Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 1 | .. |
| 2 | SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org> |
| 3 | SPDX-License-Identifier: Apache-2.0 |
| 4 | |
| 5 | VPN Bootstrap |
| 6 | ============= |
| 7 | |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 8 | This section guides you through setting up a VPN connection between Aether Central in GCP and ACE. |
Hyunsun Moon | 049b505 | 2021-07-30 12:41:03 -0700 | [diff] [blame] | 9 | We will be using GitOps based Aether CI/CD system for this and what you need to do is |
| 10 | create a patch to Aether GitOps repository, **aether-pod-configs**, with the edge specific information. |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 11 | Note that some of the steps described here are not directly related to setting up a VPN, |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 12 | but rather are a prerequisite for adding a new ACE. |
| 13 | |
Hyunsun Moon | 049b505 | 2021-07-30 12:41:03 -0700 | [diff] [blame] | 14 | .. _add_deployment_jobs: |
| 15 | |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 16 | Add deployment jobs |
| 17 | ------------------- |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 18 | First, you need to add Jenkins jobs to Aether CI/CD system that build and apply infrastructure change |
Hyunsun Moon | 049b505 | 2021-07-30 12:41:03 -0700 | [diff] [blame] | 19 | plans for the new edge. This can be done by creating a patch to **aether-ci-management** repository. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 20 | |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 21 | Download **aether-ci-management** repository. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 22 | |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 23 | .. code-block:: shell |
| 24 | |
| 25 | $ cd $WORKDIR |
| 26 | $ git clone "ssh://[username]@gerrit.opencord.org:29418/aether-ci-management" |
| 27 | |
| 28 | Add the jobs for the new cluster at the end of the `cd-pipeline-terraform-ace` project job list. |
| 29 | Make sure to add both pre-merge and post-merge jobs. |
| 30 | Note that the cluster name specified here will be used in the rest of the deployment procedure. |
| 31 | |
| 32 | .. code-block:: diff |
| 33 | |
| 34 | $ cd $WORKDIR/aether-ci-management |
| 35 | $ vi jjb/repos/cd-pipeline-terraform.yaml |
| 36 | |
| 37 | # Add jobs for the new cluster |
| 38 | diff jjb/repos/cd-pipeline-terraform.yamll |
| 39 | --- a/jjb/repos/cd-pipeline-terraform.yaml |
| 40 | +++ b/jjb/repos/cd-pipeline-terraform.yaml |
| 41 | @@ -227,3 +227,9 @@ |
| 42 | - 'cd-pipeline-terraform-postmerge-cluster': |
| 43 | pod: 'production' |
| 44 | cluster: 'ace-eks' |
| 45 | + - 'cd-pipeline-terraform-premerge-cluster': |
| 46 | + pod: 'production' |
| 47 | + cluster: 'ace-test' |
| 48 | + - 'cd-pipeline-terraform-postmerge-cluster': |
| 49 | + pod: 'production' |
| 50 | + cluster: 'ace-test' |
| 51 | |
Hyunsun Moon | 2b2bf9a | 2021-08-01 05:29:48 -0700 | [diff] [blame] | 52 | Submit your change and wait for the jobs you just added available in Aether Jenkins. |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 53 | |
| 54 | .. code-block:: shell |
| 55 | |
| 56 | $ git status |
| 57 | Changes not staged for commit: |
| 58 | |
| 59 | modified: jjb/repos/cd-pipeline-terraform.yaml |
| 60 | |
| 61 | $ git add . |
| 62 | $ git commit -m "Add test ACE deployment job" |
| 63 | $ git review |
| 64 | |
| 65 | Gather VPN information |
| 66 | ---------------------- |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 67 | |
| 68 | * Make sure firewall in front of ACE allows UDP port 500, UDP port 4500, and |
| 69 | ESP packets from **gcpvpn1.infra.aetherproject.net(35.242.47.15)** and |
| 70 | **gcpvpn2.infra.aetherproject.net(34.104.68.78)** |
| 71 | |
| 72 | * Make sure that the external IP on ACE side is owned by or routed to the |
| 73 | management node |
| 74 | |
| 75 | To help your understanding, the following sample ACE environment will be used |
| 76 | in the rest of this section. Make sure to replace the sample values when you |
| 77 | actually create a review request. |
| 78 | |
| 79 | +-----------------------------+----------------------------------+ |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 80 | | Management node external IP | 66.201.42.222 | |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 81 | +-----------------------------+----------------------------------+ |
| 82 | | ASN | 65003 | |
| 83 | +-----------------------------+----------------------------------+ |
| 84 | | GCP BGP IP address | Tunnel 1: 169.254.0.9/30 | |
| 85 | | +----------------------------------+ |
| 86 | | | Tunnel 2: 169.254.1.9/30 | |
| 87 | +-----------------------------+----------------------------------+ |
| 88 | | ACE BGP IP address | Tunnel 1: 169.254.0.10/30 | |
| 89 | | +----------------------------------+ |
| 90 | | | Tunnel 2: 169.254.1.10/30 | |
| 91 | +-----------------------------+----------------------------------+ |
| 92 | | PSK | UMAoZA7blv6gd3IaArDqgK2s0sDB8mlI | |
| 93 | +-----------------------------+----------------------------------+ |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 94 | | Management Subnet | 10.32.4.0/24 | |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 95 | +-----------------------------+----------------------------------+ |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 96 | | K8S Subnet | Pod IP: 10.33.0.0/17 | |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 97 | | +----------------------------------+ |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 98 | | | Cluster IP: 10.33.128.0/17 | |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 99 | +-----------------------------+----------------------------------+ |
| 100 | |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 101 | .. note:: |
| 102 | Use `this site <https://cloud.google.com/network-connectivity/docs/vpn/how-to/generating-pre-shared-key/>`_ to generate a new strong pre-shared key. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 103 | |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 104 | .. attention:: |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 105 | |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 106 | If you are adding another ACE to an existing VPN connection, go to |
| 107 | :ref:`Add ACE to an existing VPN connection <add_ace_to_vpn>` |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 108 | |
Andy Bavier | 802cce5 | 2021-07-29 12:15:15 -0700 | [diff] [blame] | 109 | Get access to encrypted files in aether-pod-configs repository |
| 110 | -------------------------------------------------------------- |
| 111 | |
Andy Bavier | 718fd90 | 2021-07-30 10:10:55 -0700 | [diff] [blame] | 112 | `git-crypt <https://github.com/AGWA/git-crypt>`_ is used to securely store encrypted files |
| 113 | in the aether-pod-configs repository. Before proceeding, (1) install git-crypt and `gpg <https://gnupg.org/>`_, |
Andy Bavier | 6fc0ff1 | 2021-08-02 09:29:25 -0700 | [diff] [blame] | 114 | (2) create a GPG keypair, and (3) ask a member of the Aether OPs team to add your public key |
Andy Bavier | 802cce5 | 2021-07-29 12:15:15 -0700 | [diff] [blame] | 115 | to the aether-pod-configs keyring. To create the keypair follow these steps: |
| 116 | |
| 117 | .. code-block:: shell |
| 118 | |
| 119 | $ gpg --full-generate-key |
| 120 | $ gpg --output <key-name>.gpg --armor --export <your-email-address> |
| 121 | |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 122 | .. _update_global_resource: |
| 123 | |
| 124 | Update global resource maps |
| 125 | --------------------------- |
| 126 | |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 127 | Download aether-pod-configs repository. |
| 128 | |
| 129 | .. code-block:: shell |
| 130 | |
| 131 | $ cd $WORKDIR |
| 132 | $ git clone "ssh://[username]@gerrit.opencord.org:29418/aether-pod-configs" |
Andy Bavier | 802cce5 | 2021-07-29 12:15:15 -0700 | [diff] [blame] | 133 | $ git-crypt unlock |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 134 | |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 135 | Add the new cluster information at the end of the following global resource maps. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 136 | |
| 137 | * ``user_map.tfvars`` |
| 138 | * ``cluster_map.tfvars`` |
| 139 | * ``vpn_map.tfvars`` |
| 140 | |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 141 | .. code-block:: diff |
| 142 | |
| 143 | $ cd $WORKDIR/aether-pod-configs/production |
| 144 | $ vi user_map.tfvars |
| 145 | |
| 146 | # Add the new cluster admin user at the end of the map |
| 147 | $ git diff user_map.tfvars |
| 148 | --- a/production/user_map.tfvars |
| 149 | +++ b/production/user_map.tfvars |
| 150 | @@ user_map = { |
| 151 | username = "menlo" |
| 152 | password = "changeme" |
| 153 | global_roles = ["user-base", "catalogs-use"] |
| 154 | + }, |
| 155 | + test_admin = { |
| 156 | + username = "test" |
| 157 | + password = "changeme" |
| 158 | + global_roles = ["user-base", "catalogs-use"] |
| 159 | } |
| 160 | } |
| 161 | |
| 162 | .. code-block:: diff |
| 163 | |
| 164 | $ cd $WORKDIR/aether-pod-configs/production |
| 165 | $ vi cluster_map.tfvars |
| 166 | |
| 167 | # Add the new K8S cluster information at the end of the map |
| 168 | $ git diff cluster_map.tfvars |
| 169 | --- a/production/cluster_map.tfvars |
| 170 | +++ b/production/cluster_map.tfvars |
| 171 | @@ cluster_map = { |
| 172 | kube_dns_cluster_ip = "10.53.128.10" |
| 173 | cluster_domain = "prd.menlo.aetherproject.net" |
| 174 | calico_ip_detect_method = "can-reach=www.google.com" |
| 175 | + }, |
| 176 | + ace-test = { |
| 177 | + cluster_name = "ace-test" |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 178 | + management_subnets = ["10.32.4.0/24"] |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 179 | + k8s_version = "v1.18.8-rancher1-1" |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 180 | + k8s_pod_range = "10.33.0.0/17" |
| 181 | + k8s_cluster_ip_range = "10.33.128.0/17" |
| 182 | + kube_dns_cluster_ip = "10.33.128.10" |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 183 | + cluster_domain = "prd.test.aetherproject.net" |
| 184 | + calico_ip_detect_method = "can-reach=www.google.com" |
| 185 | } |
| 186 | } |
| 187 | } |
| 188 | |
| 189 | .. code-block:: diff |
| 190 | |
| 191 | $ cd $WORKDIR/aether-pod-configs/production |
| 192 | $ vi vpn_map.tfvars |
| 193 | |
| 194 | # Add VPN and tunnel information at the end of the map |
| 195 | $ git diff vpn_map.tfvars |
| 196 | --- a/production/vpn_map.tfvars |
| 197 | +++ b/production/vpn_map.tfvars |
| 198 | @@ vpn_map = { |
| 199 | bgp_peer_ip_address_1 = "169.254.0.6" |
| 200 | bgp_peer_ip_range_2 = "169.254.1.5/30" |
| 201 | bgp_peer_ip_address_2 = "169.254.1.6" |
| 202 | + }, |
| 203 | + ace-test = { |
| 204 | + peer_name = "production-ace-test" |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 205 | + peer_vpn_gateway_address = "66.201.42.222" |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 206 | + tunnel_shared_secret = "UMAoZA7blv6gd3IaArDqgK2s0sDB8mlI" |
| 207 | + bgp_peer_asn = "65003" |
| 208 | + bgp_peer_ip_range_1 = "169.254.0.9/30" |
| 209 | + bgp_peer_ip_address_1 = "169.254.0.10" |
| 210 | + bgp_peer_ip_range_2 = "169.254.1.9/30" |
| 211 | + bgp_peer_ip_address_2 = "169.254.1.10" |
| 212 | } |
| 213 | } |
| 214 | |
| 215 | .. note:: |
| 216 | Unless you have a specific requirement, set ASN and BGP addresses to the next available values in the map. |
| 217 | |
| 218 | |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 219 | Create Terraform and Ansible configurations |
| 220 | ------------------------------------------- |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 221 | |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 222 | In this step, we will create a directory under ``production`` with the same name |
| 223 | as the cluster, and add Terraform configurations and Ansible inventory needed |
| 224 | to configure a VPN in GCP and ACE accordingly. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 225 | |
| 226 | .. code-block:: shell |
| 227 | |
| 228 | $ cd $WORKDIR/aether-pod-configs/tools |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 229 | $ cp ace_config.yaml.example ace_config.yaml |
Wei-Yu Chen | f6c0642 | 2021-08-11 11:43:10 +0800 | [diff] [blame^] | 230 | |
| 231 | # Set all values in ace_config.yaml |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 232 | $ vi ace_config.yaml |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 233 | |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 234 | $ make vpn |
| 235 | Created ../production/ace-test |
Hyunsun Moon | 049b505 | 2021-07-30 12:41:03 -0700 | [diff] [blame] | 236 | Created ../production/ace-test/provider.tf |
| 237 | Created ../production/ace-test/cluster.tf |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 238 | Created ../production/ace-test/gcp_ha_vpn.tf |
Hyunsun Moon | 049b505 | 2021-07-30 12:41:03 -0700 | [diff] [blame] | 239 | Created ../production/ace-test/gcp_fw.tf |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 240 | Created ../production/ace-test/backend.tf |
| 241 | Created ../production/ace-test/cluster_val.tfvars |
Hyunsun Moon | 049b505 | 2021-07-30 12:41:03 -0700 | [diff] [blame] | 242 | Created ../production/ace-test/ansible |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 243 | Created ../production/ace-test/ansible/hosts.ini |
| 244 | Created ../production/ace-test/ansible/extra_vars.yml |
| 245 | |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 246 | |
Hyunsun Moon | 2b2bf9a | 2021-08-01 05:29:48 -0700 | [diff] [blame] | 247 | Submit your change |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 248 | ------------------ |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 249 | |
| 250 | .. code-block:: shell |
| 251 | |
| 252 | $ cd $WORKDIR/aether-pod-configs/production |
| 253 | $ git status |
| 254 | On branch tools |
| 255 | Changes not staged for commit: |
| 256 | |
| 257 | modified: cluster_map.tfvars |
| 258 | modified: user_map.tfvars |
| 259 | modified: vpn_map.tfvars |
| 260 | |
| 261 | Untracked files: |
| 262 | (use "git add <file>..." to include in what will be committed) |
| 263 | |
| 264 | ace-test/ |
| 265 | |
| 266 | $ git add . |
| 267 | $ git commit -m "Add test ACE" |
| 268 | $ git review |
| 269 | |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 270 | After the change is merged, wait for a while until the post-merge job finishes. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 271 | |
| 272 | Verify VPN connection |
| 273 | --------------------- |
| 274 | |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 275 | You can verify the VPN connections by checking |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 276 | the routing table on the management node and trying to ping to one of the |
| 277 | central cluster VMs. |
| 278 | |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 279 | Be sure there are two tunnel interfaces, `gcp_tunnel1` and `gcp_tunnel2`, |
| 280 | and three routing entries via one of the tunnel interfaces. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 281 | |
| 282 | .. code-block:: shell |
| 283 | |
| 284 | # Verify routings |
| 285 | $ netstat -rn |
| 286 | Kernel IP routing table |
| 287 | Destination Gateway Genmask Flags MSS Window irtt Iface |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 288 | 0.0.0.0 66.201.42.209 0.0.0.0 UG 0 0 0 eno1 |
| 289 | 10.32.4.0 0.0.0.0 255.255.255.128 U 0 0 0 eno2 |
| 290 | 10.32.4.128 0.0.0.0 255.255.255.128 U 0 0 0 mgmt800 |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 291 | 10.45.128.0 169.254.0.9 255.255.128.0 UG 0 0 0 gcp_tunnel1 |
| 292 | 10.52.128.0 169.254.0.9 255.255.128.0 UG 0 0 0 gcp_tunnel1 |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 293 | 10.33.128.0 10.32.4.138 255.255.128.0 UG 0 0 0 mgmt800 |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 294 | 10.168.0.0 169.254.0.9 255.255.240.0 UG 0 0 0 gcp_tunnel1 |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 295 | 66.201.42.208 0.0.0.0 255.255.252.0 U 0 0 0 eno1 |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 296 | 169.254.0.8 0.0.0.0 255.255.255.252 U 0 0 0 gcp_tunnel1 |
| 297 | 169.254.1.8 0.0.0.0 255.255.255.252 U 0 0 0 gcp_tunnel2 |
| 298 | |
| 299 | # Verify ACC VM access |
| 300 | $ ping 10.168.0.6 |
| 301 | |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 302 | # Verify ACC K8S Service access |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 303 | $ nslookup kube-dns.kube-system.svc.prd.acc.gcp.aetherproject.net 10.52.128.10 |
| 304 | |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 305 | You can also login to GCP console and check if the edge subnets exist in |
| 306 | **VPC Network > Routes > Dynamic**. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 307 | |
| 308 | |
| 309 | Post VPN setup |
| 310 | -------------- |
| 311 | |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 312 | Once you verify the VPN connections, update ``ansible`` directory name to |
| 313 | ``_ansible`` to prevent the ansible playbook from being rerun. |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 314 | |
| 315 | .. code-block:: shell |
| 316 | |
| 317 | $ cd $WORKDIR/aether-pod-configs/production/$ACE_NAME |
| 318 | $ mv ansible _ansible |
| 319 | $ git add . |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 320 | $ git commit -m "Ansible done for test ACE" |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 321 | $ git review |
| 322 | |
| 323 | .. _add_ace_to_vpn: |
| 324 | |
| 325 | Add another ACE to an existing VPN connection |
| 326 | """"""""""""""""""""""""""""""""""""""""""""" |
| 327 | |
| 328 | VPN connections can be shared when there are multiple ACE clusters in a site. |
Hyunsun Moon | fabe974 | 2021-08-01 06:41:44 -0700 | [diff] [blame] | 329 | In order to add another cluster to an existing VPN connection, you'll have to SSH into the |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 330 | management node and manually update BIRD configuration. |
| 331 | |
| 332 | .. note:: |
| 333 | |
| 334 | This step needs improvements in the future. |
| 335 | |
| 336 | .. code-block:: shell |
| 337 | |
| 338 | $ sudo vi /etc/bird/bird.conf |
| 339 | protocol static { |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 340 | # Routings for the existing cluster |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 341 | ... |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 342 | route 10.33.128.0/17 via 10.32.4.138; |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 343 | |
| 344 | # Add routings for the new ACE's K8S cluster IP range via cluster nodes |
| 345 | # TODO: Configure iBGP peering with Calico nodes and dynamically learn these routings |
| 346 | route <NEW-ACE-CLUSTER-IP> via <SERVER1> |
| 347 | route <NEW-ACE-CLUSTER-IP> via <SERVER2> |
| 348 | route <NEW-ACE-CLUSTER-IP> via <SERVER3> |
| 349 | } |
| 350 | |
| 351 | filter gcp_tunnel_out { |
| 352 | # Add the new ACE's K8S cluster IP range and the management subnet if required to the list |
Hyunsun Moon | a703edf | 2021-07-29 15:55:15 -0700 | [diff] [blame] | 353 | if (net ~ [ 10.32.4.0/24, 10.33.128.0/17, <NEW-ACE-CLUSTER-MGMT-SUBNET>, <NEW-ACE-CLUSTER-IP-RANGE> ]) then accept; |
Zack Williams | 794532a | 2021-03-18 17:38:36 -0700 | [diff] [blame] | 354 | else reject; |
| 355 | } |
| 356 | # Save and exit |
| 357 | |
| 358 | $ sudo birdc configure |
| 359 | |
| 360 | # Confirm the static routes are added |
| 361 | $ sudo birdc show route |
| 362 | |