Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 1 | .. |
| 2 | SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org> |
| 3 | SPDX-License-Identifier: Apache-2.0 |
| 4 | |
| 5 | VPN Bootstrap |
| 6 | ============= |
| 7 | |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 8 | This section guides you through setting up a VPN connection between Aether Central in GCP and ACE. |
Hyunsun Moon | 049b505 | 2021-07-30 12:41:03 -0700 | [diff] [blame] | 9 | We will be using GitOps based Aether CI/CD system for this and what you need to do is |
Hyunsun Moon | bbad67d | 2021-08-12 00:47:27 -0700 | [diff] [blame^] | 10 | create a patch for the new edge in **aether-pod-configs**, where all edge infrastructure |
| 11 | configuration is stored. |
| 12 | |
| 13 | Here is a brief overview of each step. Note that some of the steps described here are not |
| 14 | directly related to setting up a VPN, but are prerequisites for adding a new edge. |
| 15 | |
| 16 | **1. Add deployment jobs** |
| 17 | Each edge has its own Jenkins jobs that build and apply infrastructure change plans. |
| 18 | In this step, you'll add those jobs for the new edge. |
| 19 | |
| 20 | **2. Update global resource maps** |
| 21 | aether-pod-configs maintains complete list of clusters, VPN connections, and users |
| 22 | in separate global resource files. Before adding edge specific configurations, |
| 23 | it is required to update those global resource maps first. |
| 24 | |
| 25 | **3. Generate Ansible and Terraform configs** |
| 26 | In this step, you'll add Ansible and Terraform configs necessary to install and |
| 27 | configure VPN softwares at the edge and set up VPN gateway, router, |
| 28 | and firewall on GCP. |
| 29 | |
| 30 | **4. Submit your changes** |
| 31 | Finally, submit your change to run the deployment job added in the first step. |
| 32 | |
| 33 | |
| 34 | .. attention:: |
| 35 | |
| 36 | Make sure that UDP port 500, UDP port 4500, and ESP from **gcpvpn1.infra.aetherproject.net(35.242.47.15)** |
| 37 | and **gcpvpn2.infra.aetherproject.net(34.104.68.78)** are allowed in the firewall. |
| 38 | |
| 39 | .. attention:: |
| 40 | |
| 41 | If you are adding another ACE to an existing VPN connection, go to |
| 42 | :ref:`Add ACE to an existing VPN connection <add_ace_to_vpn>`. Verify VPN connection. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 43 | |
Hyunsun Moon | 049b505 | 2021-07-30 12:41:03 -0700 | [diff] [blame] | 44 | .. _add_deployment_jobs: |
| 45 | |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 46 | Add deployment jobs |
| 47 | ------------------- |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 48 | First, you need to add Jenkins jobs to Aether CI/CD system that build and apply infrastructure change |
Hyunsun Moon | 049b505 | 2021-07-30 12:41:03 -0700 | [diff] [blame] | 49 | plans for the new edge. This can be done by creating a patch to **aether-ci-management** repository. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 50 | |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 51 | Download **aether-ci-management** repository. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 52 | |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 53 | .. code-block:: shell |
| 54 | |
| 55 | $ cd $WORKDIR |
| 56 | $ git clone "ssh://[username]@gerrit.opencord.org:29418/aether-ci-management" |
| 57 | |
| 58 | Add the jobs for the new cluster at the end of the `cd-pipeline-terraform-ace` project job list. |
| 59 | Make sure to add both pre-merge and post-merge jobs. |
| 60 | Note that the cluster name specified here will be used in the rest of the deployment procedure. |
| 61 | |
| 62 | .. code-block:: diff |
| 63 | |
| 64 | $ cd $WORKDIR/aether-ci-management |
| 65 | $ vi jjb/repos/cd-pipeline-terraform.yaml |
| 66 | |
| 67 | # Add jobs for the new cluster |
| 68 | diff jjb/repos/cd-pipeline-terraform.yamll |
| 69 | --- a/jjb/repos/cd-pipeline-terraform.yaml |
| 70 | +++ b/jjb/repos/cd-pipeline-terraform.yaml |
| 71 | @@ -227,3 +227,9 @@ |
| 72 | - 'cd-pipeline-terraform-postmerge-cluster': |
| 73 | pod: 'production' |
| 74 | cluster: 'ace-eks' |
| 75 | + - 'cd-pipeline-terraform-premerge-cluster': |
| 76 | + pod: 'production' |
| 77 | + cluster: 'ace-test' |
| 78 | + - 'cd-pipeline-terraform-postmerge-cluster': |
| 79 | + pod: 'production' |
| 80 | + cluster: 'ace-test' |
| 81 | |
Hyunsun Moon | 2b2bf9a | 2021-08-01 05:29:48 -0700 | [diff] [blame] | 82 | Submit your change and wait for the jobs you just added available in Aether Jenkins. |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 83 | |
| 84 | .. code-block:: shell |
| 85 | |
| 86 | $ git status |
| 87 | Changes not staged for commit: |
| 88 | |
| 89 | modified: jjb/repos/cd-pipeline-terraform.yaml |
| 90 | |
| 91 | $ git add . |
| 92 | $ git commit -m "Add test ACE deployment job" |
| 93 | $ git review |
| 94 | |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 95 | |
Andy Bavier | 802cce5 | 2021-07-29 12:15:15 -0700 | [diff] [blame] | 96 | Get access to encrypted files in aether-pod-configs repository |
| 97 | -------------------------------------------------------------- |
| 98 | |
Andy Bavier | 718fd90 | 2021-07-30 10:10:55 -0700 | [diff] [blame] | 99 | `git-crypt <https://github.com/AGWA/git-crypt>`_ is used to securely store encrypted files |
| 100 | in the aether-pod-configs repository. Before proceeding, (1) install git-crypt and `gpg <https://gnupg.org/>`_, |
Andy Bavier | 6fc0ff1 | 2021-08-02 09:29:25 -0700 | [diff] [blame] | 101 | (2) create a GPG keypair, and (3) ask a member of the Aether OPs team to add your public key |
Andy Bavier | 802cce5 | 2021-07-29 12:15:15 -0700 | [diff] [blame] | 102 | to the aether-pod-configs keyring. To create the keypair follow these steps: |
| 103 | |
| 104 | .. code-block:: shell |
| 105 | |
| 106 | $ gpg --full-generate-key |
| 107 | $ gpg --output <key-name>.gpg --armor --export <your-email-address> |
| 108 | |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 109 | .. _update_global_resource: |
| 110 | |
| 111 | Update global resource maps |
| 112 | --------------------------- |
| 113 | |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 114 | Download aether-pod-configs repository. |
| 115 | |
| 116 | .. code-block:: shell |
| 117 | |
| 118 | $ cd $WORKDIR |
| 119 | $ git clone "ssh://[username]@gerrit.opencord.org:29418/aether-pod-configs" |
Andy Bavier | 802cce5 | 2021-07-29 12:15:15 -0700 | [diff] [blame] | 120 | $ git-crypt unlock |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 121 | |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 122 | Add the new cluster information at the end of the following global resource maps. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 123 | |
| 124 | * ``user_map.tfvars`` |
| 125 | * ``cluster_map.tfvars`` |
| 126 | * ``vpn_map.tfvars`` |
| 127 | |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 128 | .. code-block:: diff |
| 129 | |
| 130 | $ cd $WORKDIR/aether-pod-configs/production |
| 131 | $ vi user_map.tfvars |
| 132 | |
| 133 | # Add the new cluster admin user at the end of the map |
| 134 | $ git diff user_map.tfvars |
| 135 | --- a/production/user_map.tfvars |
| 136 | +++ b/production/user_map.tfvars |
| 137 | @@ user_map = { |
| 138 | username = "menlo" |
| 139 | password = "changeme" |
| 140 | global_roles = ["user-base", "catalogs-use"] |
| 141 | + }, |
| 142 | + test_admin = { |
| 143 | + username = "test" |
| 144 | + password = "changeme" |
| 145 | + global_roles = ["user-base", "catalogs-use"] |
| 146 | } |
| 147 | } |
| 148 | |
| 149 | .. code-block:: diff |
| 150 | |
| 151 | $ cd $WORKDIR/aether-pod-configs/production |
| 152 | $ vi cluster_map.tfvars |
| 153 | |
| 154 | # Add the new K8S cluster information at the end of the map |
| 155 | $ git diff cluster_map.tfvars |
| 156 | --- a/production/cluster_map.tfvars |
| 157 | +++ b/production/cluster_map.tfvars |
| 158 | @@ cluster_map = { |
| 159 | kube_dns_cluster_ip = "10.53.128.10" |
| 160 | cluster_domain = "prd.menlo.aetherproject.net" |
| 161 | calico_ip_detect_method = "can-reach=www.google.com" |
| 162 | + }, |
| 163 | + ace-test = { |
| 164 | + cluster_name = "ace-test" |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 165 | + management_subnets = ["10.32.4.0/24"] |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 166 | + k8s_version = "v1.18.8-rancher1-1" |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 167 | + k8s_pod_range = "10.33.0.0/17" |
| 168 | + k8s_cluster_ip_range = "10.33.128.0/17" |
| 169 | + kube_dns_cluster_ip = "10.33.128.10" |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 170 | + cluster_domain = "prd.test.aetherproject.net" |
| 171 | + calico_ip_detect_method = "can-reach=www.google.com" |
| 172 | } |
| 173 | } |
| 174 | } |
| 175 | |
| 176 | .. code-block:: diff |
| 177 | |
| 178 | $ cd $WORKDIR/aether-pod-configs/production |
| 179 | $ vi vpn_map.tfvars |
| 180 | |
| 181 | # Add VPN and tunnel information at the end of the map |
| 182 | $ git diff vpn_map.tfvars |
| 183 | --- a/production/vpn_map.tfvars |
| 184 | +++ b/production/vpn_map.tfvars |
| 185 | @@ vpn_map = { |
| 186 | bgp_peer_ip_address_1 = "169.254.0.6" |
| 187 | bgp_peer_ip_range_2 = "169.254.1.5/30" |
| 188 | bgp_peer_ip_address_2 = "169.254.1.6" |
| 189 | + }, |
| 190 | + ace-test = { |
| 191 | + peer_name = "production-ace-test" |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 192 | + peer_vpn_gateway_address = "66.201.42.222" |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 193 | + tunnel_shared_secret = "UMAoZA7blv6gd3IaArDqgK2s0sDB8mlI" |
| 194 | + bgp_peer_asn = "65003" |
| 195 | + bgp_peer_ip_range_1 = "169.254.0.9/30" |
| 196 | + bgp_peer_ip_address_1 = "169.254.0.10" |
| 197 | + bgp_peer_ip_range_2 = "169.254.1.9/30" |
| 198 | + bgp_peer_ip_address_2 = "169.254.1.10" |
| 199 | } |
| 200 | } |
| 201 | |
| 202 | .. note:: |
Hyunsun Moon | bbad67d | 2021-08-12 00:47:27 -0700 | [diff] [blame^] | 203 | Use `this site <https://cloud.google.com/network-connectivity/docs/vpn/how-to/generating-pre-shared-key/>`_ |
| 204 | to generate a strong tunnel shared secret. |
| 205 | |
| 206 | .. note:: |
Hyunsun Moon | 35868bc | 2021-08-11 15:01:13 -0700 | [diff] [blame] | 207 | Unless you have a specific requirement, set ASN to the next available value in the map. |
| 208 | For BGP peer IP range and address, use the next available /30 subnet in the map. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 209 | |
| 210 | |
Hyunsun Moon | bbad67d | 2021-08-12 00:47:27 -0700 | [diff] [blame^] | 211 | Generate Ansible and Terraform configurations |
| 212 | --------------------------------------------- |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 213 | |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 214 | In this step, we will create a directory under ``production`` with the same name |
Hyunsun Moon | bbad67d | 2021-08-12 00:47:27 -0700 | [diff] [blame^] | 215 | as the cluster, and add Ansible and Terraform configurations needed |
| 216 | to configure a VPN in ACE and GCP using a tool. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 217 | |
| 218 | .. code-block:: shell |
| 219 | |
| 220 | $ cd $WORKDIR/aether-pod-configs/tools |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 221 | $ cp ace_config.yaml.example ace_config.yaml |
Hyunsun Moon | bbad67d | 2021-08-12 00:47:27 -0700 | [diff] [blame^] | 222 | |
| 223 | # Set all values in ace_config.yaml |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 224 | $ vi ace_config.yaml |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 225 | |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 226 | $ make vpn |
| 227 | Created ../production/ace-test |
Hyunsun Moon | 049b505 | 2021-07-30 12:41:03 -0700 | [diff] [blame] | 228 | Created ../production/ace-test/provider.tf |
| 229 | Created ../production/ace-test/cluster.tf |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 230 | Created ../production/ace-test/gcp_ha_vpn.tf |
Hyunsun Moon | 049b505 | 2021-07-30 12:41:03 -0700 | [diff] [blame] | 231 | Created ../production/ace-test/gcp_fw.tf |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 232 | Created ../production/ace-test/backend.tf |
| 233 | Created ../production/ace-test/cluster_val.tfvars |
Hyunsun Moon | 049b505 | 2021-07-30 12:41:03 -0700 | [diff] [blame] | 234 | Created ../production/ace-test/ansible |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 235 | Created ../production/ace-test/ansible/hosts.ini |
| 236 | Created ../production/ace-test/ansible/extra_vars.yml |
| 237 | |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 238 | |
Hyunsun Moon | 2b2bf9a | 2021-08-01 05:29:48 -0700 | [diff] [blame] | 239 | Submit your change |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 240 | ------------------ |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 241 | |
| 242 | .. code-block:: shell |
| 243 | |
| 244 | $ cd $WORKDIR/aether-pod-configs/production |
| 245 | $ git status |
| 246 | On branch tools |
| 247 | Changes not staged for commit: |
| 248 | |
| 249 | modified: cluster_map.tfvars |
| 250 | modified: user_map.tfvars |
| 251 | modified: vpn_map.tfvars |
| 252 | |
| 253 | Untracked files: |
| 254 | (use "git add <file>..." to include in what will be committed) |
| 255 | |
| 256 | ace-test/ |
| 257 | |
| 258 | $ git add . |
| 259 | $ git commit -m "Add test ACE" |
| 260 | $ git review |
| 261 | |
Hyunsun Moon | bbad67d | 2021-08-12 00:47:27 -0700 | [diff] [blame^] | 262 | Wait for a while until the post-merge job finishes after the change is merged. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 263 | |
| 264 | Verify VPN connection |
| 265 | --------------------- |
| 266 | |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 267 | You can verify the VPN connections by checking |
Hyunsun Moon | bbad67d | 2021-08-12 00:47:27 -0700 | [diff] [blame^] | 268 | the routing table from the management server and trying to ping to one of the |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 269 | central cluster VMs. |
| 270 | |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 271 | Be sure there are two tunnel interfaces, `gcp_tunnel1` and `gcp_tunnel2`, |
Hyunsun Moon | bbad67d | 2021-08-12 00:47:27 -0700 | [diff] [blame^] | 272 | and three additional routing entries via one of the tunnel interfaces. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 273 | |
| 274 | .. code-block:: shell |
| 275 | |
| 276 | # Verify routings |
| 277 | $ netstat -rn |
| 278 | Kernel IP routing table |
| 279 | Destination Gateway Genmask Flags MSS Window irtt Iface |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 280 | 0.0.0.0 66.201.42.209 0.0.0.0 UG 0 0 0 eno1 |
| 281 | 10.32.4.0 0.0.0.0 255.255.255.128 U 0 0 0 eno2 |
| 282 | 10.32.4.128 0.0.0.0 255.255.255.128 U 0 0 0 mgmt800 |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 283 | 10.45.128.0 169.254.0.9 255.255.128.0 UG 0 0 0 gcp_tunnel1 |
| 284 | 10.52.128.0 169.254.0.9 255.255.128.0 UG 0 0 0 gcp_tunnel1 |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 285 | 10.33.128.0 10.32.4.138 255.255.128.0 UG 0 0 0 mgmt800 |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 286 | 10.168.0.0 169.254.0.9 255.255.240.0 UG 0 0 0 gcp_tunnel1 |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 287 | 66.201.42.208 0.0.0.0 255.255.252.0 U 0 0 0 eno1 |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 288 | 169.254.0.8 0.0.0.0 255.255.255.252 U 0 0 0 gcp_tunnel1 |
| 289 | 169.254.1.8 0.0.0.0 255.255.255.252 U 0 0 0 gcp_tunnel2 |
| 290 | |
| 291 | # Verify ACC VM access |
| 292 | $ ping 10.168.0.6 |
| 293 | |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 294 | # Verify ACC K8S Service access |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 295 | $ nslookup kube-dns.kube-system.svc.prd.acc.gcp.aetherproject.net 10.52.128.10 |
| 296 | |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 297 | You can also login to GCP console and check if the edge subnets exist in |
| 298 | **VPC Network > Routes > Dynamic**. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 299 | |
| 300 | |
| 301 | Post VPN setup |
| 302 | -------------- |
| 303 | |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 304 | Once you verify the VPN connections, update ``ansible`` directory name to |
| 305 | ``_ansible`` to prevent the ansible playbook from being rerun. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 306 | |
| 307 | .. code-block:: shell |
| 308 | |
| 309 | $ cd $WORKDIR/aether-pod-configs/production/$ACE_NAME |
| 310 | $ mv ansible _ansible |
| 311 | $ git add . |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 312 | $ git commit -m "Ansible done for test ACE" |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 313 | $ git review |
| 314 | |
| 315 | .. _add_ace_to_vpn: |
| 316 | |
| 317 | Add another ACE to an existing VPN connection |
| 318 | """"""""""""""""""""""""""""""""""""""""""""" |
| 319 | |
| 320 | VPN connections can be shared when there are multiple ACE clusters in a site. |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 321 | In order to add another cluster to an existing VPN connection, you'll have to SSH into the |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 322 | management node and manually update BIRD configuration. |
| 323 | |
| 324 | .. note:: |
| 325 | |
| 326 | This step needs improvements in the future. |
| 327 | |
| 328 | .. code-block:: shell |
| 329 | |
| 330 | $ sudo vi /etc/bird/bird.conf |
| 331 | protocol static { |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 332 | # Routings for the existing cluster |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 333 | ... |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 334 | route 10.33.128.0/17 via 10.32.4.138; |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 335 | |
| 336 | # Add routings for the new ACE's K8S cluster IP range via cluster nodes |
| 337 | # TODO: Configure iBGP peering with Calico nodes and dynamically learn these routings |
| 338 | route <NEW-ACE-CLUSTER-IP> via <SERVER1> |
| 339 | route <NEW-ACE-CLUSTER-IP> via <SERVER2> |
| 340 | route <NEW-ACE-CLUSTER-IP> via <SERVER3> |
| 341 | } |
| 342 | |
| 343 | filter gcp_tunnel_out { |
| 344 | # Add the new ACE's K8S cluster IP range and the management subnet if required to the list |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 345 | if (net ~ [ 10.32.4.0/24, 10.33.128.0/17, <NEW-ACE-CLUSTER-MGMT-SUBNET>, <NEW-ACE-CLUSTER-IP-RANGE> ]) then accept; |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 346 | else reject; |
| 347 | } |
| 348 | # Save and exit |
| 349 | |
| 350 | $ sudo birdc configure |
| 351 | |
| 352 | # Confirm the static routes are added |
| 353 | $ sudo birdc show route |
| 354 | |