Merge "Create Calico host endpoint and policies"
ccd7e5a395
|
@ -21,7 +21,7 @@ include ::platform::config
|
|||
include ::platform::users
|
||||
include ::platform::sysctl::controller
|
||||
include ::platform::filesystem::controller
|
||||
include ::platform::firewall::oam
|
||||
include ::platform::firewall::calico::oam
|
||||
include ::platform::dhclient
|
||||
include ::platform::partitions
|
||||
include ::platform::lvm::controller
|
||||
|
|
|
@ -345,7 +345,143 @@ class platform::firewall::oam (
|
|||
}
|
||||
}
|
||||
|
||||
class platform::firewall::calico::oam::services {
|
||||
include ::platform::params
|
||||
include ::platform::network::oam::params
|
||||
include ::platform::nfv::params
|
||||
include ::platform::fm::params
|
||||
include ::platform::patching::params
|
||||
include ::platform::sysinv::params
|
||||
include ::platform::smapi::params
|
||||
include ::platform::ceph::params
|
||||
include ::openstack::barbican::params
|
||||
include ::openstack::keystone::params
|
||||
include ::openstack::horizon::params
|
||||
include ::platform::dcmanager::params
|
||||
include ::platform::dcorch::params
|
||||
|
||||
$ip_version = $::platform::network::oam::params::subnet_version
|
||||
|
||||
# icmp
|
||||
$t_icmp_proto = $ip_version ? {
|
||||
6 => 'ICMPv6',
|
||||
default => 'ICMP'
|
||||
}
|
||||
|
||||
# udp
|
||||
$sm_port = [2222, 2223]
|
||||
$ntp_port = [123]
|
||||
$snmp_port = [161, 162]
|
||||
$ptp_port = [319, 320]
|
||||
|
||||
# tcp
|
||||
$ssh_port = [22]
|
||||
|
||||
if $::platform::fm::params::service_enabled {
|
||||
$fm_port = [$::platform::fm::params::api_port]
|
||||
} else {
|
||||
$fm_port = []
|
||||
}
|
||||
|
||||
$nfv_vim_port = [$::platform::nfv::params::api_port]
|
||||
$patching_port = [$::platform::patching::params::public_port]
|
||||
$sysinv_port = [$::platform::sysinv::params::api_port]
|
||||
$sm_api_port = [$::platform::smapi::params::port]
|
||||
$kube_apiserver_port = [6443]
|
||||
|
||||
if $::platform::ceph::params::service_enabled {
|
||||
$ceph_radosgw_port = [$::platform::ceph::params::rgw_port]
|
||||
} else {
|
||||
$ceph_radosgw_port = []
|
||||
}
|
||||
|
||||
$barbican_api_port = [$::openstack::barbican::params::api_port]
|
||||
|
||||
if !$::platform::params::region_config {
|
||||
$keystone_port = [$::openstack::keystone::params::api_port]
|
||||
} else {
|
||||
$keystone_port = []
|
||||
}
|
||||
|
||||
if $::platform::params::distributed_cloud_role != 'subcloud' {
|
||||
if $::openstack::horizon::params::enable_https {
|
||||
$horizon_port = [$::openstack::horizon::params::https_port]
|
||||
} else {
|
||||
$horizon_port = [$::openstack::horizon::params::http_port]
|
||||
}
|
||||
} else {
|
||||
$horizon_port = []
|
||||
}
|
||||
|
||||
if $::platform::params::distributed_cloud_role == 'systemcontroller' {
|
||||
$dc_port = [$::platform::dcmanager::params::api_port,
|
||||
$::platform::dcorch::params::sysinv_api_proxy_port,
|
||||
$::platform::dcorch::params::patch_api_proxy_port,
|
||||
$::platform::dcorch::params::identity_api_proxy_port]
|
||||
} else {
|
||||
$dc_port = []
|
||||
}
|
||||
|
||||
$t_ip_version = $ip_version
|
||||
$t_udp_ports = concat($sm_port, $ntp_port, $snmp_port, $ptp_port)
|
||||
$t_tcp_ports = concat($ssh_port,
|
||||
$fm_port, $nfv_vim_port, $patching_port, $sysinv_port, $sm_api_port,
|
||||
$kube_apiserver_port,
|
||||
$ceph_radosgw_port, $barbican_api_port, $keystone_port, $horizon_port,
|
||||
$dc_port)
|
||||
|
||||
$file_name = '/tmp/gnp_all_oam.yaml'
|
||||
file { $file_name:
|
||||
ensure => file,
|
||||
content => template('platform/calico_oam_if_gnp.yaml.erb'),
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0640',
|
||||
}
|
||||
-> exec { "apply resource ${file_name}":
|
||||
path => '/usr/bin:/usr/sbin:/bin',
|
||||
command => "kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f ${file_name}",
|
||||
onlyif => 'kubectl --kubeconfig=/etc/kubernetes/admin.conf get customresourcedefinitions.apiextensions.k8s.io'
|
||||
}
|
||||
}
|
||||
|
||||
class platform::firewall::calico::oam::endpoints {
|
||||
include ::platform::params
|
||||
include ::platform::network::oam::params
|
||||
|
||||
$host = $::platform::params::hostname
|
||||
$oam_if = $::platform::network::oam::params::interface_name
|
||||
$oam_addr = $::platform::network::oam::params::interface_address
|
||||
|
||||
# create/update host endpoint to represent oam interface
|
||||
$file_name_oam = "/tmp/hep_${host}_oam.yaml"
|
||||
file { $file_name_oam:
|
||||
ensure => file,
|
||||
content => template('platform/calico_oam_if_hep.yaml.erb'),
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0640',
|
||||
}
|
||||
-> exec { "apply resource ${file_name_oam}":
|
||||
path => '/usr/bin:/usr/sbin:/bin',
|
||||
command => "kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f ${file_name_oam}",
|
||||
onlyif => 'kubectl --kubeconfig=/etc/kubernetes/admin.conf get customresourcedefinitions.apiextensions.k8s.io'
|
||||
}
|
||||
}
|
||||
|
||||
class platform::firewall::calico::oam {
|
||||
contain ::platform::firewall::calico::oam::endpoints
|
||||
contain ::platform::firewall::calico::oam::services
|
||||
|
||||
Class['::platform::kubernetes::master'] -> Class[$name]
|
||||
Class['::platform::firewall::calico::oam::endpoints']
|
||||
-> Class['::platform::firewall::calico::oam::services']
|
||||
}
|
||||
|
||||
class platform::firewall::runtime {
|
||||
include ::platform::firewall::oam
|
||||
include ::platform::firewall::calico::oam::endpoints
|
||||
include ::platform::firewall::calico::oam::services
|
||||
|
||||
Class['::platform::firewall::calico::oam::endpoints']
|
||||
-> Class['::platform::firewall::calico::oam::services']
|
||||
}
|
||||
|
|
|
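Review bot: Both rendered manifests land at fixed, predictable paths under the world-writable `/tmp` (`/tmp/gnp_all_oam.yaml` in the services class and `/tmp/hep_${host}_oam.yaml` in the endpoints class) and are then fed to `kubectl apply` as root; Puppet's `file` resource does replace whatever is at the path, but a location any local user can pre-create is still the wrong home for input to a privileged command, so render them under a root-owned directory (a subdirectory of `/etc/kubernetes`, or Puppet's `vardir`) instead. The `onlyif` on both execs only proves that some CRD exists, not that Calico's are installed; `kubectl --kubeconfig=/etc/kubernetes/admin.conf get crd globalnetworkpolicies.crd.projectcalico.org` (and `hostendpoints.crd.projectcalico.org` for the endpoint) would gate on the resource that is actually being applied. As written the `apply` also runs and reports a change on every agent run; if the intent is to re-apply only when the rendered content changes, chain with `~>` and set `refreshonly => true`, accepting that a transient apiserver failure is then not retried until the file changes. The two closing braces at the top of the hunk belong to `platform::firewall::oam`, whose body lies outside it.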
@ -588,6 +588,12 @@ spec:
|
|||
- name: calico-node
|
||||
image: <%= @quay_registry %>/calico/node:v3.6.1
|
||||
env:
|
||||
# Configure inbound failsafe rules
|
||||
- name: FELIX_FAILSAFEINBOUNDHOSTPORTS
|
||||
value: "tcp:22, udp:68, tcp:179"
|
||||
# Configure output failsafe rules
|
||||
- name: FELIX_FAILSAFEOUTBOUNDHOSTPORTS
|
||||
value: "udp:53, udp:67, tcp:179"
|
||||
# Use Kubernetes API as the backing datastore.
|
||||
- name: DATASTORE_TYPE
|
||||
value: "kubernetes"
|
||||
|
|
|
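Review bot: The two `FELIX_FAILSAFE*HOSTPORTS` values replace Felix's built-in defaults with a shorter list, but nothing records why; a comment above each, such as `# Override Felix defaults: only SSH, DHCP client and BGP are kept as lockout protection (etcd ports unused with the kubernetes datastore)`, would stop a later reader from restoring the defaults, assuming the etcd ports are indeed the motivation given `DATASTORE_TYPE: kubernetes` below. Note that the inbound list does not include the kube-apiserver port 6443 that the OAM GlobalNetworkPolicy allows, so if that policy is ever removed or misrendered, host access to the API server presumably falls back to Calico's default handling for selected host endpoints rather than being protected by the failsafe; if that is deliberate, say so in the same comment.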
@ -0,0 +1,33 @@
|
|||
# Calico platform service Global Network Policy for OAM interface
|
||||
|
||||
apiVersion: "crd.projectcalico.org/v1"
|
||||
kind: GlobalNetworkPolicy
|
||||
metadata:
|
||||
name: controller-oam-if-gnp
|
||||
spec:
|
||||
selector: "has(iftype) && iftype == 'oam'"
|
||||
order: 100
|
||||
applyOnForward: false
|
||||
types:
|
||||
- Ingress
|
||||
- Egress
|
||||
ingress:
|
||||
- action: Allow
|
||||
ipVersion: <%= @t_ip_version %>
|
||||
protocol: TCP
|
||||
destination:
|
||||
ports: <%= @t_tcp_ports %>
|
||||
- action: Allow
|
||||
ipVersion: <%= @t_ip_version %>
|
||||
protocol: UDP
|
||||
destination:
|
||||
ports: <%= @t_udp_ports %>
|
||||
- action: Allow
|
||||
protocol: <%= @t_icmp_proto %>
|
||||
egress:
|
||||
- action: Allow
|
||||
ipVersion: <%= @t_ip_version %>
|
||||
protocol: TCP
|
||||
- action: Allow
|
||||
ipVersion: <%= @t_ip_version %>
|
||||
protocol: UDP
|
|
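Review bot: The `egress` section allows TCP and UDP but has no `<%= @t_icmp_proto %>` rule, while `ingress` does; since the policy selects the OAM host endpoint with both `Ingress` and `Egress` types, host-originated ICMP on that interface (ping, and for IPv6 the neighbour-discovery and packet-too-big messages the stack relies on) may be dropped by Calico's default for selected host endpoints. Unless the asymmetry is intended, add under `egress:` the pair `- action: Allow` / `protocol: <%= @t_icmp_proto %>`, mirroring the ingress rule. Separately, `has(iftype) &&` in the selector is redundant with `iftype == 'oam'`, which already requires the label to be present.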
@ -0,0 +1,13 @@
|
|||
# Calico HOST ENDPOINT for OAM interface
|
||||
|
||||
apiVersion: "crd.projectcalico.org/v1"
|
||||
kind: HostEndpoint
|
||||
metadata:
|
||||
name: <%= @host %>-oam-if-hep
|
||||
labels:
|
||||
notetype: controller
|
||||
iftype: oam
|
||||
spec:
|
||||
interfaceName: <%= @oam_if %>
|
||||
node: <%= @host %>
|
||||
expectedIPs: ["<%= @oam_addr %>"]
|
|
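Review bot: The label key `notetype: controller` looks like a typo for `nodetype`; nothing in the accompanying GlobalNetworkPolicy selects on it (that selector uses only `iftype`), so it is harmless today, but a later policy written against `nodetype` would silently match nothing — change the line to `nodetype: controller`. A short header noting that one HostEndpoint is rendered per controller, with `metadata.name` and `spec.node` carrying the hostname and `expectedIPs` the host's own OAM address, would also help whoever next edits the GNP selector.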
@ -4515,7 +4515,8 @@ class ConductorManager(service.PeriodicService):
|
|||
config_dict = {
|
||||
"personalities": personalities,
|
||||
"host_uuids": active_host.uuid,
|
||||
"classes": ['openstack::keystone::endpoint::runtime']
|
||||
"classes": ['openstack::keystone::endpoint::runtime',
|
||||
'platform::firewall::runtime']
|
||||
}
|
||||
self._config_apply_runtime_manifest(
|
||||
context, config_uuid, config_dict, host_uuids=[active_host.uuid])
|
||||
|
|
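Review bot: The reason `platform::firewall::runtime` now rides along with `openstack::keystone::endpoint::runtime` is not visible at this call site; if the intent is that the Calico OAM policy allows the keystone and horizon API ports and must be re-rendered when those endpoints are reconfigured, a comment above `config_dict` saying `# Also re-render the Calico OAM policy, whose allowed ports depend on the endpoint config` would make the coupling explicit. The enclosing method of `ConductorManager` starts before this hunk, so I cannot tell whether the other runtime paths that change allowed ports (fm, ceph radosgw, distributed-cloud role) apply the same class.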