From 7d467ef4282ee0c0a11fa5cd8da187eea307afb4 Mon Sep 17 00:00:00 2001 From: Robert Volkmann <20912167+robertvolkmann@users.noreply.github.com> Date: Thu, 18 Apr 2024 13:42:00 +0200 Subject: [PATCH 01/49] Support sonic-vs (#277) --- partition/roles/sonic/defaults/main.yaml | 5 +- partition/roles/sonic/tasks/main.yaml | 10 ++- partition/roles/sonic/templates/metal.yaml.j2 | 8 +- .../roles/sonic/test/data/exit/metal.yaml | 2 +- .../roles/sonic/test/data/mgmtleaf/metal.yaml | 2 +- .../roles/sonic/test/data/sonic-vs/frr.conf | 29 +++++++ .../roles/sonic/test/data/sonic-vs/input.yaml | 46 ++++++++++ .../roles/sonic/test/data/sonic-vs/metal.yaml | 87 +++++++++++++++++++ .../roles/sonic/test/data/spine/metal.yaml | 2 +- 9 files changed, 184 insertions(+), 7 deletions(-) create mode 100644 partition/roles/sonic/test/data/sonic-vs/frr.conf create mode 100644 partition/roles/sonic/test/data/sonic-vs/input.yaml create mode 100644 partition/roles/sonic/test/data/sonic-vs/metal.yaml diff --git a/partition/roles/sonic/defaults/main.yaml b/partition/roles/sonic/defaults/main.yaml index 67f92ef4..93f7be59 100644 --- a/partition/roles/sonic/defaults/main.yaml +++ b/partition/roles/sonic/defaults/main.yaml @@ -7,7 +7,6 @@ sonic_timezone: Europe/Berlin sonic_config_action: load ## Physical settings -sonic_breakouts: {} sonic_ports: [] sonic_ports_dict: {} sonic_ports_default_fec: none @@ -38,6 +37,10 @@ sonic_vteps: [] # LLDP Hello timer is 30s by default on the switch, but metal-hammer expects 10s or so sonic_lldp_hello_timer: 10 +# BGP container configuration +sonic_docker_routing_config_mode: split +sonic_frr_mgmt_framework_config: true + sonic_frr_static_routes_mgmt: [] sonic_interconnects: {} diff --git a/partition/roles/sonic/tasks/main.yaml b/partition/roles/sonic/tasks/main.yaml index 6939b41a..82aec600 100644 --- a/partition/roles/sonic/tasks/main.yaml +++ b/partition/roles/sonic/tasks/main.yaml 
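Review bot: Dropping the `sonic_breakouts: {}` default turns every remaining reference to `sonic_breakouts` into an undefined-variable error unless it is guarded with `is defined`; the tasks hunk of this patch guards its new assert that way, but any other task or template that still reads `sonic_breakouts` lies outside this diff and should be checked before the default goes. The two new defaults feed `DEVICE_METADATA` directly, so the `# BGP container configuration` comment should say what the values mean for rendering, e.g. `# docker_routing_config_mode written to DEVICE_METADATA; this role's fixtures use "split" and "split-unified"` and `# when false, frr_mgmt_framework_config is omitted from DEVICE_METADATA`.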
@@ -84,12 +84,18 @@ - name: Fail if running configuration doesn't contain required information ansible.builtin.assert: that: - - sonic_running_cfg_breakouts - sonic_running_cfg_hwsku - sonic_running_cfg_mac - sonic_running_cfg_platform - sonic_running_cfg_ports - fail_msg: The running configuration is incomplete because it does not contain 'BREAKOUT_CFG', 'PORT', or complete 'DEVICE_METADATA'. + fail_msg: The running configuration is incomplete because it does not contain 'PORT' or complete 'DEVICE_METADATA'. + +- name: Fail if running configuration doesn't contain breakout configuration + ansible.builtin.assert: + that: + - sonic_running_cfg_breakouts + fail_msg: The running configuration is incomplete because it does not contain 'BREAKOUT_CFG'. + when: sonic_breakouts is defined - name: Render config_db set_fact: diff --git a/partition/roles/sonic/templates/metal.yaml.j2 b/partition/roles/sonic/templates/metal.yaml.j2 index 4204a4c2..d759aa64 100644 --- a/partition/roles/sonic/templates/metal.yaml.j2 +++ b/partition/roles/sonic/templates/metal.yaml.j2 @@ -2,13 +2,15 @@ --- DEVICE_METADATA: localhost: - docker_routing_config_mode: split + docker_routing_config_mode: "{{ sonic_docker_routing_config_mode }}" hostname: "{{ inventory_hostname }}" hwsku: "{{ sonic_running_cfg_hwsku }}" mac: "{{ sonic_running_cfg_mac }}" platform: "{{ sonic_running_cfg_platform }}" type: "LeafRouter" + {% if sonic_frr_mgmt_framework_config %} frr_mgmt_framework_config: "true" + {% endif %} FEATURE: dhcp_relay: @@ -67,12 +69,14 @@ INTERFACE: {% endfor %} {% endfor %} {% endif %} +{% if sonic_running_cfg_breakouts %} BREAKOUT_CFG: {% for name, cfg in sonic_running_cfg_breakouts.items() %} {{ name }}: brkout_mode: "{{ cfg.brkout_mode }}" {% endfor %} +{% endif %} PORT: {% for name, running_cfg in sonic_running_cfg_ports.items() %} 
@@ -81,7 +85,9 @@ PORT: autoneg: "{{ running_cfg.autoneg|default("off")|string|lower }}" index: "{{ running_cfg.index }}" lanes: "{{ running_cfg.lanes }}" + {% if 'parent_port' in running_cfg %} parent_port: {{ running_cfg.parent_port }} + {% endif %} {% if sonic_ports_dict[name] is defined %} {% set port = sonic_ports_dict[name] %} admin_status: up diff --git a/partition/roles/sonic/test/data/exit/metal.yaml b/partition/roles/sonic/test/data/exit/metal.yaml index 2b57deb1..086542b1 100644 --- a/partition/roles/sonic/test/data/exit/metal.yaml +++ b/partition/roles/sonic/test/data/exit/metal.yaml @@ -1,7 +1,7 @@ --- DEVICE_METADATA: localhost: - docker_routing_config_mode: split + docker_routing_config_mode: "split" hostname: "exit01" hwsku: "Accton-AS7726-32X" mac: "e0:01:a6:e3:29:3c" diff --git a/partition/roles/sonic/test/data/mgmtleaf/metal.yaml b/partition/roles/sonic/test/data/mgmtleaf/metal.yaml index 13375a14..aee38b48 100644 --- a/partition/roles/sonic/test/data/mgmtleaf/metal.yaml +++ b/partition/roles/sonic/test/data/mgmtleaf/metal.yaml @@ -1,7 +1,7 @@ --- DEVICE_METADATA: localhost: - docker_routing_config_mode: split + docker_routing_config_mode: "split" hostname: "r01mgmtleaf" hwsku: "Accton-AS7726-32X" mac: "e0:01:a6:e3:29:3c" diff --git a/partition/roles/sonic/test/data/sonic-vs/frr.conf b/partition/roles/sonic/test/data/sonic-vs/frr.conf new file mode 100644 index 00000000..120ac33e --- /dev/null +++ b/partition/roles/sonic/test/data/sonic-vs/frr.conf 
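Review bot: `parent_port: {{ running_cfg.parent_port }}` is the only templated value in this PORT entry left unquoted; the surrounding `autoneg`, `index` and `lanes` lines are all quoted, and an unquoted templated scalar is where YAML type inference bites (an empty expansion becomes null instead of a string). `parent_port: "{{ running_cfg.parent_port }}"` keeps the entry consistent; the expected-output fixtures that show `parent_port: Ethernet0` bare would need the same change. The PORT `for` loop continues outside the hunk.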
@@ -0,0 +1,29 @@ +frr defaults datacenter +hostname sonic-vs +! +service integrated-vtysh-config +! +log syslog informational +! +interface Ethernet0 + ipv6 nd ra-interval 6 + no ipv6 nd suppress-ra +! +router bgp 4200000000 + bgp router-id 10.0.0.1 + bgp bestpath as-path multipath-relax + neighbor FABRIC peer-group + neighbor FABRIC remote-as external + neighbor FABRIC timers 1 3 + neighbor Ethernet0 interface peer-group FABRIC + ! + address-family ipv4 unicast + redistribute connected route-map DENY_MGMT + exit-address-family +! +route-map DENY_MGMT deny 10 + match interface eth0 +route-map DENY_MGMT permit 20 +! +line vty +! \ No newline at end of file diff --git a/partition/roles/sonic/test/data/sonic-vs/input.yaml b/partition/roles/sonic/test/data/sonic-vs/input.yaml new file mode 100644 index 00000000..79dc138e --- /dev/null +++ b/partition/roles/sonic/test/data/sonic-vs/input.yaml @@ -0,0 +1,46 @@ +--- +inventory_hostname: sonic-vs +sonic_asn: 4200000000 +sonic_loopback_address: 10.0.0.1 + +sonic_mgmtif_ip: 172.17.0.2/16 +sonic_mgmtif_gateway: 172.17.0.1 +sonic_mgmt_vrf: false + +sonic_docker_routing_config_mode: split-unified +sonic_frr_mgmt_framework_config: false + +sonic_ports_default_mtu: 9000 +sonic_ports_default_speed: 40000 +sonic_ports_dict: + Ethernet0: + +sonic_running_cfg_breakouts: +sonic_running_cfg_hwsku: Force10-S6000 +sonic_running_cfg_mac: e0:01:a6:e3:29:3c +sonic_running_cfg_platform: x86_64-kvm_x86_64-r0 + +sonic_running_cfg_ports: + Ethernet0: + alias: fortyGigE0/0 + index: "0" + lanes: "25,26,27,28" + speed: "40000" + Ethernet4: + alias: fortyGigE0/4 + index: "1" + lanes: "29,30,31,32" + speed: "40000" + +sonic_bgp_ports: + Ethernet0: + +sonic_vlans: + - id: 4000 + ip: 10.0.1.1/25 + +# Dummy VTEP so that basic VXLAN config will be deployed by sonic role: +sonic_vteps: +- comment: Dummy + vlan: Vlan3999 + vni: 103999 
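Review bot: In the new sonic-vs input fixture, `sonic_running_cfg_breakouts:`, `sonic_ports_dict: Ethernet0:` and `sonic_bgp_ports: Ethernet0:` have bare empty values, which YAML reads as null rather than an empty mapping; the template's truthiness check on `sonic_running_cfg_breakouts` happens to treat both the same, but the intent is clearer as `sonic_running_cfg_breakouts: {}` and `Ethernet0: {}`. Note also that `sonic_bgp_ports` is a mapping here while the l2_leaf fixture in a later patch gives it as a list; the frr template iterates it either way, but one shape across fixtures would avoid surprises when the variable is used differently.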
diff --git a/partition/roles/sonic/test/data/sonic-vs/metal.yaml b/partition/roles/sonic/test/data/sonic-vs/metal.yaml new file mode 100644 index 00000000..20b0ab56 --- /dev/null +++ b/partition/roles/sonic/test/data/sonic-vs/metal.yaml @@ -0,0 +1,87 @@ +--- +DEVICE_METADATA: + localhost: + docker_routing_config_mode: "split-unified" + hostname: "sonic-vs" + hwsku: "Force10-S6000" + mac: "e0:01:a6:e3:29:3c" + platform: "x86_64-kvm_x86_64-r0" + type: "LeafRouter" + +FEATURE: + dhcp_relay: + auto_restart: enabled + state: enabled + +NTP: + global: + src_intf: "eth0" + +NTP_SERVER: + +LOOPBACK_INTERFACE: + Loopback0: {} + Loopback0|10.0.0.1/32: {} + +MGMT_INTERFACE: + eth0|172.17.0.2/16: + gwaddr: "172.17.0.1" + +MGMT_PORT: + eth0: + alias: "eth0" + admin_status: "up" + description: "Management Port" + +MGMT_VRF_CONFIG: + vrf_global: + mgmtVrfEnabled: "false" + +INTERFACE: + Ethernet0: + ipv6_use_link_local_only: enable + +PORT: + Ethernet0: + alias: fortyGigE0/0 + autoneg: "off" + index: "0" + lanes: "25,26,27,28" + admin_status: up + speed: "40000" + mtu: "9000" + fec: "none" + Ethernet4: + alias: fortyGigE0/4 + autoneg: "off" + index: "1" + lanes: "29,30,31,32" + speed: "40000" + +VLAN: + Vlan4000: + vlanid: 4000 + +VLAN_INTERFACE: + Vlan4000: {} + Vlan4000|10.0.1.1/25: {} + +VLAN_MEMBER: + +VXLAN_EVPN_NVO: + nvo: + source_vtep: vtep + +VXLAN_TUNNEL: + vtep: + src_ip: "10.0.0.1" + +VXLAN_TUNNEL_MAP: + # Dummy + "vtep|map_103999_Vlan3999": + vlan: "Vlan3999" + vni: "103999" + +LLDP: + Global: + hello_timer: 10 diff --git a/partition/roles/sonic/test/data/spine/metal.yaml b/partition/roles/sonic/test/data/spine/metal.yaml index 6c63856e..155855bb 100644 --- a/partition/roles/sonic/test/data/spine/metal.yaml +++ b/partition/roles/sonic/test/data/spine/metal.yaml @@ -1,7 +1,7 @@ --- DEVICE_METADATA: localhost: - docker_routing_config_mode: split + docker_routing_config_mode: "split" hostname: "spine01" hwsku: "Accton-AS7726-32X" mac: "e0:01:a6:e3:29:3c" 
From 0b8ba83fae4f7791edb50ade24e8f89647bc276c Mon Sep 17 00:00:00 2001
From: mreiger
Date: Fri, 26 Apr 2024 13:15:21 +0200
Subject: [PATCH 02/49] Allow unauthenticated apt packages from cumulus repo because the key expired
---
 partition/roles/docker-on-cumulus/tasks/main.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/partition/roles/docker-on-cumulus/tasks/main.yaml b/partition/roles/docker-on-cumulus/tasks/main.yaml
index 8d1768a5..f8c8ea03 100644
--- a/partition/roles/docker-on-cumulus/tasks/main.yaml
+++ b/partition/roles/docker-on-cumulus/tasks/main.yaml
@@ -2,6 +2,7 @@
 - name: ensure dependencies are installed
 apt:
 update_cache: yes
+ allow_unauthenticated: yes
 name:
 - apt-transport-https
 - ca-certificates
From b47af6bb0057dc8c04f97e63c939efa9b68b7f2f Mon Sep 17 00:00:00 2001
From: Gerrit
Date: Mon, 29 Apr 2024 13:41:04 +0200
Subject: [PATCH 03/49] OIDC flags for API server still not working. (#280)
---
 .../roles/gardener/templates/kube-apiserver-values.j2 | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/control-plane/roles/gardener/templates/kube-apiserver-values.j2 b/control-plane/roles/gardener/templates/kube-apiserver-values.j2
index 07acada9..418d5b66 100644
--- a/control-plane/roles/gardener/templates/kube-apiserver-values.j2
+++ b/control-plane/roles/gardener/templates/kube-apiserver-values.j2
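Review bot: `allow_unauthenticated: yes` turns off apt signature verification for every package this task installs — `ca-certificates` and `gnupg2`, the trust anchors the rest of the role depends on, included — not only for the cumulus repository whose key expired, so any tampering between the switch and its mirrors would now go unnoticed for these packages. The narrower fix is to refresh the expired key in the role (or scope the exception to that single repository's sources entry) so verification stays on for the distribution packages; if the flag has to stay for now, pin it to the reason with a removal condition, e.g. `# TODO: drop once the cumulus repo key is renewed; disables signature checks for all packages in this task`. `yes` should also be `true`, matching the truthy rule ansible-lint applies (`update_cache: yes` above has the same issue).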
@@ -8,12 +8,10 @@ apiServer: serviceName: garden-kube-apiserver oidc: -{% if gardener_virtual_api_oidc_issuer_url %} - issuerURL: {{ gardener_virtual_api_oidc_issuer_url }} -{% endif %} -{% if gardener_virtual_api_oidc_client_id %} - clientID: {{ gardener_virtual_api_oidc_client_id }} -{% endif %} + issuerURL: {% if gardener_virtual_api_oidc_issuer_url %}{{ gardener_virtual_api_oidc_issuer_url }}{% endif %} + + clientID: {% if gardener_virtual_api_oidc_client_id %}{{ gardener_virtual_api_oidc_client_id }}{% endif %} + {% if gardener_virtual_api_oidc_username_claim %} usernameClaim: {{ gardener_virtual_api_oidc_username_claim }} {% endif %} From 413af51e291c32c8149ddf01091b1d1cfc13754d Mon Sep 17 00:00:00 2001 From: mreiger Date: Mon, 29 Apr 2024 18:24:23 +0200 Subject: [PATCH 04/49] Add additional docker dependency --- partition/roles/docker-on-cumulus/tasks/main.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/partition/roles/docker-on-cumulus/tasks/main.yaml b/partition/roles/docker-on-cumulus/tasks/main.yaml index f8c8ea03..b705a6c7 100644 --- a/partition/roles/docker-on-cumulus/tasks/main.yaml +++ b/partition/roles/docker-on-cumulus/tasks/main.yaml @@ -8,6 +8,7 @@ - ca-certificates - curl - gnupg2 + - libltdl7 when: ansible_distribution_major_version == "3" - name: setup key for docker From 4d69c3f5390ec6a1ba61a6f8acdad343d59169ae Mon Sep 17 00:00:00 2001 From: Gerrit Date: Thu, 2 May 2024 16:15:26 +0200 Subject: [PATCH 05/49] Allow setting ETCD storage class explicitly. (#283) --- control-plane/roles/gardener/README.md | 5 +++-- control-plane/roles/gardener/defaults/main/extensions.yaml | 1 + .../extension-provider-metal/controller-deployment.yaml | 4 ++++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md index 4ad5a18f..be3e3b13 100644 --- a/control-plane/roles/gardener/README.md +++ b/control-plane/roles/gardener/README.md 
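Review bot: The rewritten `issuerURL:` and `clientID:` lines now always emit the key, so when the variable is empty they render as `issuerURL:` with nothing after it, which YAML reads as null, and the inline `{% if %}` leaves a blank line after each; the previous form omitted the key altogether. If an explicit null is the intended way to clear the flag, that deserves a comment above `oidc:`; if a string is intended, quoting the value makes an empty expansion `""` rather than null, e.g. `issuerURL: "{{ gardener_virtual_api_oidc_issuer_url | default('') }}"`. The `oidc:` mapping continues outside the hunk.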
@@ -96,8 +96,9 @@ This includes the metal-stack extension provider called [gardener-extension-prov | gardener_extension_provider_metal_cluster_audit_enabled | | Enables the audit functionality of the GEPM | | gardener_extension_provider_metal_audit_to_splunk_enabled | | Enables the audit to splunk feature gate of the GEPM | | gardener_extension_provider_metal_audit_to_splunk | | Configuration for the audit to splunk feature gate of the GEPM | -| gardener_extension_provider_metal_etcd_backup_schedule | | The ETCD backup schedule for metal-stack shoot ETCDs | -| gardener_extension_provider_metal_etcd_delta_snapshot_period | | The ETCD delta snapshot period for metal-stack shoot ETCDs | +| gardener_extension_provider_metal_etcd_storage_class_name | | The storage class used for metal-stack shoot ETCDs | +| gardener_extension_provider_metal_etcd_backup_schedule | | The backup schedule for metal-stack shoot ETCDs | +| gardener_extension_provider_metal_etcd_delta_snapshot_period | | The delta snapshot period for metal-stack shoot ETCDs | | gardener_extension_provider_metal_egress_destinations | | Sets allowed egress destinations for the `RestrictEgress` control plane feature gate of the GEPM | | gardener_extension_provider_metal_duros_storage_enabled | | Enables the duros storage integration feature gate of the GEPM (Lightbits storage) | | gardener_extension_provider_metal_duros_storage_config | | Configuration for the duros storage integration | diff --git a/control-plane/roles/gardener/defaults/main/extensions.yaml b/control-plane/roles/gardener/defaults/main/extensions.yaml index 6b3cb0c7..002c8050 100644 --- a/control-plane/roles/gardener/defaults/main/extensions.yaml +++ b/control-plane/roles/gardener/defaults/main/extensions.yaml 
@@ -18,6 +18,7 @@ gardener_extension_provider_metal_audit_to_splunk: # tlsEnabled: true # hecCAFile: "" +gardener_extension_provider_metal_etcd_storage_class_name: gardener_extension_provider_metal_etcd_backup_schedule: "0 */2 * * *" gardener_extension_provider_metal_etcd_delta_snapshot_period: "5m" diff --git a/control-plane/roles/gardener/templates/extension-provider-metal/controller-deployment.yaml b/control-plane/roles/gardener/templates/extension-provider-metal/controller-deployment.yaml index 4061346e..c9132ccd 100644 --- a/control-plane/roles/gardener/templates/extension-provider-metal/controller-deployment.yaml +++ b/control-plane/roles/gardener/templates/extension-provider-metal/controller-deployment.yaml @@ -36,6 +36,10 @@ providerConfig: {% endif %} etcd: +{% if gardener_extension_provider_metal_etcd_storage_class_name is not none %} + storage: + className: {{ gardener_extension_provider_metal_etcd_storage_class_name }} +{% endif %} backup: schedule: "{{ gardener_extension_provider_metal_etcd_backup_schedule }}" deltaSnapshotPeriod: "{{ gardener_extension_provider_metal_etcd_delta_snapshot_period }}" From e0101267eec8d7ac084ed654bc2217451d6dde4f Mon Sep 17 00:00:00 2001 
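Review bot: `gardener_extension_provider_metal_etcd_storage_class_name:` with no value relies on YAML reading a bare key as null, which is what the template's `is not none` guard expects, but it reads like an accidentally blank line and yamllint's `empty-values` rule flags it. `gardener_extension_provider_metal_etcd_storage_class_name: null` states the intent, and a comment such as `# null: no storage.className is rendered into the controller deployment` documents what unset means, in the style of the `# tlsEnabled` / `# hecCAFile` comments just above.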
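Review bot: `className: {{ gardener_extension_provider_metal_etcd_storage_class_name }}` is rendered unquoted while the neighbouring `schedule` and `deltaSnapshotPeriod` values are quoted; a storage-class name is a plain string, and an unquoted templated scalar is where YAML type inference can change its type. `className: "{{ gardener_extension_provider_metal_etcd_storage_class_name }}"` keeps the stanza consistent. The `etcd:` mapping continues outside the hunk.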
From: Michael Reiger <47994873+mreiger@users.noreply.github.com> Date: Thu, 6 Jun 2024 12:58:37 +0200 Subject: [PATCH 06/49] L2 leaves (#278) --- partition/roles/sonic/README.md | 19 + partition/roles/sonic/tasks/main.yaml | 8 + partition/roles/sonic/templates/frr.conf.j2 | 16 +- partition/roles/sonic/templates/metal.yaml.j2 | 60 +++ partition/roles/sonic/test/data/exit/frr.conf | 2 +- .../roles/sonic/test/data/l2_leaf/frr.conf | 65 ++++ .../roles/sonic/test/data/l2_leaf/input.yaml | 215 +++++++++++ .../roles/sonic/test/data/l2_leaf/metal.yaml | 346 ++++++++++++++++++ 8 files changed, 726 insertions(+), 5 deletions(-) create mode 100644 partition/roles/sonic/test/data/l2_leaf/frr.conf create mode 100644 partition/roles/sonic/test/data/l2_leaf/input.yaml create mode 100644 partition/roles/sonic/test/data/l2_leaf/metal.yaml diff --git a/partition/roles/sonic/README.md b/partition/roles/sonic/README.md index 3c1b3791..66463935 100644 --- a/partition/roles/sonic/README.md +++ b/partition/roles/sonic/README.md 
@@ -60,12 +60,31 @@ It depends on the `switch_facts` module from `ansible-common`, so make sure modu | sonic_interconnects.neighbors | | Connect to this BGP neighbors - supports multiple neighbors and also BGP unnumbered by giving `Ethernet0 interface`. | | sonic_interconnects.unnumbered_interfaces | | Connect with BGP unnumbered on these interfaces - also sets IPv6 options to make unnumbered work right. | | sonic_interconnects.peer_group | | Put the neighbor in this peer group. | +| sonic_interconnects.evpn_peer | | Whether the peer should take part in evpn routing (address-family l2vpn evpn) | | sonic_interconnects.prefixlists | | BGP prefix lists to configure. | | sonic_interconnects.remote_as | | The AS of the BGP neighbor. | | sonic_interconnects.routemap_in | | Apply an incoming routemap for this BGP session. | | sonic_interconnects.routemap_out | | Apply an outgoing routemap for this BGP session. | | sonic_interconnects.vni | | This BGP session will connect the specified VNI within the CLOS topology with the given peer. | | sonic_interconnects.vrf | | Use a dedicated BGP session fenced with an VRF for this connection. Also it declares the virtual network as layer-3. | +| sonic_mclag | | MCLAG (Multi-Chassis LAG / VPC) configuration for a switch connecting a machine with a LAG bond interface | +| sonic_mclag.system_mac | | The shared virtual MAC address used for MCLAG connections | +| sonic_mclag.peer_ip | | The IP of the remote switch on the MCLAG peer-link. Corresponds to source_ip. | +| sonic_mclag.peer_link | | The PortChannel interface connecting the switch pair. | +| sonic_mclag.source_ip | | The IP of this switch on the MCLAG peer-link. Corresponds to peer_ip. | +| sonic_mclag.keepalive_vlan | | The VLAN used for keepalive messages between the MCLAG pair over the peer-link. | +| sonic_mclag.member_port_channels | | A list of the PortChannel numbers that take part in the MCLAG domain. 
| +| sonic_portchannels_default_mtu | | MTU default value for portchannels | +| sonic_portchannels | | Configuration for portchannels. These will be up by default. | +| sonic_portchannels.number | | The portchannel number | +| sonic_portchannels.mtu | | The MTU of the portchannel. Must match the MTU of the member ports. | +| sonic_portchannels.fallback | | Whether to fallback to single port when LAG negotiation fails. Defaults to false in Sonic; does not work with MCLAG. | +| sonic_portchannels.members | | The list of the interfaces taking part in the portchannel. | +| sonic_sag | | Configuration for SAG (Static Anycast Gateway) | +| sonic_sag.mac | | The virtual MAC used for the SAG address | +| sonic_sag.vlans | | A list of VLANs that use SAG | +| sonic_sag.vlans.id | | The VLAN ID of this VLAN | +| sonic_sag.vlans.ip | | The SAG IP of this VLAN | | sonic_ssh_sourceranges | | The source ranges from which the switch should be reachable over SSH on its prod (non-management) addresses | | sonic_extended_cacl.ipv4 | | Iptables ipv4 rules that should be added as extended Control Plane ACLs (Edgecore Sonic specific feature) | | sonic_extended_cacl.ipv6 | | Iptables ipv6 rules that should be added as extended Control Plane ACLs (Edgecore Sonic specific feature) | diff --git a/partition/roles/sonic/tasks/main.yaml b/partition/roles/sonic/tasks/main.yaml index 82aec600..1bae92e4 100644 --- a/partition/roles/sonic/tasks/main.yaml +++ b/partition/roles/sonic/tasks/main.yaml @@ -24,6 +24,14 @@ - sonic_ports_default_mtu when: sonic_ports +- name: Check mandatory variables on non-empty sonic_portchannels are set + assert: + fail_msg: "default configuration is necessary on non-empty sonic_portchannels" + quiet: yes + that: + - sonic_portchannels_default_mtu + when: sonic_portchannels + - name: Populate sonic_ports_dict set_fact: sonic_ports_dict: "{{ sonic_ports_dict|default({}) | combine( {item.name: item} ) }}" 
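Review bot: `when: sonic_portchannels` raises an undefined-variable error on every host that does not set the variable, because Ansible evaluates the conditional before it can short-circuit; the template added in this patch guards with `sonic_portchannels is defined`, and no default for it appears in the patch's diffstat, which suggests the variable is indeed absent on hosts without port channels. Either add `sonic_portchannels: []` (and a default for `sonic_portchannels_default_mtu`) to the role defaults, mirroring the `sonic_ports: []` default the existing `when: sonic_ports` task relies on, or write `when: sonic_portchannels is defined and sonic_portchannels`. `quiet: yes` should be `quiet: true`.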
diff --git a/partition/roles/sonic/templates/frr.conf.j2 b/partition/roles/sonic/templates/frr.conf.j2 index 7226b4ef..e903786e 100644 --- a/partition/roles/sonic/templates/frr.conf.j2 +++ b/partition/roles/sonic/templates/frr.conf.j2 @@ -37,7 +37,7 @@ router bgp {{ sonic_asn }} bgp router-id {{ sonic_loopback_address }} bgp bestpath as-path multipath-relax neighbor FABRIC peer-group - neighbor FABRIC remote-as external + neighbor FABRIC remote-as {{ i.remote_as | default("external") }} neighbor FABRIC timers 1 3 {% for port in sonic_bgp_ports %} neighbor {{ port }} interface peer-group FABRIC @@ -45,7 +45,7 @@ router bgp {{ sonic_asn }} {% for k, i in sonic_interconnects.items() %} {% if i.vrf is not defined %} neighbor {{ i.peer_group | default(sonic_interconnects_default_peer_group) }} peer-group - neighbor {{ i.peer_group | default(sonic_interconnects_default_peer_group) }} remote-as external + neighbor {{ i.peer_group | default(sonic_interconnects_default_peer_group) }} remote-as {{ i.remote_as | default("external") }} neighbor {{ i.peer_group | default(sonic_interconnects_default_peer_group) }} timers {{ i.bgp_timers | default(sonic_interconnects_default_bgp_timers) }} {% if i.bfd_parameters is defined %} neighbor {{ i.peer_group }} bfd {{ i.bfd_parameters }} @@ -94,6 +94,14 @@ router bgp {{ sonic_asn }} {% endif %} neighbor FABRIC activate neighbor FABRIC allowas-in 2 +{% for k, i in sonic_interconnects.items() %} +{% if i.vrf is not defined %} +{% if i.peer_group is defined and i.evpn_peer|default(false) %} + neighbor {{ i.peer_group }} activate + neighbor {{ i.peer_group }} allowas-in 2 +{% endif %} +{% endif %} +{% endfor %} exit-address-family {% endif %} {% for k, i in sonic_interconnects.items() %} 
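Review bot: `neighbor FABRIC remote-as {{ i.remote_as | default("external") }}` at line 40 uses `i`, but the only loop that binds `i` (`{% for k, i in sonic_interconnects.items() %}`) starts at line 45 in the next hunk, so at this point `i` is unbound unless an enclosing loop above line 37 that the hunk does not show binds it. The fixtures still render `external` because Ansible's undefined object tolerates attribute access before `default`, which is fragile and would break under strict Jinja. The FABRIC peer group is not per-interconnect, so either restore `neighbor FABRIC remote-as external` or drive it from a dedicated role variable with its own default; the two `remote-as` changes inside the interconnect loops (line 48 here and line 114 in the vrf hunk) are fine.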
@@ -103,7 +111,7 @@ router bgp {{ sonic_asn }} vrf {{ i.vrf }} bgp router-id {{ sonic_loopback_address }} bgp bestpath as-path multipath-relax neighbor {{ i.peer_group | default(sonic_interconnects_default_peer_group) }} peer-group - neighbor {{ i.peer_group | default(sonic_interconnects_default_peer_group) }} remote-as external + neighbor {{ i.peer_group | default(sonic_interconnects_default_peer_group) }} remote-as {{ i.remote_as | default("external") }} neighbor {{ i.peer_group | default(sonic_interconnects_default_peer_group) }} timers {{ i.bgp_timers | default(sonic_interconnects_default_bgp_timers) }} {% if i.bfd_parameters is defined %} neighbor {{ i.peer_group }} bfd {{ i.bfd_parameters }} @@ -189,4 +197,4 @@ ip route {{ route }} {% endif %} ! line vty -! \ No newline at end of file +! diff --git a/partition/roles/sonic/templates/metal.yaml.j2 b/partition/roles/sonic/templates/metal.yaml.j2 index d759aa64..9102bc71 100644 --- a/partition/roles/sonic/templates/metal.yaml.j2 +++ b/partition/roles/sonic/templates/metal.yaml.j2 @@ -30,6 +30,25 @@ LOOPBACK_INTERFACE: Loopback0: {} Loopback0|{{ sonic_loopback_address }}/32: {} +{% if sonic_mclag is defined and sonic_mclag|length > 0 %} +MCLAG_DOMAIN: + "1": + mclag_system_id: "{{ sonic_mclag.system_mac }}" + peer_ip: "{{ sonic_mclag.peer_ip }}" + peer_link: "{{ sonic_mclag.peer_link }}" + source_ip: "{{ sonic_mclag.source_ip }}" + +MCLAG_INTERFACE: +{% for po in sonic_mclag.member_port_channels %} + "1|PortChannel{{ po }}": + if_type: "PortChannel" +{% endfor %} + +MCLAG_UNIQUE_IP: + "Vlan{{ sonic_mclag.keepalive_vlan }}": + unique_ip: "enable" + +{% endif %} {% if sonic_mgmtif_ip is defined %} MGMT_INTERFACE: {% if sonic_mgmtif_gateway is defined %} 
@@ -98,6 +117,45 @@ PORT: speed: "{{ running_cfg.speed }}" {% endif %} {% endfor %} +{% if sonic_portchannels is defined and sonic_portchannels|length > 0 %} + +PORTCHANNEL: +{% for po in sonic_portchannels %} + PortChannel{{ po.number }}: + admin_status: "up" +{% if po.fallback is defined %} + fallback: "{{ po.fallback|bool }}" +{% endif %} + fast_rate: "false" + lacp_key: "auto" + min_links: "1" + mix_speed: "false" + mtu: "{{ po.mtu|default(sonic_portchannels_default_mtu) }}" +{% endfor %} + +PORTCHANNEL_MEMBER: +{% for po in sonic_portchannels %} +{% for member in po.members %} + PortChannel{{ po.number }}|{{ member }}: {} +{% endfor %} +{% endfor %} +{% endif %} +{% if sonic_sag is defined and sonic_sag|length > 0 %} +{% if sonic_sag.vlans is defined and sonic_sag.vlans|length > 0 %} + +SAG: +{% for vlan in sonic_sag.vlans %} + "Vlan{{ vlan.id }}|IPv4": + gwip: + - "{{ vlan.ip }}" +{% endfor %} +{% endif %} + +SAG_GLOBAL: + IP: + IPv4: "enable" + gwmac: "{{ sonic_sag.mac }}" +{% endif %} {% if sonic_vlans is defined and sonic_vlans|length > 0 %} VLAN: @@ -159,6 +217,8 @@ VXLAN_TUNNEL_MAP: {% if sonic_interconnects is defined and sonic_interconnects|length > 0 %} VRF: +{% endif %} +{% if sonic_interconnects is defined and sonic_interconnects|length > 0 %} {% for k, i in sonic_interconnects.items() %} {% if i.vrf is defined %} {% if i.vni is defined %} diff --git a/partition/roles/sonic/test/data/exit/frr.conf b/partition/roles/sonic/test/data/exit/frr.conf index bace1ba3..d6e31f66 100644 --- a/partition/roles/sonic/test/data/exit/frr.conf +++ b/partition/roles/sonic/test/data/exit/frr.conf @@ -57,7 +57,7 @@ router bgp 4200000000 vrf VrfMpls bgp router-id 10.0.0.1 bgp bestpath as-path multipath-relax neighbor MPLS peer-group - neighbor MPLS remote-as external + neighbor MPLS remote-as 65000 neighbor MPLS timers 1 3 neighbor 10.0.0.3 peer-group MPLS neighbor 10.0.0.3 password test 
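Review bot: `fallback: "{{ po.fallback|bool }}"` renders the Python boolean as `"True"` / `"False"`, whereas every other boolean-like value in this file is written lowercase (`fast_rate: "false"`, `mix_speed: "false"`, and `autoneg` in the PORT block goes through `|string|lower`); whether config_db accepts the capitalised form I cannot confirm from here, but the fixture deliberately feeds `true`, `"true"` and `"True"` to this line, so the normalisation should end in lowercase: `fallback: "{{ po.fallback|bool|string|lower }}"`. The PORTCHANNEL loop lies entirely within the hunk.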
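Review bot: The two added lines in the VRF hunk close `{% if sonic_interconnects is defined and sonic_interconnects|length > 0 %}` and immediately reopen the identical condition, which changes nothing in the output and makes the reader look for a difference that is not there. Drop `{% endif %}` and the repeated `{% if … %}` so `VRF:` and its `for` loop stay inside the one guard. The `for` loop over `sonic_interconnects` continues outside the hunk.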
diff --git a/partition/roles/sonic/test/data/l2_leaf/frr.conf b/partition/roles/sonic/test/data/l2_leaf/frr.conf new file mode 100644 index 00000000..e4e1b838 --- /dev/null +++ b/partition/roles/sonic/test/data/l2_leaf/frr.conf @@ -0,0 +1,65 @@ +frr defaults datacenter +hostname l2leaf01 +! +service integrated-vtysh-config +! +log syslog informational +! +vrf Vrf46 + vni 46 +exit-vrf +! +interface Ethernet120 + ipv6 nd ra-interval 6 + no ipv6 nd suppress-ra +! +interface Ethernet124 + ipv6 nd ra-interval 6 + no ipv6 nd suppress-ra +! +router bgp 4200000000 + bgp router-id 10.0.0.1 + bgp bestpath as-path multipath-relax + neighbor FABRIC peer-group + neighbor FABRIC remote-as external + neighbor FABRIC timers 1 3 + neighbor Ethernet120 interface peer-group FABRIC + neighbor Ethernet124 interface peer-group FABRIC + neighbor XCONNECT peer-group + neighbor XCONNECT remote-as 4200000000 + neighbor XCONNECT timers 1 3 + neighbor 192.168.255.2 peer-group XCONNECT + ! + address-family ipv4 unicast + redistribute connected route-map LOOPBACKS + exit-address-family + ! + address-family l2vpn evpn + advertise-all-vni + neighbor FABRIC activate + neighbor FABRIC allowas-in 2 + neighbor XCONNECT activate + neighbor XCONNECT allowas-in 2 + exit-address-family +! +router bgp 4200000000 vrf Vrf46 + bgp router-id 10.0.0.1 + bgp bestpath as-path multipath-relax + neighbor EXTERNAL peer-group + neighbor EXTERNAL remote-as external + neighbor EXTERNAL timers 1 3 + ! + address-family ipv4 unicast + redistribute connected + neighbor EXTERNAL remove-private-AS all + exit-address-family + ! + address-family l2vpn evpn + advertise ipv4 unicast + exit-address-family +! +route-map LOOPBACKS permit 10 + match interface Loopback0 +! +line vty +! \ No newline at end of file diff --git a/partition/roles/sonic/test/data/l2_leaf/input.yaml b/partition/roles/sonic/test/data/l2_leaf/input.yaml new file mode 100644 index 00000000..1e348c43 --- /dev/null 
+++ b/partition/roles/sonic/test/data/l2_leaf/input.yaml 
@@ -0,0 +1,215 @@ +--- +inventory_hostname: l2leaf01 +sonic_asn: 4200000000 +sonic_loopback_address: 10.0.0.1 + +sonic_breakouts: + Ethernet0: "4x25G" + Ethernet4: "4x25G" + +sonic_ports_default_mtu: 9000 +sonic_ports_default_speed: 25000 +sonic_ports_dict: + Ethernet0: + Ethernet1: + Ethernet2: + Ethernet4: + Ethernet5: +# L2 interconnects + Ethernet112: + speed: 100000 + mtu: 9216 + Ethernet116: + speed: 100000 + mtu: 9216 +# Spine uplinks + Ethernet120: + speed: 100000 + mtu: 9216 + Ethernet124: + speed: 100000 + mtu: 9216 + +sonic_running_cfg_breakouts: + Ethernet0: + brkout_mode: "4x25G" + Ethernet4: + brkout_mode: "4x25G" + Ethernet112: + brkout_mode: "1x100G[40G]" + Ethernet116: + brkout_mode: "1x100G[40G]" + Ethernet120: + brkout_mode: "1x100G[40G]" + Ethernet124: + brkout_mode: "1x100G[40G]" + +sonic_running_cfg_hwsku: Accton-AS7726-32X +sonic_running_cfg_mac: e0:01:a6:e3:29:3c +sonic_running_cfg_platform: x86_64-accton_as7726_32x-r0 + +sonic_running_cfg_ports: + Ethernet0: + alias: Eth1/1(Port1) + index: "1" + lanes: "1" + parent_port: Ethernet0 + speed: "25000" + Ethernet1: + alias: Eth1/2(Port1) + index: "1" + lanes: "2" + parent_port: Ethernet0 + speed: "25000" + Ethernet2: + alias: Eth1/3(Port1) + index: "1" + lanes: "3" + parent_port: Ethernet0 + speed: "25000" + Ethernet3: + alias: Eth1/4(Port1) + index: "1" + lanes: "4" + parent_port: Ethernet0 + speed: "25000" + Ethernet4: + alias: Eth2/1(Port2) + index: "2" + lanes: "1" + parent_port: Ethernet4 + speed: "25000" + Ethernet5: + alias: Eth2/2(Port2) + index: "2" + lanes: "2" + parent_port: Ethernet4 + speed: "25000" + Ethernet6: + alias: Eth2/3(Port2) + index: "2" + lanes: "3" + parent_port: Ethernet4 + speed: "25000" + Ethernet7: + alias: Eth2/4(Port2) + index: "2" + lanes: "4" + parent_port: Ethernet4 + speed: "25000" + Ethernet112: + alias: Eth29(Port29) + index: "29" + lanes: "113,114,115,116" + parent_port: Ethernet112 + speed: "100000" + Ethernet116: + alias: Eth30(Port30) + index: "30" + 
lanes: "117,118,119,120" + parent_port: Ethernet116 + speed: "100000" + Ethernet120: + alias: Eth31(Port31) + index: "31" + lanes: "121,122,123,124" + parent_port: Ethernet120 + speed: "100000" + Ethernet124: + alias: Eth32(Port32) + index: "32" + lanes: "125,126,127,128" + parent_port: Ethernet124 + speed: "100000" + +sonic_bgp_ports: +- Ethernet120 +- Ethernet124 + +sonic_vlans: +- id: 1000 + ip: "192.168.255.1/24" + tagged_ports: + - PortChannel01 +- id: 1001 + vrf: Vrf46 + tagged_ports: + - PortChannel01 + untagged_ports: + - PortChannel11 + - PortChannel12 + - PortChannel21 + - PortChannel22 + - PortChannel23 + +sonic_vteps: +- comment: "Croit storage" + vlan: Vlan1001 + vni: 46 + +sonic_interconnects: + croit: + vrf: Vrf46 + vni: 46 + announcements: + - redistribute connected + xconnect: + peer_group: XCONNECT + evpn_peer: true + neighbor_ip: "192.168.255.2" + remote_as: "4200000000" + +sonic_mclag: + system_mac: 00:11:22:33:44:55 + peer_ip: "192.168.255.2" + peer_link: PortChannel01 + source_ip: "192.168.255.1" + keepalive_vlan: "1000" + member_port_channels: + - "11" + - "12" + - "21" + - "22" + - "23" + +sonic_portchannels_default_mtu: 9000 +sonic_portchannels: +- number: "01" + mtu: "9216" + members: + - Ethernet112 + - Ethernet116 +- number: "11" + fallback: true + members: + - Ethernet4 +- number: "12" + fallback: "true" + members: + - Ethernet5 +- number: "21" + fallback: "True" + members: + - Ethernet0 +- number: "22" + fallback: false + members: + - Ethernet1 +- number: "23" + members: + - Ethernet2 + +sonic_sag: + mac: 00:11:22:33:44:66 + vlans: + - id: 1001 + ip: 10.3.2.1/27 + +sonic_frr_l2vpn_evpn: true +sonic_frr_route_map: + name: LOOPBACKS + match: interface Loopback0 + +sonic_ssh_sourceranges: +- "1.2.3.4/32" +- "10.11.0.0/16" diff --git a/partition/roles/sonic/test/data/l2_leaf/metal.yaml b/partition/roles/sonic/test/data/l2_leaf/metal.yaml new file mode 100644 index 00000000..e1f05736 --- /dev/null 
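Review bot: `system_mac: 00:11:22:33:44:55` and `mac: 00:11:22:33:44:66` in the new l2_leaf fixture are unquoted; they survive only because the leading digit is 0. A MAC whose first octet starts with a non-zero digit and contains no letters (constructed example: `10:11:22:33:44:55`) is parsed as a base-60 integer by YAML 1.1 loaders such as PyYAML, which is what Ansible's loader builds on, and would reach `mclag_system_id` as a number. Quote both, `system_mac: "00:11:22:33:44:55"` and `mac: "00:11:22:33:44:66"`, as the fixture already does for `peer_ip` and `keepalive_vlan`.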
+++ b/partition/roles/sonic/test/data/l2_leaf/metal.yaml 
@@ -0,0 +1,346 @@ +--- +DEVICE_METADATA: + localhost: + docker_routing_config_mode: "split" + hostname: "l2leaf01" + hwsku: "Accton-AS7726-32X" + mac: "e0:01:a6:e3:29:3c" + platform: "x86_64-accton_as7726_32x-r0" + type: "LeafRouter" + frr_mgmt_framework_config: "true" + +FEATURE: + dhcp_relay: + auto_restart: enabled + state: enabled + +NTP: + global: + src_intf: "eth0" + +NTP_SERVER: + +LOOPBACK_INTERFACE: + Loopback0: {} + Loopback0|10.0.0.1/32: {} + +MCLAG_DOMAIN: + "1": + mclag_system_id: "00:11:22:33:44:55" + peer_ip: "192.168.255.2" + peer_link: "PortChannel01" + source_ip: "192.168.255.1" + +MCLAG_INTERFACE: + "1|PortChannel11": + if_type: "PortChannel" + "1|PortChannel12": + if_type: "PortChannel" + "1|PortChannel21": + if_type: "PortChannel" + "1|PortChannel22": + if_type: "PortChannel" + "1|PortChannel23": + if_type: "PortChannel" + +MCLAG_UNIQUE_IP: + "Vlan1000": + unique_ip: "enable" + +MGMT_PORT: + eth0: + alias: "eth0" + admin_status: "up" + description: "Management Port" + +MGMT_VRF_CONFIG: + vrf_global: + mgmtVrfEnabled: "true" + +INTERFACE: + Ethernet120: + ipv6_use_link_local_only: enable + Ethernet124: + ipv6_use_link_local_only: enable + +BREAKOUT_CFG: + Ethernet0: + brkout_mode: "4x25G" + Ethernet4: + brkout_mode: "4x25G" + Ethernet112: + brkout_mode: "1x100G[40G]" + Ethernet116: + brkout_mode: "1x100G[40G]" + Ethernet120: + brkout_mode: "1x100G[40G]" + Ethernet124: + brkout_mode: "1x100G[40G]" + +PORT: + Ethernet0: + alias: Eth1/1(Port1) + autoneg: "off" + index: "1" + lanes: "1" + parent_port: Ethernet0 + admin_status: up + speed: "25000" + mtu: "9000" + fec: "none" + Ethernet1: + alias: Eth1/2(Port1) + autoneg: "off" + index: "1" + lanes: "2" + parent_port: Ethernet0 + admin_status: up + speed: "25000" + mtu: "9000" + fec: "none" + Ethernet2: + alias: Eth1/3(Port1) + autoneg: "off" + index: "1" + lanes: "3" + parent_port: Ethernet0 + admin_status: up + speed: "25000" + mtu: "9000" + fec: "none" + Ethernet3: + alias: Eth1/4(Port1) + autoneg: 
"off" + index: "1" + lanes: "4" + parent_port: Ethernet0 + speed: "25000" + Ethernet4: + alias: Eth2/1(Port2) + autoneg: "off" + index: "2" + lanes: "1" + parent_port: Ethernet4 + admin_status: up + speed: "25000" + mtu: "9000" + fec: "none" + Ethernet5: + alias: Eth2/2(Port2) + autoneg: "off" + index: "2" + lanes: "2" + parent_port: Ethernet4 + admin_status: up + speed: "25000" + mtu: "9000" + fec: "none" + Ethernet6: + alias: Eth2/3(Port2) + autoneg: "off" + index: "2" + lanes: "3" + parent_port: Ethernet4 + speed: "25000" + Ethernet7: + alias: Eth2/4(Port2) + autoneg: "off" + index: "2" + lanes: "4" + parent_port: Ethernet4 + speed: "25000" + Ethernet112: + alias: Eth29(Port29) + autoneg: "off" + index: "29" + lanes: "113,114,115,116" + parent_port: Ethernet112 + admin_status: up + speed: "100000" + mtu: "9216" + fec: "none" + Ethernet116: + alias: Eth30(Port30) + autoneg: "off" + index: "30" + lanes: "117,118,119,120" + parent_port: Ethernet116 + admin_status: up + speed: "100000" + mtu: "9216" + fec: "none" + Ethernet120: + alias: Eth31(Port31) + autoneg: "off" + index: "31" + lanes: "121,122,123,124" + parent_port: Ethernet120 + admin_status: up + speed: "100000" + mtu: "9216" + fec: "none" + Ethernet124: + alias: Eth32(Port32) + autoneg: "off" + index: "32" + lanes: "125,126,127,128" + parent_port: Ethernet124 + admin_status: up + speed: "100000" + mtu: "9216" + fec: "none" + +PORTCHANNEL: + PortChannel01: + admin_status: "up" + fast_rate: "false" + lacp_key: "auto" + min_links: "1" + mix_speed: "false" + mtu: "9216" + PortChannel11: + admin_status: "up" + fallback: "True" + fast_rate: "false" + lacp_key: "auto" + min_links: "1" + mix_speed: "false" + mtu: "9000" + PortChannel12: + admin_status: "up" + fallback: "True" + fast_rate: "false" + lacp_key: "auto" + min_links: "1" + mix_speed: "false" + mtu: "9000" + PortChannel21: + admin_status: "up" + fallback: "True" + fast_rate: "false" + lacp_key: "auto" + min_links: "1" + mix_speed: "false" + mtu: "9000" + 
PortChannel22: + admin_status: "up" + fallback: "False" + fast_rate: "false" + lacp_key: "auto" + min_links: "1" + mix_speed: "false" + mtu: "9000" + PortChannel23: + admin_status: "up" + fast_rate: "false" + lacp_key: "auto" + min_links: "1" + mix_speed: "false" + mtu: "9000" + +PORTCHANNEL_MEMBER: + PortChannel01|Ethernet112: {} + PortChannel01|Ethernet116: {} + PortChannel11|Ethernet4: {} + PortChannel12|Ethernet5: {} + PortChannel21|Ethernet0: {} + PortChannel22|Ethernet1: {} + PortChannel23|Ethernet2: {} + +SAG: + "Vlan1001|IPv4": + gwip: + - "10.3.2.1/27" + +SAG_GLOBAL: + IP: + IPv4: "enable" + gwmac: "00:11:22:33:44:66" + +VLAN: + Vlan1000: + vlanid: 1000 + Vlan1001: + vlanid: 1001 + +VLAN_INTERFACE: + Vlan1000: {} + Vlan1000|192.168.255.1/24: {} + Vlan1001: + vrf_name: "Vrf46" + +VLAN_MEMBER: + Vlan1000|PortChannel01: + tagging_mode: tagged + Vlan1001|PortChannel11: + tagging_mode: untagged + Vlan1001|PortChannel12: + tagging_mode: untagged + Vlan1001|PortChannel21: + tagging_mode: untagged + Vlan1001|PortChannel22: + tagging_mode: untagged + Vlan1001|PortChannel23: + tagging_mode: untagged + Vlan1001|PortChannel01: + tagging_mode: tagged + +VXLAN_EVPN_NVO: + nvo: + source_vtep: vtep + +VXLAN_TUNNEL: + vtep: + src_ip: "10.0.0.1" + +VXLAN_TUNNEL_MAP: + # Croit storage + "vtep|map_46_Vlan1001": + vlan: "Vlan1001" + vni: "46" + +VRF: + Vrf46: + vni: "46" + +LLDP: + Global: + hello_timer: 10 + +ACL_RULE: + ALLOW_SSH|DEFAULT_RULE: + ETHER_TYPE: "2048" + PACKET_ACTION: "DROP" + PRIORITY: "1" + ALLOW_SSH|RULE_1: + PACKET_ACTION: "ACCEPT" + PRIORITY: "91" + SRC_IP: "1.2.3.4/32" + ALLOW_SSH|RULE_2: + PACKET_ACTION: "ACCEPT" + PRIORITY: "92" + SRC_IP: "10.11.0.0/16" + ALLOW_NTP|DEFAULT_RULE: + ETHER_TYPE: "2048" + PACKET_ACTION: "DROP" + PRIORITY: "1" + ALLOW_NTP|RULE_1: + PACKET_ACTION: "ACCEPT" + PRIORITY: "99" + SRC_IP: "0.0.0.0/0" + +ACL_TABLE: + ALLOW_SSH: + policy_desc: "Allow SSH access" + ports: [] + services: + - "SSH" + stage: "ingress" + type: "CTRLPLANE" 
+ ALLOW_NTP: + policy_desc: "Allow NTP" + ports: [] + services: + - "NTP" + stage: "ingress" + type: "CTRLPLANE" From 94a4261e8ac1dafc0a1dfb59a8825359b74f2510 Mon Sep 17 00:00:00 2001 
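Review bot: `NTP_SERVER:` in the new fixture is a bare key, which YAML reads as null rather than an empty table, while the sibling `Loopback0: {}` entries spell an empty mapping explicitly; `NTP_SERVER: {}` would pin the expected value unambiguously. This file is presumably the expected render of metal.yaml.j2, so the change belongs in the template's NTP_SERVER stanza with the fixture updated to match. Separately, `ALLOW_NTP|RULE_1` pins `SRC_IP: "0.0.0.0/0"` together with `PACKET_ACTION: "ACCEPT"`, so the fixture locks in a control-plane NTP ACL that accepts from any source while the SSH table is narrowed to `sonic_ssh_sourceranges`; if that is intentional, a comment in the template saying why NTP is not restricted to the configured servers would save the next reader a question.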
From: Gerrit Date: Thu, 6 Jun 2024 13:01:13 +0200 Subject: [PATCH 07/49] Move `leaf` and `router` role from metal-roles into mini-lab. (#281) --- partition/README.md | 2 - partition/roles/leaf/files/bridgemac.json | 7 -- partition/roles/leaf/handlers/main.yaml | 13 --- partition/roles/leaf/tasks/main.yaml | 33 ------- .../roles/leaf/templates/bak/frr.conf.j2.bak | 1 - .../leaf/templates/bak/interfaces.j2.bak | 1 - partition/roles/leaf/templates/frr.conf.j2 | 41 --------- partition/roles/leaf/templates/interfaces.j2 | 57 ------------- partition/roles/router/defaults/main.yaml | 5 -- .../files/99control_plane_catch_all.rules | 36 -------- partition/roles/router/files/daemons | 2 - .../router/files/frr-validation@.service | 10 --- partition/roles/router/files/ifreload.service | 10 --- .../files/interfaces-validation@.service | 10 --- .../router/files/lldpd.d/portsubtype.conf | 2 - .../router/files/lldpd.d/tx-interval.conf | 1 - partition/roles/router/handlers/main.yaml | 50 ----------- partition/roles/router/tasks/main.yaml | 85 ------------------- partition/roles/router/tasks/mgmt_vrf.yaml | 22 ----- .../roles/router/tasks/switch_plane.yaml | 14 --- .../roles/router/templates/ports.conf.j2 | 5 -- .../roles/router/templates/resolv.conf.j2 | 3 - 22 files changed, 410 deletions(-) delete mode 100644 partition/roles/leaf/files/bridgemac.json delete mode 100644 partition/roles/leaf/handlers/main.yaml delete mode 100644 partition/roles/leaf/tasks/main.yaml delete mode 100644 partition/roles/leaf/templates/bak/frr.conf.j2.bak delete mode 100644 partition/roles/leaf/templates/bak/interfaces.j2.bak delete mode 100644 partition/roles/leaf/templates/frr.conf.j2 delete mode 100644 partition/roles/leaf/templates/interfaces.j2 delete mode 100644 partition/roles/router/defaults/main.yaml delete mode 100644 partition/roles/router/files/99control_plane_catch_all.rules delete mode 100644 partition/roles/router/files/daemons delete mode 100644 
partition/roles/router/files/frr-validation@.service delete mode 100644 partition/roles/router/files/ifreload.service delete mode 100644 partition/roles/router/files/interfaces-validation@.service delete mode 100644 partition/roles/router/files/lldpd.d/portsubtype.conf delete mode 100644 partition/roles/router/files/lldpd.d/tx-interval.conf delete mode 100644 partition/roles/router/handlers/main.yaml delete mode 100644 partition/roles/router/tasks/main.yaml delete mode 100644 partition/roles/router/tasks/mgmt_vrf.yaml delete mode 100644 partition/roles/router/tasks/switch_plane.yaml delete mode 100644 partition/roles/router/templates/ports.conf.j2 delete mode 100644 partition/roles/router/templates/resolv.conf.j2 diff --git a/partition/README.md b/partition/README.md index be05f469..d61154e8 100644 --- a/partition/README.md +++ b/partition/README.md @@ -38,11 +38,9 @@ You can look up all the default values [here](partition-defaults/main.yaml). | [dhcp-relay](roles/dhcp-relay) | Deploys a dhcp-relay | | [docker-on-cumulus](roles/docker-on-cumulus) | Deploys docker on cumulus | | [metal-bmc](roles/metal-bmc) | Deploys metal-bmc | -| [leaf](roles/leaf) | Deploys network config for cumulus switches | | [metal-core](roles/metal-core) | Deploys metal-core | | [pixiecore](roles/pixiecore) | Deploys pixiecore | | [promtail](roles/promtail) | Deploys promtail | -| [router](roles/router) | Deploys router config on cumulus switches | ## Examples diff --git a/partition/roles/leaf/files/bridgemac.json b/partition/roles/leaf/files/bridgemac.json deleted file mode 100644 index 14b83eda..00000000 --- a/partition/roles/leaf/files/bridgemac.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "bridge": { - "module_globals": { - "bridge_mac_iface": ["eth0", "eth1"] - } - } -} diff --git a/partition/roles/leaf/handlers/main.yaml b/partition/roles/leaf/handlers/main.yaml deleted file mode 100644 index 86eca2de..00000000 --- a/partition/roles/leaf/handlers/main.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -- name: reload interfaces - shell: sleep 3; ifreload -a - async: 1 - poll: 0 - notify: wait for new connection - -- name: wait for new connection - wait_for_connection: - connect_timeout: 20 - sleep: 5 - delay: 5 - timeout: 300 diff --git a/partition/roles/leaf/tasks/main.yaml b/partition/roles/leaf/tasks/main.yaml deleted file mode 100644 index c7af3fb3..00000000 --- a/partition/roles/leaf/tasks/main.yaml +++ /dev/null @@ -1,33 +0,0 @@ ---- -- name: configure leaf - include_role: - name: metal-roles/partition/roles/router - vars: - router_enable_static_route_leak: true - -- name: flush handlers - meta: flush_handlers - -- name: masquerade for eth0 - iptables: - table: nat - chain: POSTROUTING - out_interface: eth0 - jump: MASQUERADE - -- name: check for static route in mgmt vrf - command: ip r s vrf mgmt - register: route_check - changed_when: false - -- name: ensure that static route for return path to pxe network is present - command: "ip r a 10.0.1.0/24 vrf mgmt via {{ dhcp_server_ip }} dev vlan4000" - when: - - '"10.0.1.0/24" not in route_check.stdout' - - dhcp_server_ip is defined - -- name: create bridgemac.json - copy: - src: bridgemac.json - dest: /etc/network/ifupdown2/policy.d/bridgemac.json - notify: reload interfaces diff --git a/partition/roles/leaf/templates/bak/frr.conf.j2.bak b/partition/roles/leaf/templates/bak/frr.conf.j2.bak deleted file mode 100644 index 8b137891..00000000 --- a/partition/roles/leaf/templates/bak/frr.conf.j2.bak +++ /dev/null @@ -1 +0,0 @@ - diff --git a/partition/roles/leaf/templates/bak/interfaces.j2.bak b/partition/roles/leaf/templates/bak/interfaces.j2.bak deleted file mode 100644 index 8b137891..00000000 --- a/partition/roles/leaf/templates/bak/interfaces.j2.bak +++ /dev/null @@ -1 +0,0 @@ - diff --git a/partition/roles/leaf/templates/frr.conf.j2 b/partition/roles/leaf/templates/frr.conf.j2 deleted file mode 100644 index 384314af..00000000 
--- a/partition/roles/leaf/templates/frr.conf.j2 +++ /dev/null @@ -1,41 +0,0 @@ -#jinja2: lstrip_blocks: "True", trim_blocks: "True" -frr version 4.0+cl3u9 -frr defaults datacenter -hostname {{ ansible_hostname }} -username cumulus nopassword -! -service integrated-vtysh-config -! -log syslog informational -! -vrf mgmt - ip route 10.0.1.0/24 {{ ansible_host }} nexthop-vrf default - exit-vrf -! -router bgp {{ asn }} - bgp router-id {{ lo }} - neighbor FABRIC peer-group - neighbor FABRIC remote-as external - {% for iface in uplinks %} - neighbor {{ iface.name }} interface peer-group FABRIC - {% endfor %} - ! - address-family ipv4 unicast - neighbor FABRIC activate - redistribute connected route-map LOOPBACKS - exit-address-family - ! - address-family l2vpn evpn - neighbor FABRIC activate - advertise-all-vni - exit-address-family -! -route-map LOOPBACKS permit 10 - match interface lo -! -{% if metal_partition_mgmt_gateway %} -ip route 0.0.0.0/0 {{ metal_partition_mgmt_gateway }} nexthop-vrf mgmt -! -{% endif %} -line vty -! diff --git a/partition/roles/leaf/templates/interfaces.j2 b/partition/roles/leaf/templates/interfaces.j2 deleted file mode 100644 index b65f7590..00000000 --- a/partition/roles/leaf/templates/interfaces.j2 +++ /dev/null 
@@ -1,57 +0,0 @@ -# This file describes the network interfaces available on your system -# and how to activate them. For more information, see interfaces(5). - -source /etc/network/interfaces.d/*.intf - -# The loopback network interface -auto lo -iface lo inet loopback - address {{ lo }}/32 - -# The primary network interface -auto eth0 -iface eth0 inet dhcp - vrf mgmt - -auto mgmt -iface mgmt - address 127.0.0.1/8 - vrf-table auto - -{% for iface in interfaces %} -auto {{ iface.name }} -iface {{ iface.name }} - mtu {{ mtu.default }} - bridge-access 4000 - -{% endfor %} -{% for iface in uplinks %} -auto {{ iface.name }} -iface {{ iface.name }} - mtu {{ mtu.vxlan }} - -{% endfor %} - -auto bridge -iface bridge - bridge-ports {% for iface in interfaces %}{{ iface.name }} {% endfor %}vni104000 - bridge-vids 4000 - bridge-vlan-aware yes - -auto vlan4000 -iface vlan4000 - mtu {{ mtu.default }} - address {{ metal_core_cidr }} - vlan-id 4000 - vlan-raw-device bridge - -auto vni104000 -iface vni104000 - mtu {{ mtu.default }} - bridge-access 4000 - bridge-learning off - mstpctl-bpduguard yes - mstpctl-portbpdufilter yes - vxlan-id 104000 - vxlan-local-tunnelip {{ lo }} - diff --git a/partition/roles/router/defaults/main.yaml b/partition/roles/router/defaults/main.yaml deleted file mode 100644 index 8d7b1500..00000000 --- a/partition/roles/router/defaults/main.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -router_enable_mgmt_vrf: true -router_enable_static_route_leak: false - -router_nameservers: [] diff --git a/partition/roles/router/files/99control_plane_catch_all.rules b/partition/roles/router/files/99control_plane_catch_all.rules deleted file mode 100644 index d469ae8e..00000000 --- a/partition/roles/router/files/99control_plane_catch_all.rules +++ /dev/null 
@@ -1,36 +0,0 @@ -# -# Note: These are catch-all rules that shall be last in the over all rule set. -# - -INGRESS_INTF = swp+ - -INGRESS_CHAIN = INPUT - - - -[iptables] - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type LOCAL -j POLICE --set-mode pkt --set-rate 1000 --set-burst 10000 --set-class 2 - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 30000 --set-burst 70000 --set-class 2 - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j SETCLASS --class 0 - - -[ip6tables] - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type LOCAL -j POLICE --set-mode pkt --set-rate 1000 --set-burst 1000 --set-class 2 - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100 --set-class 2 - --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j SETCLASS --class 0 - - -[ebtables] - --A $INGRESS_CHAIN -p ipv4 --in-interface $INGRESS_INTF -j ACCEPT --A $INGRESS_CHAIN -p ipv6 --in-interface $INGRESS_INTF -j ACCEPT --A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j setclass --class 0 -# ipv4 multicast misses --A $INGRESS_CHAIN -p ipv4 -d 01:00:5e:00:00:00/ff:ff:ff:80:00:00 -j police --set-mode pkt --set-rate 100 --set-burst 100 --A $INGRESS_CHAIN -j police --set-mode pkt --set-rate 100 --set-burst 100 diff --git a/partition/roles/router/files/daemons b/partition/roles/router/files/daemons deleted file mode 100644 index c86f9822..00000000 --- a/partition/roles/router/files/daemons +++ /dev/null @@ -1,2 +0,0 @@ -bgpd=yes -zebra=yes \ No newline at end of file diff --git a/partition/roles/router/files/frr-validation@.service b/partition/roles/router/files/frr-validation@.service deleted file mode 100644 index d2e9e276..00000000 --- a/partition/roles/router/files/frr-validation@.service +++ /dev/null 
@@ -1,10 +0,0 @@ -[Unit] -Description=Trigger a validation run of a frr configuration file %I - -[Service] -Type=oneshot -ExecStart=/usr/bin/vtysh --dryrun --inputfile %I -StandardOutput=journal - -[Install] -WantedBy=multi-user.target diff --git a/partition/roles/router/files/ifreload.service b/partition/roles/router/files/ifreload.service deleted file mode 100644 index a71205a4..00000000 --- a/partition/roles/router/files/ifreload.service +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=Trigger Interface Reload with ifreload - -[Service] -Type=oneshot -ExecStart=/sbin/ifreload -v -a -StandardOutput=journal - -[Install] -WantedBy=multi-user.target diff --git a/partition/roles/router/files/interfaces-validation@.service b/partition/roles/router/files/interfaces-validation@.service deleted file mode 100644 index 9df7795b..00000000 --- a/partition/roles/router/files/interfaces-validation@.service +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=Trigger a validation of a network interfaces file %I - -[Service] -Type=oneshot -ExecStart=/sbin/ifup --syntax-check --verbose --all --interfaces %I -StandardOutput=journal - -[Install] -WantedBy=multi-user.target diff --git a/partition/roles/router/files/lldpd.d/portsubtype.conf b/partition/roles/router/files/lldpd.d/portsubtype.conf deleted file mode 100644 index c54ba139..00000000 --- a/partition/roles/router/files/lldpd.d/portsubtype.conf +++ /dev/null @@ -1,2 +0,0 @@ -configure lldp portidsubtype macaddress - diff --git a/partition/roles/router/files/lldpd.d/tx-interval.conf b/partition/roles/router/files/lldpd.d/tx-interval.conf deleted file mode 100644 index 44c7ec2b..00000000 --- a/partition/roles/router/files/lldpd.d/tx-interval.conf +++ /dev/null @@ -1 +0,0 @@ -configure lldp tx-interval 10 diff --git a/partition/roles/router/handlers/main.yaml b/partition/roles/router/handlers/main.yaml deleted file mode 100644 index b4c228f3..00000000 --- a/partition/roles/router/handlers/main.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -- name: reload systemd - systemd: - daemon_reload: yes - -- name: reload sysctl - command: sysctl --system - -- name: restart switchd - service: - name: switchd.service - enabled: true - state: restarted - -- name: reload interfaces - shell: sleep 3; ifreload -a - async: 1 - poll: 0 - notify: wait for new connection - -- name: wait for new connection - wait_for_connection: - connect_timeout: 20 - sleep: 5 - delay: 5 - timeout: 300 - -- name: reload frr - service: - name: frr - enabled: true - state: reloaded - -- name: restart frr - service: - name: frr - enabled: true - state: restarted - -- name: lldpd restart - service: - name: lldpd - enabled: true - state: restarted - -- name: restart ntp@mgmt - service: - name: ntp@mgmt - enabled: true - state: restarted diff --git a/partition/roles/router/tasks/main.yaml b/partition/roles/router/tasks/main.yaml deleted file mode 100644 index 734a48d6..00000000 --- a/partition/roles/router/tasks/main.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -- name: configure mgmt vrf - import_tasks: mgmt_vrf.yaml - when: router_enable_mgmt_vrf - -- name: configure switch plane - import_tasks: switch_plane.yaml - when: ports is defined - -- name: flush handlers - meta: flush_handlers - -- name: install services - copy: - src: "{{ item }}" - dest: "/etc/systemd/system/{{ item }}" - notify: reload systemd - with_items: - - frr-validation@.service - - interfaces-validation@.service - - ifreload.service - -- name: copy lldpd configs - copy: - src: lldpd.d/ - dest: /etc/lldpd.d/ - notify: lldpd restart - -- name: check if lldpd has the correct portidsubtype setting - shell: lldpcli show configuration | grep subtype - register: lldpd_subtype_check - changed_when: false - -- name: trigger lldpd restart if portidsubtype setting is wrong - service: - name: lldpd - state: restarted - when: ("macaddress" not in lldpd_subtype_check.stdout) - -- name: populate service facts - service_facts: - -- name: render interfaces configuration - template: - src: interfaces.j2 - dest: /etc/network/interfaces - validate: '/sbin/ifup --syntax-check --all --interfaces %s' - notify: reload interfaces - when: "ansible_facts.services['metal-core.service'] is not defined" - -- name: render custom interfaces configuration section - copy: - content: "{{ custom_interface_section }}" - dest: /etc/network/interfaces.d/99_custom.intf - validate: '/sbin/ifup --syntax-check --all --interfaces %s' - notify: reload interfaces - when: custom_interface_section is defined - -- name: render resolv.conf - template: - src: resolv.conf.j2 - dest: /etc/resolv.conf - notify: reload interfaces - -- name: enable frr daemons - copy: - src: daemons - dest: /etc/frr/daemons - notify: restart frr - -- name: render frr configuration - template: - src: frr.conf.j2 - dest: /etc/frr/frr.conf - validate: '/usr/bin/vtysh --dryrun --inputfile %s' - tags: frr - register: frr_rendered - notify: reload frr - when: "ansible_facts.services['metal-core.service'] is 
not defined" - -- name: set hostname - nclu: - commands: - - add hostname {{ metal_partition_id }}-{{ inventory_hostname }} - commit: true diff --git a/partition/roles/router/tasks/mgmt_vrf.yaml b/partition/roles/router/tasks/mgmt_vrf.yaml deleted file mode 100644 index 5451e7bd..00000000 --- a/partition/roles/router/tasks/mgmt_vrf.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -- name: check if mgmt vrf is active - shell: vrf list | grep mgmt - changed_when: false - failed_when: false - register: mgmt_vrf_exists - -- name: activate mgmt vrf; drops connections - nclu: - commands: - - add vrf mgmt - commit: true - async: 1 - poll: 0 - when: mgmt_vrf_exists.rc != 0 - -- name: wait for new connection - wait_for_connection: - connect_timeout: 20 - sleep: 2 - delay: 6 - timeout: 60 diff --git a/partition/roles/router/tasks/switch_plane.yaml b/partition/roles/router/tasks/switch_plane.yaml deleted file mode 100644 index 6ccb1203..00000000 --- a/partition/roles/router/tasks/switch_plane.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: render ports.conf - template: - src: ports.conf.j2 - dest: /etc/cumulus/ports.conf - notify: restart switchd - -- name: enable static route leak to apply hardware support - replace: - path: /etc/cumulus/switchd.conf - regexp: '#vrf_route_leak_enable = FALSE' - replace: 'vrf_route_leak_enable = TRUE' - when: router_enable_static_route_leak - notify: restart switchd diff --git a/partition/roles/router/templates/ports.conf.j2 b/partition/roles/router/templates/ports.conf.j2 deleted file mode 100644 index 238f4970..00000000 --- a/partition/roles/router/templates/ports.conf.j2 +++ /dev/null @@ -1,5 +0,0 @@ -# ports.conf -- -# = [4x10G|4x25G|2x50G|40G|50G|100G] -{% for key, value in ports|dictsort %} -{{ key }}={{ value }} -{% endfor %} diff --git a/partition/roles/router/templates/resolv.conf.j2 b/partition/roles/router/templates/resolv.conf.j2 deleted file mode 100644 index 41c31ff2..00000000 
--- a/partition/roles/router/templates/resolv.conf.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-{% for ns in router_nameservers %}
-nameserver {{ ns }}
-{% endfor %}
From baeb80b57c87a5f9149b59c7a86cba3aadb93e4b Mon Sep 17 00:00:00 2001 From: Gerrit Date: Thu, 6 Jun 2024 14:22:52 +0200 Subject: [PATCH 08/49] Provide default for sonic portchannels. (#284) --- partition/roles/sonic/defaults/main.yaml | 5 ++++- partition/roles/sonic/templates/metal.yaml.j2 | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/partition/roles/sonic/defaults/main.yaml b/partition/roles/sonic/defaults/main.yaml
index 93f7be59..1506557c 100644
--- a/partition/roles/sonic/defaults/main.yaml
+++ b/partition/roles/sonic/defaults/main.yaml
@@ -11,9 +11,12 @@ sonic_ports: []
 sonic_ports_dict: {}
 sonic_ports_default_fec: none
+## Layer 2
+sonic_portchannels: []
+
 ## BGP related settings
 sonic_loopback_address:
-sonic_asn:
+sonic_asn:
 sonic_bgp_ports: []
 sonic_frr_render: true
 sonic_frr_debug_options: []
diff --git a/partition/roles/sonic/templates/metal.yaml.j2 b/partition/roles/sonic/templates/metal.yaml.j2
index 9102bc71..64c05914 100644
--- a/partition/roles/sonic/templates/metal.yaml.j2
+++ b/partition/roles/sonic/templates/metal.yaml.j2
@@ -117,7 +117,7 @@ PORT:
 speed: "{{ running_cfg.speed }}"
 {% endif %}
 {% endfor %}
-{% if sonic_portchannels is defined and sonic_portchannels|length > 0 %}
+{% if sonic_portchannels %}
 PORTCHANNEL:
 {% for po in sonic_portchannels %}
From 96535afd7e132a4899e550e72229fd3013825ecf Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Wed, 3 Jul 2024 13:52:34 +0200 Subject: [PATCH 09/49] ipam grpc server (#99) --- control-plane/roles/metal/README.md | 23 +++++++++++++------ .../roles/metal/defaults/main/main.yaml | 15 ++++++++---- control-plane/roles/metal/tasks/main.yaml | 2 ++ .../roles/metal/templates/metal-values.j2 | 19 +++++++++++---- defaults/main.yaml | 2 ++ 5 files changed, 44 insertions(+), 17 deletions(-)
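Review bot: `+sonic_asn:` is rewritten here only to strip trailing whitespace but stays a bare key, which parses as null, as does `sonic_loopback_address:` on the line above; since the same hunk introduces an explicit empty default `sonic_portchannels: []`, writing `sonic_asn: null` would make the deliberate no-default equally explicit and satisfy yamllint's empty-values rule. The metal.yaml.j2 hunk in this commit relies on that new default: `{% if sonic_portchannels %}` is correct now that the variable is always defined, and it also treats a host-level `sonic_portchannels:` (null) as empty, which is worth a one-line comment above the default.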
diff --git a/control-plane/roles/metal/README.md b/control-plane/roles/metal/README.md
index 760e79ad..39f88be8 100644
--- a/control-plane/roles/metal/README.md
+++ b/control-plane/roles/metal/README.md
@@ -25,7 +25,7 @@ You can look up all the default values of this role [here](defaults/main/main.ya
 ### Images
 | Name | Mandatory | Description |
-|----------------------------------------|-----------|-----------------------------------------|
+| -------------------------------------- | --------- | --------------------------------------- |
 | metal_api_image_name | yes | Image version of the metal-api |
 | metal_api_image_tag | yes | Image tag of the metal-api |
 | metal_api_image_pull_policy | | Image pull policy of the metal-api |
@@ -38,6 +38,8 @@ You can look up all the default values of this role [here](defaults/main/main.ya
 | metal_masterdata_api_image_name | yes | Image version of the masterdata-api |
 | metal_masterdata_api_image_tag | yes | Image tag of the masterdata-api |
 | metal_masterdata_api_image_pull_policy | | Image pull policy of the masterdata-api |
+| metal_ipam_image_name | yes | Image version of the ipam |
+| metal_ipam_image_tag | yes | Image tag of the ipam |
 ### Service Ports
@@ -52,7 +54,7 @@ You can look up all the default values of this role [here](defaults/main/main.ya
 ### metal-api
 | Name | Mandatory | Description |
-|-------------------------------------|-----------|------------------------------------------------------------------------------------------------|
+| ----------------------------------- | --------- | ---------------------------------------------------------------------------------------------- |
 | metal_api_replicas | | The number of deployed replicas of the metal-api |
 | metal_api_hpa_enabled | | Enables horizontal pod autoscaling for the metal-api |
 | metal_api_hpa_max | | Max amount of replicas for the HPA of the metal-api |
@@ -63,11 +65,7 @@ You can look up all the default values of this role [here](defaults/main/main.ya
 | metal_api_dex_clientid | | The trusted dex clientid |
 | metal_api_db_address | | The URL of the metal-db |
 | metal_api_db_password | | The password of the metal-db |
-| metal_api_ipam_db_address | | The URL to the ipam database |
-| metal_api_ipam_db_port | | The port of the ipam database |
-| metal_api_ipam_db_name | | The database name of the ipam database |
-| metal_api_ipam_db_user | | The user of the ipam database |
-| metal_api_ipam_db_password | | The password of the ipam database |
+| metal_api_ipam_grpc_server_endpoint | | The grpc endpoint address of the ipam grpc service (requires scheme) |
 | metal_api_nsq_lookupd_address | | The http address of nsqlookupd (only used for in-cluster traffic) |
 | metal_api_nsq_tcp_address | | The tcp address of nsqd |
 | metal_api_nsq_http_address | | The http address of nsqd (only used for in-cluster traffic) |
@@ -131,6 +129,17 @@ You can look up all the default values of this role [here](defaults/main/main.ya
 | metal_console_bmc_proxy_certs_client_cert | | The bmc-proxy client certificate as a string (required if enabled) |
 | metal_console_bmc_proxy_certs_client_key | | The bmc-proxy client key as a string (required if enabled) |
+### ipam
+
+| Name | Mandatory | Description |
+| ---------------------- | --------- | --------------------------------------------------------------------------------- |
+| metal_ipam_db_address | | The hostname of the ipam service |
+| metal_ipam_db_port | | The port of the ipam service |
+| metal_ipam_db_name | | The database name of the ipam service |
+| metal_ipam_db_user | | The user of the ipam service |
+| metal_ipam_db_password | | The password of the ipam service |
+| metal_ipam_log_level | | The log level for the ipam service (metal_log_level is not used for this service) |
+
 ### Ingress
 | Name | Mandatory | Description |
diff --git a/control-plane/roles/metal/defaults/main/main.yaml b/control-plane/roles/metal/defaults/main/main.yaml
index e6ea4f98..08813d8c 100644
--- a/control-plane/roles/metal/defaults/main/main.yaml
+++ b/control-plane/roles/metal/defaults/main/main.yaml
@@ -34,11 +34,7 @@ metal_api_dex_address: ""
 metal_api_dex_clientid: ""
 metal_api_db_address: metal-db
 metal_api_db_password: change-me
-metal_api_ipam_db_address: ipam-db
-metal_api_ipam_db_port: 5432
-metal_api_ipam_db_name: ipam
-metal_api_ipam_db_user: postgres
-metal_api_ipam_db_password: change-me
+metal_api_ipam_grpc_server_endpoint: http://ipam:9090
 metal_api_nsq_tcp_address: "{{ metal_control_plane_ingress_dns }}:4150"
 metal_api_nsq_http_address: "nsqd:4151"
 metal_api_nsq_lookupd_address: "nsq-lookupd:4161"
@@ -80,6 +76,15 @@ metal_masterdata_api_resources:
 metal_masterdata_api_tenants: []
 metal_masterdata_api_projects: []
+# ipam
+metal_ipam_image_pull_policy: "{{ metal_control_plane_image_pull_policy }}"
+metal_ipam_db_address: ipam-db
+metal_ipam_db_port: 5432
+metal_ipam_db_name: ipam
+metal_ipam_db_user: postgres
+metal_ipam_db_password: change-me
+metal_ipam_log_level: debug
+
 # metal-console
 metal_console_image_pull_policy: "{{ metal_control_plane_image_pull_policy }}"
 metal_console_enabled: false
diff --git a/control-plane/roles/metal/tasks/main.yaml b/control-plane/roles/metal/tasks/main.yaml
index 29b95047..34bfc911 100644
--- a/control-plane/roles/metal/tasks/main.yaml
+++ b/control-plane/roles/metal/tasks/main.yaml
@@ -18,6 +18,8 @@
 - metal_masterdata_api_tls_cert_key is defined
 - metal_masterdata_api_tls_client_cert is defined
 - metal_masterdata_api_tls_client_key is defined
+ - metal_ipam_image_name is defined
+ - metal_ipam_image_tag is defined
 - metal_console_image_name is defined
 - metal_console_image_tag is defined
 - metal_helm_chart_local_path is not none or metal_helm_chart_repo is defined
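Review bot: The new default `metal_api_ipam_grpc_server_endpoint: http://ipam:9090` hard-codes a plaintext scheme, so the metal-api to ipam gRPC channel is unencrypted unless an operator overrides the value, and neither this file nor the README row ("requires scheme") records that this is an in-cluster assumption. A comment above the line would make the trust boundary explicit, e.g. `# plaintext gRPC endpoint; assumes in-cluster traffic only -- TODO confirm TLS options before pointing this outside the cluster`. Whether the ipam service supports TLS on this endpoint is not visible in this diff, so the wording should be checked against the service's configuration.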
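Review bot: `metal_ipam_db_password: change-me` adds another deployable placeholder credential, and the assertion list extended in tasks/main.yaml (`@@ -18,6 +18,8 @@`, same line) only checks that `metal_ipam_image_name` and `metal_ipam_image_tag` are defined, not that this password was changed. The pattern matches `metal_api_db_password: change-me` above, but nothing stops a playbook from shipping the placeholder; either document the variable as mandatory in the README table or add `- metal_ipam_db_password != 'change-me'` next to the new assertions. `metal_ipam_log_level: debug` likewise makes verbose logging the default for a service that is handed database credentials; a comment on why debug is intended, or `info` as the default, would be worth a look.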
diff --git a/control-plane/roles/metal/templates/metal-values.j2 b/control-plane/roles/metal/templates/metal-values.j2
index 5aad510c..25c475f5 100644
--- a/control-plane/roles/metal/templates/metal-values.j2
+++ b/control-plane/roles/metal/templates/metal-values.j2
@@ -21,6 +21,10 @@ images:
 image: "{{ metal_masterdata_api_image_name }}"
 imagePullPolicy: "{{ metal_masterdata_api_image_pull_policy }}"
 tag: "{{ metal_masterdata_api_image_tag }}"
+ ipam:
+ image: "{{ metal_ipam_image_name }}"
+ imagePullPolicy: "{{ metal_console_image_pull_policy }}"
+ tag: "{{ metal_ipam_image_tag }}"
 resources:
 {% if metal_api_resources %}
@@ -59,14 +63,19 @@ ports:
 masterdata_api_metrics: {{ metal_masterdata_api_metrics_port }}
 metal_console: {{ metal_console_port }}
+ipam:
+ db_host: "{{ metal_ipam_db_address }}"
+ db_port: "{{ metal_ipam_db_port }}"
+ db_name: "{{ metal_ipam_db_name }}"
+ db_user: "{{ metal_ipam_db_user }}"
+ db_password: "{{ metal_ipam_db_password }}"
+ log_level: "{{ metal_ipam_log_level }}"
+
 metal_api:
 db_address: "{{ metal_api_db_address }}"
 db_password: "{{ metal_api_db_password }}"
- ipam_db_address: "{{ metal_api_ipam_db_address }}"
- ipam_db_port: "{{ metal_api_ipam_db_port }}"
- ipam_db_name: "{{ metal_api_ipam_db_name }}"
- ipam_db_user: "{{ metal_api_ipam_db_user }}"
- ipam_db_password: "{{ metal_api_ipam_db_password }}"
+ ipam_grpc_server_endpoint: "{{ metal_api_ipam_grpc_server_endpoint }}"
+
 nsq:
 lookupd_address: "{{ metal_api_nsq_lookupd_address }}"
 tcp_address: "{{ metal_api_nsq_tcp_address }}"
diff --git a/defaults/main.yaml b/defaults/main.yaml
index 2dc4d1e2..6e80bf87 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
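Review bot: The new `ipam:` image stanza reads `imagePullPolicy: "{{ metal_console_image_pull_policy }}"`, but the defaults added in this commit define `metal_ipam_image_pull_policy`, so the ipam pull policy silently follows the console setting and the new variable is never consumed; it should be `imagePullPolicy: "{{ metal_ipam_image_pull_policy }}"`. In the second hunk of this file the ipam database credentials move under a top-level `ipam:` values block including `db_password`; how the chart stores that value (Secret versus ConfigMap) is outside this diff and worth confirming when the template change is reviewed.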
@@ -20,6 +20,8 @@ metal_stack_release: metal_masterdata_api_image_name: "docker-images.metal-stack.control-plane.masterdata-api.name" metal_console_image_tag: "docker-images.metal-stack.control-plane.metal-console.tag" metal_console_image_name: "docker-images.metal-stack.control-plane.metal-console.name" + metal_ipam_image_tag: "docker-images.metal-stack.control-plane.ipam.tag" + metal_ipam_image_name: "docker-images.metal-stack.control-plane.ipam.name" metal_metrics_exporter_image_tag: "docker-images.metal-stack.control-plane.metal-metrics-exporter.tag" metal_metrics_exporter_image_name: "docker-images.metal-stack.control-plane.metal-metrics-exporter.name" rethinkdb_exporter_name: "docker-images.metal-stack.control-plane.rethinkdb-exporter.name" From aa86dfb5eb7edf852c5084244b9c3a5d71cf864c Mon Sep 17 00:00:00 2001 From: Gerrit Date: Tue, 9 Jul 2024 11:00:17 +0200 Subject: [PATCH 10/49] Allow providing metal-stack release version. (#289) --- control-plane/roles/metal/README.md | 1 + control-plane/roles/metal/defaults/main/main.yaml | 1 + control-plane/roles/metal/templates/metal-values.j2 | 1 + 3 files changed, 3 insertions(+) diff --git a/control-plane/roles/metal/README.md b/control-plane/roles/metal/README.md index 39f88be8..6e7eb92c 100644 --- a/control-plane/roles/metal/README.md +++ b/control-plane/roles/metal/README.md @@ -94,6 +94,7 @@ You can look up all the default values of this role [here](defaults/main/main.ya | metal_api_s3_secret | | The secret of the S3 server that serves firmwares | | metal_api_s3_firmware_bucket | | The S3 bucket name that contains the firmwares | | metal_api_password_reason_minlength | | If machine console password is requested this defines if and how long the given reason must be | +| metal_api_release_version | | The release version of metal-stack | | minimum_client_version | | minimum metalctl version which is required to talk to this metal-api instance | ### masterdata-api 
diff --git a/control-plane/roles/metal/defaults/main/main.yaml b/control-plane/roles/metal/defaults/main/main.yaml index 08813d8c..9d47129e 100644 --- a/control-plane/roles/metal/defaults/main/main.yaml +++ b/control-plane/roles/metal/defaults/main/main.yaml @@ -60,6 +60,7 @@ metal_api_s3_key: metal_api_s3_secret: metal_api_s3_firmware_bucket: metal_api_password_reason_minlength: +metal_api_release_version: "{{ metal_stack_release_version }}" minimum_client_version: "{{ metalctl_version }}" # masterdata-api diff --git a/control-plane/roles/metal/templates/metal-values.j2 b/control-plane/roles/metal/templates/metal-values.j2 index 25c475f5..e825a1c1 100644 --- a/control-plane/roles/metal/templates/metal-values.j2 +++ b/control-plane/roles/metal/templates/metal-values.j2 @@ -111,6 +111,7 @@ metal_api: view_key: "{{ metal_api_view_key }}" edit_key: "{{ metal_api_edit_key }}" admin_key: "{{ metal_api_admin_key }}" + release_version: "{{ metal_api_release_version }}" minimum_client_version: "{{ metalctl_version }}" {% if metal_api_password_reason_minlength %} password_reason_minlength: "{{ metal_api_password_reason_minlength }}" From c654c4f34d2b1ae00fc71575cef64d0f31842eba Mon Sep 17 00:00:00 2001 From: Simon Mayer <49491825+simcod@users.noreply.github.com> Date: Thu, 18 Jul 2024 13:00:10 +0200 Subject: [PATCH 11/49] Configure metal core vlan (#288) --- partition/roles/metal-core/README.md | 3 ++- partition/roles/metal-core/defaults/main/main.yaml | 2 ++ partition/roles/metal-core/templates/metal-core-env.j2 | 1 + 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/partition/roles/metal-core/README.md b/partition/roles/metal-core/README.md index 67defc39..130d0701 100644 --- a/partition/roles/metal-core/README.md +++ b/partition/roles/metal-core/README.md 
@@ -15,7 +15,7 @@ You can look up all the default values of this role [here](defaults/main/main.ya | metal_core_image_name | yes | Image name of metal-core | | metal_core_image_tag | yes | Image tag of metal-core | | metal_core_cidr | | | -| metal_core_log_driver | | The log driver used for the metal-core container log | +| metal_core_log_driver | | The log driver used for the metal-core container log | | metal_core_log_level | | The metal-core log level | | metal_core_rack_id | yes | The rack id describing the rack in which the leaf switches are contained. Can be a logical rack name and is used by the metal-api to identify the switch pair | | metal_core_reconfigure_switch | | If set to true, metal-core will automatically reconfigure files on the switch | @@ -31,3 +31,4 @@ You can look up all the default values of this role [here](defaults/main/main.ya | metal_core_consider_hosts_file_resolution | | If set to true mounts `/etc/nsswitch.conf` into the container to enable dns resolution with the hosts file (see [go#22846](https://github.com/golang/go/issues/22846)) | | metal_core_interfaces_tpl_file | | The golang template file to use for rendering `/etc/network/interfaces`. If this is left blank the default template shipped with metal-core will be used. | | metal_core_frr_tpl_file | | The golang template file to use for rendering `/etc/frr/frr.conf`. If this is left blank the default template shipped with metal-core will be used. | +| metal_core_pxe_vlan_id | | The VLAN ID for the PXE machines. Defaults to `4000`. | diff --git a/partition/roles/metal-core/defaults/main/main.yaml b/partition/roles/metal-core/defaults/main/main.yaml index 4c1ae4b3..fb5a1ee4 100644 --- a/partition/roles/metal-core/defaults/main/main.yaml +++ b/partition/roles/metal-core/defaults/main/main.yaml @@ -20,3 +20,5 @@ metal_core_consider_hosts_file_resolution: false metal_core_interfaces_tpl_file: "" metal_core_frr_tpl_file: "" + +metal_core_pxe_vlan_id: 4000 
diff --git a/partition/roles/metal-core/templates/metal-core-env.j2 b/partition/roles/metal-core/templates/metal-core-env.j2
index 9692093b..68409280 100644
--- a/partition/roles/metal-core/templates/metal-core-env.j2
+++ b/partition/roles/metal-core/templates/metal-core-env.j2
@@ -28,3 +28,4 @@ METAL_CORE_SPINE_UPLINKS: "{{ metal_core_spine_uplinks | join(',') }}"
 {% endif %}
 METAL_CORE_INTERFACES_TPL_FILE: "{{ metal_core_interfaces_tpl_file }}"
 METAL_CORE_FRR_TPL_FILE: "{{ metal_core_frr_tpl_file }}"
+METAL_CORE_PXE_VLAN_ID: "{{ metal_core_pxe_vlan_id }}"
From 5a425a63089f4c09560aec5ffeff2b220b2802b0 Mon Sep 17 00:00:00 2001
From: Ilja Rotar <77339620+iljarotar@users.noreply.github.com>
Date: Thu, 18 Jul 2024 13:07:27 +0200
Subject: [PATCH 12/49] Allow configuring members of the gardener soil project (#286)
---
control-plane/roles/gardener/README.md | 61 ++++++++++---------
.../gardener/defaults/main/gardener.yaml | 1 +
control-plane/roles/gardener/tasks/main.yaml | 31 +---------
.../templates/gardener-soil-project.yaml.j2 | 41 +++++++++++++
.../gardener_soil_project_template_test.py | 38 ++++++++++++
.../test/mock/gardener_soil_project.yaml | 40 ++++++++++++
6 files changed, 153 insertions(+), 59 deletions(-)
create mode 100644 control-plane/roles/gardener/templates/gardener-soil-project.yaml.j2
create mode 100644 control-plane/roles/gardener/test/gardener_soil_project_template_test.py
create mode 100644 control-plane/roles/gardener/test/mock/gardener_soil_project.yaml
diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md
index be3e3b13..ded66fe3 100644
--- a/control-plane/roles/gardener/README.md
+++ b/control-plane/roles/gardener/README.md
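Review bot: `METAL_CORE_PXE_VLAN_ID: "{{ metal_core_pxe_vlan_id }}"` passes the configured VLAN ID through without any range check, so a value outside the 802.1Q range 1–4094 (or a non-numeric string) is only rejected inside metal-core at container start rather than at deploy time. The default `4000` set in the defaults hunk of this patch is fine, but now that the README documents the variable as operator-settable, the role's variable assertions (not visible in this hunk) would be the place for `- metal_core_pxe_vlan_id | int >= 1 and metal_core_pxe_vlan_id | int <= 4094`. A comment above the default, `# 802.1Q VLAN ID of the PXE network; valid range is 1-4094`, would also help.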
@@ -8,35 +8,36 @@ Check out the Gardener project for further documentation on [gardener.cloud](htt ## Variables -| Name | Mandatory | Description | -| ------------------------------------------------------ | --------- | ----------------------------------------------------------------------------------------------------------------------------- | -| gardener_image_vector_overwrite | | Allows overriding the image vector to set custom image versions for gardener | -| gardener_component_image_vector_overwrite | | Allows overriding the image vector to set custom image versions for gardenlet components | -| gardener_apiserver_replicas | | Specifies the amount of gardener-apiserver replicas | -| gardener_apiserver_vpa | | Enables the VPA for the gardener-apiserver | -| gardener_apiserver_resources | | Set custom resource definitions for the gardener-apiserver | -| gardener_apiserver_feature_gates | | Sets features gates for the gardener-apiserver | -| gardener_apiserver_shoot_kubeconfig_max_expiration | | Max shoot kubeconfig expiration for the gardener-apiserver | -| gardener_controller_manager_resources | | Set custom resource definitions for the gardener-controller-manager | -| gardener_scheduler_resources | | Set custom resource definitions for the gardener-scheduler | -| gardener_dns_domain | | Specifies the DNS domain on which the Gardener will manage DNS entries | -| gardener_dns_provider | yes | Specifies the DNS provider | -| gardener_backup_infrastructure | | Specifies the Gardener backup infrastructure | -| gardener_backup_infrastructure_secret | | Specifies the secret for the backup infrastructure | -| gardener_soil_name | | The name of the initial `Seed` (used for spinning up shooted seeds) | -| gardener_soil_kubeconfig_file_path | | The kubeconfig path to the initial seed cluster | -| gardener_soil_vertical_pod_autoscaler_enabled | | Enables the VPA for the intial seed cluster | -| gardener_soil_project_owner_name | | Specifies the owner name for the project 
that the initial seed uses to set up shooted seeds | -| gardener_gardenlet_shoot_concurrent_syncs | | Specifies the amount of concurrent shoot syncs for the Gardenlet | -| gardener_gardenlet_shoot_reconcile_in_maintenance_only | | Specifies whether to reconcile shoots only in their maintenance time windows for the Gardenlet | -| gardener_gardenlet_shoot_respect_sync_period_overwrite | | Specifies whether to allow sync period overwrites for shoot resources | -| gardener_shooted_seeds | | A list of definitions for shooted seeds reconcile by the initial seed cluster, will be turned into `ManagedSeeds` | -| gardener_shooted_seed_max_pods | | The max pods amount for the shooted seeds | -| gardener_shooted_seed_node_cidr_mask_size | | The node CIDR mask size used for the kubelets of the shooted seeds | -| gardener_shooted_seed_rollout_delay_minutes | | An optional delay between shooted seed rollouts (can be used to calm down bigger environments during an update) | -| gardener_kube_api_server_kubeconfig | | The kubeconfig for the Gardener Kubernetes API (virtual garden apiserver) | -| gardener_kube_apiserver_kubeconfig_path | | The acts on multiple Kubernetes APIs, this is where it puts the kubeconfig of the Gardener Kubernetes API | -| gardener_local_tmp_dir | | The acts on multiple Kubernetes APIs, this is a local folder in the deployment container to store the kubeconfigs (ephemeral) | +| Name | Mandatory | Description | +| ------------------------------------------------------ | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| gardener_image_vector_overwrite | | Allows overriding the image vector to set custom image versions for gardener | +| gardener_component_image_vector_overwrite | | Allows overriding the image vector to set custom image versions for gardenlet components | +| 
gardener_apiserver_replicas | | Specifies the amount of gardener-apiserver replicas | +| gardener_apiserver_vpa | | Enables the VPA for the gardener-apiserver | +| gardener_apiserver_resources | | Set custom resource definitions for the gardener-apiserver | +| gardener_apiserver_feature_gates | | Sets features gates for the gardener-apiserver | +| gardener_apiserver_shoot_kubeconfig_max_expiration | | Max shoot kubeconfig expiration for the gardener-apiserver | +| gardener_controller_manager_resources | | Set custom resource definitions for the gardener-controller-manager | +| gardener_scheduler_resources | | Set custom resource definitions for the gardener-scheduler | +| gardener_dns_domain | | Specifies the DNS domain on which the Gardener will manage DNS entries | +| gardener_dns_provider | yes | Specifies the DNS provider | +| gardener_backup_infrastructure | | Specifies the Gardener backup infrastructure | +| gardener_backup_infrastructure_secret | | Specifies the secret for the backup infrastructure | +| gardener_soil_name | | The name of the initial `Seed` (used for spinning up shooted seeds) | +| gardener_soil_kubeconfig_file_path | | The kubeconfig path to the initial seed cluster | +| gardener_soil_vertical_pod_autoscaler_enabled | | Enables the VPA for the intial seed cluster | +| gardener_soil_project_owner_name | | Specifies the owner name for the project that the initial seed uses to set up shooted seeds | +| gardener_soil_project_members | | Specifies the members of the soil project. Each member requires a `name` and a `role`. Optionally, and array of `roles` can be specified. 
Example: `{"name": "admin", "role": "admin", "roles": ["owner"]}` | +| gardener_gardenlet_shoot_concurrent_syncs | | Specifies the amount of concurrent shoot syncs for the Gardenlet | +| gardener_gardenlet_shoot_reconcile_in_maintenance_only | | Specifies whether to reconcile shoots only in their maintenance time windows for the Gardenlet | +| gardener_gardenlet_shoot_respect_sync_period_overwrite | | Specifies whether to allow sync period overwrites for shoot resources | +| gardener_shooted_seeds | | A list of definitions for shooted seeds reconcile by the initial seed cluster, will be turned into `ManagedSeeds` | +| gardener_shooted_seed_max_pods | | The max pods amount for the shooted seeds | +| gardener_shooted_seed_node_cidr_mask_size | | The node CIDR mask size used for the kubelets of the shooted seeds | +| gardener_shooted_seed_rollout_delay_minutes | | An optional delay between shooted seed rollouts (can be used to calm down bigger environments during an update) | +| gardener_kube_api_server_kubeconfig | | The kubeconfig for the Gardener Kubernetes API (virtual garden apiserver) | +| gardener_kube_apiserver_kubeconfig_path | | The acts on multiple Kubernetes APIs, this is where it puts the kubeconfig of the Gardener Kubernetes API | +| gardener_local_tmp_dir | | The acts on multiple Kubernetes APIs, this is a local folder in the deployment container to store the kubeconfigs (ephemeral) | ### Virtual Garden 
@@ -45,7 +46,7 @@ These variables are related to spinning up the virtual garden, a dedicated kube- The deployment chart is taken from [garden-setup](https://github.com/gardener/garden-setup) and follows the same deployment approach. | Name | Mandatory | Description | -|------------------------------------------------------|-----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| ---------------------------------------------------- | --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | gardener_virtual_api_server_svc_cluster_ip_add | | An integer to "guess" a free IP for the service that allows the soil to internally communicate with the virtual garden | | gardener_virtual_api_server_public_dns | | The DNS domain to reach the virtual garden API server on | | gardener_virtual_api_server_healthcheck_static_token | yes | A static token for healthchecking the virtual garden API server | diff --git a/control-plane/roles/gardener/defaults/main/gardener.yaml b/control-plane/roles/gardener/defaults/main/gardener.yaml index 3bd07929..dc94a021 100644 --- a/control-plane/roles/gardener/defaults/main/gardener.yaml +++ b/control-plane/roles/gardener/defaults/main/gardener.yaml @@ -41,6 +41,7 @@ gardener_soil_name: "{{ metal_control_plane_stage_name }}" gardener_soil_kubeconfig_file_path: "{{ lookup('env', 'KUBECONFIG') }}" gardener_soil_vertical_pod_autoscaler_enabled: false gardener_soil_project_owner_name: admin +gardener_soil_project_members: [] gardener_gardenlet_shoot_concurrent_syncs: 20 gardener_gardenlet_shoot_reconcile_in_maintenance_only: false 
diff --git a/control-plane/roles/gardener/tasks/main.yaml b/control-plane/roles/gardener/tasks/main.yaml
index 2d0b0be3..9448e520 100644
--- a/control-plane/roles/gardener/tasks/main.yaml
+++ b/control-plane/roles/gardener/tasks/main.yaml
@@ -121,36 +121,9 @@
 - name: Create Gardener project for shooted seeds
 k8s:
- definition:
- apiVersion: core.gardener.cloud/v1beta1
- kind: Project
- metadata:
- name: "{{ gardener_soil_name }}"
- labels:
- gardener.cloud/role: "project"
- project.gardener.cloud/name: "{{ gardener_soil_name }}"
- spec:
- namespace: garden
- tolerations:
- defaults:
- - key: seed.gardener.cloud/protected
- - key: seed.gardener.cloud/invisible
- - key: seed.gardener.cloud/disable-capacity-reservation
- whitelist:
- - key: seed.gardener.cloud/protected
- - key: seed.gardener.cloud/invisible
- - key: seed.gardener.cloud/disable-capacity-reservation
- owner:
- apiGroup: rbac.authorization.k8s.io
- kind: User
- name: "{{ gardener_soil_project_owner_name }}"
- members:
- - apiGroup: rbac.authorization.k8s.io
- kind: User
- name: "{{ gardener_soil_project_owner_name }}"
- role: admin
+ definition: "{{ lookup('template', 'gardener-soil-project.yaml.j2') }}"
 kubeconfig: "{{ gardener_kube_apiserver_kubeconfig_path }}"
- when: not lookup('k8s', kubeconfig=gardener_kube_apiserver_kubeconfig_path, api_version='core.gardener.cloud/v1beta1', kind='Project', resource_name=gardener_soil_name)
+ apply: true
 - name: Add project labels to garden namespace
 k8s:
diff --git a/control-plane/roles/gardener/templates/gardener-soil-project.yaml.j2 b/control-plane/roles/gardener/templates/gardener-soil-project.yaml.j2
new file mode 100644
index 00000000..7ef33753
--- /dev/null
+++ b/control-plane/roles/gardener/templates/gardener-soil-project.yaml.j2
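Review bot: Replacing the `when: not lookup('k8s', ...)` guard with `apply: true` turns the task from create-once into reconcile-on-every-run, and because `spec.members` in the rendered template is a complete list, any member that was added to the soil project outside this role (for example through the Gardener dashboard) is removed on the next deployment. That is presumably intended now that `gardener_soil_project_members` exists, but it is a silent change in who holds which role on the garden project, so the task deserves a comment such as `# apply: the rendered Project is authoritative; members not listed in gardener_soil_project_members are removed on every run`. The owner entry also changes shape here (the removed inline definition had only `role: admin`, the template adds `roles: [owner]`), which is worth a line in the commit description.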
@@ -0,0 +1,41 @@ +apiVersion: core.gardener.cloud/v1beta1 +kind: Project +metadata: + name: "{{ gardener_soil_name }}" + labels: + gardener.cloud/role: "project" + project.gardener.cloud/name: "{{ gardener_soil_name }}" +spec: + namespace: garden + tolerations: + defaults: + - key: seed.gardener.cloud/protected + - key: seed.gardener.cloud/invisible + - key: seed.gardener.cloud/disable-capacity-reservation + whitelist: + - key: seed.gardener.cloud/protected + - key: seed.gardener.cloud/invisible + - key: seed.gardener.cloud/disable-capacity-reservation + owner: + apiGroup: rbac.authorization.k8s.io + kind: User + name: "{{ gardener_soil_project_owner_name }}" + members: + - apiGroup: rbac.authorization.k8s.io + kind: User + name: "{{ gardener_soil_project_owner_name }}" + role: admin + roles: + - owner +{% for member in gardener_soil_project_members %} + - apiGroup: rbac.authorization.k8s.io + kind: User + name: "{{ member.name }}" + role: "{{ member.role }}" +{% if member.roles is defined %} + roles: +{% for role in member.roles %} + - "{{ role }}" +{% endfor %} +{% endif %} +{% endfor %} diff --git a/control-plane/roles/gardener/test/gardener_soil_project_template_test.py b/control-plane/roles/gardener/test/gardener_soil_project_template_test.py new file mode 100644 index 00000000..de80907f --- /dev/null +++ b/control-plane/roles/gardener/test/gardener_soil_project_template_test.py 
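Review bot: `name: "{{ member.name }}"` and `role: "{{ member.role }}"` are rendered without checking that the keys exist, so a member entry that lacks `role` renders `role: ""` and the mistake only surfaces as an apiserver rejection long after templating. Since `gardener_soil_project_members` is now the way membership (effectively RBAC on the garden project) is granted, validate the list up front: an `ansible.builtin.assert` before the `Create Gardener project for shooted seeds` task with `that: - gardener_soil_project_members | rejectattr('name', 'defined') | list | length == 0` and the same for `role`, or `{{ member.role | mandatory }}` in the template. A member whose `name` equals `gardener_soil_project_owner_name` would also be emitted twice under `members`, because the first entry is hard-coded for the owner with `roles: - owner`; a comment above the loop, `{# the owner is always the first member; do not repeat it in gardener_soil_project_members #}`, makes that contract explicit.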
@@ -0,0 +1,38 @@ +import unittest +import sys +import yaml + +from test import FILTER_PLUGINS_PATH,read_template_file,read_mock_file + +from ansible.template import Templar + +sys.path.insert(0, FILTER_PLUGINS_PATH) + +class GardenerSoilProjectTemplate(unittest.TestCase): + def test_gardener_soil_project_template(self): + t = read_template_file("gardener-soil-project.yaml.j2") + + templar = Templar(loader=None, variables={ + "gardener_soil_name": "test-project", + "gardener_soil_project_owner_name": "test-owner", + "gardener_soil_project_members": [ + { + "name": "test-member1", + "role": "viewer", + }, + { + "name": "test-member2", + "role": "admin", + "roles": [ + "editor", + "owner", + ], + }, + ], + }) + + res = templar.template(t) + expected = read_mock_file("gardener_soil_project.yaml") + + self.maxDiff = None + self.assertDictEqual(yaml.safe_load(expected), yaml.safe_load(res)) diff --git a/control-plane/roles/gardener/test/mock/gardener_soil_project.yaml b/control-plane/roles/gardener/test/mock/gardener_soil_project.yaml new file mode 100644 index 00000000..4ce04f54 --- /dev/null +++ b/control-plane/roles/gardener/test/mock/gardener_soil_project.yaml 
@@ -0,0 +1,40 @@ +apiVersion: core.gardener.cloud/v1beta1 +kind: Project +metadata: + name: test-project + labels: + gardener.cloud/role: project + project.gardener.cloud/name: test-project +spec: + namespace: garden + tolerations: + defaults: + - key: seed.gardener.cloud/protected + - key: seed.gardener.cloud/invisible + - key: seed.gardener.cloud/disable-capacity-reservation + whitelist: + - key: seed.gardener.cloud/protected + - key: seed.gardener.cloud/invisible + - key: seed.gardener.cloud/disable-capacity-reservation + owner: + apiGroup: rbac.authorization.k8s.io + kind: User + name: test-owner + members: + - apiGroup: rbac.authorization.k8s.io + kind: User + name: test-owner + role: admin + roles: + - owner + - apiGroup: rbac.authorization.k8s.io + kind: User + name: test-member1 + role: viewer + - apiGroup: rbac.authorization.k8s.io + kind: User + name: test-member2 + role: admin + roles: + - editor + - owner From 2069fffb3001166497babd8ed91d8f53962b2cdb Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Tue, 23 Jul 2024 09:29:27 +0200 Subject: [PATCH 13/49] Add metal-ipam-resources (#291) --- control-plane/roles/metal/README.md | 7 ++++--- control-plane/roles/metal/defaults/main/main.yaml | 1 + control-plane/roles/metal/templates/metal-values.j2 | 3 +++ 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/control-plane/roles/metal/README.md b/control-plane/roles/metal/README.md index 6e7eb92c..f6ca6f12 100644 --- a/control-plane/roles/metal/README.md +++ b/control-plane/roles/metal/README.md 
@@ -25,7 +25,7 @@ You can look up all the default values of this role [here](defaults/main/main.ya ### Images | Name | Mandatory | Description | -| -------------------------------------- | --------- | --------------------------------------- | +|----------------------------------------|-----------|-----------------------------------------| | metal_api_image_name | yes | Image version of the metal-api | | metal_api_image_tag | yes | Image tag of the metal-api | | metal_api_image_pull_policy | | Image pull policy of the metal-api | @@ -54,7 +54,7 @@ You can look up all the default values of this role [here](defaults/main/main.ya ### metal-api | Name | Mandatory | Description | -| ----------------------------------- | --------- | ---------------------------------------------------------------------------------------------- | +|-------------------------------------|-----------|------------------------------------------------------------------------------------------------| | metal_api_replicas | | The number of deployed replicas of the metal-api | | metal_api_hpa_enabled | | Enables horizontal pod autoscaling for the metal-api | | metal_api_hpa_max | | Max amount of replicas for the HPA of the metal-api | 
@@ -133,13 +133,14 @@ You can look up all the default values of this role [here](defaults/main/main.ya ### ipam | Name | Mandatory | Description | -| ---------------------- | --------- | --------------------------------------------------------------------------------- | +|------------------------|-----------|-----------------------------------------------------------------------------------| | metal_ipam_db_address | | The hostname of the ipam service | | metal_ipam_db_port | | The port of the ipam service | | metal_ipam_db_name | | The database name of the ipam service | | metal_ipam_db_user | | The user of the ipam service | | metal_ipam_db_password | | The password of the ipam service | | metal_ipam_log_level | | The log level for the ipam service (metal_log_level is not used for this service) | +| metal_ipam_resources | | Sets the given container resources | ### Ingress diff --git a/control-plane/roles/metal/defaults/main/main.yaml b/control-plane/roles/metal/defaults/main/main.yaml index 9d47129e..b3efe59a 100644 --- a/control-plane/roles/metal/defaults/main/main.yaml +++ b/control-plane/roles/metal/defaults/main/main.yaml @@ -85,6 +85,7 @@ metal_ipam_db_name: ipam metal_ipam_db_user: postgres metal_ipam_db_password: change-me metal_ipam_log_level: debug +metal_ipam_resources: # metal-console metal_console_image_pull_policy: "{{ metal_control_plane_image_pull_policy }}" diff --git a/control-plane/roles/metal/templates/metal-values.j2 b/control-plane/roles/metal/templates/metal-values.j2 index e825a1c1..7321a954 100644 --- a/control-plane/roles/metal/templates/metal-values.j2 +++ b/control-plane/roles/metal/templates/metal-values.j2 @@ -36,6 +36,9 @@ resources: {% if metal_console_resources %} metal_console: {{ metal_console_resources | to_json }} {% endif %} +{% if metal_ipam_resources %} + ipam: {{ metal_ipam_resources | to_json }} +{% endif %} hpa: metal_api: From 6319bc71331451d4c95ae3969432c0a80ac4dbe9 Mon Sep 17 00:00:00 2001 
From: Gerrit Date: Fri, 26 Jul 2024 11:21:32 +0200 Subject: [PATCH 14/49] Update of partition image-cache components. (#293) --- partition/roles/image-cache/README.md | 1 + partition/roles/image-cache/defaults/main/main.yaml | 2 ++ partition/roles/image-cache/tasks/coredns.yaml | 4 ++-- partition/roles/image-cache/templates/haproxy.j2 | 9 ++++----- .../roles/image-cache/templates/metal-image-cache.j2 | 2 +- 5 files changed, 10 insertions(+), 8 deletions(-) diff --git a/partition/roles/image-cache/README.md b/partition/roles/image-cache/README.md index 513d7b29..4d7589b6 100644 --- a/partition/roles/image-cache/README.md +++ b/partition/roles/image-cache/README.md @@ -72,6 +72,7 @@ Introducing a partition-local cache for machine images brings the following adva | image_cache_coredns_host_dir_path | | The host path for CoreDNS configuration | | image_cache_kernel_route_prefix | | The route prefix to distinguish whether the kernel cache backend is used or not | | image_cache_boot_image_route_prefix | | The route prefix to distinguish whether the boot image cache backend is used or not | +| image_cache_backend_hosts | | The hosts that are considered for load balancing, defaults to matched play hosts | | image_cache_haproxy_host_dir_path | | The host path for haproxy configuration | | image_cache_haproxy_fallback_backend_server | | The domain name of the "global image store" (internet, must have valid HTTPS) | | image_cache_haproxy_fallback_backend_server_health_endpoint | | The health endpoint which is expected to return 200 of the "global image store" | diff --git a/partition/roles/image-cache/defaults/main/main.yaml b/partition/roles/image-cache/defaults/main/main.yaml index a8e121a3..2581e135 100644 --- a/partition/roles/image-cache/defaults/main/main.yaml +++ b/partition/roles/image-cache/defaults/main/main.yaml 
@@ -16,6 +16,8 @@ image_cache_external_dns_servers:
 - name: cloudflare02
 ip: 1.0.0.1
+image_cache_backend_hosts: "{{ play_hosts }}"
+
 # coredns
 image_cache_coredns_host_dir_path: /coredns
diff --git a/partition/roles/image-cache/tasks/coredns.yaml b/partition/roles/image-cache/tasks/coredns.yaml
index f91f4f5b..91c3856f 100644
--- a/partition/roles/image-cache/tasks/coredns.yaml
+++ b/partition/roles/image-cache/tasks/coredns.yaml
@@ -12,7 +12,7 @@
 dest: "{{ image_cache_coredns_host_dir_path }}/config/{{ item.dest }}"
 owner: "root"
 group: "root"
- mode: "0750"
+ mode: "0666"
 loop:
 - src: corefile.j2
 dest: Corefile
@@ -31,7 +31,7 @@
 systemd_docker_volumes:
 - "{{ image_cache_coredns_host_dir_path }}/config:/root/"
 systemd_docker_ports:
- - host_port: "{{ switch_mgmt_ip }}:53"
+ - host_port: "{{ image_cache_internal_ip | default(ansible_host) }}:53"
 target_port: "53/udp"
 systemd_docker_command:
 - -conf
diff --git a/partition/roles/image-cache/templates/haproxy.j2 b/partition/roles/image-cache/templates/haproxy.j2
index 84b9242c..716a90c1 100644
--- a/partition/roles/image-cache/templates/haproxy.j2
+++ b/partition/roles/image-cache/templates/haproxy.j2
@@ -24,7 +24,6 @@ defaults
 listen stats
 bind :65534
- option http-use-htx
 http-request use-service prometheus-exporter if { path /metrics }
 mode http
 stats enable
@@ -84,7 +83,7 @@ backend partition_local_image_cache
 http-check send meth GET uri /health ver HTTP/1.1 hdr host www
 http-check expect status 200
 balance roundrobin
-{% for host in play_hosts %}
+{% for host in image_cache_backend_hosts %}
 server {{ hostvars[host]['inventory_hostname'] }} {{ hostvars[host]['image_cache_internal_ip'] if 'image_cache_internal_ip' in hostvars[host] else hostvars[host]['ansible_host'] }}:{{ image_cache_sync_port }} check {{ 'backup' if inventory_hostname != hostvars[host]['inventory_hostname'] else '' }}
 {% endfor %}
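Review bot: Changing `mode: "0750"` to `mode: "0666"` in coredns.yaml makes the root-owned `Corefile` (and presumably the zone file rendered from `metal-image-cache.j2`, the loop is cut off in this hunk) world-writable on the host, so any local account can rewrite the records CoreDNS serves for the intercept domains and redirect image downloads to a host of its choosing. If the motivation is that the non-root CoreDNS container could not read a `0750` root-owned file, read access is all that is needed: `mode: "0644"` fixes that without granting write access, and if group access is required, adjust `group` rather than opening the file to everyone. Ansible re-renders these files on every run, so nothing on the host legitimately needs to write them.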
@@ -94,7 +93,7 @@ backend partition_local_kernel_cache http-check send meth GET uri /health ver HTTP/1.1 hdr host www http-check expect status 200 balance roundrobin -{% for host in play_hosts %} +{% for host in image_cache_backend_hosts %} server {{ hostvars[host]['inventory_hostname'] }} {{ hostvars[host]['image_cache_internal_ip'] if 'image_cache_internal_ip' in hostvars[host] else hostvars[host]['ansible_host'] }}:{{ image_cache_sync_kernel_port }} check {{ 'backup' if inventory_hostname != hostvars[host]['inventory_hostname'] else '' }} {% endfor %} {% endif %} @@ -105,7 +104,7 @@ backend partition_local_boot_image_cache http-check send meth GET uri /health ver HTTP/1.1 hdr host www http-check expect status 200 balance roundrobin -{% for host in play_hosts %} +{% for host in image_cache_backend_hosts %} server {{ hostvars[host]['inventory_hostname'] }} {{ hostvars[host]['image_cache_internal_ip'] if 'image_cache_internal_ip' in hostvars[host] else hostvars[host]['ansible_host'] }}:{{ image_cache_sync_boot_image_port }} check {{ 'backup' if inventory_hostname != hostvars[host]['inventory_hostname'] else '' }} {% endfor %} {% endif %} @@ -113,6 +112,6 @@ backend partition_local_boot_image_cache {% for domain in image_cache_intercept_domains %} backend global_https_passthrough_{{ loop.index }} mode tcp - server {{ domain }} {{ domain}}:443 + server {{ domain }} {{ domain }}:443 {% endfor %} diff --git a/partition/roles/image-cache/templates/metal-image-cache.j2 b/partition/roles/image-cache/templates/metal-image-cache.j2 index d0553236..8c20891f 100644 --- a/partition/roles/image-cache/templates/metal-image-cache.j2 +++ b/partition/roles/image-cache/templates/metal-image-cache.j2 
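Review bot: The address-selection expression `hostvars[host]['image_cache_internal_ip'] if 'image_cache_internal_ip' in hostvars[host] else hostvars[host]['ansible_host']` is now repeated in all three backends that loop over `image_cache_backend_hosts` here (the first of them is in the preceding hunk) and once more in metal-image-cache.j2, and since the list is now user-settable rather than derived from `play_hosts`, a host name that is not in the inventory fails with an undefined-variable error deep inside the template. A `{% set backend_ip = hostvars[host]['image_cache_internal_ip'] | default(hostvars[host]['ansible_host']) %}` at the top of each loop keeps the selection in one place, and an assert that every entry of `image_cache_backend_hosts` is a key of `hostvars` would turn the failure into a readable message. The `- option http-use-htx` removal in the `listen stats` hunk is presumably a HAProxy-version cleanup and is fine as is.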
@@ -1,6 +1,6 @@ {% for cache in image_cache_intercept_domains %} {{ cache }}. IN SOA {{ cache }}. {{ cache }}. 2015082541 7200 3600 1209600 3600 -{% for host in play_hosts %} +{% for host in image_cache_backend_hosts %} {{ cache }}. IN A {{ hostvars[host]['image_cache_internal_ip'] if 'image_cache_internal_ip' in hostvars[host] else hostvars[host]['ansible_host'] }} {% endfor %} {% endfor %} From ca47bba4d54b6b9ff3733368a075e687af5e7027 Mon Sep 17 00:00:00 2001 From: Gerrit Date: Fri, 26 Jul 2024 11:25:12 +0200 Subject: [PATCH 15/49] Allow serving additional files along with ztp.sh. (#294) --- partition/roles/ztp/README.md | 1 + partition/roles/ztp/defaults/main/main.yaml | 4 ++++ partition/roles/ztp/tasks/main.yaml | 10 ++++++++++ 3 files changed, 15 insertions(+) diff --git a/partition/roles/ztp/README.md b/partition/roles/ztp/README.md index 610833ec..2de4b68a 100644 --- a/partition/roles/ztp/README.md +++ b/partition/roles/ztp/README.md @@ -12,3 +12,4 @@ Configures a server for providing zero-touch-provisioning scripts for switches. | ztp_port | | the port to serve ztp scripts on. | | ztp_authorized_keys | yes | the authorized keys that should be installed by ztp. | | ztp_admin_user | | the user for which the authorized keys will be provisioned. | +| ztp_additional_files | | puts additional files into serve directory. | diff --git a/partition/roles/ztp/defaults/main/main.yaml b/partition/roles/ztp/defaults/main/main.yaml index dd06cd71..8cff09c2 100644 --- a/partition/roles/ztp/defaults/main/main.yaml +++ b/partition/roles/ztp/defaults/main/main.yaml @@ -5,3 +5,7 @@ ztp_authorized_keys: ztp_admin_user: admin ztp_port: 8080 + +ztp_additional_files: [] +# - name: foo.sh +# data: echo diff --git a/partition/roles/ztp/tasks/main.yaml b/partition/roles/ztp/tasks/main.yaml index 9b62e94f..780c2956 100644 --- a/partition/roles/ztp/tasks/main.yaml +++ b/partition/roles/ztp/tasks/main.yaml 
@@ -10,6 +10,7 @@ - ztp_nginx_image_name is defined - ztp_nginx_image_tag is defined - ztp_authorized_keys is not none + - "'ztp.sh' not in ztp_additional_files | map(attribute='name')" - name: create ztp config directory file: @@ -22,6 +23,15 @@ dest: "{{ ztp_host_dir_path }}/config/ztp.sh" mode: 0644 +- name: copy additional contents + copy: + dest: "{{ ztp_host_dir_path }}/config/{{ item.name }}" + content: "{{ item.data }}" + mode: 0644 + loop: "{{ ztp_additional_files }}" + loop_control: + label: "{{ item.name }}" + - name: deploy server for serving ztp.sh include_role: name: ansible-common/roles/systemd-docker-service From baed6f7ea59c190a6b819417af617e05d09b54a3 Mon Sep 17 00:00:00 2001 From: Ilja Rotar <77339620+iljarotar@users.noreply.github.com> Date: Mon, 29 Jul 2024 15:12:38 +0200 Subject: [PATCH 16/49] Allow providing pre-generated keys for `wireguard` role (#295) --- partition/roles/wireguard/README.md | 10 ++-- partition/roles/wireguard/defaults/main.yaml | 10 +++- partition/roles/wireguard/tasks/main.yaml | 54 ++++++++++++------- .../templates/wireguard_server.conf.j2 | 2 +- 4 files changed, 52 insertions(+), 24 deletions(-) diff --git a/partition/roles/wireguard/README.md b/partition/roles/wireguard/README.md index 1f89dcb4..6bd3fe54 100644 --- a/partition/roles/wireguard/README.md +++ b/partition/roles/wireguard/README.md 
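Review bot: `dest: "{{ ztp_host_dir_path }}/config/{{ item.name }}"` in the new `copy additional contents` task interpolates the operator-supplied name into the path without constraining it to a bare file name, so a `name` containing a slash or `..` would write outside the ztp config directory; the assertion added in the first hunk only rejects `ztp.sh`. Extending that assertion keeps the check in one place, e.g. `- "ztp_additional_files | map(attribute='name') | reject('match', '^[A-Za-z0-9._-]+$') | list | length == 0"`. The same task sets `mode: 0644` unquoted, which YAML 1.1 parses as the integer 420; Ansible documents the quoted form (`mode: "0644"`) as the reliable one, and the mgmt-server tasks later in this series already write modes that way.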
@@ -5,13 +5,15 @@ Configures a wireguard-server. ## Variables | Name | Mandatory | Description | -|------------------------------|-----------|-----------------------------------------------------------------------------------------------------------| +| ---------------------------- | --------- | --------------------------------------------------------------------------------------------------------- | | wireguard_cert_directory | | the directory to store wireguard certs. | | wireguard_cert_owner | | the user that should own the cert. | | wireguard_cert_group | | the group that should own the cert. | | wireguard_ip | yes | the ip where wireguard should bind to. e.g. (`100.1.2.1/24`) | -| wireguard_listen_port | | the port wireguard should listen on (default ist 51820) | -| wireguard_clients | yes | array of clients to be configured at the server side | +| wireguard_listen_port | | the port wireguard should listen on (default is 51820) | +| wireguard_clients | | array of clients to be configured at the server side | | wireguard_clients.name | yes | a speaking name for this client as description. | | wireguard_clients.public_key | yes | the public key that identifies this client. | -| wireguard_clients.client_id | yes | a unique id for this client - is used to automatically generate client IP out of the `wireguard_ip` CIDR. | \ No newline at end of file +| wireguard_clients.client_id | yes | a unique id for this client - is used to automatically generate client IP out of the `wireguard_ip` CIDR. | +| wireguard_public_key | | optional pre-generated public for wireguard | +| wireguard_private_key | | optional pre-generated private for wireguard | diff --git a/partition/roles/wireguard/defaults/main.yaml b/partition/roles/wireguard/defaults/main.yaml index f49c417f..618ed80c 100644 --- a/partition/roles/wireguard/defaults/main.yaml +++ b/partition/roles/wireguard/defaults/main.yaml 
@@ -1,5 +1,13 @@ --- +wireguard_ip: +wireguard_public_key: +wireguard_private_key: wireguard_cert_directory: /etc/pki/wireguard wireguard_cert_owner: root wireguard_cert_group: root -wireguard_listen_port: 51820 \ No newline at end of file +wireguard_listen_port: 51820 + +wireguard_clients: [] +# - name: my-name +# public_key: my-pub-key +# client_id: id diff --git a/partition/roles/wireguard/tasks/main.yaml b/partition/roles/wireguard/tasks/main.yaml index 262b1c65..1bf2c765 100644 --- a/partition/roles/wireguard/tasks/main.yaml +++ b/partition/roles/wireguard/tasks/main.yaml @@ -5,8 +5,6 @@ quiet: yes that: - wireguard_ip is not none - - wireguard_clients is not none - - wireguard_clients|length > 0 - name: install wireguard apt: @@ -28,7 +26,7 @@ reload: yes tags: wg-install -- name: create WireGuard certificates directory +- name: create wireguard certificates directory file: dest: "{{ wireguard_cert_directory }}" state: directory 
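Review bot: The new `wireguard_ip:`, `wireguard_public_key:` and `wireguard_private_key:` entries are bare keys, which YAML reads as null but which are easy to mistake for empty strings; writing `wireguard_public_key: null` (and the same for the other two) makes the "unset" default explicit, matching the explicit `[]` used for `wireguard_clients` below. A short comment above the key pair, e.g. `# both keys must be set together; otherwise a key pair is generated on the host`, would document what the tasks implement, since the role only uses the pre-generated pair when both values are truthy.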
@@ -39,43 +37,63 @@ - name: set path to private key file set_fact: - private_key_file_path: "{{ wireguard_cert_directory }}/{{ inventory_hostname }}.private.key" - public_key_file_path: "{{ wireguard_cert_directory }}/{{ inventory_hostname }}.public.key" + _private_key_file_path: "{{ wireguard_cert_directory }}/{{ inventory_hostname }}.private.key" + _public_key_file_path: "{{ wireguard_cert_directory }}/{{ inventory_hostname }}.public.key" tags: wg-generate-keys +- name: use pre-generated keys if defined + block: + - name: store public key file + copy: + content: "{{ wireguard_public_key }}" + dest: "{{ _public_key_file_path }}" + mode: 0600 + - name: store private key file + copy: + content: "{{ wireguard_private_key }}" + dest: "{{ _private_key_file_path }}" + mode: 0600 + when: + - wireguard_public_key + - wireguard_private_key + - name: register if private key already exists stat: - path: "{{ private_key_file_path }}" + path: "{{ _private_key_file_path }}" register: private_key_file_stat tags: wg-generate-keys -- name: generate WireGuard key pair +- name: generate wireguard key pair block: - - name: generate WireGuard private key - shell: "wg genkey | tee {{ private_key_file_path }}" - register: wg_private_key_result + - name: generate wireguard private key + shell: "wg genkey | tee {{ _private_key_file_path }}" + register: _wg_private_key_result tags: skip_ansible_lint - name: set private key fact set_fact: - wg_private_key: "{{ wg_private_key_result.stdout }}" + _wg_private_key: "{{ _wg_private_key_result.stdout }}" - - name: generate WireGuard public key - shell: "echo {{ wg_private_key }} | wg pubkey | tee {{ public_key_file_path }}" - register: wg_public_key_result + - name: generate wireguard public key + shell: "echo {{ _wg_private_key }} | wg pubkey | tee {{ _public_key_file_path }}" + register: _wg_public_key_result - name: set public key fact set_fact: - wg_public_key: "{{ wg_public_key_result.stdout }}" + _wg_public_key: "{{ 
_wg_public_key_result.stdout }}" + + - name: print out public key + debug: + msg: "generated wireguard public key: {{ _wg_public_key }}" when: not private_key_file_stat.stat.exists tags: wg-generate-keys -- name: write WireGuard configuration +- name: write wireguard configuration block: - name: slurp private key file slurp: - src: "{{ private_key_file_path }}" + src: "{{ _private_key_file_path }}" register: slurped_private_key - name: read private key @@ -92,7 +110,7 @@ notify: enable and restart wireguard tags: wg-config -- name: start WireGuard +- name: start wireguard service: name: wg-quick@wg0 enabled: true diff --git a/partition/roles/wireguard/templates/wireguard_server.conf.j2 b/partition/roles/wireguard/templates/wireguard_server.conf.j2 index e254f17a..e5788322 100644 --- a/partition/roles/wireguard/templates/wireguard_server.conf.j2 +++ b/partition/roles/wireguard/templates/wireguard_server.conf.j2 @@ -7,5 +7,5 @@ ListenPort = {{ wireguard_listen_port }} [Peer] # {{ peer.name }} PublicKey = {{ peer.public_key }} -AllowedIPs = {{ wireguard_ip | next_nth_usable(peer.client_id-1) }}/32 +AllowedIPs = {{ wireguard_ip | ansible.utils.next_nth_usable(peer.client_id-1) }}/32 {% endfor %} From 21bd2f1d97d06d69f4ee5d43439198ab5a31ed66 Mon Sep 17 00:00:00 2001 From: Ilja Rotar <77339620+iljarotar@users.noreply.github.com> Date: Mon, 29 Jul 2024 15:16:36 +0200 Subject: [PATCH 17/49] Support mgmt-servers that do not use systemd-resolved (#292) --- partition/roles/mgmt-server/tasks/main.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/partition/roles/mgmt-server/tasks/main.yaml b/partition/roles/mgmt-server/tasks/main.yaml index 0dca5988..d64d605b 100644 --- a/partition/roles/mgmt-server/tasks/main.yaml +++ b/partition/roles/mgmt-server/tasks/main.yaml 
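Review bot: The new `use pre-generated keys if defined` block carries no `tags: wg-generate-keys`, unlike the key-path, stat and generation tasks around it; a run limited to that tag skips the copy, the stat then finds no private key, and a fresh pair is generated on the host instead of the configured one — add `tags: wg-generate-keys` to the block. The two copy tasks template `wireguard_private_key` into `content:` without `no_log: true`, so the private key can appear in verbose or diff output; the mgmt-server ssh-key copy later in this series sets `no_log: true` for the same situation. The generation path still writes the private key with `wg genkey | tee {{ _private_key_file_path }}`, leaving the file mode to the umask, whereas the pre-generated path sets `mode: 0600`; a follow-up `file:` task with `mode: "0600"` on `_private_key_file_path` would close that gap, and quoting the mode as `"0600"` in the copy tasks avoids the YAML octal ambiguity. The `write wireguard configuration` block at the end of the hunk continues outside it.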
@@ -23,12 +23,16 @@ timezone: name: UTC +- name: collect facts about system services + service_facts: + - name: set name servers to resolve dns template: src: resolved.conf.j2 dest: /etc/systemd/resolved.conf notify: - restart systemd-resolved + when: "'systemd-resolved.service' in services" - name: install required packages to have the network stack in place apt: @@ -94,6 +98,7 @@ mode: "{{ item.mode}}" owner: metal group: metal + no_log: true loop: - content: "{{ mgmt_server_metal_ssh_privkey }}" dest: /home/metal/.ssh/id_rsa @@ -101,6 +106,8 @@ - content: "{{ mgmt_server_metal_ssh_pubkey }}" dest: /home/metal/.ssh/id_rsa.pub mode: "0644" + loop_control: + label: "{{ item.dest }}" # This is so that self connect and cross connect to the other mgmtserver is possible - name: Add own ssh key to authorized_keys From 7d0af499aacd3ada4d9014a8e07dcf629cc88750 Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Wed, 31 Jul 2024 12:58:09 +0200 Subject: [PATCH 18/49] Update gardener container images (#298) --- .../defaults/main/images.yaml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/control-plane/roles/isolated-clusters/defaults/main/images.yaml b/control-plane/roles/isolated-clusters/defaults/main/images.yaml index f6a7f2cb..52013b5b 100644 --- a/control-plane/roles/isolated-clusters/defaults/main/images.yaml +++ b/control-plane/roles/isolated-clusters/defaults/main/images.yaml 
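Review bot: `when: "'systemd-resolved.service' in services"` only tests that the unit is known to `service_facts`, which also reports units that are installed but stopped or disabled, so `resolved.conf` may still be written on hosts that run another resolver. If the intent is to configure only hosts actually using systemd-resolved, check the state as well, e.g. `when: "'systemd-resolved.service' in services and services['systemd-resolved.service'].state == 'running'"`; the exact fact shape is worth confirming against the target distribution.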
@@ -33,22 +33,42 @@ isolated_clusters_registry_oci_mirror_config: destination: http://registry:5000/gardener-project/3rd/alpine match: semver: ">= 3.15.8" + - source: europe-docker.pkg.dev/gardener-project/releases/3rd/alpine + destination: http://registry:5000/gardener-project/releases/3rd/alpine + match: + semver: ">= 3.19.0" - source: eu.gcr.io/gardener-project/3rd/coredns/coredns destination: http://registry:5000/gardener-project/3rd/coredns/coredns match: semver: ">= 1.10.0" + - source: registry.k8s.io/coredns/coredns + destination: http://registry:5000/coredns/coredns + match: + semver: ">= 1.11.0" - source: eu.gcr.io/gardener-project/3rd/envoyproxy/envoy-distroless destination: http://registry:5000/gardener-project/3rd/envoyproxy/envoy-distroless match: semver: ">= v1.24.1" + - source: europe-docker.pkg.dev/gardener-project/releases/3rd/envoyproxy/envoy-distroless + destination: http://registry:5000/gardener-project/releases/3rd/envoyproxy/envoy-distroless + match: + semver: ">= v1.31.0" - source: eu.gcr.io/gardener-project/gardener/apiserver-proxy destination: http://registry:5000/gardener-project/gardener/apiserver-proxy match: semver: ">= v0.12.0" + - source: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver-proxy + destination: http://registry:5000/gardener-project/releases/gardener/apiserver-proxy + match: + semver: ">= v0.16.0" - source: eu.gcr.io/gardener-project/gardener/vpn-shoot-client destination: http://registry:5000/gardener-project/gardener/vpn-shoot-client match: semver: ">= 0.16.0" + - source: europe-docker.pkg.dev/gardener-project/releases/gardener/vpn-shoot-client + destination: http://registry:5000/gardener-project/releases/gardener/vpn-shoot-client + match: + semver: ">= 0.22.0" - source: ghcr.io/metal-stack/metallb-health-sidecar destination: http://registry:5000/metal-stack/metallb-health-sidecar match: From 04ac322afe6c6b4057ab3caecaeb1e2f10fbc7cc Mon Sep 17 00:00:00 2001 
From: Stefan Majer Date: Wed, 31 Jul 2024 13:14:48 +0200 Subject: [PATCH 19/49] Remove duplicate coredns entry (#299) --- .../roles/isolated-clusters/defaults/main/images.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/control-plane/roles/isolated-clusters/defaults/main/images.yaml b/control-plane/roles/isolated-clusters/defaults/main/images.yaml index 52013b5b..d4460741 100644 --- a/control-plane/roles/isolated-clusters/defaults/main/images.yaml +++ b/control-plane/roles/isolated-clusters/defaults/main/images.yaml @@ -41,10 +41,6 @@ isolated_clusters_registry_oci_mirror_config: destination: http://registry:5000/gardener-project/3rd/coredns/coredns match: semver: ">= 1.10.0" - - source: registry.k8s.io/coredns/coredns - destination: http://registry:5000/coredns/coredns - match: - semver: ">= 1.11.0" - source: eu.gcr.io/gardener-project/3rd/envoyproxy/envoy-distroless destination: http://registry:5000/gardener-project/3rd/envoyproxy/envoy-distroless match: From 26a91ed57f4912684e4fb30896fc20ffabe3cc6d Mon Sep 17 00:00:00 2001 From: Ilja Rotar <77339620+iljarotar@users.noreply.github.com> Date: Thu, 1 Aug 2024 15:52:10 +0200 Subject: [PATCH 20/49] Allow different ssh key file names than the default id_rsa (#300) --- partition/roles/mgmt-server/defaults/main.yaml | 1 + partition/roles/mgmt-server/tasks/main.yaml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/partition/roles/mgmt-server/defaults/main.yaml b/partition/roles/mgmt-server/defaults/main.yaml index a67a28a6..cb467ef5 100644 --- a/partition/roles/mgmt-server/defaults/main.yaml +++ b/partition/roles/mgmt-server/defaults/main.yaml @@ -22,3 +22,4 @@ mgmt_server_frr_repo: frr-8 mgmt_server_provide_default_route: false mgmt_server_metal_ssh_groups: "{{ groups.all }}" +mgmt_server_metal_ssh_key_filename: id_rsa diff --git a/partition/roles/mgmt-server/tasks/main.yaml b/partition/roles/mgmt-server/tasks/main.yaml index d64d605b..6fe51392 100644 
--- a/partition/roles/mgmt-server/tasks/main.yaml +++ b/partition/roles/mgmt-server/tasks/main.yaml @@ -101,10 +101,10 @@ no_log: true loop: - content: "{{ mgmt_server_metal_ssh_privkey }}" - dest: /home/metal/.ssh/id_rsa + dest: "/home/metal/.ssh/{{ mgmt_server_metal_ssh_key_filename }}" mode: "0600" - content: "{{ mgmt_server_metal_ssh_pubkey }}" - dest: /home/metal/.ssh/id_rsa.pub + dest: "/home/metal/.ssh/{{ mgmt_server_metal_ssh_key_filename }}.pub" mode: "0644" loop_control: label: "{{ item.dest }}" From 20d60e271e385b13b331379ab26bdef0b0c0d8d2 Mon Sep 17 00:00:00 2001 From: Ilja Rotar <77339620+iljarotar@users.noreply.github.com> Date: Fri, 2 Aug 2024 13:25:12 +0200 Subject: [PATCH 21/49] Install docker from official repository (#301) --- partition/roles/mgmt-server/tasks/main.yaml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/partition/roles/mgmt-server/tasks/main.yaml b/partition/roles/mgmt-server/tasks/main.yaml index 6fe51392..ac8a12cd 100644 --- a/partition/roles/mgmt-server/tasks/main.yaml +++ b/partition/roles/mgmt-server/tasks/main.yaml @@ -39,11 +39,27 @@ name: - net-tools - ipmitool - - docker.io - iptables-persistent update_cache : yes force_apt_get: yes +- name: install docker + block: + - name: add docker gpg key + get_url: + url: "https://download.docker.com/linux/{{ ansible_distribution|lower }}/gpg" + dest: /etc/apt/keyrings/docker.asc + + - name: add docker repository + apt_repository: + repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/{{ ansible_distribution|lower }} {{ ansible_distribution_release|lower }} stable" + + - name: install docker + apt: + name: + - docker-ce + when: "'docker.service' not in services" + - name: copy docker daemon.json template: src: daemon.json.j2 From 2b0bc31832b4aa2defb23165ce9c5bfde6f8372e Mon Sep 17 00:00:00 2001 
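Review bot: The `add docker gpg key` task fetches the repository signing key over HTTPS but pins nothing — no `checksum:` on `get_url` and no `mode:` — so a changed or substituted key is accepted silently and the file mode is whatever the umask gives; add `checksum: "sha256:<EXPECTED_DIGEST_PLACEHOLDER>"` and `mode: "0644"` to the `get_url` task. `get_url` does not create `/etc/apt/keyrings`, which may be absent on older releases, so a preceding `file:` task with `path: /etc/apt/keyrings`, `state: directory` and `mode: "0755"` would keep the block from failing there. `arch=amd64` in the repository line is hard-coded while the distribution and release come from facts, and the `when: "'docker.service' not in services"` guard leaves hosts that already have the distro `docker.io` package as they are; if that is intended, a comment such as `# hosts with an existing docker.service (e.g. docker.io) are left untouched` would make it explicit.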
From: Stefan Majer Date: Mon, 5 Aug 2024 13:02:05 +0200 Subject: [PATCH 22/49] Add missing images (#302) --- .../roles/isolated-clusters/defaults/main/images.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/control-plane/roles/isolated-clusters/defaults/main/images.yaml b/control-plane/roles/isolated-clusters/defaults/main/images.yaml index d4460741..202fbcb3 100644 --- a/control-plane/roles/isolated-clusters/defaults/main/images.yaml +++ b/control-plane/roles/isolated-clusters/defaults/main/images.yaml @@ -37,6 +37,10 @@ isolated_clusters_registry_oci_mirror_config: destination: http://registry:5000/gardener-project/releases/3rd/alpine match: semver: ">= 3.19.0" + - source: europe-docker.pkg.dev/gardener-project/releases/gardener/alpine-conntrack + destination: http://registry:5000/gardener-project/releases/gardener/alpine-conntrack + match: + semver: ">= 3.19.0" - source: eu.gcr.io/gardener-project/3rd/coredns/coredns destination: http://registry:5000/gardener-project/3rd/coredns/coredns match: @@ -56,7 +60,7 @@ isolated_clusters_registry_oci_mirror_config: - source: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver-proxy destination: http://registry:5000/gardener-project/releases/gardener/apiserver-proxy match: - semver: ">= v0.16.0" + semver: ">= v0.15.0" - source: eu.gcr.io/gardener-project/gardener/vpn-shoot-client destination: http://registry:5000/gardener-project/gardener/vpn-shoot-client match: From 8960403adc994a54c7cd71fc73afe9e818f91fc6 Mon Sep 17 00:00:00 2001 From: Gerrit Date: Mon, 5 Aug 2024 13:38:07 +0200 Subject: [PATCH 23/49] Add missing images part II. (#303) --- control-plane/roles/isolated-clusters/defaults/main/images.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/control-plane/roles/isolated-clusters/defaults/main/images.yaml b/control-plane/roles/isolated-clusters/defaults/main/images.yaml index 202fbcb3..95da6706 100644 
--- a/control-plane/roles/isolated-clusters/defaults/main/images.yaml +++ b/control-plane/roles/isolated-clusters/defaults/main/images.yaml @@ -52,7 +52,7 @@ isolated_clusters_registry_oci_mirror_config: - source: europe-docker.pkg.dev/gardener-project/releases/3rd/envoyproxy/envoy-distroless destination: http://registry:5000/gardener-project/releases/3rd/envoyproxy/envoy-distroless match: - semver: ">= v1.31.0" + semver: ">= v1.26.4" - source: eu.gcr.io/gardener-project/gardener/apiserver-proxy destination: http://registry:5000/gardener-project/gardener/apiserver-proxy match: From 03043367e6a6e1557f9ce276c64959535928da9a Mon Sep 17 00:00:00 2001 From: Gerrit Date: Wed, 7 Aug 2024 10:58:00 +0200 Subject: [PATCH 24/49] Cleanup deprecated metal admission webhook certs. (#305) --- control-plane/roles/gardener/README.md | 3 --- control-plane/roles/gardener/defaults/main/certs.yaml | 4 ---- .../gardener/templates/extension-admission-metal-values.j2 | 7 ------- 3 files changed, 14 deletions(-) diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md index ded66fe3..dc045af2 100644 --- a/control-plane/roles/gardener/README.md +++ b/control-plane/roles/gardener/README.md @@ -138,9 +138,6 @@ We use a small shell script as in the [mini-lab](https://github.com/metal-stack/ | gardener_controller_manager_ca | yes | - | | gardener_controller_manager_cert | yes | - | | gardener_controller_manager_key | yes | - | -| gardener_metal_admission_controller_ca | yes | - | -| gardener_metal_admission_controller_cert | yes | - | -| gardener_metal_admission_controller_key | yes | - | | gardener_etcd_ca_cert | yes | - | | gardener_etcd_cert | yes | - | | gardener_etcd_cert_key | yes | - | diff --git a/control-plane/roles/gardener/defaults/main/certs.yaml b/control-plane/roles/gardener/defaults/main/certs.yaml index bee53edd..08a05a3d 100644 --- a/control-plane/roles/gardener/defaults/main/certs.yaml 
+++ b/control-plane/roles/gardener/defaults/main/certs.yaml @@ -26,10 +26,6 @@ gardener_controller_manager_ca: gardener_controller_manager_cert: gardener_controller_manager_key: -gardener_metal_admission_controller_ca: -gardener_metal_admission_controller_cert: -gardener_metal_admission_controller_key: - gardener_etcd_ca_cert: gardener_etcd_cert: gardener_etcd_cert_key: diff --git a/control-plane/roles/gardener/templates/extension-admission-metal-values.j2 b/control-plane/roles/gardener/templates/extension-admission-metal-values.j2 index 71b40590..8c9957c1 100644 --- a/control-plane/roles/gardener/templates/extension-admission-metal-values.j2 +++ b/control-plane/roles/gardener/templates/extension-admission-metal-values.j2 @@ -4,14 +4,7 @@ global: tag: "{{ gardener_extension_provider_metal_image_tag }}" pullPolicy: {{ metal_control_plane_image_pull_policy }} webhookConfig: - caBundle: | - {{ gardener_metal_admission_controller_ca | indent(width=6, first=false) }} serverPort: 443 - tls: - crt: | - {{ gardener_metal_admission_controller_cert | indent(width=8, first=false) }} - key: | - {{ gardener_metal_admission_controller_key | indent(width=8, first=false) }} kubeconfig: | {{ gardener_kube_api_server_kubeconfig | indent(width=4, first=false) }} virtualGarden: From 7c97d93550dec19398d17d6642dd03c495bcc3bb Mon Sep 17 00:00:00 2001 
From: Gerrit Date: Wed, 7 Aug 2024 14:50:16 +0200 Subject: [PATCH 25/49] Gardener v1.88 (#306) --- control-plane/roles/gardener/README.md | 1 - .../gardener/defaults/main/cloud_profile.yaml | 4 --- .../roles/gardener/tasks/extensions.yaml | 13 ---------- control-plane/roles/gardener/tasks/main.yaml | 1 - .../templates/dns/controller-deployment.yaml | 26 ------------------- .../dns/controller-registration.yaml | 11 -------- defaults/main.yaml | 2 -- 7 files changed, 58 deletions(-) delete mode 100644 control-plane/roles/gardener/templates/dns/controller-deployment.yaml delete mode 100644 control-plane/roles/gardener/templates/dns/controller-registration.yaml diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md index dc045af2..da8c3deb 100644 --- a/control-plane/roles/gardener/README.md +++ b/control-plane/roles/gardener/README.md @@ -106,7 +106,6 @@ This includes the metal-stack extension provider called [gardener-extension-prov | gardener_extension_provider_metal_image_pull_policy | | Sets the image pull policy for components deployed through this extension controller. | | gardener_extension_provider_metal_image_pull_secret | | Provide image pull secrets for deployed containers | | gardener_cert_management_issuer_private_key | | The Let's Encrypt private key used by the cert-management extension controller to setup signed certificates | -| gardener_extension_dns_external_controller_registration_url | | Allows to define a URL to the controller registration yaml | ### Certificates diff --git a/control-plane/roles/gardener/defaults/main/cloud_profile.yaml b/control-plane/roles/gardener/defaults/main/cloud_profile.yaml index f1ce66e5..141588bd 100644 --- a/control-plane/roles/gardener/defaults/main/cloud_profile.yaml +++ b/control-plane/roles/gardener/defaults/main/cloud_profile.yaml 
@@ -21,12 +21,8 @@ gardener_os_cri_mapping: cris: - name: containerd containerRuntimes: [] - - name: docker - containerRuntimes: [] debian: when: cris: - name: containerd containerRuntimes: [] - - name: docker - containerRuntimes: [] diff --git a/control-plane/roles/gardener/tasks/extensions.yaml b/control-plane/roles/gardener/tasks/extensions.yaml index 2f4df867..8fbb2772 100644 --- a/control-plane/roles/gardener/tasks/extensions.yaml +++ b/control-plane/roles/gardener/tasks/extensions.yaml @@ -27,19 +27,6 @@ - controller-deployment.yaml - controller-registration.yaml -- name: "Register controller: external-dns" - k8s: - definition: "{{ lookup('template', 'dns/{{ item }}', split_lines=False) }}" - kubeconfig: "{{ gardener_kube_apiserver_kubeconfig_path }}" - apply: yes - register: result - until: result is success - retries: 10 - delay: 6 - loop: - - controller-deployment.yaml - - controller-registration.yaml - - name: "Register controller: os extension provider metal" k8s: definition: "{{ lookup('template', 'os-metal-extension/{{ item }}', split_lines=False) }}" diff --git a/control-plane/roles/gardener/tasks/main.yaml b/control-plane/roles/gardener/tasks/main.yaml index 9448e520..dccd291a 100644 --- a/control-plane/roles/gardener/tasks/main.yaml +++ b/control-plane/roles/gardener/tasks/main.yaml @@ -20,7 +20,6 @@ - gardener_os_controller_image_tag is defined - metal_cloud_controller_manager_image_tag is defined - gardener_networking_calico_image_tag is defined - - gardener_external_dns_image_tag is defined - csi_lvm_controller_image_tag is defined - csi_lvm_provisioner_image_tag is defined - gardener_api_server_ca is not none diff --git a/control-plane/roles/gardener/templates/dns/controller-deployment.yaml b/control-plane/roles/gardener/templates/dns/controller-deployment.yaml deleted file mode 100644 index bcddbe1c..00000000 --- a/control-plane/roles/gardener/templates/dns/controller-deployment.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -apiVersion: core.gardener.cloud/v1beta1 -kind: ControllerDeployment -metadata: - name: dns-external -type: helm -providerConfig: -{% if gardener_extension_dns_external_controller_registration_url %} - chart: "{{ (lookup('url', gardener_extension_dns_external_controller_registration_url, split_lines=False) | from_yaml_all | list)[0].providerConfig.chart }}" -{% else %} - chart: "{{ (lookup('url', 'https://raw.githubusercontent.com/gardener/external-dns-management/' + gardener_external_dns_image_tag + '/examples/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].providerConfig.chart }}" -{% endif %} - values: - createCRDs: false - image: - repository: "{{ gardener_external_dns_image_name }}" - tag: "{{ gardener_external_dns_image_tag }}" - configuration: - serverPortHttp: 8080 - controllers: compound - providerTypes: "{{ gardener_dns_provider }}" - leaseDuration: 30s - vpa: - minAllowed: - cpu: 50m - memory: 50Mi diff --git a/control-plane/roles/gardener/templates/dns/controller-registration.yaml b/control-plane/roles/gardener/templates/dns/controller-registration.yaml deleted file mode 100644 index f2fa377e..00000000 --- a/control-plane/roles/gardener/templates/dns/controller-registration.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: core.gardener.cloud/v1beta1 -kind: ControllerRegistration -metadata: - name: dns-external -spec: - deployment: - policy: Always - deploymentRefs: - - name: dns-external - resources: [] diff --git a/defaults/main.yaml b/defaults/main.yaml index 6e80bf87..5b8d4421 100644 --- a/defaults/main.yaml +++ b/defaults/main.yaml 
@@ -119,8 +119,6 @@ metal_stack_release: gardener_virtual_controller_manager_image_name: "docker-images.third-party.gardener.virtual-controller-manager.name" gardener_extension_provider_gcp_image_tag: "docker-images.third-party.gardener.extension-provider-gcp.tag" gardener_extension_provider_gcp_image_name: "docker-images.third-party.gardener.extension-provider-gcp.name" - gardener_external_dns_image_tag: "docker-images.third-party.gardener.external-dns.tag" - gardener_external_dns_image_name: "docker-images.third-party.gardener.external-dns.name" gardener_networking_calico_image_tag: "docker-images.third-party.gardener.networking-calico.tag" gardener_networking_calico_image_name: "docker-images.third-party.gardener.networking-calico.name" gardener_networking_cilium_image_tag: "docker-images.third-party.gardener.networking-cilium.tag" From 16974422936e134a909902e2c04c9c5ef5cdc6d9 Mon Sep 17 00:00:00 2001 From: Simon Mayer <49491825+simcod@users.noreply.github.com> Date: Mon, 12 Aug 2024 08:39:57 +0200 Subject: [PATCH 26/49] Add additional volume mounts for metal-bmc metal-core and pixiecore (#307) --- partition/roles/metal-bmc/README.md | 43 ++++++++++--------- .../roles/metal-bmc/defaults/main/main.yaml | 2 + partition/roles/metal-bmc/tasks/main.yaml | 7 +-- .../metal-bmc/templates/metal-bmc-volumes.j2 | 6 +++ partition/roles/metal-core/README.md | 1 + .../roles/metal-core/defaults/main/main.yaml | 1 + .../templates/metal-core-volumes.j2 | 3 ++ partition/roles/pixiecore/README.md | 3 +- .../roles/pixiecore/defaults/main/main.yaml | 2 + partition/roles/pixiecore/tasks/main.yaml | 3 +- .../pixiecore/templates/pixie-volumes.j2 | 4 ++ 11 files changed, 46 insertions(+), 29 deletions(-) create mode 100644 partition/roles/metal-bmc/templates/metal-bmc-volumes.j2 create mode 100644 partition/roles/pixiecore/templates/pixie-volumes.j2 diff --git a/partition/roles/metal-bmc/README.md b/partition/roles/metal-bmc/README.md index 7b31a738..fbe14590 100644 
--- a/partition/roles/metal-bmc/README.md +++ b/partition/roles/metal-bmc/README.md 
@@ -8,24 +8,25 @@ This role uses variables from [partition-defaults](/partition). So, make sure yo You can look up all the default values of this role [here](defaults/main.yaml). -| Name | Mandatory | Description | -| ------------------------------ | --------- | ---------------------------------------------------------------------------------------------- | -| metal_bmc_image_name | yes | Image version of the metal-bmc | -| metal_bmc_image_tag | yes | Image tag of the metal-bmc | -| metal_bmc_superuser | yes | Name of the BMC superuser | -| metal_bmc_superuser_pwd | yes | Password of the BMC superuser | -| metal_bmc_nsqd_addr | yes | The address to the nsqd that metal-bmc uses for discovering the NSQ of the metal control plane | -| metal_bmc_nsq_log_level | | The metal-core log level used on NSQ communication | -| metal_bmc_nsq_tls_enabled | | Enables tls encryption on NSQ traffic | -| metal_bmc_nsq_cert_dir | | Defines the path of the NSQ certificates | -| metal_bmc_nsqd_ca_cert | | The CA certificate that signed the NSQ client cert | -| metal_bmc_nsqd_client_cert | | The NSQ client certificate | -| metal_bmc_nsqd_client_cert_key | | The NSQ client certificate key | -| metal_bmc_console_port | | The port where to listen for incoming metal-console connections | -| metal_bmc_console_ca_cert | yes | The CA certificate for the metal-console port as a string | -| metal_bmc_console_cert | yes | The certificate for metal-console port as a string | -| metal_bmc_console_key | yes | The key for the metal-console port as a string | -| metal_bmc_console_cert_owner | | user of the created certificate files | -| metal_bmc_console_cert_group | | group of the created certificate files | -| metal_bmc_ignore_macs | | when fetching bmc reports from the dhcp lease file, the given macs are ignored | -| metal_bmc_allowed_cidrs | | when fetching bmc reports from the dhcp lease file, ips in the given cidrs are ignored | +| Name | Mandatory | Description | +| 
---------------------------------- | --------- | ---------------------------------------------------------------------------------------------- | +| metal_bmc_image_name | yes | Image version of the metal-bmc | +| metal_bmc_image_tag | yes | Image tag of the metal-bmc | +| metal_bmc_superuser | yes | Name of the BMC superuser | +| metal_bmc_superuser_pwd | yes | Password of the BMC superuser | +| metal_bmc_nsqd_addr | yes | The address to the nsqd that metal-bmc uses for discovering the NSQ of the metal control plane | +| metal_bmc_nsq_log_level | | The metal-core log level used on NSQ communication | +| metal_bmc_nsq_tls_enabled | | Enables tls encryption on NSQ traffic | +| metal_bmc_nsq_cert_dir | | Defines the path of the NSQ certificates | +| metal_bmc_nsqd_ca_cert | | The CA certificate that signed the NSQ client cert | +| metal_bmc_nsqd_client_cert | | The NSQ client certificate | +| metal_bmc_nsqd_client_cert_key | | The NSQ client certificate key | +| metal_bmc_console_port | | The port where to listen for incoming metal-console connections | +| metal_bmc_console_ca_cert | yes | The CA certificate for the metal-console port as a string | +| metal_bmc_console_cert | yes | The certificate for metal-console port as a string | +| metal_bmc_console_key | yes | The key for the metal-console port as a string | +| metal_bmc_console_cert_owner | | user of the created certificate files | +| metal_bmc_console_cert_group | | group of the created certificate files | +| metal_bmc_ignore_macs | | when fetching bmc reports from the dhcp lease file, the given macs are ignored | +| metal_bmc_allowed_cidrs | | when fetching bmc reports from the dhcp lease file, ips in the given cidrs are ignored | +| metal_bmc_additional_volume_mounts | | Volumes to mount into the metal-bmc, besides the default ones | diff --git a/partition/roles/metal-bmc/defaults/main/main.yaml b/partition/roles/metal-bmc/defaults/main/main.yaml index 13606d6f..ca15c4a5 100755 
--- a/partition/roles/metal-bmc/defaults/main/main.yaml +++ b/partition/roles/metal-bmc/defaults/main/main.yaml @@ -20,3 +20,5 @@ metal_bmc_console_cert_dir: /certs/console metal_bmc_console_ca_cert: metal_bmc_console_cert: metal_bmc_console_key: + +metal_bmc_additional_volume_mounts: [] diff --git a/partition/roles/metal-bmc/tasks/main.yaml b/partition/roles/metal-bmc/tasks/main.yaml index e32da2a6..ec4295da 100755 --- a/partition/roles/metal-bmc/tasks/main.yaml +++ b/partition/roles/metal-bmc/tasks/main.yaml @@ -81,10 +81,7 @@ systemd_docker_ports: - host_port: "{{ metal_bmc_console_port }}" target_port: "{{ metal_bmc_console_port }}" - systemd_docker_volumes: - - /var/lib/dhcp:/var/lib/dhcp:ro - - /certs/nsq:/certs/nsq:ro - - /certs/console:/certs/console:ro + systemd_docker_volumes: "{{ lookup('template', 'metal-bmc-volumes.j2') | from_yaml }}" systemd_service_environment: TZ: "{{ metal_partition_timezone }}" METAL_BMC_LEASE_FILE: /var/lib/dhcp/dhcpd.leases @@ -104,4 +101,4 @@ METAL_BMC_CONSOLE_PORT: "{{ metal_bmc_console_port }}" METAL_BMC_CONSOLE_CA_CERT_FILE: "{{metal_bmc_console_cert_dir }}/ca.pem" METAL_BMC_CONSOLE_CERT_FILE: "{{metal_bmc_console_cert_dir }}/cert.pem" - METAL_BMC_CONSOLE_KEY_FILE: "{{metal_bmc_console_cert_dir }}/key.pem" + METAL_BMC_CONSOLE_KEY_FILE: "{{metal_bmc_console_cert_dir }}/key.pem" diff --git a/partition/roles/metal-bmc/templates/metal-bmc-volumes.j2 b/partition/roles/metal-bmc/templates/metal-bmc-volumes.j2 new file mode 100644 index 00000000..370a367c --- /dev/null +++ b/partition/roles/metal-bmc/templates/metal-bmc-volumes.j2 @@ -0,0 +1,6 @@ +- /var/lib/dhcp:/var/lib/dhcp:ro +- /certs/nsq:/certs/nsq:ro +- /certs/console:/certs/console:ro +{% for volume_mount in metal_bmc_additional_volume_mounts %} +- {{ volume_mount }} +{% endfor %} \ No newline at end of file diff --git a/partition/roles/metal-core/README.md b/partition/roles/metal-core/README.md index 130d0701..2bc21c32 100644 --- a/partition/roles/metal-core/README.md 
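Review bot: In the new `metal-bmc-volumes.j2` the loop emits `- {{ volume_mount }}` unquoted, and the result is parsed by `from_yaml` with implicit typing, so a mount string containing `: ` or ` #`, or starting with `*`, `&` or `[`, would be misparsed or fail, while the fixed entries above are plain host paths. Quoting the templated value, `- "{{ volume_mount }}"` (or `- {{ volume_mount | to_json }}`), keeps arbitrary mount strings intact. The same pattern appears in `metal-core-volumes.j2` and `pixie-volumes.j2` later in this series, where the first entry is already quoted but the loop entries are not; all three new or changed templates also end without a trailing newline.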
+++ b/partition/roles/metal-core/README.md @@ -32,3 +32,4 @@ You can look up all the default values of this role [here](defaults/main/main.ya | metal_core_interfaces_tpl_file | | The golang template file to use for rendering `/etc/network/interfaces`. If this is left blank the default template shipped with metal-core will be used. | | metal_core_frr_tpl_file | | The golang template file to use for rendering `/etc/frr/frr.conf`. If this is left blank the default template shipped with metal-core will be used. | | metal_core_pxe_vlan_id | | The VLAN ID for the PXE machines. Defaults to `4000`. | +| metal_core_additional_volume_mounts | | Volumes to mount into the metal-core, besides the default ones | diff --git a/partition/roles/metal-core/defaults/main/main.yaml b/partition/roles/metal-core/defaults/main/main.yaml index fb5a1ee4..8218e893 100644 --- a/partition/roles/metal-core/defaults/main/main.yaml +++ b/partition/roles/metal-core/defaults/main/main.yaml @@ -15,6 +15,7 @@ metal_core_grpc_client_key: "{{ metal_partition_metal_api_grpc_client_key }}" metal_core_additional_bridge_vids: [] metal_core_additional_bridge_ports: [] +metal_core_additional_volume_mounts: [] metal_core_consider_hosts_file_resolution: false diff --git a/partition/roles/metal-core/templates/metal-core-volumes.j2 b/partition/roles/metal-core/templates/metal-core-volumes.j2 index aafc717f..3f94614e 100644 --- a/partition/roles/metal-core/templates/metal-core-volumes.j2 +++ b/partition/roles/metal-core/templates/metal-core-volumes.j2 @@ -12,3 +12,6 @@ - /etc/nsswitch.conf:/etc/nsswitch.conf {% endif %} - "{{ metal_core_grpc_cert_dir }}:/certs/grpc:ro" +{% for volume_mount in metal_core_additional_volume_mounts %} +- {{ volume_mount }} +{% endfor %} \ No newline at end of file diff --git a/partition/roles/pixiecore/README.md b/partition/roles/pixiecore/README.md index 8f57ef3a..57bca4e6 100644 --- a/partition/roles/pixiecore/README.md +++ b/partition/roles/pixiecore/README.md 
@@ -5,7 +5,7 @@ Deploys pixiecore in a systemd-managed Docker container. ## Variables | Name | Mandatory | Description | -|---------------------------------------------|-----------|---------------------------------------------------------------------------------------------------------------| +| ------------------------------------------- | --------- | ------------------------------------------------------------------------------------------------------------- | | pixiecore_image_name | yes | Image version of the pixiecore | | pixiecore_image_tag | yes | Image tag of the pixiecore | | pixiecore_debug | | Enable debugging | @@ -26,3 +26,4 @@ Deploys pixiecore in a systemd-managed Docker container. | pixiecore_metal_hammer_logging_cert | | set metal-hammer to send logs to a remote endpoint and authenticate with this cert for mtls auth | | pixiecore_metal_hammer_logging_key | | set metal-hammer to send logs to a remote endpoint and authenticate with this key for mtls auth | | pixiecore_metal_hammer_logging_tls_insecure | | set metal-hammer to send logs to a remote endpoint without verifying the tls certificate for mtls auth | +| pixiecore_additional_volume_mounts | | Volumes to mount into the pixiecore, besides the default ones | diff --git a/partition/roles/pixiecore/defaults/main/main.yaml b/partition/roles/pixiecore/defaults/main/main.yaml index 6ef53e8c..dfd4f0d6 100644 --- a/partition/roles/pixiecore/defaults/main/main.yaml +++ b/partition/roles/pixiecore/defaults/main/main.yaml @@ -19,3 +19,5 @@ pixiecore_metal_hammer_logging_password: pixiecore_metal_hammer_logging_cert: pixiecore_metal_hammer_logging_key: pixiecore_metal_hammer_logging_tls_insecure: false + +pixiecore_additional_volume_mounts: [] diff --git a/partition/roles/pixiecore/tasks/main.yaml b/partition/roles/pixiecore/tasks/main.yaml index 1b59497e..48868895 100644 --- a/partition/roles/pixiecore/tasks/main.yaml +++ b/partition/roles/pixiecore/tasks/main.yaml 
@@ -66,8 +66,7 @@ systemd_docker_cpu_quota: 10000 systemd_docker_memory: 256m systemd_docker_dns: "{{ pixiecore_dns_servers }}" - systemd_docker_volumes: - - "{{ pixiecore_grpc_cert_dir }}:/certs/grpc:ro" + systemd_docker_volumes: "{{ lookup('template', 'pixie-volumes.j2') | from_yaml }}" # Because Pixiecore needs to listen for DHCP traffic, # it has to run with access to the host's networking stack. # Both Rkt and Docker do this with the --net=host commandline flag. diff --git a/partition/roles/pixiecore/templates/pixie-volumes.j2 b/partition/roles/pixiecore/templates/pixie-volumes.j2 new file mode 100644 index 00000000..d1d6ce55 --- /dev/null +++ b/partition/roles/pixiecore/templates/pixie-volumes.j2 @@ -0,0 +1,4 @@ +- "{{ pixiecore_grpc_cert_dir }}:/certs/grpc:ro" +{% for volume_mount in pixiecore_additional_volume_mounts %} +- {{ volume_mount }} +{% endfor %} \ No newline at end of file From e10502d048c75ce3c14b3be42880bd180add7a29 Mon Sep 17 00:00:00 2001 From: mreiger Date: Tue, 13 Aug 2024 19:49:13 +0200 Subject: [PATCH 27/49] Set the gratuitous arp force override option for SAG interfaces, per Edgecore's recommendation. Only for VLANs in a vrf because that is the (current) use case. --- partition/roles/sonic/templates/metal.yaml.j2 | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/partition/roles/sonic/templates/metal.yaml.j2 b/partition/roles/sonic/templates/metal.yaml.j2 index 64c05914..cd119b23 100644 --- a/partition/roles/sonic/templates/metal.yaml.j2 +++ b/partition/roles/sonic/templates/metal.yaml.j2 @@ -171,6 +171,13 @@ VLAN_INTERFACE: {% for vlan in sonic_vlans %} {% if vlan.vrf is defined %} Vlan{{ vlan.id }}: + {% if sonic_sag is defined and sonic_sag.vlans is defined %} + {% for sag_vlan in sonic_sag.vlans %} + {% if vlan.id == sag_vlan.id %} + "grat_arp_force_override": "enabled" + {% endif %} + {% endfor %} + {% endif %} vrf_name: "{{ vlan.vrf }}" {% else %} Vlan{{ vlan.id }}: {} 
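Review bot: The context comment in this hunk states that pixiecore runs with the host's networking stack, and `systemd_docker_volumes` now also accepts arbitrary host paths from `pixiecore_additional_volume_mounts`, so a read-write entry gives a host-network container write access to that path with no check in between. The only default mount is `:ro`; document in the pixiecore README that additional entries are `host:container[:mode]` strings that should keep `:ro` unless writing is required, and quote the loop line in pixie-volumes.j2 as `- "{{ volume_mount }}"` like the existing entry. The task whose other keys appear here begins above the hunk.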
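Review bot: The nested `{% for sag_vlan in sonic_sag.vlans %}` loop inside `VLAN_INTERFACE` emits `"grat_arp_force_override": "enabled"` once per matching entry, so a VLAN id listed twice in `sonic_sag.vlans` produces a duplicate key in the rendered config_db. A membership test reads more directly and cannot repeat the key: `{% if sonic_sag is defined and sonic_sag.vlans is defined and vlan.id in (sonic_sag.vlans | map(attribute='id') | list) %}`. The quoted key is also the only quoted key in this mapping (`vrf_name` is bare); either style works for SONiC, but pick one. The `{% endfor %}` closing `{% for vlan in sonic_vlans %}` lies below the hunk.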
From f7799543e5f7533679fe3e64d5b5fd82a389868c Mon Sep 17 00:00:00 2001 From: mreiger Date: Wed, 14 Aug 2024 12:44:12 +0200 Subject: [PATCH 28/49] Adjust l2 leaf test; exclude backup files --- .gitignore | 1 + partition/roles/sonic/test/data/l2_leaf/metal.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index ea53cc9e..a368e039 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ .shoot* __pycache__ .Trash* +*~ diff --git a/partition/roles/sonic/test/data/l2_leaf/metal.yaml b/partition/roles/sonic/test/data/l2_leaf/metal.yaml index e1f05736..929f8142 100644 --- a/partition/roles/sonic/test/data/l2_leaf/metal.yaml +++ b/partition/roles/sonic/test/data/l2_leaf/metal.yaml @@ -267,6 +267,7 @@ VLAN_INTERFACE: Vlan1000: {} Vlan1000|192.168.255.1/24: {} Vlan1001: + "grat_arp_force_override": "enabled" vrf_name: "Vrf46" VLAN_MEMBER: From 2f4028fa65d4794ed2c178cf288f98475b22b603 Mon Sep 17 00:00:00 2001 From: Gerrit Date: Thu, 22 Aug 2024 14:32:10 +0200 Subject: [PATCH 29/49] Add node-agent to oci-mirror. (#308) --- .../roles/isolated-clusters/defaults/main/images.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/control-plane/roles/isolated-clusters/defaults/main/images.yaml b/control-plane/roles/isolated-clusters/defaults/main/images.yaml index 95da6706..97123ae4 100644 --- a/control-plane/roles/isolated-clusters/defaults/main/images.yaml +++ b/control-plane/roles/isolated-clusters/defaults/main/images.yaml @@ -29,6 +29,10 @@ isolated_clusters_registry_oci_mirror_config: destination: http://registry:5000/gardener-project/releases/hyperkube match: semver: ">= v1.27.10" + - source: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent + destination: http://registry:5000/gardener-project/releases/gardener/node-agent + match: + semver: ">= v1.89.0" - source: eu.gcr.io/gardener-project/3rd/alpine destination: http://registry:5000/gardener-project/3rd/alpine match: 
@@ -157,3 +161,8 @@ isolated_clusters_registry_oci_mirror_config: destination: http://registry:5000/node-init match: semver: ">= v0.1.4" + # TODO: this can be removed after g/g v1.94 when we do not rely on our fork build anymore + - source: r.metal-stack.io/gardener/node-agent + destination: http://registry:5000/gardener/node-agent + match: + all_tags: true From bbdc27531e7d46ed673aa52b246d0fe84d57c678 Mon Sep 17 00:00:00 2001 From: Simon Mayer <49491825+simcod@users.noreply.github.com> Date: Fri, 6 Sep 2024 15:16:59 +0200 Subject: [PATCH 30/49] Added lightbox and lightos to prometheus (#297) --- .../prometheus/defaults/main/main.yaml | 2 ++ .../prometheus/templates/prometheus.yaml.j2 | 24 +++++++++++++++++-- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/partition/roles/monitoring/prometheus/defaults/main/main.yaml b/partition/roles/monitoring/prometheus/defaults/main/main.yaml index a95fa8fc..02c384f9 100644 --- a/partition/roles/monitoring/prometheus/defaults/main/main.yaml +++ b/partition/roles/monitoring/prometheus/defaults/main/main.yaml @@ -17,6 +17,8 @@ prometheus_promtail_targets: [] prometheus_ping_targets: [] prometheus_sonic_exporter_targets: [] prometheus_blackbox_exporter_targets: [] +prometheus_lightbox_exporter_targets: [] +prometheus_lightos_smart_targets: [] prometheus_hosts_content: | 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 diff --git a/partition/roles/monitoring/prometheus/templates/prometheus.yaml.j2 b/partition/roles/monitoring/prometheus/templates/prometheus.yaml.j2 index 03e3bb66..f9cf7df0 100644 --- a/partition/roles/monitoring/prometheus/templates/prometheus.yaml.j2 +++ b/partition/roles/monitoring/prometheus/templates/prometheus.yaml.j2 
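Review bot: The new `r.metal-stack.io/gardener/node-agent` entry uses `all_tags: true`, so the oci-mirror copies every tag of that fork build into the isolated registry, including mutable ones such as `latest` if they exist, while every other entry in this file pins with a `semver` range. If only the fork's release tags are needed, constrain it like the upstream entry earlier in the file, e.g. `match: {semver: ">= v1.89.0"}`. The `TODO` says the entry can go after g/g v1.94; give it an issue reference so the removal is tracked rather than rediscovered in the config.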
@@ -197,6 +197,26 @@ scrape_configs: metrics_path: /metrics scrape_timeout: 25s scrape_interval: 30s - honor_timestamps: True + params: + collect[]: + - clustering + - datapath + - duroslight + - meminfo + - textfile + - lightfield + - netstat + - netdev + - cpufreq + static_configs: + - targets: {{ prometheus_lightbox_exporter_targets | to_json }} + +- job_name: 'lightos-smart' + metrics_path: /metrics + scrape_timeout: 10s + scrape_interval: 5m + params: + collect[]: + - smart static_configs: - - targets: + - targets: {{ prometheus_lightos_smart_targets | to_json }} \ No newline at end of file From 306380652aa873779231cf3f555b96936f50fcf5 Mon Sep 17 00:00:00 2001 From: Gerrit Date: Mon, 9 Sep 2024 09:02:30 +0200 Subject: [PATCH 31/49] Add toggles for Gardener extensions. (#312) --- control-plane/roles/gardener/README.md | 6 ++++++ .../roles/gardener/defaults/main/extensions.yaml | 13 ++++++++++--- control-plane/roles/gardener/tasks/extensions.yaml | 7 +++++++ 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md index da8c3deb..5fc40550 100644 --- a/control-plane/roles/gardener/README.md +++ b/control-plane/roles/gardener/README.md 
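Review bot: Both new scrape jobs rely on Prometheus defaults for transport, i.e. plain `http` with no `tls_config` or authentication, toward the storage endpoints listed in `prometheus_lightbox_exporter_targets` and `prometheus_lightos_smart_targets`. If the lightbox exporter is reachable over TLS, add `scheme: https` and a `tls_config` with the cluster CA; if not, the role README should state that these targets must only be reachable from the management network. Dropping `honor_timestamps: True` appears harmless, as `true` is the Prometheus default. The `job_name` of the first job sits above this hunk, and the file now ends without a trailing newline.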
@@ -89,6 +89,12 @@ This includes the metal-stack extension provider called [gardener-extension-prov | Name | Mandatory | Description | | ------------------------------------------------------------ | --------- | ------------------------------------------------------------------------------------------------------------------------------------------- | +| gardener_extension_provider_gcp_enabled | | If enabled, deploys the gardener-extension-provider-metal | +| gardener_extension_os_metal_enabled | | If enabled, deploys the os-metal-extension | +| gardener_extension_networking_calico_enabled | | If enabled, deploys the gardener-networking-extension-calico | +| gardener_extension_networking_cilium_enabled | | If enabled, deploys the gardener-networking-extension-cilium | +| gardener_extension_shoot_cert_service_enabled | | If enabled, deploys the gardener-extension-shoot-cert-service | +| gardener_extension_shoot_dns_service_enabled | | If enabled, deploys the gardener-extension-shoot-dns-service | | gardener_os_controller_repo_ref | | A repo reference for deploying the [os-metal-extension](https://github.com/metal-stack/os-metal-extension/) | | gardener_networking_cilium_repo_ref | | A repo reference for deploying the [gardener-extension-networking-cilium](https://github.com/gardener/gardener-extension-networking-cilium) | | gardener_extension_provider_metal_repo_ref | | A repo reference for deploying the [gardener-extension-provider-metal](https://github.com/metal-stack/gardener-extension-provider-metal) | diff --git a/control-plane/roles/gardener/defaults/main/extensions.yaml b/control-plane/roles/gardener/defaults/main/extensions.yaml index 002c8050..4ddf1919 100644 --- a/control-plane/roles/gardener/defaults/main/extensions.yaml +++ b/control-plane/roles/gardener/defaults/main/extensions.yaml 
@@ -1,12 +1,19 @@ --- -gardener_os_controller_repo_ref: "{{ gardener_os_controller_image_tag }}" +gardener_extension_networking_calico_enabled: true +gardener_extension_networking_cilium_enabled: true +gardener_extension_os_metal_enabled: true +gardener_extension_provider_gcp_enabled: true +gardener_extension_provider_metal_enabled: true +gardener_extension_shoot_cert_service_enabled: true +gardener_extension_shoot_dns_service_enabled: true + +gardener_extension_provider_metal_repo_ref: "{{ gardener_extension_provider_metal_image_tag }}" gardener_networking_cilium_repo_ref: "gardener/gardener-extension-networking-cilium/{{ gardener_networking_cilium_image_tag }}" +gardener_os_controller_repo_ref: "{{ gardener_os_controller_image_tag }}" gardener_metal_admission_replicas: 1 gardener_metal_admission_vpa: true -gardener_extension_provider_metal_repo_ref: "{{ gardener_extension_provider_metal_image_tag }}" - gardener_extension_provider_metal_cluster_audit_enabled: false gardener_extension_provider_metal_audit_to_splunk_enabled: false gardener_extension_provider_metal_audit_to_splunk: diff --git a/control-plane/roles/gardener/tasks/extensions.yaml b/control-plane/roles/gardener/tasks/extensions.yaml index 8fbb2772..c2a7cbab 100644 --- a/control-plane/roles/gardener/tasks/extensions.yaml +++ b/control-plane/roles/gardener/tasks/extensions.yaml @@ -12,6 +12,7 @@ loop: - controller-deployment.yaml - controller-registration.yaml + when: gardener_extension_provider_metal_enabled - name: "Register controller: provider gcp (backups only)" k8s: @@ -26,6 +27,7 @@ loop: - controller-deployment.yaml - controller-registration.yaml + when: gardener_extension_provider_gcp_enabled - name: "Register controller: os extension provider metal" k8s: @@ -39,6 +41,7 @@ loop: - controller-deployment.yaml - controller-registration.yaml + when: gardener_extension_os_metal_enabled - name: "Register controller: networking calico" k8s: 
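Review bot: `gardener_extension_provider_metal_enabled` is introduced here but is missing from the README variable table added in the same commit, and that table's row for `gardener_extension_provider_gcp_enabled` describes it as deploying gardener-extension-provider-metal, which looks like a copy-paste slip. Add `| gardener_extension_provider_metal_enabled | | If enabled, deploys the gardener-extension-provider-metal |` and change the gcp row to `If enabled, deploys the gardener-extension-provider-gcp (backups only)`, matching the task name in tasks/extensions.yaml. All toggles default to `true`, so existing inventories keep their behaviour.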
@@ -52,6 +55,7 @@ loop: - controller-deployment.yaml - controller-registration.yaml + when: gardener_extension_networking_calico_enabled - name: "Register controller: networking cilium" k8s: @@ -65,6 +69,7 @@ loop: - controller-deployment.yaml - controller-registration.yaml + when: gardener_extension_networking_cilium_enabled - name: "Register controller: shoot-cert-service" k8s: @@ -79,6 +84,7 @@ loop: - controller-deployment.yaml - controller-registration.yaml + when: gardener_extension_shoot_cert_service_enabled - name: "Register controller: shoot-dns-service" k8s: @@ -93,3 +99,4 @@ loop: - controller-deployment.yaml - controller-registration.yaml + when: gardener_extension_shoot_dns_service_enabled From 10183812871da7fb420b75bf2c073792b937b4e5 Mon Sep 17 00:00:00 2001 From: Simon Mayer <49491825+simcod@users.noreply.github.com> Date: Tue, 10 Sep 2024 16:05:58 +0200 Subject: [PATCH 32/49] Allow to configure email and server of cert management issuer (#315) --- control-plane/roles/gardener/README.md | 2 ++ control-plane/roles/gardener/defaults/main/extensions.yaml | 2 ++ control-plane/roles/gardener/tasks/main.yaml | 1 + .../templates/shoot-cert-service/controller-deployment.yaml | 4 ++-- 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md index 5fc40550..12dc60a5 100644 --- a/control-plane/roles/gardener/README.md +++ b/control-plane/roles/gardener/README.md 
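Review bot: The added `when: gardener_extension_shoot_dns_service_enabled` (and its siblings above) only skips the `k8s:` apply, so flipping a toggle to `false` on a cluster where the controller was registered earlier leaves the existing ControllerRegistration and ControllerDeployment in place; nothing in these hunks removes them. Either document that the flags control registration only, or add a matching task with `state: absent` guarded by `when: not gardener_extension_shoot_dns_service_enabled`. Each `k8s:` task begins above its hunk, so the `definition:` being applied is not visible here.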
@@ -112,6 +112,8 @@ This includes the metal-stack extension provider called [gardener-extension-prov | gardener_extension_provider_metal_image_pull_policy | | Sets the image pull policy for components deployed through this extension controller. | | gardener_extension_provider_metal_image_pull_secret | | Provide image pull secrets for deployed containers | | gardener_cert_management_issuer_private_key | | The Let's Encrypt private key used by the cert-management extension controller to setup signed certificates | +| gardener_cert_management_issuer_email | | The issuer email used by the cert-management extension | +| gardener_cert_management_issuer_server | | The issuer server used by the cert-management extension | ### Certificates diff --git a/control-plane/roles/gardener/defaults/main/extensions.yaml b/control-plane/roles/gardener/defaults/main/extensions.yaml index 4ddf1919..02d915e9 100644 --- a/control-plane/roles/gardener/defaults/main/extensions.yaml +++ b/control-plane/roles/gardener/defaults/main/extensions.yaml @@ -65,5 +65,7 @@ gardener_extension_provider_metal_image_pull_secret: # ... gardener_cert_management_issuer_private_key: "" +gardener_cert_management_issuer_server: https://acme-v02.api.letsencrypt.org/directory +gardener_cert_management_issuer_email: gardener_extension_dns_external_controller_registration_url: diff --git a/control-plane/roles/gardener/tasks/main.yaml b/control-plane/roles/gardener/tasks/main.yaml index dccd291a..690d7569 100644 --- a/control-plane/roles/gardener/tasks/main.yaml +++ b/control-plane/roles/gardener/tasks/main.yaml @@ -55,6 +55,7 @@ - gardener_dns_provider is not none - gardener_cloud_profile_metal_api_url is not none - gardener_cloud_profile_metal_api_hmac is not none + - gardener_cert_management_issuer_email is not none - name: Deploy required Seed CRDs k8s: 
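Review bot: `gardener_cert_management_issuer_email:` is introduced with a null default and, in the same commit, tasks/main.yaml asserts it `is not none`, so the variable is effectively mandatory and inventories that relied on the previously hard-coded `cert-expiry@metal-pod.io` will fail the assert on upgrade. Mark the README row's Mandatory column as `yes` and mention the removed default in the commit message or changelog. `gardener_cert_management_issuer_server` keeps a working default, so only the email needs the flag.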
diff --git a/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml b/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml index 434bdd7c..9df45b84 100644 --- a/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml +++ b/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml @@ -15,7 +15,7 @@ providerConfig: defaultIssuer: restricted: true # restrict default issuer to any sub-domain of shoot.spec.dns.domain acme: - email: cert-expiry@metal-pod.io - server: https://acme-v02.api.letsencrypt.org/directory + email: "{{ gardener_cert_management_issuer_email }}" + server: "{{ gardener_cert_management_issuer_server }}" privateKey: | {{ gardener_cert_management_issuer_private_key | indent(width=12, first=false) }} From f2c38970b872c2ab7c139c4c8448cd7243e65996 Mon Sep 17 00:00:00 2001 From: Simon Mayer <49491825+simcod@users.noreply.github.com> Date: Wed, 11 Sep 2024 13:21:43 +0200 Subject: [PATCH 33/49] Allow s3 for virtual garden etcd (#314) --- control-plane/roles/gardener/README.md | 2 +- .../gardener/defaults/main/gardener.yaml | 19 +++++++++++++++++++ control-plane/roles/gardener/tasks/main.yaml | 1 + .../roles/gardener/tasks/shooted_seed.yaml | 10 ---------- .../roles/gardener/templates/etcd-values.j2 | 8 +++++++- 5 files changed, 28 insertions(+), 12 deletions(-) diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md index 12dc60a5..a71bc779 100644 --- a/control-plane/roles/gardener/README.md +++ b/control-plane/roles/gardener/README.md 
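Review bot: `server: "{{ gardener_cert_management_issuer_server }}"` is rendered without any check, while the new assert in tasks/main.yaml validates only the email, so an inventory override with an empty or `http://` value is passed through unchanged as the ACME directory URL. Extend the assert with `- gardener_cert_management_issuer_server is match("^https://")` so a misconfigured issuer fails at deploy time rather than at the first certificate request. The `privateKey` below remains inlined into the ControllerDeployment values as before; this commit does not change that.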
@@ -21,7 +21,7 @@ Check out the Gardener project for further documentation on [gardener.cloud](htt | gardener_scheduler_resources | | Set custom resource definitions for the gardener-scheduler | | gardener_dns_domain | | Specifies the DNS domain on which the Gardener will manage DNS entries | | gardener_dns_provider | yes | Specifies the DNS provider | -| gardener_backup_infrastructure | | Specifies the Gardener backup infrastructure | +| gardener_backup_infrastructure | | Specifies the Gardener backup infrastructure, required when `gardener_backup_infrastructure_secret` is set | | gardener_backup_infrastructure_secret | | Specifies the secret for the backup infrastructure | | gardener_soil_name | | The name of the initial `Seed` (used for spinning up shooted seeds) | | gardener_soil_kubeconfig_file_path | | The kubeconfig path to the initial seed cluster | diff --git a/control-plane/roles/gardener/defaults/main/gardener.yaml b/control-plane/roles/gardener/defaults/main/gardener.yaml index dc94a021..b062f5f6 100644 --- a/control-plane/roles/gardener/defaults/main/gardener.yaml +++ b/control-plane/roles/gardener/defaults/main/gardener.yaml @@ -35,7 +35,26 @@ gardener_dns_domain: gardener_dns_provider: gardener_backup_infrastructure: + # provider: gcp + # region: + # secretRef: + # name: backup-secret + # namespace: garden + # bucket: + # + # provider: S3 + # endpoint: "{{ gardener_backup_infrastructure_secret.endpoint | b64decode }}" + # accessKeyID: "{{ gardener_backup_infrastructure_secret.accessKeyID | b64decode }}" + # secretAccessKey: "{{ gardener_backup_infrastructure_secret.secretAccessKey | b64decode}}" + gardener_backup_infrastructure_secret: + # for gcp: + # serviceaccount.json: "{{ gardener_backup_infrastructure_service_account_json | b64encode }}" + # + # for S3: + # endpoint: + # accessKeyID: + # secretAccessKey: gardener_soil_name: "{{ metal_control_plane_stage_name }}" gardener_soil_kubeconfig_file_path: "{{ lookup('env', 'KUBECONFIG') }}" 
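Review bot: The commented S3 example under `gardener_backup_infrastructure` lists `endpoint`, `accessKeyID` and `secretAccessKey` read from `gardener_backup_infrastructure_secret`, but etcd-values.j2 in this commit takes those three values from the secret variable directly and reads only `provider` and `bucket` from `gardener_backup_infrastructure`, so the example points operators at keys the role never uses there. Trim that block to `provider: S3` plus `bucket:` (and `region:` if the backend needs it), and note next to the secret example that the values must be base64-encoded because the template applies `b64decode`. The GCP example already matches the template's use of `serviceaccount.json`.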
diff --git a/control-plane/roles/gardener/tasks/main.yaml b/control-plane/roles/gardener/tasks/main.yaml index 690d7569..f81a54f9 100644 --- a/control-plane/roles/gardener/tasks/main.yaml +++ b/control-plane/roles/gardener/tasks/main.yaml @@ -55,6 +55,7 @@ - gardener_dns_provider is not none - gardener_cloud_profile_metal_api_url is not none - gardener_cloud_profile_metal_api_hmac is not none + - gardener_backup_infrastructure_secret is none or (gardener_backup_infrastructure is not none and gardener_backup_infrastructure.provider in ["gcp", "S3"]) - gardener_cert_management_issuer_email is not none - name: Deploy required Seed CRDs diff --git a/control-plane/roles/gardener/tasks/shooted_seed.yaml b/control-plane/roles/gardener/tasks/shooted_seed.yaml index 4073d0d6..b494b059 100644 --- a/control-plane/roles/gardener/tasks/shooted_seed.yaml +++ b/control-plane/roles/gardener/tasks/shooted_seed.yaml @@ -13,16 +13,6 @@ apply: yes when: gardener_backup_infrastructure_secret -- name: Create backup infrastructure config for shooted seed - set_fact: - gardener_shooted_seed_backup_infratructure: - provider: "{{ gardener_backup_infrastructure.provider }}" - region: "{{ gardener_backup_infrastructure.region }}" - secretRef: - name: "{{ gardener_shooted_seed.name }}-backup-secret" - namespace: garden - when: gardener_backup_infrastructure_secret - - name: Add seed provider secret k8s: definition: diff --git a/control-plane/roles/gardener/templates/etcd-values.j2 b/control-plane/roles/gardener/templates/etcd-values.j2 index e29e1fdd..59639fb8 100644 --- a/control-plane/roles/gardener/templates/etcd-values.j2 +++ b/control-plane/roles/gardener/templates/etcd-values.j2 
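Review bot: The new assert treats `gardener_backup_infrastructure_secret is none` as "no backup", while etcd-values.j2 gates the backup block on plain truthiness (`{% if gardener_backup_infrastructure_secret %}`), so an empty mapping `{}` passes the assert when a valid provider is set yet silently renders no backup configuration. Use the same test in both places, e.g. `- not gardener_backup_infrastructure_secret or (gardener_backup_infrastructure is not none and gardener_backup_infrastructure.provider in ["gcp", "S3"])`. The assert task itself starts above this hunk.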
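Review bot: Removing the `gardener_shooted_seed_backup_infratructure` set_fact is only safe if no template or later task still references that fact, and the diff does not show where the shooted seed's backup block now comes from; please confirm (the misspelled name makes it easy to grep) or say so in the commit message. The preceding task ends with `when: gardener_backup_infrastructure_secret`, a truthiness test, which is worth keeping in mind next to the `is none` check added in tasks/main.yaml in the same commit.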
@@ -5,10 +5,16 @@ images: {% if gardener_backup_infrastructure_secret %} backup: storageContainer: {{ gardener_backup_infrastructure.bucket }} -{% if metal_control_plane_host_provider == "gcp" %} +{% if gardener_backup_infrastructure.provider == "gcp" %} storageProvider: "GCS" gcs: serviceAccountJson: {{ gardener_backup_infrastructure_service_account_json | to_json }} +{% elif gardener_backup_infrastructure.provider == "S3" %} + storageProvider: "ECS" + ecs: + endpoint: "{{ gardener_backup_infrastructure_secret.endpoint | b64decode }}" + accessKeyID: "{{ gardener_backup_infrastructure_secret.accessKeyID | b64decode }}" + secretAccessKey: "{{ gardener_backup_infrastructure_secret.secretAccessKey | b64decode}}" {% endif %} {% endif %} From 9d22b647958ed6fdd4fdf9dc559ea3773ba15d46 Mon Sep 17 00:00:00 2001 From: Simon Mayer <49491825+simcod@users.noreply.github.com> Date: Wed, 11 Sep 2024 13:30:47 +0200 Subject: [PATCH 34/49] Make basic_auth for prometheus and promtail optional (#316) --- .../roles/monitoring/prometheus/templates/prometheus.yaml.j2 | 2 ++ partition/roles/promtail/templates/promtail.yaml.j2 | 2 ++ 2 files changed, 4 insertions(+) diff --git a/partition/roles/monitoring/prometheus/templates/prometheus.yaml.j2 b/partition/roles/monitoring/prometheus/templates/prometheus.yaml.j2 index f9cf7df0..06006bd8 100644 --- a/partition/roles/monitoring/prometheus/templates/prometheus.yaml.j2 +++ b/partition/roles/monitoring/prometheus/templates/prometheus.yaml.j2 @@ -34,9 +34,11 @@ alerting: {% if prometheus_remote_write_url %} remote_write: - url: {{ prometheus_remote_write_url }} + {% if prometheus_remote_write_basic_auth_username is defined and prometheus_remote_write_basic_auth_password is defined %} basic_auth: username: {{ prometheus_remote_write_basic_auth_username }} password: {{ prometheus_remote_write_basic_auth_password }} + {% endif %} {% endif %} # Load rules once and periodically evaluate them according to the global 'evaluation_interval'. 
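Review bot: The new `ecs:` block renders `accessKeyID` and `secretAccessKey` as plaintext into the etcd Helm values, so the task that templates or applies this file must run with `no_log: true` and the rendered values must not land on a world-readable path; that task is outside this diff, so please confirm. The S3 `endpoint` is passed through unchecked; consider asserting it starts with `https://` alongside the provider check in tasks/main.yaml, since these backups hold the virtual-garden etcd contents. Minor: `b64decode}}` on the `secretAccessKey` line lacks the space the two lines above have.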
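Review bot: Guarding `basic_auth` with `is defined` means an inventory that defines only the username, or sets the password to an empty string, now silently sends remote-write traffic to `prometheus_remote_write_url` without credentials instead of failing the template. Require both values to be non-empty, e.g. `{% if prometheus_remote_write_basic_auth_username | default('') and prometheus_remote_write_basic_auth_password | default('') %}`, or add an assert in the role's tasks that both are set or neither is. The indented `{% if %}`/`{% endif %}` lines leave leading spaces in the output unless the template is rendered with `lstrip_blocks`, which is not visible here; check the rendered indentation under `remote_write`.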
diff --git a/partition/roles/promtail/templates/promtail.yaml.j2 b/partition/roles/promtail/templates/promtail.yaml.j2 index 7df42b07..daca6ef0 100644 --- a/partition/roles/promtail/templates/promtail.yaml.j2 +++ b/partition/roles/promtail/templates/promtail.yaml.j2 @@ -8,9 +8,11 @@ positions: clients: - url: {{ promtail_loki_push_endpoint }} timeout: 60s + {% if promtail_loki_basic_auth_username is defined and promtail_loki_basic_auth_password is defined %} basic_auth: username: {{ promtail_loki_basic_auth_username }} password: {{ promtail_loki_basic_auth_password }} + {% endif %} scrape_configs: {{ promtail_scrape_configs|to_yaml(indent=2) }} From 5327bbda28bf35768f61de120e0462d11c2728ee Mon Sep 17 00:00:00 2001 From: Simon Mayer <49491825+simcod@users.noreply.github.com> Date: Wed, 11 Sep 2024 13:45:50 +0200 Subject: [PATCH 35/49] Allow to provide the imageVectorOverwrite for the cilium extension (#318) --- control-plane/roles/gardener/README.md | 1 + .../gardener/defaults/main/extensions.yaml | 6 ++++++ .../controller-deployment.yaml | 19 +++---------------- 3 files changed, 10 insertions(+), 16 deletions(-) diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md index a71bc779..cfe77146 100644 --- a/control-plane/roles/gardener/README.md +++ b/control-plane/roles/gardener/README.md 
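Review bot: With `is defined` as the only guard, defining just `promtail_loki_basic_auth_username`, or setting the password to `""`, either drops `basic_auth` entirely or renders an empty password, and promtail then pushes logs to `promtail_loki_push_endpoint` unauthenticated without any deploy-time error. Require both to be non-empty, e.g. `{% if promtail_loki_basic_auth_username | default('') and promtail_loki_basic_auth_password | default('') %}`, or assert both-or-neither in the role's tasks. Check the rendered indentation as well, since the `{% if %}` lines are indented and the template's `lstrip_blocks` setting is not visible here.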
@@ -112,6 +112,7 @@ This includes the metal-stack extension provider called [gardener-extension-prov | gardener_extension_provider_metal_image_pull_policy | | Sets the image pull policy for components deployed through this extension controller. | | gardener_extension_provider_metal_image_pull_secret | | Provide image pull secrets for deployed containers | | gardener_cert_management_issuer_private_key | | The Let's Encrypt private key used by the cert-management extension controller to setup signed certificates | +| gardener_extension_networking_cilium_image_vector_overwrite | | Allows overriding the image vector for the networking cilium extension | | gardener_cert_management_issuer_email | | The issuer email used by the cert-management extension | | gardener_cert_management_issuer_server | | The issuer server used by the cert-management extension | diff --git a/control-plane/roles/gardener/defaults/main/extensions.yaml b/control-plane/roles/gardener/defaults/main/extensions.yaml index 02d915e9..8c87eeac 100644 --- a/control-plane/roles/gardener/defaults/main/extensions.yaml +++ b/control-plane/roles/gardener/defaults/main/extensions.yaml @@ -69,3 +69,9 @@ gardener_cert_management_issuer_server: https://acme-v02.api.letsencrypt.org/dir gardener_cert_management_issuer_email: gardener_extension_dns_external_controller_registration_url: + +gardener_extension_networking_cilium_image_vector_overwrite: [] + # - name: + # sourceRepository: /source/repository + # repository: /repository + # tag: diff --git a/control-plane/roles/gardener/templates/networking-cilium/controller-deployment.yaml b/control-plane/roles/gardener/templates/networking-cilium/controller-deployment.yaml index fdf02722..0e832f65 100644 --- a/control-plane/roles/gardener/templates/networking-cilium/controller-deployment.yaml +++ b/control-plane/roles/gardener/templates/networking-cilium/controller-deployment.yaml 
@@ -11,21 +11,8 @@ providerConfig: repository: "{{ gardener_networking_cilium_image_name }}" tag: "{{ gardener_networking_cilium_image_tag }}" pullPolicy: Always +{% if gardener_extension_networking_cilium_image_vector_overwrite %} imageVectorOverwrite: | images: - - name: cilium-agent - sourceRepository: github.com/cilium/cilium - repository: quay.io/cilium/cilium - tag: v1.12.1 - - name: cilium-preflight - sourceRepository: github.com/cilium/cilium - repository: quay.io/cilium/cilium - tag: v1.12.1 - - name: cilium-operator - sourceRepository: github.com/cilium/cilium - repository: quay.io/cilium/operator - tag: v1.12.1 - - name: hubble-relay - sourceRepository: github.com/cilium/hubble-ui - repository: quay.io/cilium/hubble-relay - tag: v1.12.1 + {{ gardener_extension_networking_cilium_image_vector_overwrite | to_nice_yaml(indent=2) | indent(width=8, first=false) }} +{% endif %} \ No newline at end of file From b64184b8f834d5c4f666dd21eb338c1f0a6221d0 Mon Sep 17 00:00:00 2001 From: Simon Mayer <49491825+simcod@users.noreply.github.com> Date: Fri, 13 Sep 2024 11:53:22 +0200 Subject: [PATCH 36/49] Add variable for configuring ntp servers (#313) --- partition/roles/pixiecore/README.md | 1 + partition/roles/pixiecore/defaults/main/main.yaml | 1 + partition/roles/pixiecore/templates/pixie-cmd.j2 | 3 +++ 3 files changed, 5 insertions(+) diff --git a/partition/roles/pixiecore/README.md b/partition/roles/pixiecore/README.md index 57bca4e6..3b799fef 100644 --- a/partition/roles/pixiecore/README.md +++ b/partition/roles/pixiecore/README.md 
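Review bot: With `gardener_extension_networking_cilium_image_vector_overwrite` defaulting to `[]`, the `imageVectorOverwrite` block that pinned cilium-agent, cilium-preflight, cilium-operator and hubble-relay to `v1.12.1` is no longer rendered by default, so existing installations switch to whatever image vector the extension ships on the next run of this role; that is a supply-chain-relevant change and should be called out in the README or changelog, or the old list kept as the default. The `{{ ... | to_nice_yaml(indent=2) | indent(width=8, first=false) }}` line depends on the template column of its first line matching the 8-space indent applied to the rest; verify the rendered `images:` list with a non-empty override. The `{% endif %}` also leaves the file without a trailing newline.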
@@ -26,4 +26,5 @@ Deploys pixiecore in a systemd-managed Docker container. | pixiecore_metal_hammer_logging_cert | | set metal-hammer to send logs to a remote endpoint and authenticate with this cert for mtls auth | | pixiecore_metal_hammer_logging_key | | set metal-hammer to send logs to a remote endpoint and authenticate with this key for mtls auth | | pixiecore_metal_hammer_logging_tls_insecure | | set metal-hammer to send logs to a remote endpoint without verifying the tls certificate for mtls auth | +| pixiecore_metal_hammer_ntp_servers | | A list of custom NTP servers | | pixiecore_additional_volume_mounts | | Volumes to mount into the pixiecore, besides the default ones | diff --git a/partition/roles/pixiecore/defaults/main/main.yaml b/partition/roles/pixiecore/defaults/main/main.yaml index dfd4f0d6..74b1cb6f 100644 --- a/partition/roles/pixiecore/defaults/main/main.yaml +++ b/partition/roles/pixiecore/defaults/main/main.yaml @@ -19,5 +19,6 @@ pixiecore_metal_hammer_logging_password: pixiecore_metal_hammer_logging_cert: pixiecore_metal_hammer_logging_key: pixiecore_metal_hammer_logging_tls_insecure: false +pixiecore_metal_hammer_ntp_servers: [] pixiecore_additional_volume_mounts: [] diff --git a/partition/roles/pixiecore/templates/pixie-cmd.j2 b/partition/roles/pixiecore/templates/pixie-cmd.j2 index eb9a12d4..95c5815d 100644 --- a/partition/roles/pixiecore/templates/pixie-cmd.j2 +++ b/partition/roles/pixiecore/templates/pixie-cmd.j2 @@ -28,3 +28,6 @@ {% if pixiecore_metal_hammer_logging_tls_insecure %} - "--metal-hammer-logging-tls-insecure={{ pixiecore_metal_hammer_logging_tls_insecure | lower }}" {% endif %} +{% if pixiecore_metal_hammer_ntp_servers %} +- "--ntp-servers={{ pixiecore_metal_hammer_ntp_servers | join(',') }}" +{% endif %} \ No newline at end of file From f9a39d009ed861b29cc650c2d00042ddb5d80439 Mon Sep 17 00:00:00 2001 
From: mreiger Date: Tue, 24 Sep 2024 11:25:31 +0200 Subject: [PATCH 37/49] Implement new SAG configuration for SONIC 202211 --- partition/roles/sonic/README.md | 4 +-- partition/roles/sonic/templates/metal.yaml.j2 | 26 +++++-------------- .../roles/sonic/test/data/l2_leaf/input.yaml | 4 +-- .../roles/sonic/test/data/l2_leaf/metal.yaml | 12 +++------ 4 files changed, 11 insertions(+), 35 deletions(-) diff --git a/partition/roles/sonic/README.md b/partition/roles/sonic/README.md index 66463935..3e6f921c 100644 --- a/partition/roles/sonic/README.md +++ b/partition/roles/sonic/README.md @@ -45,6 +45,7 @@ It depends on the `switch_facts` module from `ansible-common`, so make sure modu | sonic_vlans.untagged_ports | | Array of untagged ports to bind to this VLAN. | | sonic_vlans.tagged_ports | | Array of tagged ports to bind to this VLAN. | | sonic_vlans.vrf | | The VRF to bind the VLANs SVI to. | +| sonic_vlans.sag | | Whether to enable Static Anycast Gateway for this VLAN. Defaults to false in SONIC. | | sonic_vteps | | VTEPs to configure. If defined FRR will automatically advertise all VNIs. | | sonic_vteps.comment | | Description for the VTEP. | | sonic_vteps.vlan | | The local VLAN interface. | 
@@ -82,9 +83,6 @@ It depends on the `switch_facts` module from `ansible-common`, so make sure modu | sonic_portchannels.members | | The list of the interfaces taking part in the portchannel. | | sonic_sag | | Configuration for SAG (Static Anycast Gateway) | | sonic_sag.mac | | The virtual MAC used for the SAG address | -| sonic_sag.vlans | | A list of VLANs that use SAG | -| sonic_sag.vlans.id | | The VLAN ID of this VLAN | -| sonic_sag.vlans.ip | | The SAG IP of this VLAN | | sonic_ssh_sourceranges | | The source ranges from which the switch should be reachable over SSH on its prod (non-management) addresses | | sonic_extended_cacl.ipv4 | | Iptables ipv4 rules that should be added as extended Control Plane ACLs (Edgecore Sonic specific feature) | | sonic_extended_cacl.ipv6 | | Iptables ipv6 rules that should be added as extended Control Plane ACLs (Edgecore Sonic specific feature) | diff --git a/partition/roles/sonic/templates/metal.yaml.j2 b/partition/roles/sonic/templates/metal.yaml.j2 index cd119b23..86c00b6f 100644 --- a/partition/roles/sonic/templates/metal.yaml.j2 +++ b/partition/roles/sonic/templates/metal.yaml.j2 @@ -140,21 +140,11 @@ PORTCHANNEL_MEMBER: {% endfor %} {% endfor %} {% endif %} -{% if sonic_sag is defined and sonic_sag|length > 0 %} -{% if sonic_sag.vlans is defined and sonic_sag.vlans|length > 0 %} +{% if sonic_sag.mac is defined %} SAG: -{% for vlan in sonic_sag.vlans %} - "Vlan{{ vlan.id }}|IPv4": - gwip: - - "{{ vlan.ip }}" -{% endfor %} -{% endif %} - -SAG_GLOBAL: - IP: - IPv4: "enable" - gwmac: "{{ sonic_sag.mac }}" + GLOBAL: + gateway_mac: "{{ sonic_sag.mac }}" {% endif %} {% if sonic_vlans is defined and sonic_vlans|length > 0 %} 
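Review bot: `{% if sonic_sag.mac is defined %}` replaces the previous `sonic_sag is defined and ...` guard; under Ansible's templar an attribute lookup on an undefined variable yields another undefined and the test is simply false, but a plain Jinja2 renderer with `StrictUndefined`, as a test harness might use, raises on `sonic_sag.mac` when `sonic_sag` is not set. Keep the explicit form, `{% if sonic_sag is defined and sonic_sag.mac is defined %}`, so the template behaves the same in both environments. The new `SAG: GLOBAL: gateway_mac` shape is taken as the SONiC 202211 schema per the commit title; the test data in this commit covers only the case where `sonic_sag` is set.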
@@ -171,13 +161,9 @@ VLAN_INTERFACE: {% for vlan in sonic_vlans %} {% if vlan.vrf is defined %} Vlan{{ vlan.id }}: - {% if sonic_sag is defined and sonic_sag.vlans is defined %} - {% for sag_vlan in sonic_sag.vlans %} - {% if vlan.id == sag_vlan.id %} - "grat_arp_force_override": "enabled" - {% endif %} - {% endfor %} - {% endif %} + {% if vlan.sag is defined %} + static_anycast_gateway: "{{ vlan.sag|bool }}" + {% endif %} vrf_name: "{{ vlan.vrf }}" {% else %} Vlan{{ vlan.id }}: {} diff --git a/partition/roles/sonic/test/data/l2_leaf/input.yaml b/partition/roles/sonic/test/data/l2_leaf/input.yaml index 1e348c43..4310c259 100644 --- a/partition/roles/sonic/test/data/l2_leaf/input.yaml +++ b/partition/roles/sonic/test/data/l2_leaf/input.yaml @@ -133,6 +133,7 @@ sonic_vlans: - PortChannel01 - id: 1001 vrf: Vrf46 + sag: "true" tagged_ports: - PortChannel01 untagged_ports: @@ -201,9 +202,6 @@ sonic_portchannels: sonic_sag: mac: 00:11:22:33:44:66 - vlans: - - id: 1001 - ip: 10.3.2.1/27 sonic_frr_l2vpn_evpn: true sonic_frr_route_map: diff --git a/partition/roles/sonic/test/data/l2_leaf/metal.yaml b/partition/roles/sonic/test/data/l2_leaf/metal.yaml index 929f8142..1d0184c8 100644 --- a/partition/roles/sonic/test/data/l2_leaf/metal.yaml +++ b/partition/roles/sonic/test/data/l2_leaf/metal.yaml @@ -248,14 +248,8 @@ PORTCHANNEL_MEMBER: PortChannel23|Ethernet2: {} SAG: - "Vlan1001|IPv4": - gwip: - - "10.3.2.1/27" - -SAG_GLOBAL: - IP: - IPv4: "enable" - gwmac: "00:11:22:33:44:66" + GLOBAL: + gateway_mac: "00:11:22:33:44:66" VLAN: Vlan1000: @@ -267,7 +261,7 @@ VLAN_INTERFACE: Vlan1000: {} Vlan1000|192.168.255.1/24: {} Vlan1001: - "grat_arp_force_override": "enabled" + static_anycast_gateway: "True" vrf_name: "Vrf46" VLAN_MEMBER: From 4b974f5df101b5bbd64720caf62ba80ad0265fa0 Mon Sep 17 00:00:00 2001 
From: mreiger Date: Tue, 24 Sep 2024 13:06:41 +0200 Subject: [PATCH 38/49] For SONIC, boolean strings need to be lowercase apparently --- partition/roles/sonic/templates/metal.yaml.j2 | 8 ++++---- partition/roles/sonic/test/data/l2_leaf/metal.yaml | 9 ++++----- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/partition/roles/sonic/templates/metal.yaml.j2 b/partition/roles/sonic/templates/metal.yaml.j2 index 86c00b6f..0face0e1 100644 --- a/partition/roles/sonic/templates/metal.yaml.j2 +++ b/partition/roles/sonic/templates/metal.yaml.j2 @@ -123,8 +123,8 @@ PORTCHANNEL: {% for po in sonic_portchannels %} PortChannel{{ po.number }}: admin_status: "up" -{% if po.fallback is defined %} - fallback: "{{ po.fallback|bool }}" +{% if po.fallback is defined and po.fallback %} + fallback: "true" {% endif %} fast_rate: "false" lacp_key: "auto" @@ -161,8 +161,8 @@ VLAN_INTERFACE: {% for vlan in sonic_vlans %} {% if vlan.vrf is defined %} Vlan{{ vlan.id }}: - {% if vlan.sag is defined %} - static_anycast_gateway: "{{ vlan.sag|bool }}" + {% if vlan.sag is defined and vlan.sag %} + static_anycast_gateway: "true" {% endif %} vrf_name: "{{ vlan.vrf }}" {% else %} diff --git a/partition/roles/sonic/test/data/l2_leaf/metal.yaml b/partition/roles/sonic/test/data/l2_leaf/metal.yaml index 1d0184c8..3944e5ad 100644 --- a/partition/roles/sonic/test/data/l2_leaf/metal.yaml +++ b/partition/roles/sonic/test/data/l2_leaf/metal.yaml @@ -200,7 +200,7 @@ PORTCHANNEL: mtu: "9216" PortChannel11: admin_status: "up" - fallback: "True" + fallback: "true" fast_rate: "false" lacp_key: "auto" min_links: "1" @@ -208,7 +208,7 @@ PORTCHANNEL: mtu: "9000" PortChannel12: admin_status: "up" - fallback: "True" + fallback: "true" fast_rate: "false" lacp_key: "auto" min_links: "1" @@ -216,7 +216,7 @@ PORTCHANNEL: mtu: "9000" PortChannel21: admin_status: "up" - fallback: "True" + fallback: "true" fast_rate: "false" lacp_key: "auto" min_links: "1" 
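Review bot: The new conditions `po.fallback is defined and po.fallback` and `vlan.sag is defined and vlan.sag` in the two metal.yaml.j2 hunks test raw truthiness, so the `|bool` coercion that was dropped together with the old rendering no longer applies. The l2_leaf test input sets `sag: "true"` as a quoted string, so string inputs are clearly expected, and a value of `"false"` or `"no"` is a non-empty string that now renders `fallback: "true"` / `static_anycast_gateway: "true"`. Keeping the coercion in the test, `{% if po.fallback is defined and po.fallback|bool %}` and `{% if vlan.sag is defined and vlan.sag|bool %}`, closes that gap without changing the lowercase output.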
@@ -224,7 +224,6 @@ PORTCHANNEL: mtu: "9000" PortChannel22: admin_status: "up" - fallback: "False" fast_rate: "false" lacp_key: "auto" min_links: "1" @@ -261,7 +260,7 @@ VLAN_INTERFACE: Vlan1000: {} Vlan1000|192.168.255.1/24: {} Vlan1001: - static_anycast_gateway: "True" + static_anycast_gateway: "true" vrf_name: "Vrf46" VLAN_MEMBER: From 8dc6a8af57ac927c36a9cebf00dc72ebe4a7cec5 Mon Sep 17 00:00:00 2001 From: Gerrit Date: Mon, 30 Sep 2024 14:44:30 +0200 Subject: [PATCH 39/49] Adapt to latest size reservations API. (#322) --- control-plane/roles/metal/README.md | 3 ++- control-plane/roles/metal/defaults/main/main.yaml | 1 + control-plane/roles/metal/templates/metal-values.j2 | 9 +++++---- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/control-plane/roles/metal/README.md b/control-plane/roles/metal/README.md index f6ca6f12..849857df 100644 --- a/control-plane/roles/metal/README.md +++ b/control-plane/roles/metal/README.md @@ -54,7 +54,7 @@ You can look up all the default values of this role [here](defaults/main/main.ya ### metal-api | Name | Mandatory | Description | -|-------------------------------------|-----------|------------------------------------------------------------------------------------------------| +| ----------------------------------- | --------- | ---------------------------------------------------------------------------------------------- | | metal_api_replicas | | The number of deployed replicas of the metal-api | | metal_api_hpa_enabled | | Enables horizontal pod autoscaling for the metal-api | | metal_api_hpa_max | | Max amount of replicas for the HPA of the metal-api | 
@@ -85,6 +85,7 @@ You can look up all the default values of this role [here](defaults/main/main.ya | metal_api_ips | | Creates ips (as masterdata) to the metal-api after deployment | | metal_api_filesystemlayouts | | Creates filesystemlayouts to the metal-api after deployment | | metal_api_sizeimageconstraints | | Creates sizeimageconstraints to the metal-api after deployment | +| metal_api_size_reservations | | Creates size reservations to the metal-api after deployment | | metal_api_resources | | Sets the given container resources | | metal_api_bmc_superuser_enabled | | Enables creating the BMC superuser and disabling the default one | | metal_api_bmc_superuser_pwd | | If enabled use this password for the new BMC superuser | diff --git a/control-plane/roles/metal/defaults/main/main.yaml b/control-plane/roles/metal/defaults/main/main.yaml index b3efe59a..0f1077f9 100644 --- a/control-plane/roles/metal/defaults/main/main.yaml +++ b/control-plane/roles/metal/defaults/main/main.yaml @@ -53,6 +53,7 @@ metal_api_networks: [] metal_api_ips: [] metal_api_filesystemlayouts: [] metal_api_sizeimageconstraints: [] +metal_api_size_reservations: [] metal_api_resources: metal_api_s3_enabled: false metal_api_s3_address: diff --git a/control-plane/roles/metal/templates/metal-values.j2 b/control-plane/roles/metal/templates/metal-values.j2 index 7321a954..90bbad73 100644 --- a/control-plane/roles/metal/templates/metal-values.j2 +++ b/control-plane/roles/metal/templates/metal-values.j2 @@ -160,10 +160,6 @@ metal_api: filesystemlayouts: | {% for entity in metal_api_filesystemlayouts %} --- - {# - Some FSL Types confuse different YAML-parsing implementations. - Hence we fall back to JSON to enforce quotes around literals like 8e00. - #} {{ entity | to_json | indent(width=4, first=false) }} {% endfor %} sizeimageconstraints: | 
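Review bot: The removed `{# ... #}` block in the `filesystemlayouts` hunk was the only place explaining why entities are emitted with `to_json` instead of a YAML filter (literals such as `8e00` being reinterpreted by some YAML parsers), and the `to_json` call it explained stays. Without it the next maintainer has no visible reason not to "simplify" the pipeline to `to_nice_yaml`. If the comment was dropped because its indentation leaked into the rendered block scalar, a single-line comment at column 0 beside the `{% for %}` tag, `{# to_json, not to_yaml: keeps literals such as 8e00 quoted for every YAML parser #}`, preserves the rationale without affecting output; the sibling `sizeimageconstraints` and the new `size_reservations` blocks use the same pattern and would benefit from the same line.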
@@ -171,6 +167,11 @@ metal_api: --- {{ entity | to_json | indent(width=4, first=false) }} {% endfor %} + size_reservations: | +{% for entity in metal_api_size_reservations %} + --- + {{ entity | to_json | indent(width=4, first=false) }} +{% endfor %} masterdata_api: provider_tenant: {{ metal_masterdata_api_provider_tenant }} From c5939cae6ad9dc0cf78d455c07f310efc4cb8d18 Mon Sep 17 00:00:00 2001 From: Gerrit Date: Mon, 30 Sep 2024 15:16:20 +0200 Subject: [PATCH 40/49] Headscale v0.23.0 (#326) --- control-plane/roles/headscale/README.md | 6 ++--- .../roles/headscale/defaults/main/main.yaml | 5 ++-- control-plane/roles/headscale/tasks/main.yaml | 1 - .../roles/headscale/templates/headscale.yaml | 25 ++++++++++++------- 4 files changed, 21 insertions(+), 16 deletions(-) diff --git a/control-plane/roles/headscale/README.md b/control-plane/roles/headscale/README.md index ebce023e..0095d4be 100644 --- a/control-plane/roles/headscale/README.md +++ b/control-plane/roles/headscale/README.md 
@@ -11,14 +11,13 @@ If you want to rotate the API key, you need to delete the `headscale-api-key` se The role should take the same variables as the wrapped role, but prefixed with `headscale_db_` instead of `postgres_`. | Name | Mandatory | Description | -|------------------------------------------------|-----------|-------------------------------------------------------------| +| ---------------------------------------------- | --------- | ----------------------------------------------------------- | | headscale_image_name | yes | Image name of headscale | | headscale_image_tag | yes | Image version of headscale | | headscale_db_image_name | yes | Image name of headscale DB | | headscale_db_image_tag | yes | Image version of headscale DB | | headscale_db_backup_restore_sidecar_image_name | yes | Image name of init container for headscale DB | | headscale_db_backup_restore_sidecar_image_tag | yes | Image version of init container for headscale DB | -| headscale_private_key | yes | Private key | | headscale_noise_private_key | yes | Noise Protocol Private key for TS2021 compatibility | | headscale_ingress_dns | | Domain name | | headscale_namespace | | The deployment's target namespace | @@ -26,4 +25,5 @@ The role should take the same variables as the wrapped role, but prefixed with ` | headscale_ingress_annotations | | Annotations that will be attached to the ingress resource | | headscale_resources | | The kubernetes resources for the actual headscale container | | headscale_api_key_expiration | | The time how long the generated api key will be valid | -| headscale_ip_prefixes | | Slice of IP Prefixes where the tunnel endpoints are created | +| headscale_ipv4_prefix | | IPv4 prefix where the tunnel endpoints are created | +| headscale_ipv6_prefix | | IPv6 prefix where the tunnel endpoints are created | diff --git a/control-plane/roles/headscale/defaults/main/main.yaml b/control-plane/roles/headscale/defaults/main/main.yaml index 5d482efb..148bab0e 100644 
--- a/control-plane/roles/headscale/defaults/main/main.yaml +++ b/control-plane/roles/headscale/defaults/main/main.yaml @@ -15,6 +15,5 @@ headscale_resources: headscale_api_key_expiration: 365d -headscale_ip_prefixes: - - fd7a:115c:a1e0::/48 - - 100.64.0.0/1 +headscale_ipv4_prefix: 100.64.0.0/1 +headscale_ipv6_prefix: fd7a:115c:a1e0::/48 diff --git a/control-plane/roles/headscale/tasks/main.yaml b/control-plane/roles/headscale/tasks/main.yaml index 9f184f73..73dec327 100644 --- a/control-plane/roles/headscale/tasks/main.yaml +++ b/control-plane/roles/headscale/tasks/main.yaml @@ -13,7 +13,6 @@ - headscale_db_image_tag is defined - headscale_db_backup_restore_sidecar_image_name is defined - headscale_db_backup_restore_sidecar_image_tag is defined - - headscale_private_key is defined - headscale_noise_private_key is defined - headscale_ingress_dns is not none diff --git a/control-plane/roles/headscale/templates/headscale.yaml b/control-plane/roles/headscale/templates/headscale.yaml index 236abd50..e7a183ba 100644 --- a/control-plane/roles/headscale/templates/headscale.yaml +++ b/control-plane/roles/headscale/templates/headscale.yaml @@ -11,18 +11,27 @@ data: listen_addr: 0.0.0.0:8080 grpc_allow_insecure: true ephemeral_node_inactivity_timeout: 30m - private_key_path: /vol/data/private.key noise: private_key_path: /vol/data/noise_private.key derp: urls: - https://controlplane.tailscale.com/derpmap/default - ip_prefixes: {{ headscale_ip_prefixes | to_json }} - db_type: postgres - db_host: headscale-db - db_name: {{ headscale_db_db }} - db_user: {{ headscale_db_user }} + database: + type: postgres + postgres: + host: headscale-db + port: 5432 + name: {{ headscale_db_db }} + user: {{ headscale_db_user }} + + prefixes: + v4: {{ headscale_ipv4_prefix }} + v6: {{ headscale_ipv6_prefix }} + + dns: + magic_dns: false + --- apiVersion: v1 kind: Secret 
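Review bot: `headscale_ipv4_prefix: 100.64.0.0/1` in the defaults hunk carries over a prefix length that looks like a typo: a /1 mask spans half of the IPv4 address space, and because the host bits of 100.64.0.0 are non-zero under that mask, the network it actually denotes is 0.0.0.0/1. The value was already in the removed `headscale_ip_prefixes` list, so it is not introduced here, but it is now rendered straight into `prefixes.v4` in headscale.yaml, where it decides the tunnel address range. The CGNAT range `headscale_ipv4_prefix: 100.64.0.0/10` is presumably what was intended; confirm against the deployments that consume this default before changing it.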
@@ -94,9 +103,7 @@ spec: - containerPort: 50443 name: grpc env: - - name: HEADSCALE_DB_PORT - value: "5432" - - name: HEADSCALE_DB_PASS + - name: HEADSCALE_DATABASE_POSTGRES_PASS valueFrom: secretKeyRef: key: password From 1bb6eb9271d084646f33fda162c602252d43637e Mon Sep 17 00:00:00 2001 From: Gerrit Date: Tue, 8 Oct 2024 13:41:49 +0200 Subject: [PATCH 41/49] Use VPA CRD from gardener seed-crd folder. (#329) --- ...scaling.k8s.io_verticalpodautoscalers.yaml | 543 ------------------ control-plane/roles/gardener/tasks/main.yaml | 3 +- 2 files changed, 1 insertion(+), 545 deletions(-) delete mode 100644 control-plane/roles/gardener/files/10-crd-autoscaling.k8s.io_verticalpodautoscalers.yaml diff --git a/control-plane/roles/gardener/files/10-crd-autoscaling.k8s.io_verticalpodautoscalers.yaml b/control-plane/roles/gardener/files/10-crd-autoscaling.k8s.io_verticalpodautoscalers.yaml deleted file mode 100644 index 7be2e9ce..00000000 --- a/control-plane/roles/gardener/files/10-crd-autoscaling.k8s.io_verticalpodautoscalers.yaml +++ /dev/null 
@@ -1,543 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: unapproved, temporarily squatting - controller-gen.kubebuilder.io/version: v0.13.0 - name: verticalpodautoscalers.autoscaling.k8s.io -spec: - group: autoscaling.k8s.io - names: - kind: VerticalPodAutoscaler - listKind: VerticalPodAutoscalerList - plural: verticalpodautoscalers - shortNames: - - vpa - singular: verticalpodautoscaler - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.updatePolicy.updateMode - name: Mode - type: string - - jsonPath: .status.recommendation.containerRecommendations[0].target.cpu - name: CPU - type: string - - jsonPath: .status.recommendation.containerRecommendations[0].target.memory - name: Mem - type: string - - jsonPath: .status.conditions[?(@.type=='RecommendationProvided')].status - name: Provided - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: VerticalPodAutoscaler is the configuration for a vertical pod - autoscaler, which automatically manages pod resources based on historical - and real time resource utilization. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'Specification of the behavior of the autoscaler. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.' - properties: - recommenders: - description: Recommender responsible for generating recommendation - for this object. List should be empty (then the default recommender - will generate the recommendation) or contain exactly one recommender. - items: - description: VerticalPodAutoscalerRecommenderSelector points to - a specific Vertical Pod Autoscaler recommender. In the future - it might pass parameters to the recommender. - properties: - name: - description: Name of the recommender responsible for generating - recommendation for this object. - type: string - required: - - name - type: object - type: array - resourcePolicy: - description: Controls how the autoscaler computes recommended resources. - The resource policy may be used to set constraints on the recommendations - for individual containers. If not specified, the autoscaler computes - recommended resources for all containers in the pod, without additional - constraints. - properties: - containerPolicies: - description: Per-container resource policies. - items: - description: ContainerResourcePolicy controls how autoscaler - computes the recommended resources for a specific container. - properties: - containerName: - description: Name of the container or DefaultContainerResourcePolicy, - in which case the policy is used by the containers that - don't have their own policy specified. - type: string - controlledResources: - description: Specifies the type of recommendations that - will be computed (and possibly applied) by VPA. If not - specified, the default of [ResourceCPU, ResourceMemory] - will be used. 
- items: - description: ResourceName is the name identifying various - resources in a ResourceList. - type: string - type: array - controlledValues: - description: Specifies which resource values should be controlled. - The default is "RequestsAndLimits". - enum: - - RequestsAndLimits - - RequestsOnly - type: string - maxAllowed: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Specifies the maximum amount of resources that - will be recommended for the container. The default is - no maximum. - type: object - minAllowed: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Specifies the minimal amount of resources that - will be recommended for the container. The default is - no minimum. - type: object - mode: - description: Whether autoscaler is enabled for the container. - The default is "Auto". - enum: - - Auto - - "Off" - type: string - type: object - type: array - type: object - targetRef: - description: TargetRef points to the controller managing the set of - pods for the autoscaler to control - e.g. Deployment, StatefulSet. - VerticalPodAutoscaler can be targeted at controller implementing - scale subresource (the pod set is retrieved from the controller's - ScaleStatus) or some well known controllers (e.g. for DaemonSet - the pod set is read from the controller's spec). If VerticalPodAutoscaler - cannot use specified target it will report ConfigUnsupported condition. - Note that VerticalPodAutoscaler does not require full implementation - of scale subresource - it will not use it to modify the replica - count. 
The only thing retrieved is a label selector matching pods - grouped by the target resource. - properties: - apiVersion: - description: apiVersion is the API version of the referent - type: string - kind: - description: 'kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - updatePolicy: - description: Describes the rules on how changes are applied to the - pods. If not specified, all fields in the `PodUpdatePolicy` are - set to their default values. - properties: - minReplicas: - description: Minimal number of replicas which need to be alive - for Updater to attempt pod eviction (pending other checks like - PDB). Only positive values are allowed. Overrides global '--min-replicas' - flag. - format: int32 - type: integer - updateMode: - description: Controls when autoscaler applies changes to the pod - resources. The default is 'Auto'. - enum: - - "Off" - - Initial - - Recreate - - Auto - type: string - type: object - required: - - targetRef - type: object - status: - description: Current information about the autoscaler. - properties: - conditions: - description: Conditions is the set of conditions required for this - autoscaler to scale its target, and indicates whether or not those - conditions are met. - items: - description: VerticalPodAutoscalerCondition describes the state - of a VerticalPodAutoscaler at a certain point. 
- properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another - format: date-time - type: string - message: - description: message is a human-readable explanation containing - details about the transition - type: string - reason: - description: reason is the reason for the condition's last transition. - type: string - status: - description: status is the status of the condition (True, False, - Unknown) - type: string - type: - description: type describes the current condition - type: string - required: - - status - - type - type: object - type: array - recommendation: - description: The most recently computed amount of resources recommended - by the autoscaler for the controlled pods. - properties: - containerRecommendations: - description: Resources recommended by the autoscaler for each - container. - items: - description: RecommendedContainerResources is the recommendation - of resources computed by autoscaler for a specific container. - Respects the container resource policy if present in the spec. - In particular the recommendation is not produced for containers - with `ContainerScalingMode` set to 'Off'. - properties: - containerName: - description: Name of the container. - type: string - lowerBound: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Minimum recommended amount of resources. Observes - ContainerResourcePolicy. This amount is not guaranteed - to be sufficient for the application to operate in a stable - way, however running with less resources is likely to - have significant impact on performance/availability. 
- type: object - target: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Recommended amount of resources. Observes ContainerResourcePolicy. - type: object - uncappedTarget: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: The most recent recommended resources target - computed by the autoscaler for the controlled pods, based - only on actual resource usage, not taking into account - the ContainerResourcePolicy. May differ from the Recommendation - if the actual resource usage causes the target to violate - the ContainerResourcePolicy (lower than MinAllowed or - higher that MaxAllowed). Used only as status indication, - will not affect actual resource assignment. - type: object - upperBound: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Maximum recommended amount of resources. Observes - ContainerResourcePolicy. Any resources allocated beyond - this value are likely wasted. This value may be larger - than the maximum amount of application is actually capable - of consuming. 
- type: object - required: - - target - type: object - type: array - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} - - deprecated: true - deprecationWarning: autoscaling.k8s.io/v1beta2 API is deprecated - name: v1beta2 - schema: - openAPIV3Schema: - description: VerticalPodAutoscaler is the configuration for a vertical pod - autoscaler, which automatically manages pod resources based on historical - and real time resource utilization. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'Specification of the behavior of the autoscaler. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.' - properties: - resourcePolicy: - description: Controls how the autoscaler computes recommended resources. - The resource policy may be used to set constraints on the recommendations - for individual containers. If not specified, the autoscaler computes - recommended resources for all containers in the pod, without additional - constraints. - properties: - containerPolicies: - description: Per-container resource policies. - items: - description: ContainerResourcePolicy controls how autoscaler - computes the recommended resources for a specific container. 
- properties: - containerName: - description: Name of the container or DefaultContainerResourcePolicy, - in which case the policy is used by the containers that - don't have their own policy specified. - type: string - maxAllowed: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Specifies the maximum amount of resources that - will be recommended for the container. The default is - no maximum. - type: object - minAllowed: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Specifies the minimal amount of resources that - will be recommended for the container. The default is - no minimum. - type: object - mode: - description: Whether autoscaler is enabled for the container. - The default is "Auto". - enum: - - Auto - - "Off" - type: string - type: object - type: array - type: object - targetRef: - description: TargetRef points to the controller managing the set of - pods for the autoscaler to control - e.g. Deployment, StatefulSet. - VerticalPodAutoscaler can be targeted at controller implementing - scale subresource (the pod set is retrieved from the controller's - ScaleStatus) or some well known controllers (e.g. for DaemonSet - the pod set is read from the controller's spec). If VerticalPodAutoscaler - cannot use specified target it will report ConfigUnsupported condition. - Note that VerticalPodAutoscaler does not require full implementation - of scale subresource - it will not use it to modify the replica - count. The only thing retrieved is a label selector matching pods - grouped by the target resource. 
- properties: - apiVersion: - description: apiVersion is the API version of the referent - type: string - kind: - description: 'kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - updatePolicy: - description: Describes the rules on how changes are applied to the - pods. If not specified, all fields in the `PodUpdatePolicy` are - set to their default values. - properties: - updateMode: - description: Controls when autoscaler applies changes to the pod - resources. The default is 'Auto'. - enum: - - "Off" - - Initial - - Recreate - - Auto - type: string - type: object - required: - - targetRef - type: object - status: - description: Current information about the autoscaler. - properties: - conditions: - description: Conditions is the set of conditions required for this - autoscaler to scale its target, and indicates whether or not those - conditions are met. - items: - description: VerticalPodAutoscalerCondition describes the state - of a VerticalPodAutoscaler at a certain point. - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another - format: date-time - type: string - message: - description: message is a human-readable explanation containing - details about the transition - type: string - reason: - description: reason is the reason for the condition's last transition. 
- type: string - status: - description: status is the status of the condition (True, False, - Unknown) - type: string - type: - description: type describes the current condition - type: string - required: - - status - - type - type: object - type: array - recommendation: - description: The most recently computed amount of resources recommended - by the autoscaler for the controlled pods. - properties: - containerRecommendations: - description: Resources recommended by the autoscaler for each - container. - items: - description: RecommendedContainerResources is the recommendation - of resources computed by autoscaler for a specific container. - Respects the container resource policy if present in the spec. - In particular the recommendation is not produced for containers - with `ContainerScalingMode` set to 'Off'. - properties: - containerName: - description: Name of the container. - type: string - lowerBound: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Minimum recommended amount of resources. Observes - ContainerResourcePolicy. This amount is not guaranteed - to be sufficient for the application to operate in a stable - way, however running with less resources is likely to - have significant impact on performance/availability. - type: object - target: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Recommended amount of resources. Observes ContainerResourcePolicy. 
- type: object - uncappedTarget: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: The most recent recommended resources target - computed by the autoscaler for the controlled pods, based - only on actual resource usage, not taking into account - the ContainerResourcePolicy. May differ from the Recommendation - if the actual resource usage causes the target to violate - the ContainerResourcePolicy (lower than MinAllowed or - higher that MaxAllowed). Used only as status indication, - will not affect actual resource assignment. - type: object - upperBound: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Maximum recommended amount of resources. Observes - ContainerResourcePolicy. Any resources allocated beyond - this value are likely wasted. This value may be larger - than the maximum amount of application is actually capable - of consuming. - type: object - required: - - target - type: object - type: array - type: object - type: object - required: - - spec - type: object - served: true - storage: false diff --git a/control-plane/roles/gardener/tasks/main.yaml b/control-plane/roles/gardener/tasks/main.yaml index f81a54f9..d9c7b3c4 100644 --- a/control-plane/roles/gardener/tasks/main.yaml +++ b/control-plane/roles/gardener/tasks/main.yaml 
@@ -65,9 +65,8 @@ loop: - name: hvpas definition: "{{ (lookup('url', 'https://raw.githubusercontent.com/gardener/gardener/' + gardener_repo_ref + '/example/seed-crds/10-crd-autoscaling.k8s.io_hvpas.yaml', split_lines=False) | from_yaml_all | list)[0] }}" - # TODO: starting from g/g 1.82, this resource will be located in seed-crds, too - name: vpas - definition: "{{ lookup('file', '10-crd-autoscaling.k8s.io_verticalpodautoscalers.yaml') }}" + definition: "{{ (lookup('url', 'https://raw.githubusercontent.com/gardener/gardener/' + gardener_repo_ref + '/example/seed-crds/10-crd-autoscaling.k8s.io_verticalpodautoscalers.yaml', split_lines=False) | from_yaml_all | list)[0] }}" loop_control: label: "{{ item.name }}" From a5fc29b49842f0f1abbfe930e710b7df9ec3df11 Mon Sep 17 00:00:00 2001 From: Robert Volkmann <20912167+robertvolkmann@users.noreply.github.com> Date: Fri, 11 Oct 2024 10:37:06 +0200 Subject: [PATCH 42/49] Introduce gardener_shoot_dns_service_repo_ref (#330) --- control-plane/roles/gardener/README.md | 1 + control-plane/roles/gardener/defaults/main/extensions.yaml | 1 + .../templates/shoot-dns-service/controller-deployment.yaml | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md index cfe77146..9207115b 100644 --- a/control-plane/roles/gardener/README.md +++ b/control-plane/roles/gardener/README.md 
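Review bot: The `vpas` definition now comes from a `lookup('url', ...)` against `gardener_repo_ref`, but the TODO this hunk deletes says the file only exists in `seed-crds` from gardener 1.82 on, so an older ref now dies inside the lookup with an HTTP error instead of a clear message; an early assert along the lines of `- gardener_repo_ref is version('v1.82.0', '>=')` (or a README note on the new floor) would make the requirement explicit, assuming the ref is a release tag. It also means both CRDs are only as pinned as that ref is: a branch name would let the CRD schema change under the role between runs with nothing beyond TLS checking what came back, so the ref should stay a tag or commit SHA. The loop these items belong to starts before the hunk.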
@@ -98,6 +98,7 @@ This includes the metal-stack extension provider called [gardener-extension-prov | gardener_os_controller_repo_ref | | A repo reference for deploying the [os-metal-extension](https://github.com/metal-stack/os-metal-extension/) | | gardener_networking_cilium_repo_ref | | A repo reference for deploying the [gardener-extension-networking-cilium](https://github.com/gardener/gardener-extension-networking-cilium) | | gardener_extension_provider_metal_repo_ref | | A repo reference for deploying the [gardener-extension-provider-metal](https://github.com/metal-stack/gardener-extension-provider-metal) | +| gardener_shoot_dns_service_repo_ref | | A repo reference for deploying the [gardener-extension-shoot-dns-service](https://github.com/gardener/gardener-extension-shoot-dns-service) | | gardener_metal_admission_replicas | | Specifies the amount of metal-admission webhook replicas | | gardener_metal_admission_vpa | | Enables the VPA for the metal-admission webhook | | gardener_extension_provider_metal_cluster_audit_enabled | | Enables the audit functionality of the GEPM | diff --git a/control-plane/roles/gardener/defaults/main/extensions.yaml b/control-plane/roles/gardener/defaults/main/extensions.yaml index 8c87eeac..5f92b901 100644 --- a/control-plane/roles/gardener/defaults/main/extensions.yaml +++ b/control-plane/roles/gardener/defaults/main/extensions.yaml @@ -10,6 +10,7 @@ gardener_extension_shoot_dns_service_enabled: true gardener_extension_provider_metal_repo_ref: "{{ gardener_extension_provider_metal_image_tag }}" gardener_networking_cilium_repo_ref: "gardener/gardener-extension-networking-cilium/{{ gardener_networking_cilium_image_tag }}" gardener_os_controller_repo_ref: "{{ gardener_os_controller_image_tag }}" +gardener_shoot_dns_service_repo_ref: "gardener/gardener-extension-shoot-dns-service/{{ gardener_shoot_dns_service_image_tag }}" gardener_metal_admission_replicas: 1 gardener_metal_admission_vpa: true 
diff --git a/control-plane/roles/gardener/templates/shoot-dns-service/controller-deployment.yaml b/control-plane/roles/gardener/templates/shoot-dns-service/controller-deployment.yaml index 941f2003..eeb0cfe5 100644 --- a/control-plane/roles/gardener/templates/shoot-dns-service/controller-deployment.yaml +++ b/control-plane/roles/gardener/templates/shoot-dns-service/controller-deployment.yaml @@ -5,7 +5,7 @@ metadata: name: extension-shoot-dns-service type: helm providerConfig: - chart: "{{ (lookup('url', 'https://raw.githubusercontent.com/gardener/gardener-extension-shoot-dns-service/' + gardener_shoot_dns_service_image_tag + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].providerConfig.chart }}" + chart: "{{ (lookup('url', 'https://raw.githubusercontent.com/' + gardener_shoot_dns_service_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].providerConfig.chart }}" values: image: repository: "{{ gardener_shoot_dns_service_image_name }}" From 1df79dcc7a2a896b35b9d43b470e4fc1c282b85d Mon Sep 17 00:00:00 2001 From: Gerrit Date: Mon, 14 Oct 2024 15:02:24 +0200 Subject: [PATCH 43/49] Remove obsolete MCM override. (#332) --- control-plane/roles/gardener/tasks/main.yaml | 1 - .../extension-provider-metal/controller-deployment.yaml | 4 ---- defaults/main.yaml | 2 -- 3 files changed, 7 deletions(-) diff --git a/control-plane/roles/gardener/tasks/main.yaml b/control-plane/roles/gardener/tasks/main.yaml index d9c7b3c4..8dd5052f 100644 --- a/control-plane/roles/gardener/tasks/main.yaml +++ b/control-plane/roles/gardener/tasks/main.yaml 
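Review bot: The Helm chart payload is now fetched from a URL assembled from `gardener_shoot_dns_service_repo_ref` (defaulted in extensions.yaml from the image tag) and nothing verifies what comes back beyond TLS; whatever `controller-registration.yaml` holds at that ref is deployed as the extension chart into the seed. With an immutable tag that is acceptable, but tags can be moved and a branch name would silently track upstream, so the README row should state the value must be a tag or commit SHA, and an assert that the lookup returned a non-empty `chart` before rendering would turn a bad ref into a clear failure. The `providerConfig` mapping continues past the end of the hunk.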
@@ -16,7 +16,6 @@ - gardener_controller_manager_image_tag is defined - gardener_scheduler_image_tag is defined - gardener_extension_provider_metal_image_tag is defined - - gardener_machine_controller_manager_image_tag is defined - gardener_os_controller_image_tag is defined - metal_cloud_controller_manager_image_tag is defined - gardener_networking_calico_image_tag is defined diff --git a/control-plane/roles/gardener/templates/extension-provider-metal/controller-deployment.yaml b/control-plane/roles/gardener/templates/extension-provider-metal/controller-deployment.yaml index c9132ccd..4010ed0b 100644 --- a/control-plane/roles/gardener/templates/extension-provider-metal/controller-deployment.yaml +++ b/control-plane/roles/gardener/templates/extension-provider-metal/controller-deployment.yaml @@ -72,10 +72,6 @@ providerConfig: sourceRepository: https://github.com/metal-stack/droptailer repository: {{ droptailer_image_name }} tag: {{ droptailer_image_tag }} - - name: machine-controller-manager - sourceRepository: github.com/gardener/machine-controller-manager - repository: {{ gardener_machine_controller_manager_image_name }} - tag: {{ gardener_machine_controller_manager_image_tag }} - name: firewall-controller-manager sourceRepository: github.com/metal-stack/firewall-controller-manager repository: {{ firewall_controller_manager_image_name }} diff --git a/defaults/main.yaml b/defaults/main.yaml index 5b8d4421..e1164ff7 100644 --- a/defaults/main.yaml +++ b/defaults/main.yaml 
@@ -54,8 +54,6 @@ metal_stack_release: gardener_extension_provider_metal_repo_url: "docker-images.metal-stack.gardener.gardener-extension-provider-metal.repository" gardener_os_controller_image_tag: "docker-images.metal-stack.gardener.os-metal-extension.tag" gardener_os_controller_image_name: "docker-images.metal-stack.gardener.os-metal-extension.name" - gardener_machine_controller_manager_image_tag: "docker-images.metal-stack.gardener.machine-controller-manager.tag" - gardener_machine_controller_manager_image_name: "docker-images.metal-stack.gardener.machine-controller-manager.name" gardener_mcm_provider_metal_image_name: "docker-images.metal-stack.gardener.machine-controller-manager-provider-metal.name" gardener_mcm_provider_metal_image_tag: "docker-images.metal-stack.gardener.machine-controller-manager-provider-metal.tag" gardener_extension_audit_image_name: "docker-images.metal-stack.gardener.gardener-extension-audit.name" From 90b2c4ce6e3a001042b94e90f95425cde7f0dbb1 Mon Sep 17 00:00:00 2001 From: Ilja Rotar <77339620+iljarotar@users.noreply.github.com> Date: Tue, 15 Oct 2024 08:41:53 +0200 Subject: [PATCH 44/49] Use running configuration for sonic ports (#324) --- partition/roles/sonic/templates/metal.yaml.j2 | 13 ++++++++-- .../roles/sonic/test/data/exit/metal.yaml | 9 ++++--- .../roles/sonic/test/data/l2_leaf/input.yaml | 4 ++- .../roles/sonic/test/data/l2_leaf/metal.yaml | 25 +++++++++++-------- .../roles/sonic/test/data/mgmtleaf/metal.yaml | 13 +++++----- .../roles/sonic/test/data/sonic-vs/metal.yaml | 3 ++- .../roles/sonic/test/data/spine/metal.yaml | 4 +-- 7 files changed, 46 insertions(+), 25 deletions(-) diff --git a/partition/roles/sonic/templates/metal.yaml.j2 b/partition/roles/sonic/templates/metal.yaml.j2 index 0face0e1..55d4c078 100644 --- a/partition/roles/sonic/templates/metal.yaml.j2 +++ b/partition/roles/sonic/templates/metal.yaml.j2 
@@ -109,13 +109,22 @@ PORT: {% endif %} {% if sonic_ports_dict[name] is defined %} {% set port = sonic_ports_dict[name] %} - admin_status: up + admin_status: {{ port.admin_status|default('up') }} speed: "{{ port.speed|default(sonic_ports_default_speed) }}" mtu: "{{ port.mtu|default(sonic_ports_default_mtu) }}" - fec: "{{ port.fec|default(sonic_ports_default_fec)|string|lower }}" + fec: {{ port.fec|default(sonic_ports_default_fec)|string|lower }} {% else %} + admin_status: up + {% if running_cfg.speed is defined %} speed: "{{ running_cfg.speed }}" {% endif %} + {% if running_cfg.mtu is defined %} + mtu: "{{ running_cfg.mtu }}" + {% endif %} + {% if running_cfg.fec is defined %} + fec: {{ running_cfg.fec }} + {% endif %} + {% endif %} {% endfor %} {% if sonic_portchannels %} diff --git a/partition/roles/sonic/test/data/exit/metal.yaml b/partition/roles/sonic/test/data/exit/metal.yaml index 086542b1..4c2a5bc8 100644 --- a/partition/roles/sonic/test/data/exit/metal.yaml +++ b/partition/roles/sonic/test/data/exit/metal.yaml @@ -61,13 +61,14 @@ PORT: admin_status: up speed: "10000" mtu: "1500" - fec: "none" + fec: none Ethernet1: alias: Eth1/2(Port1) autoneg: "off" index: "1" lanes: "2" parent_port: Ethernet0 + admin_status: up speed: "10000" Ethernet2: alias: Eth1/3(Port1) @@ -75,6 +76,7 @@ PORT: index: "1" lanes: "3" parent_port: Ethernet0 + admin_status: up speed: "10000" Ethernet3: alias: Eth1/4(Port1) @@ -82,6 +84,7 @@ PORT: index: "1" lanes: "4" parent_port: Ethernet0 + admin_status: up speed: "10000" Ethernet112: alias: Eth29(Port29) @@ -92,7 +95,7 @@ PORT: admin_status: up speed: "100000" mtu: "9216" - fec: "none" + fec: none Ethernet116: alias: Eth30(Port30) autoneg: "off" @@ -102,7 +105,7 @@ PORT: admin_status: up speed: "100000" mtu: "9216" - fec: "none" + fec: none VLAN: Vlan4000: diff --git a/partition/roles/sonic/test/data/l2_leaf/input.yaml b/partition/roles/sonic/test/data/l2_leaf/input.yaml index 4310c259..75601c61 100644 
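Review bot: In the new `{% else %}` branch every port that is not listed in `sonic_ports_dict` now gets `admin_status: up` unconditionally, where the old template emitted no `admin_status` for such ports (the exit and l2_leaf fixtures gain that line for breakout sub-ports); if SONiC treats a missing admin_status as down, this brings up every unmanaged port, the opposite of the shut-unused-ports default I'd want on a leaf. Since the commit's intent is to take values from the running configuration, `admin_status: {{ running_cfg.admin_status|default('down') }}` would keep the running state and fall back to shut; if bringing sub-ports up is deliberate, a comment above the branch saying so would stop the next reader from "fixing" it. `fec` and `admin_status` are also emitted unquoted now, which is fine for `none`/`rs`/`up`/`down` but diverges from `speed`/`mtu` and would misparse a future value that looks like a YAML boolean. The PORT loop and its enclosing `{% for %}` start before the hunk.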
--- a/partition/roles/sonic/test/data/l2_leaf/input.yaml +++ b/partition/roles/sonic/test/data/l2_leaf/input.yaml @@ -72,7 +72,9 @@ sonic_running_cfg_ports: index: "1" lanes: "4" parent_port: Ethernet0 - speed: "25000" + speed: "10000" + fec: rs + mtu: "9100" Ethernet4: alias: Eth2/1(Port2) index: "2" diff --git a/partition/roles/sonic/test/data/l2_leaf/metal.yaml b/partition/roles/sonic/test/data/l2_leaf/metal.yaml index 3944e5ad..1e714005 100644 --- a/partition/roles/sonic/test/data/l2_leaf/metal.yaml +++ b/partition/roles/sonic/test/data/l2_leaf/metal.yaml @@ -87,7 +87,7 @@ PORT: admin_status: up speed: "25000" mtu: "9000" - fec: "none" + fec: none Ethernet1: alias: Eth1/2(Port1) autoneg: "off" @@ -97,7 +97,7 @@ PORT: admin_status: up speed: "25000" mtu: "9000" - fec: "none" + fec: none Ethernet2: alias: Eth1/3(Port1) autoneg: "off" @@ -107,14 +107,17 @@ PORT: admin_status: up speed: "25000" mtu: "9000" - fec: "none" + fec: none Ethernet3: alias: Eth1/4(Port1) autoneg: "off" index: "1" lanes: "4" parent_port: Ethernet0 - speed: "25000" + admin_status: up + speed: "10000" + mtu: "9100" + fec: rs Ethernet4: alias: Eth2/1(Port2) autoneg: "off" @@ -124,7 +127,7 @@ PORT: admin_status: up speed: "25000" mtu: "9000" - fec: "none" + fec: none Ethernet5: alias: Eth2/2(Port2) autoneg: "off" @@ -134,13 +137,14 @@ PORT: admin_status: up speed: "25000" mtu: "9000" - fec: "none" + fec: none Ethernet6: alias: Eth2/3(Port2) autoneg: "off" index: "2" lanes: "3" parent_port: Ethernet4 + admin_status: up speed: "25000" Ethernet7: alias: Eth2/4(Port2) @@ -148,6 +152,7 @@ PORT: index: "2" lanes: "4" parent_port: Ethernet4 + admin_status: up speed: "25000" Ethernet112: alias: Eth29(Port29) @@ -158,7 +163,7 @@ PORT: admin_status: up speed: "100000" mtu: "9216" - fec: "none" + fec: none Ethernet116: alias: Eth30(Port30) autoneg: "off" @@ -168,7 +173,7 @@ PORT: admin_status: up speed: "100000" mtu: "9216" - fec: "none" + fec: none Ethernet120: alias: Eth31(Port31) autoneg: "off" 
@@ -178,7 +183,7 @@ PORT: admin_status: up speed: "100000" mtu: "9216" - fec: "none" + fec: none Ethernet124: alias: Eth32(Port32) autoneg: "off" @@ -188,7 +193,7 @@ PORT: admin_status: up speed: "100000" mtu: "9216" - fec: "none" + fec: none PORTCHANNEL: PortChannel01: diff --git a/partition/roles/sonic/test/data/mgmtleaf/metal.yaml b/partition/roles/sonic/test/data/mgmtleaf/metal.yaml index aee38b48..15f353b4 100644 --- a/partition/roles/sonic/test/data/mgmtleaf/metal.yaml +++ b/partition/roles/sonic/test/data/mgmtleaf/metal.yaml @@ -65,7 +65,7 @@ PORT: admin_status: up speed: "1000" mtu: "9000" - fec: "none" + fec: none Ethernet1: alias: Eth1/2(Port1) autoneg: "off" @@ -75,7 +75,7 @@ PORT: admin_status: up speed: "1000" mtu: "9000" - fec: "none" + fec: none Ethernet2: alias: Eth1/3(Port1) autoneg: "off" @@ -85,7 +85,7 @@ PORT: admin_status: up speed: "1000" mtu: "9000" - fec: "none" + fec: none Ethernet3: alias: Eth1/4(Port1) autoneg: "off" @@ -95,13 +95,14 @@ PORT: admin_status: up speed: "1000" mtu: "9000" - fec: "none" + fec: none Ethernet4: alias: Eth2(Port2) autoneg: "off" index: "2" lanes: "5,6,7,8" parent_port: Ethernet4 + admin_status: up speed: "100000" Ethernet120: alias: Eth31(Port31) @@ -112,7 +113,7 @@ PORT: admin_status: up speed: "100000" mtu: "9216" - fec: "rs" + fec: rs Ethernet124: alias: Eth32(Port32) autoneg: "off" @@ -122,7 +123,7 @@ PORT: admin_status: up speed: "100000" mtu: "9000" - fec: "none" + fec: none VLAN: Vlan1: diff --git a/partition/roles/sonic/test/data/sonic-vs/metal.yaml b/partition/roles/sonic/test/data/sonic-vs/metal.yaml index 20b0ab56..9fbed0c2 100644 --- a/partition/roles/sonic/test/data/sonic-vs/metal.yaml +++ b/partition/roles/sonic/test/data/sonic-vs/metal.yaml @@ -50,12 +50,13 @@ PORT: admin_status: up speed: "40000" mtu: "9000" - fec: "none" + fec: none Ethernet4: alias: fortyGigE0/4 autoneg: "off" index: "1" lanes: "29,30,31,32" + admin_status: up speed: "40000" VLAN: 
diff --git a/partition/roles/sonic/test/data/spine/metal.yaml b/partition/roles/sonic/test/data/spine/metal.yaml index 155855bb..0562f31b 100644 --- a/partition/roles/sonic/test/data/spine/metal.yaml +++ b/partition/roles/sonic/test/data/spine/metal.yaml @@ -56,7 +56,7 @@ PORT: admin_status: up speed: "100000" mtu: "9216" - fec: "none" + fec: none Ethernet124: alias: Eth32(Port32) autoneg: "off" @@ -66,7 +66,7 @@ PORT: admin_status: up speed: "100000" mtu: "9216" - fec: "none" + fec: none LLDP: Global: From d285f2ca2c702d2c22fa86e2ae341bbe3fd92e74 Mon Sep 17 00:00:00 2001 From: Robert Volkmann <20912167+robertvolkmann@users.noreply.github.com> Date: Tue, 15 Oct 2024 10:24:53 +0200 Subject: [PATCH 45/49] Allow configuration of precheck nameservers for shoot-cert-service extension (#334) --- control-plane/roles/gardener/README.md | 1 + control-plane/roles/gardener/defaults/main/extensions.yaml | 1 + .../templates/shoot-cert-service/controller-deployment.yaml | 3 +++ 3 files changed, 5 insertions(+) diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md index 9207115b..8001f378 100644 --- a/control-plane/roles/gardener/README.md +++ b/control-plane/roles/gardener/README.md @@ -116,6 +116,7 @@ This includes the metal-stack extension provider called [gardener-extension-prov | gardener_extension_networking_cilium_image_vector_overwrite | | Allows overriding the image vector for the networking cilium extension | | gardener_cert_management_issuer_email | | The issuer email used by the cert-management extension | | gardener_cert_management_issuer_server | | The issuer server used by the cert-management extension | +| gardener_cert_management_precheck_nameservers | | To provide special set of nameservers to be used for prechecking DNSChallenges for an issuer | ### Certificates 
diff --git a/control-plane/roles/gardener/defaults/main/extensions.yaml b/control-plane/roles/gardener/defaults/main/extensions.yaml index 5f92b901..f8378430 100644 --- a/control-plane/roles/gardener/defaults/main/extensions.yaml +++ b/control-plane/roles/gardener/defaults/main/extensions.yaml @@ -68,6 +68,7 @@ gardener_extension_provider_metal_image_pull_secret: gardener_cert_management_issuer_private_key: "" gardener_cert_management_issuer_server: https://acme-v02.api.letsencrypt.org/directory gardener_cert_management_issuer_email: +gardener_cert_management_precheck_nameservers: [] gardener_extension_dns_external_controller_registration_url: diff --git a/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml b/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml index 9df45b84..202bf9e2 100644 --- a/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml +++ b/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml @@ -19,3 +19,6 @@ providerConfig: server: "{{ gardener_cert_management_issuer_server }}" privateKey: | {{ gardener_cert_management_issuer_private_key | indent(width=12, first=false) }} +{% if gardener_cert_management_precheck_nameservers %} + precheckNameservers: "{{ gardener_cert_management_precheck_nameservers | join(',') }}" +{% endif %} From 2d05aba1ec82a927803d18bff17619ead84a6198 Mon Sep 17 00:00:00 2001 From: Robert Volkmann <20912167+robertvolkmann@users.noreply.github.com> Date: Tue, 15 Oct 2024 13:31:05 +0200 Subject: [PATCH 46/49] Add possibility to allow shoot issuers (#335) --- control-plane/roles/gardener/README.md | 1 + control-plane/roles/gardener/defaults/main/extensions.yaml | 1 + .../templates/shoot-cert-service/controller-deployment.yaml | 2 ++ 3 files changed, 4 insertions(+) diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md index 8001f378..37cc7abc 100644 
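Review bot: `precheckNameservers` is rendered by joining the list verbatim, so an entry with surrounding whitespace or an empty string (a copy-paste `['']`) still passes the `{% if %}` guard and yields an unusable value such as `""` or `,`; `{{ gardener_cert_management_precheck_nameservers | map('trim') | reject('equalto', '') | join(',') }}` would drop those, or an assert in the tasks could reject them up front. The issuer mapping this lands in starts before the hunk, and the neighbouring `privateKey` line is a reminder that the rendered ControllerDeployment carries the ACME account key inline, so wherever this template output is logged or diffed it should be treated as sensitive.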
--- a/control-plane/roles/gardener/README.md +++ b/control-plane/roles/gardener/README.md @@ -117,6 +117,7 @@ This includes the metal-stack extension provider called [gardener-extension-prov | gardener_cert_management_issuer_email | | The issuer email used by the cert-management extension | | gardener_cert_management_issuer_server | | The issuer server used by the cert-management extension | | gardener_cert_management_precheck_nameservers | | To provide special set of nameservers to be used for prechecking DNSChallenges for an issuer | +| gardener_cert_management_shoot_issuers_enabled | | If enabled, allows to specify issuers in the shoot clusters | ### Certificates diff --git a/control-plane/roles/gardener/defaults/main/extensions.yaml b/control-plane/roles/gardener/defaults/main/extensions.yaml index f8378430..02a5cf2f 100644 --- a/control-plane/roles/gardener/defaults/main/extensions.yaml +++ b/control-plane/roles/gardener/defaults/main/extensions.yaml @@ -69,6 +69,7 @@ gardener_cert_management_issuer_private_key: "" gardener_cert_management_issuer_server: https://acme-v02.api.letsencrypt.org/directory gardener_cert_management_issuer_email: gardener_cert_management_precheck_nameservers: [] +gardener_cert_management_shoot_issuers_enabled: false gardener_extension_dns_external_controller_registration_url: diff --git a/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml b/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml index 202bf9e2..a3b28bcf 100644 --- a/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml +++ b/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml 
@@ -22,3 +22,5 @@ providerConfig: {% if gardener_cert_management_precheck_nameservers %} precheckNameservers: "{{ gardener_cert_management_precheck_nameservers | join(',') }}" {% endif %} + shootIssuers: + enabled: {{ gardener_cert_management_shoot_issuers_enabled | bool }} # if true, allows to specify issuers in the shoot clusters From 5aab58ca4127a44c2157e83b5f863b86a528a51a Mon Sep 17 00:00:00 2001 From: Gerrit Date: Mon, 21 Oct 2024 13:06:12 +0200 Subject: [PATCH 47/49] Remove dns-controller-manager subcomponent from release vector (#337) --- control-plane/roles/gardener/README.md | 3 + .../gardener/defaults/main/extensions.yaml | 8 ++ .../controller-deployment.yaml | 17 +++- .../test/dns_extension_template_test.py | 80 +++++++++++++++++++ defaults/main.yaml | 2 - 5 files changed, 105 insertions(+), 5 deletions(-) create mode 100644 control-plane/roles/gardener/test/dns_extension_template_test.py diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md index 37cc7abc..9030a3c0 100644 --- a/control-plane/roles/gardener/README.md +++ b/control-plane/roles/gardener/README.md 
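Review bot: The README row and the trailing inline comment only say `shootIssuers.enabled` "allows to specify issuers in the shoot clusters"; what an operator needs before flipping it is that, as far as I understand cert-management, shoot owners can then bring their own ACME or CA issuers and the extension will issue certificates from them into that shoot, so the `false` default is the safe one and should stay. I'd put that in the README description, e.g. `If enabled, shoot owners may define their own cert-management issuers (ACME or CA) in the shoot; keep disabled unless that trust delegation is intended.`, and drop the `# if true ...` comment from the rendered manifest since it just duplicates the README.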
@@ -118,6 +118,9 @@ This includes the metal-stack extension provider called [gardener-extension-prov | gardener_cert_management_issuer_server | | The issuer server used by the cert-management extension | | gardener_cert_management_precheck_nameservers | | To provide special set of nameservers to be used for prechecking DNSChallenges for an issuer | | gardener_cert_management_shoot_issuers_enabled | | If enabled, allows to specify issuers in the shoot clusters | +| gardener_shoot_dns_service_image_vector_overwrite | | Allows overriding the image vector for the shoot-dns-service extension | +| gardener_shoot_dns_service_dns_controller_manager_image_name | | Setting an explicit image name for the dns-controller-manager | +| gardener_shoot_dns_service_dns_controller_manager_image_tag | | Setting an explicit image tag for the dns-controller-manager | ### Certificates diff --git a/control-plane/roles/gardener/defaults/main/extensions.yaml b/control-plane/roles/gardener/defaults/main/extensions.yaml index 02a5cf2f..2b724d6c 100644 --- a/control-plane/roles/gardener/defaults/main/extensions.yaml +++ b/control-plane/roles/gardener/defaults/main/extensions.yaml @@ -78,3 +78,11 @@ gardener_extension_networking_cilium_image_vector_overwrite: [] # sourceRepository: /source/repository # repository: /repository # tag: + +gardener_shoot_dns_service_image_vector_overwrite: [] + # - name: dns-controller-manager + # sourceRepository: github.com/gardener/external-dns-management + # repository: europe-docker.pkg.dev/gardener-project/public/dns-controller-manager + # tag: "0.7.1" +gardener_shoot_dns_service_dns_controller_manager_image_name: +gardener_shoot_dns_service_dns_controller_manager_image_tag: diff --git a/control-plane/roles/gardener/templates/shoot-dns-service/controller-deployment.yaml b/control-plane/roles/gardener/templates/shoot-dns-service/controller-deployment.yaml index eeb0cfe5..cf1c6ea0 100644 
--- a/control-plane/roles/gardener/templates/shoot-dns-service/controller-deployment.yaml +++ b/control-plane/roles/gardener/templates/shoot-dns-service/controller-deployment.yaml @@ -10,10 +10,21 @@ providerConfig: image: repository: "{{ gardener_shoot_dns_service_image_name }}" tag: "{{ gardener_shoot_dns_service_image_tag }}" +{% if gardener_shoot_dns_service_image_vector_overwrite %} + imageVectorOverwrite: | + images: + {{ gardener_shoot_dns_service_image_vector_overwrite | to_nice_yaml(indent=2) | indent(width=8, first=false) }} +{% endif %} dnsProviderManagement: enabled: true dnsControllerManager: - image: - tag: "{{ gardener_dns_controller_manager_image_tag }}" - repository: "{{ gardener_dns_controller_manager_image_name }}" deploy: true +{% if gardener_shoot_dns_service_dns_controller_manager_image_name or gardener_shoot_dns_service_dns_controller_manager_image_tag %} + image: +{% if gardener_shoot_dns_service_dns_controller_manager_image_tag %} + tag: "{{ gardener_shoot_dns_service_dns_controller_manager_image_tag }}" +{% endif %} +{% if gardener_shoot_dns_service_dns_controller_manager_image_name %} + repository: "{{ gardener_shoot_dns_service_dns_controller_manager_image_name }}" +{% endif %} +{% endif %} diff --git a/control-plane/roles/gardener/test/dns_extension_template_test.py b/control-plane/roles/gardener/test/dns_extension_template_test.py new file mode 100644 index 00000000..72d10fed --- /dev/null +++ b/control-plane/roles/gardener/test/dns_extension_template_test.py 
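Review bot: When neither `gardener_shoot_dns_service_dns_controller_manager_image_name` nor `..._image_tag` is set (both new defaults are empty) the `image:` stanza is omitted entirely, so the dns-controller-manager image becomes whatever the extension chart at `gardener_shoot_dns_service_repo_ref` defaults to, instead of the version the release vector pinned before; that is presumably the intent of the commit, but it is a supply-chain behaviour change worth a line above the `{% if %}`, e.g. `{# no explicit image: the chart's default dns-controller-manager image for this ref is used #}`. Separately, `to_nice_yaml(indent=2)` folds plain scalars past 80 columns onto a continuation line; that stays valid YAML here because of `indent(width=8)`, but long registry paths become hard to eyeball in the rendered manifest, so passing a larger `width=` through to `to_nice_yaml` is worth considering. The `providerConfig.values` mapping starts before the hunk.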
@@ -0,0 +1,80 @@ +import unittest +import sys +import yaml + +from ansible.template import Templar +from test import read_template_file +from unittest.mock import patch, MagicMock + +class ShootDnsExtensionControllerDeploymentTemplate(unittest.TestCase): + @patch('urllib.request.urlopen') + def test_shoot_dns_extension_controller_deployment_template(self, mock_urlopen): + cm = MagicMock() + cm.getcode.return_value = 200 + cm.read.return_value = ''' +--- +apiVersion: core.gardener.cloud/v1beta1 +kind: ControllerDeployment +metadata: + name: extension-shoot-dns-service +type: helm +providerConfig: + chart: a-chart + values: + image: + tag: v1.48.0 +''' + mock_urlopen.return_value = cm + + t = read_template_file("shoot-dns-service/controller-deployment.yaml") + + templar = Templar(loader=None, variables={ + "gardener_shoot_dns_service_image_tag": "v0.0.1", + "gardener_shoot_dns_service_repo_ref": "gardener/gardener-extension-shoot-dns-service/{{ gardener_shoot_dns_service_image_tag }}", + "gardener_shoot_dns_service_image_name": "extension-image", + "gardener_shoot_dns_service_image_tag": "extension-tag", + "gardener_shoot_dns_service_image_vector_overwrite": [ + { + "name": "dns-controller-manager", + "sourceRepository": "github.com/gardener/external-dns-management", + "repository": "europe-docker.pkg.dev/gardener-project/public/dns-controller-manager", + "tag": "0.7.1", + }, + ], + "gardener_shoot_dns_service_dns_controller_manager_image_name": "dns-controller-image", + "gardener_shoot_dns_service_dns_controller_manager_image_tag": "dns-controller-tag", + }) + + + res = templar.template(t) + + expected = ''' +--- +apiVersion: core.gardener.cloud/v1beta1 +kind: ControllerDeployment +metadata: + name: extension-shoot-dns-service +type: helm +providerConfig: + chart: "a-chart" + values: + image: + repository: "extension-image" + tag: "extension-tag" + imageVectorOverwrite: | + images: + - name: dns-controller-manager + repository: 
europe-docker.pkg.dev/gardener-project/public/dns-controller-manager + sourceRepository: github.com/gardener/external-dns-management + tag: 0.7.1 + dnsProviderManagement: + enabled: true + dnsControllerManager: + deploy: true + image: + tag: "dns-controller-tag" + repository: "dns-controller-image" +''' + + self.maxDiff = None + self.assertDictEqual(yaml.safe_load(expected), yaml.safe_load(res)) diff --git a/defaults/main.yaml b/defaults/main.yaml index e1164ff7..a6d8b792 100644 --- a/defaults/main.yaml +++ b/defaults/main.yaml @@ -125,8 +125,6 @@ metal_stack_release: gardener_shoot_cert_service_image_name: "docker-images.third-party.gardener.shoot-cert-service.name" gardener_shoot_dns_service_image_tag: "docker-images.third-party.gardener.shoot-dns-service.tag" gardener_shoot_dns_service_image_name: "docker-images.third-party.gardener.shoot-dns-service.name" - gardener_dns_controller_manager_image_tag: "docker-images.third-party.gardener.dns-controller-manager.tag" - gardener_dns_controller_manager_image_name: "docker-images.third-party.gardener.dns-controller-manager.name" gardener_metrics_exporter_image_tag: "docker-images.third-party.gardener.metrics-exporter.tag" gardener_metrics_exporter_image_name: "docker-images.third-party.gardener.metrics-exporter.name" gardener_extension_acl_image_name: "docker-images.third-party.gardener.acl-extension.name" From b93cbc0bbb0426cdfd9bb4fdee26c6b4d6f48ea6 Mon Sep 17 00:00:00 2001 
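Review bot: The variables dict handed to `Templar` defines `gardener_shoot_dns_service_image_tag` twice (`"v0.0.1"` and later `"extension-tag"`); a Python dict literal keeps the last value silently, so the first entry is dead and misleads a reader into thinking `v0.0.1` reaches the URL. Drop the `"v0.0.1"` line, and add `mock_urlopen.assert_called_once()` after the template call so the test also fails if the url lookup does not go through `urllib.request.urlopen` and the fixture response was never used. Loading both sides with `yaml.safe_load` is the right choice.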
From: Ebubekir Ates <109050136+Honigeintopf@users.noreply.github.com> Date: Wed, 23 Oct 2024 10:56:20 +0200 Subject: [PATCH 48/49] Add role for partition management firewall setup (#336) --- partition/roles/mgmt-firewall/README.md | 120 ++++++++ .../roles/mgmt-firewall/defaults/main.yaml | 63 ++++ partition/roles/mgmt-firewall/tasks/main.yaml | 273 ++++++++++++++++++ 3 files changed, 456 insertions(+) create mode 100644 partition/roles/mgmt-firewall/README.md create mode 100644 partition/roles/mgmt-firewall/defaults/main.yaml create mode 100644 partition/roles/mgmt-firewall/tasks/main.yaml diff --git a/partition/roles/mgmt-firewall/README.md b/partition/roles/mgmt-firewall/README.md new file mode 100644 index 00000000..24ee482d --- /dev/null +++ b/partition/roles/mgmt-firewall/README.md 
@@ -0,0 +1,120 @@ +# Automated Firewall Setup with Ansible + +This role automates the configuration of management firewalls using Ansible. It is designed to streamline the process of setting up firewalls for consistent deployment before mounting devices in the data center. By utilizing default configurations and flexible variables, this role simplifies the setup across multiple devices. + +**Note**: This role is intended to be run on devices reset to factory defaults. + +## Supported Devices + +| Manufacturer | Model | +| ------------ | ------ | +| Teltonika | RUTXR1 | + +## Key Features + +- **Automated firewall setup** using default configurations +- **VLAN and BGP** configuration support +- **Dynamic port forwarding** setup +- **Pre-configured firewall rules** for LAN, WAN, and global settings +- **Device-specific customization** via `routers.yaml` + +## Prerequisites + +- The device must be **reset to factory defaults** before running this role. +- An initial login is required to change the root password using credentials defined in the `routers.yaml` file. + +## Configuration Details + +### Firewall Rules + +The firewall is configured with the following settings by default: + +1. **Global Settings:** + + - Drop invalid packets: **Enabled** + - Input: **Drop** + - Output: **Accept** + - Forward: **Drop** + - Offloading: **On** + +2. **LAN Configuration:** + + - Input, Output, Forward: **Accept** + - Masquerading: **On** + - MSS Clamping: **On** + +3. **WAN Configuration:** + - Input: **Drop** + - Output: **Accept** + - Forward: **Drop** + - Masquerading: **On** + - MSS Clamping: **On** + +### VLAN Configuration + +- **VLAN 1:** Tagged to port 4 +- **VLAN 2:** Tagged to port 5 (WAN) +- Other VLANs can be configured dynamically. + +### BGP Configuration + +- The BGP peer is **hardcoded** as `mgmtsrv`. +- The IP address and AS number can be configured dynamically. 
+ +## Interfaces + +Both LAN and WAN interfaces share the following mandatory fields: + +| Field | Description | +| --------------------------------------------------------- | -------------- | +| `mgmt_firewall_interfaces.mgmt_firewall_lan.name` | Interface name | +| `mgmt_firewall_interfaces.mgmt_firewall_lan.ipaddr` | IP address | +| `mgmt_firewall_interfaces.mgmt_firewall_lan.netmask` | Subnet mask | +| `mgmt_firewall_interfaces.mgmt_firewall_lan.device` | Router port | +| `mgmt_firewall_interfaces.mgmt_firewall_lan.dhcp_options` | (LAN Only) | +| `mgmt_firewall_interfaces.mgmt_firewall_lan.metric` | (WAN Only) | +| `mgmt_firewall_interfaces.mgmt_firewall_lan.gateway` | (WAN Only) | +| `mgmt_firewall_interfaces.mgmt_firewall_lan.dns` (List) | (WAN Only) | + +### Default WAN Interface + +To enable configuration of the default WAN interface, set `mgmt_firewall_default_wan_enabled` to `true`. + +| Field | Description | +| ------------------------------------------------------------ | --------------- | +| `mgmt_firewall_interfaces.mgmt_firewall_wan.default.name` | Interface name | +| `mgmt_firewall_interfaces.mgmt_firewall_wan.default.ipaddr` | IP address | +| `mgmt_firewall_interfaces.mgmt_firewall_wan.default.netmask` | Subnet mask | +| `mgmt_firewall_interfaces.mgmt_firewall_wan.default.device` | Router port | +| `mgmt_firewall_interfaces.mgmt_firewall_wan.default.gateway` | Default gateway | + +## Port Forwarding Configuration + +The following fields define port forwarding rules: + +| Field | Description | +| ------------------------------------------- | ------------------------------ | +| `mgmt_firewall_port_forwards.name` | Rule name | +| `mgmt_firewall_port_forwards.src_dport` | External port | +| `mgmt_firewall_port_forwards.dest_ip` | Internal IP address | +| `mgmt_firewall_port_forwards.dest_port` | Internal port | +| `mgmt_firewall_port_forwards.src` | Source zone | +| `mgmt_firewall_port_forwards.priority` | Rule priority (start with 1) | +| 
`mgmt_firewall_port_forwards.dest` | Destination zone | +| `mgmt_firewall_port_forwards.reflection` | NAT Loopback (0 = off, 1 = on) | +| `mgmt_firewall_port_forwards.src_ip` (List) | Source IP addresses | +| `mgmt_firewall_port_forwards.proto` (List) | Protocols (e.g., TCP, UDP) | +| `mgmt_firewall_port_forwards.src_dip` | External IP address | + +## Variables + +The following variables can be customized for each firewall: + +| Variable | Mandatory | Description | +| ------------------------------------- | --------- | ---------------------------------------------- | +| `mgmt_firewall_location_name` | yes | Location of the firewall | +| `mgmt_firewall_device_name` | yes | Device name | +| `mgmt_firewall_public_key` | yes | Public key for the firewall | +| `mgmt_firewall_default_wan_enabled` | | Default: false | +| `mgmt_firewall_wireless_disabled` | | Default: true | +| `mgmt_firewall_static_routes_enabled` | | Set up static routes, by specifying a gateway. | diff --git a/partition/roles/mgmt-firewall/defaults/main.yaml b/partition/roles/mgmt-firewall/defaults/main.yaml new file mode 100644 index 00000000..c573cf62 --- /dev/null +++ b/partition/roles/mgmt-firewall/defaults/main.yaml 
@@ -0,0 +1,63 @@
+mgmt_firewall_location_name:
+mgmt_firewall_device_name:
+
+mgmt_firewall_default_wan_enabled: true
+mgmt_firewall_static_routes_enabled: true
+
+mgmt_firewall_config:
+ location_name: ''
+ device_name: ''
+ bgp:
+ enabled: true
+ general_ip: ''
+ general_as:
+ mgmtsrv_ipaddr: ''
+ mgmtsrv_as:
+
+mgmt_firewall_interfaces:
+ mgmt_firewall_lan:
+ - name: ''
+ ipaddr: ''
+ netmask: ''
+ device: ''
+ dhcp_options:
+ - { option: '3', value: '' }
+ - { option: '6', value: '' }
+ - { option: '12', value: '' }
+ mgmt_firewall_wan:
+ default:
+ ip_adress: ''
+ gateway: ''
+ net_mask: ''
+ interfaces:
+ - name: wan_mgmtsrv
+ device: eth1
+ metric: '5'
+ ipaddr: ''
+ netmask: ''
+ dns:
+ - '1.1.1.1'
+ - '1.0.0.1'
+ gateway: ''
+
+mgmt_firewall_port_forwards:
+ - name: 'ssh_mgmtsrv'
+ src_dport: '22'
+ dest_ip: ''
+ dest_port: '22'
+ src: 'wan'
+ priority: '1'
+ dest: 'lan'
+ reflection: '0'
+ src_ip: ['']
+ proto: ['tcp']
+ src_dip: ''
+
+mgmt_firewall_vlans:
+ - vlan: '3'
+ vid: '3'
+ ports: '0t 1'
+
+mgmt_firewall_static_routes:
+ - gateway: ''
+ network: 1
diff --git a/partition/roles/mgmt-firewall/tasks/main.yaml b/partition/roles/mgmt-firewall/tasks/main.yaml
new file mode 100644
index 00000000..f85aa42c
--- /dev/null
+++ b/partition/roles/mgmt-firewall/tasks/main.yaml
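Review bot: `mgmt_firewall_default_wan_enabled` and `mgmt_firewall_static_routes_enabled` default to `true` here, while the README table in this same patch documents `mgmt_firewall_default_wan_enabled` as `Default: false`, so a caller who omits the variable silently gets the default-WAN task run with the empty `ip_adress`/`net_mask`/`gateway` placeholders below; setting `mgmt_firewall_default_wan_enabled: false` and `mgmt_firewall_static_routes_enabled: false` makes the role match its docs. `mgmt_firewall_public_key` is absent from the defaults although the tasks assert `mgmt_firewall_public_key is not none`, so when it is not supplied that assert will most likely fail with an undefined-variable error instead of the intended `fail_msg`; adding `mgmt_firewall_public_key:` (empty) here lets the check do its job. The `default` WAN keys `ip_adress`/`net_mask` differ from the `ipaddr`/`netmask` spelling used by every other interface entry and by the README, and must stay in sync with the `Configure Default wan` task if renamed. The `1.1.1.1`/`1.0.0.1` resolvers under `wan_mgmtsrv` are public DNS baked into a management firewall default; a comment such as `# placeholder public resolvers — override per site` would keep operators from shipping them unintentionally.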
@@ -0,0 +1,273 @@ +--- +- name: Check mandatory variables for this role are set + assert: + fail_msg: 'not all mandatory variables given, check role documentation' + quiet: yes + that: + - mgmt_firewall_location_name is not none + - mgmt_firewall_device_name is not none + - mgmt_firewall_public_key is not none + +- name: Setup BGP configuration + ansible.builtin.raw: | + uci set bgp.bgp.enabled='1' + uci set bgp.bgp.enabled_vty='1' + uci set bgp.general.enabled='1' + uci add_list bgp.general.redistribute='static' + uci add_list bgp.general.redistribute='connected' + uci add_list bgp.general.redistribute='kernel' + uci set bgp.general.id={{ mgmt_firewall_config.bgp.general_ip }} + uci set bgp.general.as='{{ mgmt_firewall_config.bgp.general_as }}' + uci set bgp.general.ebgp_requires_policy='1' + uci set bgp.general.deterministic_med='0' + when: mgmt_firewall_config.bgp.enabled + +- name: Setup BGP Peer + ansible.builtin.raw: | + uci set bgp.mgmtsrv=bgp_peer + uci set bgp.mgmtsrv.instance='general' + uci set bgp.mgmtsrv.default_originate='0' + uci set bgp.mgmtsrv.ipaddr='{{ mgmt_firewall_config.bgp.mgmtsrv_ipaddr }}' + uci set bgp.mgmtsrv.as='{{ mgmt_firewall_config.bgp.mgmtsrv_as }}' + uci set bgp.mgmtsrv.enabled='1' + uci commit bgp + /etc/init.d/frr restart + when: mgmt_firewall_config.bgp.enabled + +- name: Setup SSH + ansible.builtin.raw: | + uci set dropbear.@dropbear[0]._sshWanAccess='1' + uci set dropbear.@dropbear[0].enable_key_ssh='1' + uci set dropbear.@dropbear[0].RootPasswordAuth='0' + uci commit dropbear + /etc/init.d/dropbear restart + uci set firewall.15.enabled='1' # Enable SSH Wan + uci commit firewall + /etc/init.d/firewall + +- name: Setup firewall default settings + ansible.builtin.raw: | + uci set firewall.1.input='DROP' + uci set firewall.1.forward='DROP' + uci set firewall.1.drop_invalid='1' + uci set firewall.2.masq='1' + uci set firewall.2.mtu_fix='1' + uci set firewall.3.input='DROP' + uci set firewall.3.forward='DROP' + {% if 
mgmt_firewall_config.bgp.enabled is true %} + uci set firewall.A_BGP=rule + uci set firewall.A_BGP.enabled='1' + uci set firewall.A_BGP.src='wan' + uci set firewall.A_BGP.name='Allow-BGP-WAN-traffic' + uci set firewall.A_BGP.target='ACCEPT' + uci set firewall.A_BGP.dest_port='179' + uci add_list firewall.A_BGP.proto='tcp' + uci add_list firewall.A_BGP.proto='udp' + {% endif %} + uci commit firewall + /etc/init.d/firewall restart + +- name: Get the total number of sms_utils rules + ansible.builtin.raw: | + uci show sms_utils | grep -o '@rule\[[0-9]\+\]' | sort -u | wc -l + register: rule_count + +- name: Disable all sms_utils rules + ansible.builtin.raw: | + uci set sms_utils.@rule[{{ item }}].enabled='0' + loop: '{{ range(0, rule_count.stdout | int) }}' + register: disable_output + +- name: Commit and restart sms_utils after disabling rules + ansible.builtin.raw: | + uci commit sms_utils + /etc/init.d/sms_utils restart + +- name: Disable rms_connect + ansible.builtin.raw: | + uci set rms_mqtt.rms_connect_mqtt.enable='0' + uci commit rms_mqtt + /etc/init.d/rms_mqtt restart + +- name: Change location Name + ansible.builtin.raw: | + uci set snmpd.@system[0].sysName='{{ mgmt_firewall_location_name }}' + uci set system.system.devicename='{{ mgmt_firewall_device_name }}' + uci set system.system.hostname='{{ mgmt_firewall_location_name }}' + uci set system.system.zoneName='Europe/Berlin' + uci set system.system.timezone='CET-1CEST,M3.5.0,M10.5.0/3' + uci commit snmpd + uci commit system + /etc/init.d/system restart + +- name: Enable Remote Https Access + ansible.builtin.raw: | + uci set uhttpd.main._httpsWanAccess='1' + uci set uhttpd.main.redirect_https='0' + uci commit uhttpd + /etc/init.d/uhttpd restart + +- name: Disable wireless + ansible.builtin.raw: | + uci set wireless.default_radio1.disabled='1' + uci set wireless.default_radio0.disabled='1' + uci commit wireless + /etc/init.d/network restart + when: mgmt_firewall_wireless_disabled | default(true) + +- name: 
Create authorized keys file in /etc/dropbear + ansible.builtin.raw: | + echo '{{mgmt_firewall_public_key}}' > ../etc/dropbear/authorized_keys + +- name: Adjust Lan Default to not Bridge + ansible.builtin.raw: | + uci delete network.br_lan + uci delete network.br_lan.name + uci delete network.br_lan.type + uci delete network.br_lan.ports + uci delete network.lan.device + uci set network.lan.device='eth0' + uci commit network + /etc/init.d/network restart + +- name: Configure Default wan + ansible.builtin.raw: | + uci set network.wan.ipaddr='{{mgmt_firewall_interfaces.mgmt_firewall_wan.default.ip_adress}}' + uci set network.wan.netmask='{{mgmt_firewall_interfaces.mgmt_firewall_wan.default.net_mask}}' + uci set network.wan.gateway='{{mgmt_firewall_interfaces.mgmt_firewall_wan.default.gateway}}' + uci add_list network.wan.dns='1.1.1.1' + uci add_list network.wan.dns='1.0.0.1' # Hardcoded for now + uci set network.wan.peerdns='0' + uci set network.wan.proto='static' + uci commit network + /etc/init.d/network + uci set firewall.3.network='' + uci add_list firewall.3.network=wan + uci commit firewall + /etc/init.d/firewall + when: mgmt_firewall_default_wan_enabled | default(false) + +- name: Configure new LAN interfaces + ansible.builtin.raw: | + section_id=$(uci add network interface) + uci rename network.$section_id="{{ item.name }}" + uci set network.{{ item.name }}.proto='static' + uci set network.{{ item.name }}.ipaddr='{{ item.ipaddr }}' + uci set network.{{ item.name }}.netmask='{{ item.netmask }}' + uci set network.{{ item.name }}.device='{{ item.device }}' + uci set network.{{ item.name }}.delegate='1' + uci set network.{{ item.name }}.force_link='1' + uci set network.{{ item.name }}.area_type='lan' + uci commit network + /etc/init.d/network restart + uci add_list firewall.2.network="{{ item.name }}" + uci commit firewall + /etc/init.d/firewall restart + + loop: '{{ mgmt_firewall_interfaces.mgmt_firewall_lan }}' + +- name: Configure DHCP + ansible.builtin.raw: | 
+ uci set dhcp.{{ item.name }}=dhcp + uci set dhcp.{{ item.name }}.ignore_ipv6='1' + uci set dhcp.{{ item.name }}.interface="{{ item.name }}" + uci set dhcp.{{ item.name }}.ra='server' + uci set dhcp.{{ item.name }}.dhcpv6='server' + uci set dhcp.{{ item.name }}.leasetime='12h' + uci set dhcp.{{ item.name }}.start='2' + uci set dhcp.{{ item.name }}.limit='1' + uci set dhcp.{{ item.name }}.netmask='255.255.255.252' + {% for option in item.dhcp_options %} + uci add_list dhcp.{{ item.name }}.dhcp_option_force="{{ option.option }},{{ option.value }}" + {% endfor %} + uci commit dhcp + /etc/init.d/dnsmasq restart + + loop: '{{ mgmt_firewall_interfaces.mgmt_firewall_lan }}' + +- name: Configure WAN interfaces + ansible.builtin.raw: | + section_id=$(uci add network interface) + uci set network.$section_id.proto='static' + uci set network.$section_id.area_type='wan' + uci set network.$section_id.peerdns='0' + uci set network.$section_id.device='{{ item.device }}' + uci set network.$section_id.metric='{{ item.metric }}' + uci set network.$section_id.ipaddr='{{ item.ipaddr }}' + uci set network.$section_id.netmask='{{ item.netmask }}' + uci set network.$section_id.gateway='{{ item.gateway }}' + uci set network.$section_id.name='{{ item.name }}' + {% for dns_server in item.dns %} + uci add_list network.$section_id.dns='{{ dns_server }}' + {% endfor %} + + uci add_list firewall.3.network="$section_id" + uci commit firewall + /etc/init.d/firewall restart + + uci commit network + /etc/init.d/network restart + loop: '{{ mgmt_firewall_interfaces.mgmt_firewall_wan.interfaces }}' + +- name: Apply Port-Forwards + ansible.builtin.raw: | + uci add firewall redirect + uci set firewall.@redirect[-1].src_dport='{{ item.src_dport }}' # External port + uci set firewall.@redirect[-1].dest_ip='{{ item.dest_ip }}' + uci set firewall.@redirect[-1].dest_port='{{ item.dest_port }}' + uci set firewall.@redirect[-1].src='{{ item.src }}' + uci set firewall.@redirect[-1].name='{{ item.name }}' + uci 
set firewall.@redirect[-1].target='DNAT' + uci set firewall.@redirect[-1].priority='{{ item.priority }}' # Order of rule + {% if item.dest is defined %} + uci set firewall.@redirect[-1].dest='{{ item.dest }}' # Internal Zone + {% endif %} + uci set firewall.@redirect[-1].enabled='1' + uci set firewall.@redirect[-1].reflection='{{ item.reflection }}' # Enable Nat Loopback + {% if item.src_ip is defined %} + {% for src_ip in item.src_ip %} + uci add_list firewall.@redirect[-1].src_ip="{{ src_ip }}" + {% endfor %} + {% endif %} + {% if item.src_dip is defined %} + uci set firewall.@redirect[-1].src_dip='{{ item.src_dip }}' # External IP, defaults to Any + {% endif %} + {% if item.proto is defined %} + {% for proto in item.proto %} + uci add_list firewall.@redirect[-1].proto="{{ proto }}" # Protocol setter (TCP, UDP) + {% endfor %} + {% endif %} + uci commit firewall + /etc/init.d/firewall restart + loop: '{{ mgmt_firewall_port_forwards }}' + +- name: Setup Static Routes + ansible.builtin.raw: | + uci set network.{{ item.network }}=route + uci set network.{{ item.network }}.table='254' + uci set network.{{ item.network }}.netmask='0.0.0.0' + uci set network.{{ item.network }}.target='0.0.0.0' + uci set network.{{ item.network }}.gateway='{{ item.gateway }}' + uci set network.{{ item.network }}.interface='wan' + loop: '{{ mgmt_firewall_static_routes }}' + when: mgmt_firewall_static_routes_enabled | default(false) + +- name: Setup static VLANs (VLAN 1 and 2) + ansible.builtin.raw: | + uci set network.@switch_vlan[0].ports='0t 4' + uci set network.@switch_vlan[1].ports='0t 5' + uci commit network + +- name: Setup dynamic VLANs + ansible.builtin.raw: | + uci add network switch_vlan + uci set network.@switch_vlan[-1].device='switch0' + uci set network.@switch_vlan[-1].vlan='{{ item.vlan }}' + uci set network.@switch_vlan[-1].vid='{{ item.vid }}' + uci set network.@switch_vlan[-1].ports='{{ item.ports }}' + uci commit network + loop: '{{ mgmt_firewall_vlans }}' + +- name: 
Restart Network + ansible.builtin.raw: | + /etc/init.d/network restart From e7a1e303be926eee3640a250696e1c553b2a26fd Mon Sep 17 00:00:00 2001 From: Ilja Rotar <77339620+iljarotar@users.noreply.github.com> Date: Wed, 23 Oct 2024 12:53:01 +0200 Subject: [PATCH 49/49] Add config db to ZTP (#333) --- partition/roles/ztp/README.md | 21 +++++++++++++++++++++ partition/roles/ztp/defaults/main/main.yaml | 1 + partition/roles/ztp/files/config_db.json | 7 +++++++ partition/roles/ztp/files/reload.sh | 3 +++ partition/roles/ztp/tasks/main.yaml | 18 ++++++++++++++++++ partition/roles/ztp/templates/ztp.json.j2 | 21 +++++++++++++++++++++ 6 files changed, 71 insertions(+) create mode 100644 partition/roles/ztp/files/config_db.json create mode 100644 partition/roles/ztp/files/reload.sh create mode 100644 partition/roles/ztp/templates/ztp.json.j2 diff --git a/partition/roles/ztp/README.md b/partition/roles/ztp/README.md index 2de4b68a..f49ae6f1 100644 --- a/partition/roles/ztp/README.md +++ b/partition/roles/ztp/README.md 
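Review bot: The `A_BGP` rule in `Setup firewall default settings` accepts port 179 from the whole `wan` zone on both tcp and udp, although BGP is TCP-only and the only intended peer is `mgmt_firewall_config.bgp.mgmtsrv_ipaddr`; drop `uci add_list firewall.A_BGP.proto='udp'` and add `uci set firewall.A_BGP.src_ip='{{ mgmt_firewall_config.bgp.mgmtsrv_ipaddr }}'` so only that peer can reach FRR. `Setup SSH` enables `_sshWanAccess` and the hard-coded rule `firewall.15`, and sets `RootPasswordAuth='0'`, before `Create authorized keys file in /etc/dropbear` installs the key, and together with `Enable Remote Https Access` this exposes the admin plane on WAN — a play that fails between those two tasks leaves the device reachable but with no working login, so the key should be written first, to an absolute path rather than `../etc/dropbear/authorized_keys` (which depends on the raw shell's working directory). Every task pastes inventory values into single-quoted shell strings via `ansible.builtin.raw`, so a value containing `'` (e.g. `mgmt_firewall_location_name` or a port-forward `name`) breaks out of the command; passing them through `| quote` closes that. The bare `/etc/init.d/firewall` and `/etc/init.d/network` invocations (no `restart`) in the SSH and default-WAN tasks only print usage, so those settings are not applied until a later task happens to restart the service.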
@@ -9,7 +9,28 @@ Configures a server for providing zero-touch-provisioning scripts for switches. | ztp_nginx_image_name | yes | the docker image to use to serve ztp scripts. | | ztp_nginx_image_tag | yes | the tag of the docker image to use to serve ztp scripts. | | ztp_host_dir_path | | the path to serve ztp scripts from. | +| ztp_listen_address | | the address used to serve ztp requests | | ztp_port | | the port to serve ztp scripts on. | | ztp_authorized_keys | yes | the authorized keys that should be installed by ztp. | | ztp_admin_user | | the user for which the authorized keys will be provisioned. | | ztp_additional_files | | puts additional files into serve directory. | + +## Provisioning SONiC Switches via ztp.json + +On SONiC switches it is possible to describe the ZTP procedure in a file called `ztp.json`. +It contains all steps that should be performed during ZTP along with some additional options. +We use `ztp.json` to trigger a restart of the BGP service after the initial switch provisioning. +To use the `ztp.json` file, add a DHCP option with code 67 to the DHCP server that serves the file. +For example, add a section like the following to `/etc/dhcp/dhcpd.conf`: + +``` +option sonic_ztp code 67 = text; + +host leaf01 { + hardware ethernet aa:aa:aa:aa:aa:aa; + fixed-address 10.1.253.154; + option sonic_ztp "http://10.1.253.13:8080/ztp.json"; +} +``` + +For more information on the `ztp.json` format refer to the [documentation](https://github.com/sonic-net/SONiC/blob/master/doc/ztp/ztp.md). diff --git a/partition/roles/ztp/defaults/main/main.yaml b/partition/roles/ztp/defaults/main/main.yaml index 8cff09c2..01dfafc3 100644 --- a/partition/roles/ztp/defaults/main/main.yaml +++ b/partition/roles/ztp/defaults/main/main.yaml @@ -4,6 +4,7 @@ ztp_host_dir_path: /ztp ztp_authorized_keys: ztp_admin_user: admin +ztp_listen_address: "{{ ansible_host }}" ztp_port: 8080 ztp_additional_files: [] 
diff --git a/partition/roles/ztp/files/config_db.json b/partition/roles/ztp/files/config_db.json
new file mode 100644
index 00000000..0d7ecddd
--- /dev/null
+++ b/partition/roles/ztp/files/config_db.json
@@ -0,0 +1,7 @@
+{
+ "DEVICE_METADATA": {
+ "localhost": {
+ "docker_routing_config_mode": "split"
+ }
+ }
+}
\ No newline at end of file
diff --git a/partition/roles/ztp/files/reload.sh b/partition/roles/ztp/files/reload.sh
new file mode 100644
index 00000000..4712145e
--- /dev/null
+++ b/partition/roles/ztp/files/reload.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sudo systemctl restart bgp
diff --git a/partition/roles/ztp/tasks/main.yaml b/partition/roles/ztp/tasks/main.yaml
index 780c2956..1f17f311 100644
--- a/partition/roles/ztp/tasks/main.yaml
+++ b/partition/roles/ztp/tasks/main.yaml
@@ -23,6 +23,24 @@
 dest: "{{ ztp_host_dir_path }}/config/ztp.sh"
 mode: 0644
 
+- name: copy config_db.json
+ copy:
+ src: "config_db.json"
+ dest: "{{ ztp_host_dir_path }}/config/config_db.json"
+ mode: 0644
+
+- name: copy reload script
+ copy:
+ src: "reload.sh"
+ dest: "{{ ztp_host_dir_path }}/config/reload.sh"
+ mode: 0644
+
+- name: render ztp.json
+ template:
+ src: "ztp.json.j2"
+ dest: "{{ ztp_host_dir_path }}/config/ztp.json"
+ mode: 0644
+
 - name: copy additional contents
 copy:
 dest: "{{ ztp_host_dir_path }}/config/{{ item.name }}"
diff --git a/partition/roles/ztp/templates/ztp.json.j2 b/partition/roles/ztp/templates/ztp.json.j2
new file mode 100644
index 00000000..29da1d14
--- /dev/null
+++ b/partition/roles/ztp/templates/ztp.json.j2
@@ -0,0 +1,21 @@
+{
+ "ztp": {
+ "02-user": {
+ "plugin": {
+ "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/ztp.sh"
+ }
+ },
+ "03-configdb-json": {
+ "url": {
+ "source": "http://{{ ztp_listen_address }}:{{ ztp_port }}/config_db.json"
+ },
+ "clear-config": false
+ },
+ "04-reload": {
+ "plugin": {
+ "url": "http://{{ ztp_listen_address }}:{{ ztp_port }}/reload.sh"
+ }
+ },
+ "restart-ztp-no-config": false
+ }
+}
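Review bot: All three steps fetch `ztp.sh`, `config_db.json` and `reload.sh` over plain `http://` with no integrity check, and the plugin steps execute what they fetch on the switch (`reload.sh` runs `sudo systemctl restart bgp`), so anyone who can answer as `ztp_listen_address` on the provisioning network, or spoof the DHCP option 67 the README points at this file, gets root on every switch being provisioned. If the nginx image can terminate TLS, switching the scheme to `https://` and, where the SONiC url object supports it, enabling certificate verification would close that; otherwise the README should state plainly that the ZTP server must only be reachable from an isolated management network. `ztp_listen_address` defaults to `ansible_host` elsewhere in this patch, so if that value is a hostname rather than an IP the switch must be able to resolve it before any configuration is loaded; a template comment such as `{# ztp_listen_address must be an IP or a name resolvable by a bare switch #}` would make that requirement visible to whoever overrides it.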