables-setup.yaml

manifests/function/workers-vm-infra/replacements/iptables-setup.yaml

@@ -0,0 +1,39 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: iptables-setup-replacements
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: localhost/replacement-transformer
+replacements:
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: vm-networking
+    fieldref: spec.vm_infra.host_oam_interface
+  target:
+    objref:
+      kind: KubeadmConfigTemplate
+    fieldrefs:
+      -  "spec.template.spec.files[path=/usr/bin/iptables-setup.sh].content%REPLACEMENT_MGMT_INTF%"
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: vm-networking
+    fieldref: spec.vm_infra.vm_interface
+  target:
+    objref:
+      kind: KubeadmConfigTemplate
+    fieldrefs:
+      -  "spec.template.spec.files[path=/usr/bin/iptables-setup.sh].content%REPLACEMENT_VM_INFRA_INTF%"
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: vm-networking
+    fieldref: spec.vm_infra.vm_subnet_cidr
+  target:
+    objref:
+      kind: KubeadmConfigTemplate
+    fieldrefs:
+      -  "spec.template.spec.files[path=/usr/bin/iptables-setup.sh].content%REPLACEMENT_VM_SUBNET_CIDR%"

manifests/function/workers-vm-infra/replacements/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - iptables-setup.yaml

manifests/site/virtual-network-cloud/target/workers/provision/kustomization.yaml

@@ -2,8 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../../catalogues
-  - ../../../../../function/vm-infra-bridge/dataplane
+  - ../../../../../function/workers-vm-infra
 
 transformers:
-  - ../../../../../function/vm-infra-bridge/dataplane/replacements
+  - ../../../../../function/workers-vm-infra/replacements
   - ../../../../../function/workers-capm3/replacements

manifests/type/multi-tenant/shared/catalogues/vm-networking.yaml

@@ -5,8 +5,7 @@ metadata:
   labels:
     airshipit.org/deploy-k8s: "false"
 spec:
-  vm_infra_bridge:
+  vm_infra:
      host_oam_interface:  bond0.61
      vm_interface: bond0.66
-     vm_network: 192.168.0.0
-     vm_network_subnet_mask: 255.255.240.0
+     vm_subnet_cidr: 192.168.0.0/20