airship
/
treasuremap
Code Issues Proposed changes
treasuremap/global/software/charts/kubernetes/container-networking/bird-templates.yaml

624 lines
21 KiB
YAML
Raw Blame History

---
schema: deckhand/DataSchema/v1
metadata:
schema: metadata/Document/v1
name: bird-cfg-template
labels:
name: bird-cfg-template
layeringDefinition:
abstract: false
layer: global
storagePolicy: cleartext
data: |
# Generated by confd
# AT&T {
{{- $extensions := json (getv "/global/extensions" "{}") }}
{{- $ipv4AdditionalCIDRs := split (or $extensions.ipv4AdditionalCIDRs "") "," }}
{{- $ipv4CommunityCIDRRef := json (or $extensions.ipv4CommunityCIDRRef "{}") }}
function osh_filters()
{
{{- range $ipv4AdditionalCIDRs }}
{{/* go has annoying behavior where splitting an empty string returns an array of length 1 containing an empty string, so filter out any empty strings */}}
{{- if ne . "" }}
if ( net ~ {{ . }} ) then { accept; }
{{- end }}
{{- end }}
}
function apply_communities ()
{
# Set community value based on dictionary of cidrs
{{- range $ipv4CommunityCIDRRef }}
{{- $community := .community }}
{{- $cidr := .cidr }}
{{- if .prefix }}
if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ .prefix }}, {{ $community }})); }
{{- else }}
{{/* Add the AS number */}}
{{- $node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}
if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{if exists $node_as_key}}{{getv $node_as_key}}{{else}}{{getv "/global/as_num"}}{{end}}, {{ $community }})); }
{{- end }}
{{- end }}
}
# } # AT&T
include "bird_aggr.cfg";
include "bird_ipam.cfg";
{{- $node_ip_key := printf "/host/%s/ip_addr_v4" (getenv "NODENAME")}}{{$node_ip := getv $node_ip_key}}
{{- $router_id := getenv "CALICO_ROUTER_ID" ""}}
{{- $node_name := getenv "NODENAME"}}
router id {{if eq "hash" ($router_id) -}}
{{hashToIPv4 $node_name}};
{{- else -}}
{{if ne "" ($router_id)}}{{$router_id}}{{else}}{{$node_ip}}{{end}};
{{- end}}
{{- define "LOGGING"}}
{{- $node_logging_key := printf "/host/%s/loglevel" (getenv "NODENAME")}}
{{- if exists $node_logging_key}}
{{- $logging := getv $node_logging_key}}
{{- if eq $logging "debug"}}
debug all;
{{- else if ne $logging "none"}}
debug { states };
{{- end}}
{{- else if exists "/global/loglevel"}}
{{- $logging := getv "/global/loglevel"}}
{{- if eq $logging "debug"}}
debug all;
{{- else if ne $logging "none"}}
debug { states };
{{- end}}
{{- else}}
debug { states };
{{- end}}
{{- end}}
# Configure synchronization between routing tables and kernel.
protocol kernel {
learn; # Learn all alien routes from the kernel
persist; # Don't remove routes on bird shutdown
scan time 2; # Scan kernel routing table every 2 seconds
import all;
export filter calico_kernel_programming; # Default is export none
graceful restart; # Turn on graceful restart to reduce potential flaps in
# routes when reloading BIRD configuration. With a full
# automatic mesh, there is no way to prevent BGP from
# flapping since multiple nodes update their BGP
# configuration at the same time, GR is not guaranteed to
# work correctly in this scenario.
}
# Watch interface up/down events.
protocol device {
{{- template "LOGGING"}}
scan time 2; # Scan interfaces every 2 seconds
}
protocol direct {
{{- template "LOGGING"}}
interface -"cali*", "*"; # Exclude cali* but include everything else.
}
{{if eq "" ($node_ip)}}# IPv4 disabled on this node.
{{else}}{{$node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}
# Template for all BGP clients
template bgp bgp_template {
{{- $as_key := or (and (exists $node_as_key) $node_as_key) "/global/as_num"}}
{{- $node_as_num := getv $as_key}}
{{- template "LOGGING"}}
description "Connection to BGP peer";
local as {{$node_as_num}};
multihop;
gateway recursive; # This should be the default, but just in case.
import all; # Import all routes, since we don't know what the upstream
# topology is and therefore have to trust the ToR/RR.
export filter calico_export_to_bgp_peers; # Only want to export routes for workloads.
source address {{$node_ip}}; # The local address we use for the TCP connection
add paths on;
graceful restart; # See comment in kernel section about graceful restart.
connect delay time 2;
connect retry time 5;
error wait time 5,30;
}
# ------------- Node-to-node mesh -------------
{{- $node_cid_key := printf "/host/%s/rr_cluster_id" (getenv "NODENAME")}}
{{- $node_cluster_id := getv $node_cid_key}}
{{- if ne "" ($node_cluster_id)}}
# This node is configured as a route reflector with cluster ID {{$node_cluster_id}};
# ignore node-to-node mesh setting.
{{- else}}
{{if (json (getv "/global/node_mesh")).enabled}}
{{range $host := lsdir "/host"}}
{{$onode_as_key := printf "/host/%s/as_num" .}}
{{$onode_ip_key := printf "/host/%s/ip_addr_v4" .}}{{if exists $onode_ip_key}}{{$onode_ip := getv $onode_ip_key}}
{{$nums := split $onode_ip "."}}{{$id := join $nums "_"}}
# For peer {{$onode_ip_key}}
{{if eq $onode_ip ($node_ip) }}# Skipping ourselves ({{$node_ip}})
{{else if ne "" $onode_ip}}protocol bgp Mesh_{{$id}} from bgp_template {
neighbor {{$onode_ip}} as {{if exists $onode_as_key}}{{getv $onode_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};
{{- /*
Make the peering unidirectional. This avoids a race where
- peer A opens a connection and begins a graceful restart
- before the restart completes, peer B opens its connection
- peer A sees the new connection and aborts the graceful restart, causing a route flap.
*/ -}}
{{if gt $onode_ip $node_ip}}
passive on; # Mesh is unidirectional, peer will connect to us.
{{- end}}
}{{end}}{{end}}{{end}}
{{else}}
# Node-to-node mesh disabled
{{end}}
{{- end}}
# ------------- Global peers -------------
{{if ls "/global/peer_v4"}}
{{range gets "/global/peer_v4/*"}}{{$data := json .Value}}
{{$nums := split $data.ip "."}}{{$id := join $nums "_"}}
# For peer {{.Key}}
{{- if eq $data.ip ($node_ip) }}
# Skipping ourselves ({{$node_ip}})
{{- else}}
protocol bgp Global_{{$id}} from bgp_template {
neighbor {{$data.ip}} as {{$data.as_num}};
{{- if and (eq $data.as_num $node_as_num) (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}
rr client;
rr cluster id {{$node_cluster_id}};
{{- end}}
}
{{- end}}
{{end}}
{{else}}# No global peers configured.{{end}}
# ------------- Node-specific peers -------------
{{$node_peers_key := printf "/host/%s/peer_v4" (getenv "NODENAME")}}
{{if ls $node_peers_key}}
{{range gets (printf "%s/*" $node_peers_key)}}{{$data := json .Value}}
{{$nums := split $data.ip "."}}{{$id := join $nums "_"}}
# For peer {{.Key}}
{{- if eq $data.ip ($node_ip) }}
# Skipping ourselves ({{$node_ip}})
{{- else}}
protocol bgp Node_{{$id}} from bgp_template {
neighbor {{$data.ip}} as {{$data.as_num}};
{{- if and (eq $data.as_num $node_as_num) (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}
rr client;
rr cluster id {{$node_cluster_id}};
{{- end}}
}
{{- end}}
{{end}}
{{else}}# No node-specific peers configured.{{end}}
{{end}}{{/* End of IPv4 enable check */}}
---
schema: deckhand/DataSchema/v1
metadata:
schema: metadata/Document/v1
name: bird-aggr-cfg-template
labels:
name: bird-aggr-cfg-template
layeringDefinition:
abstract: false
layer: global
storagePolicy: cleartext
data: |
# Generated by confd
{{- $block_key := printf "/calico/ipam/v2/host/%s/ipv4/block" (getenv "NODENAME")}}
{{- $static_key := "/calico/staticroutes"}}
{{if or (ls $block_key) (ls $static_key)}}
protocol static {
{{- if ls $block_key}}
# IP blocks for this host.
{{- range ls $block_key}}
{{- $parts := split . "-"}}
{{- $cidr := join $parts "/"}}
route {{$cidr}} blackhole;
{{- end}}
{{- end}}
{{- if ls $static_key}}
# Static routes.
{{- range ls $static_key}}
{{- $parts := split . "-"}}
{{- $cidr := join $parts "/"}}
route {{$cidr}} blackhole;
{{- end}}
{{- end}}
}
{{else}}# No IP blocks or static routes for this host.{{end}}
# Aggregation of routes on this host; export the block, nothing beneath it.
function calico_aggr ()
{
{{- range ls $block_key}}
{{- $parts := split . "-"}}
{{- $cidr := join $parts "/"}}
{{- $affinity := json (getv (printf "%s/%s" $block_key .))}}
{{- if $affinity.state}}
# Block {{$cidr}} is {{$affinity.state}}
{{- if eq $affinity.state "confirmed"}}
if ( net = {{$cidr}} ) then { accept; }
if ( net ~ {{$cidr}} ) then { reject; }
{{- end}}
{{- else }}
# Block {{$cidr}} is implicitly confirmed.
if ( net = {{$cidr}} ) then { accept; }
if ( net ~ {{$cidr}} ) then { reject; }
{{- end }}
{{- end}}
}
---
schema: deckhand/DataSchema/v1
metadata:
schema: metadata/Document/v1
name: bird-ipam-cfg-template
labels:
name: bird-ipam-cfg-template
layeringDefinition:
abstract: false
layer: global
storagePolicy: cleartext
data: |
# Generated by confd
filter calico_export_to_bgp_peers {
# AT&T {
apply_communities();
# } # AT&T
calico_aggr();
# AT&T {
osh_filters();
# } # AT&T
{{- $static_key := "/staticroutes"}}
{{- if ls $static_key}}
# Export static routes.
{{- range ls $static_key}}
{{- $parts := split . "-"}}
{{- $cidr := join $parts "/"}}
if ( net ~ {{$cidr}} ) then { accept; }
{{- end}}
{{- end}}
{{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}
if ( net ~ {{$data.cidr}} ) then {
accept;
}
{{- end}}
reject;
}
{{$network_key := printf "/bgp/v1/host/%s/network_v4" (getenv "NODENAME")}}{{if exists $network_key}}{{$network := getv $network_key}}
filter calico_kernel_programming {
{{- $reject_key := "/rejectcidrs"}}
{{- if ls $reject_key}}
# Don't program static routes into kernel.
{{- range ls $reject_key}}
{{- $parts := split . "-"}}
{{- $cidr := join $parts "/"}}
if ( net ~ {{$cidr}} ) then { reject; }
{{- end}}
{{- end}}
{{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}
if ( net ~ {{$data.cidr}} ) then {
{{- if $data.vxlan_mode}}
# Don't program VXLAN routes into the kernel - these are handled by Felix.
reject;
}
{{- else if $data.ipip_mode}}{{if eq $data.ipip_mode "cross-subnet"}}
if defined(bgp_next_hop) && ( bgp_next_hop ~ {{$network}} ) then
krt_tunnel = ""; {{/* Destination in ipPool, mode is cross sub-net, route from-host on subnet, do not use IPIP */}}
else
krt_tunnel = "{{$data.ipip}}"; {{/* Destination in ipPool, mode is cross sub-net, route from-host off subnet, set the tunnel (if IPIP not enabled, value will be "") */}}
accept;
} {{else}}
krt_tunnel = "{{$data.ipip}}"; {{/* Destination in ipPool, mode not cross sub-net, set the tunnel (if IPIP not enabled, value will be "") */}}
accept;
} {{end}} {{else}}
krt_tunnel = "{{$data.ipip}}"; {{/* Destination in ipPool, mode field is not present, set the tunnel (if IPIP not enabled, value will be "") */}}
accept;
} {{end}}
{{end}}
accept; {{/* Destination is not in any ipPool, accept */}}
}
{{else}}
filter calico_kernel_programming { accept; }
{{end}}{{/* End of 'exists $network_key' */}}
---
schema: deckhand/DataSchema/v1
metadata:
schema: metadata/Document/v1
name: bird6-cfg-template
labels:
name: bird6-cfg-template
layeringDefinition:
abstract: false
layer: global
storagePolicy: cleartext
data: |
# Generated by confd
# AT&T {
{{- $extensions := json (getv "/global/extensions" "{}") }}
{{- $ipv6AdditionalCIDRs := split (or $extensions.ipv6AdditionalCIDRs "") "," }}
{{- $ipv6CommunityCIDRRef := json (or $extensions.ipv6CommunityCIDRRef "{}") }}
function osh_filters()
{
{{- range $ipv6AdditionalCIDRs }}
{{/* go has annoying behavior where splitting an empty string returns an array of length 1 containing an empty string, so filter out any empty strings */}}
{{- if ne . "" }}
if ( net ~ {{ . }} ) then { accept; }
{{- end }}
{{- end }}
}
function apply_communities ()
{
# Set community value based on dictionary of cidrs
{{- range $ipv6CommunityCIDRRef }}
{{- $community := .community }}
{{- $cidr := .cidr }}
{{- if .prefix }}
if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{ .prefix }}, {{ $community }})); }
{{- else }}
{{/* Add the AS number */}}
{{- $node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}
if ( net ~ {{ $cidr }} ) then { bgp_community.add(({{if exists $node_as_key}}{{getv $node_as_key}}{{else}}{{getv "/global/as_num"}}{{end}}, {{ $community }})); }
{{- end }}
{{- end }}
}
# } # AT&T
include "bird6_aggr.cfg";
include "bird6_ipam.cfg";
{{- $node_ip_key := printf "/host/%s/ip_addr_v4" (getenv "NODENAME")}}{{$node_ip := getv $node_ip_key}}
{{- $node_ip6_key := printf "/host/%s/ip_addr_v6" (getenv "NODENAME")}}{{$node_ip6 := getv $node_ip6_key}}
{{- $router_id := getenv "CALICO_ROUTER_ID" ""}}
{{- $node_name := getenv "NODENAME"}}
router id {{if eq "hash" ($router_id) -}}
{{hashToIPv4 $node_name}}; # Use IP address generated by nodename's hash
{{- else -}}
{{if ne "" ($router_id)}}{{$router_id}}{{else}}{{$node_ip}}{{end}}; # Use IPv4 address since router id is 4 octets, even in MP-BGP
{{- end}}
{{- define "LOGGING"}}
{{- $node_logging_key := printf "/host/%s/loglevel" (getenv "NODENAME")}}
{{- if exists $node_logging_key}}
{{- $logging := getv $node_logging_key}}
{{- if eq $logging "debug"}}
debug all;
{{- else if ne $logging "none"}}
debug { states };
{{- end}}
{{- else if exists "/global/loglevel"}}
{{- $logging := getv "/global/loglevel"}}
{{- if eq $logging "debug"}}
debug all;
{{- else if ne $logging "none"}}
debug { states };
{{- end}}
{{- else}}
debug { states };
{{- end}}
{{- end}}
# Configure synchronization between routing tables and kernel.
protocol kernel {
learn; # Learn all alien routes from the kernel
persist; # Don't remove routes on bird shutdown
scan time 2; # Scan kernel routing table every 2 seconds
import all;
export all; # Default is export none
graceful restart; # Turn on graceful restart to reduce potential flaps in
# routes when reloading BIRD configuration. With a full
# automatic mesh, there is no way to prevent BGP from
# flapping since multiple nodes update their BGP
# configuration at the same time, GR is not guaranteed to
# work correctly in this scenario.
}
# Watch interface up/down events.
protocol device {
{{- template "LOGGING"}}
scan time 2; # Scan interfaces every 2 seconds
}
protocol direct {
{{- template "LOGGING"}}
interface -"cali*", "*"; # Exclude cali* but include everything else.
}
{{if eq "" ($node_ip6)}}# IPv6 disabled on this node.
{{else}}{{$node_as_key := printf "/host/%s/as_num" (getenv "NODENAME")}}
# Template for all BGP clients
template bgp bgp_template {
{{- $as_key := or (and (exists $node_as_key) $node_as_key) "/global/as_num"}}
{{- $node_as_num := getv $as_key}}
{{- template "LOGGING"}}
description "Connection to BGP peer";
local as {{$node_as_num}};
multihop;
gateway recursive; # This should be the default, but just in case.
import all; # Import all routes, since we don't know what the upstream
# topology is and therefore have to trust the ToR/RR.
export filter calico_export_to_bgp_peers; # Only want to export routes for workloads.
source address {{$node_ip6}}; # The local address we use for the TCP connection
add paths on;
graceful restart; # See comment in kernel section about graceful restart.
connect delay time 2;
connect retry time 5;
error wait time 5,30;
}
# ------------- Node-to-node mesh -------------
{{- $node_cid_key := printf "/host/%s/rr_cluster_id" (getenv "NODENAME")}}
{{- $node_cluster_id := getv $node_cid_key}}
{{- if ne "" ($node_cluster_id)}}
# This node is configured as a route reflector with cluster ID {{$node_cluster_id}};
# ignore node-to-node mesh setting.
{{- else}}
{{if (json (getv "/global/node_mesh")).enabled}}
{{range $host := lsdir "/host"}}
{{$onode_as_key := printf "/host/%s/as_num" .}}
{{$onode_ip_key := printf "/host/%s/ip_addr_v6" .}}{{if exists $onode_ip_key}}{{$onode_ip := getv $onode_ip_key}}
{{$nums := split $onode_ip ":"}}{{$id := join $nums "_"}}
# For peer {{$onode_ip_key}}
{{if eq $onode_ip ($node_ip6) }}# Skipping ourselves ({{$node_ip6}})
{{else if eq "" $onode_ip}}# No IPv6 address configured for this node
{{else}}protocol bgp Mesh_{{$id}} from bgp_template {
neighbor {{$onode_ip}} as {{if exists $onode_as_key}}{{getv $onode_as_key}}{{else}}{{getv "/global/as_num"}}{{end}};
{{- /*
Make the peering unidirectional. This avoids a race where
- peer A opens a connection and begins a graceful restart
- before the restart completes, peer B opens its connection
- peer A sees the new connection and aborts the graceful restart, causing a route flap.
*/ -}}
{{if gt $onode_ip $node_ip6 }}
passive on; # Mesh is unidirectional, peer will connect to us.
{{- end}}
}{{end}}{{end}}{{end}}
{{else}}
# Node-to-node mesh disabled
{{end}}
{{- end}}
# ------------- Global peers -------------
{{if ls "/global/peer_v6"}}
{{range gets "/global/peer_v6/*"}}{{$data := json .Value}}
{{$nums := split $data.ip ":"}}{{$id := join $nums "_"}}
# For peer {{.Key}}
{{- if eq $data.ip ($node_ip6) }}
# Skipping ourselves ({{$node_ip6}})
{{- else}}
protocol bgp Global_{{$id}} from bgp_template {
neighbor {{$data.ip}} as {{$data.as_num}};
{{- if and (eq $data.as_num $node_as_num) (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}
rr client;
rr cluster id {{$node_cluster_id}};
{{- end}}
}
{{- end}}
{{end}}
{{else}}# No global peers configured.{{end}}
# ------------- Node-specific peers -------------
{{$node_peers_key := printf "/host/%s/peer_v6" (getenv "NODENAME")}}
{{if ls $node_peers_key}}
{{range gets (printf "%s/*" $node_peers_key)}}{{$data := json .Value}}
{{$nums := split $data.ip ":"}}{{$id := join $nums "_"}}
# For peer {{.Key}}
{{- if eq $data.ip ($node_ip6) }}
# Skipping ourselves ({{$node_ip6}})
{{- else}}
protocol bgp Node_{{$id}} from bgp_template {
neighbor {{$data.ip}} as {{$data.as_num}};
{{- if and (eq $data.as_num $node_as_num) (ne "" ($node_cluster_id)) (ne $data.rr_cluster_id ($node_cluster_id))}}
rr client;
rr cluster id {{$node_cluster_id}};
{{- end}}
}
{{- end}}
{{end}}
{{else}}# No node-specific peers configured.{{end}}
{{end}}
---
schema: deckhand/DataSchema/v1
metadata:
schema: metadata/Document/v1
name: bird6-aggr-cfg-template
labels:
name: bird6-aggr-cfg-template
layeringDefinition:
abstract: false
layer: global
storagePolicy: cleartext
data: |
# Generated by confd
{{- $block_key := printf "/calico/ipam/v2/host/%s/ipv6/block" (getenv "NODENAME")}}
{{if ls $block_key}}
protocol static {
# IP blocks for this host.
{{- range ls $block_key}}
{{- $parts := split . "-"}}
{{- $cidr := join $parts "/"}}
route {{$cidr}} blackhole;
{{- end}}
}
{{else}}# No IP blocks or static routes for this host.{{end}}
# Aggregation of routes on this host; export the block, nothing beneath it.
function calico_aggr ()
{
{{- range ls $block_key}}
{{- $parts := split . "-"}}
{{- $cidr := join $parts "/"}}
{{- $affinity := json (getv (printf "%s/%s" $block_key .))}}
{{- if $affinity.state}}
# Block {{$cidr}} is {{$affinity.state}}
{{- if eq $affinity.state "confirmed"}}
if ( net = {{$cidr}} ) then { accept; }
if ( net ~ {{$cidr}} ) then { reject; }
{{- end}}
{{- else }}
# Block {{$cidr}} is implicitly confirmed.
if ( net = {{$cidr}} ) then { accept; }
if ( net ~ {{$cidr}} ) then { reject; }
{{- end }}
{{- end}}
}
---
schema: deckhand/DataSchema/v1
metadata:
schema: metadata/Document/v1
name: bird6-ipam-cfg-template
labels:
name: bird6-ipam-cfg-template
layeringDefinition:
abstract: false
layer: global
storagePolicy: cleartext
data: |
# Generated by confd
filter calico_export_to_bgp_peers {
# AT&T {
apply_communities();
# } # AT&T
calico_aggr();
# AT&T {
osh_filters();
# } # AT&T
{{range ls "/pool"}}{{$data := json (getv (printf "/pool/%s" .))}}
if ( net ~ {{$data.cidr}} ) then {
accept;
}
{{end}}
reject;
}
---
schema: deckhand/DataSchema/v1
metadata:
schema: metadata/Document/v1
name: tunl-ip-template
labels:
name: tunl-ip-template
layeringDefinition:
abstract: false
layer: global
storagePolicy: cleartext
data: |
We must dump all pool data to this file to trigger a re-run of the tunnel
address allocation code whenever an IP pool changes.
{{range ls "/pool"}}{{$data := json (getv (printf "/pool/%s" .))}}
{{- if or $data.ipip $data.vxlan_mode}}
{{- if not $data.disabled}}{{$data}}{{end}}
{{- end}}
{{end}}
View Git Blame Copy Permalink