blob: 11aa824ac29fb74592e011cfe09b5a5e96fc9764 [file] [log] [blame]
Zack Williams794532a2021-03-18 17:38:36 -07001..
2 SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
3 SPDX-License-Identifier: Apache-2.0
4
5VPN Bootstrap
6=============
7
Hyunsun Moona703edf2021-07-29 15:55:15 -07008This section guides you through setting up a VPN connection between Aether Central in GCP and ACE.
Hyunsun Moon049b5052021-07-30 12:41:03 -07009We will be using GitOps based Aether CI/CD system for this and what you need to do is
10create a patch to Aether GitOps repository, **aether-pod-configs**, with the edge specific information.
Hyunsun Moona703edf2021-07-29 15:55:15 -070011Note that some of the steps described here are not directly related to setting up a VPN,
Zack Williams794532a2021-03-18 17:38:36 -070012but rather are a prerequisite for adding a new ACE.
13
Hyunsun Moon049b5052021-07-30 12:41:03 -070014.. _add_deployment_jobs:
15
Hyunsun Moona703edf2021-07-29 15:55:15 -070016Add deployment jobs
17-------------------
Hyunsun Moonfabe9742021-08-01 06:41:44 -070018First, you need to add Jenkins jobs to Aether CI/CD system that build and apply infrastructure change
Hyunsun Moon049b5052021-07-30 12:41:03 -070019plans for the new edge. This can be done by creating a patch to **aether-ci-management** repository.
Zack Williams794532a2021-03-18 17:38:36 -070020
Hyunsun Moona703edf2021-07-29 15:55:15 -070021Download **aether-ci-management** repository.
Zack Williams794532a2021-03-18 17:38:36 -070022
Hyunsun Moona703edf2021-07-29 15:55:15 -070023.. code-block:: shell
24
25 $ cd $WORKDIR
26 $ git clone "ssh://[username]@gerrit.opencord.org:29418/aether-ci-management"
27
28Add the jobs for the new cluster at the end of the `cd-pipeline-terraform-ace` project job list.
29Make sure to add both pre-merge and post-merge jobs.
30Note that the cluster name specified here will be used in the rest of the deployment procedure.
31
32.. code-block:: diff
33
34 $ cd $WORKDIR/aether-ci-management
35 $ vi jjb/repos/cd-pipeline-terraform.yaml
36
37 # Add jobs for the new cluster
38 diff jjb/repos/cd-pipeline-terraform.yamll
39 --- a/jjb/repos/cd-pipeline-terraform.yaml
40 +++ b/jjb/repos/cd-pipeline-terraform.yaml
41 @@ -227,3 +227,9 @@
42 - 'cd-pipeline-terraform-postmerge-cluster':
43 pod: 'production'
44 cluster: 'ace-eks'
45 + - 'cd-pipeline-terraform-premerge-cluster':
46 + pod: 'production'
47 + cluster: 'ace-test'
48 + - 'cd-pipeline-terraform-postmerge-cluster':
49 + pod: 'production'
50 + cluster: 'ace-test'
51
Hyunsun Moon2b2bf9a2021-08-01 05:29:48 -070052Submit your change and wait for the jobs you just added available in Aether Jenkins.
Hyunsun Moona703edf2021-07-29 15:55:15 -070053
54.. code-block:: shell
55
56 $ git status
57 Changes not staged for commit:
58
59 modified: jjb/repos/cd-pipeline-terraform.yaml
60
61 $ git add .
62 $ git commit -m "Add test ACE deployment job"
63 $ git review
64
65Gather VPN information
66----------------------
Zack Williams794532a2021-03-18 17:38:36 -070067
68* Make sure firewall in front of ACE allows UDP port 500, UDP port 4500, and
69 ESP packets from **gcpvpn1.infra.aetherproject.net(35.242.47.15)** and
70 **gcpvpn2.infra.aetherproject.net(34.104.68.78)**
71
72* Make sure that the external IP on ACE side is owned by or routed to the
73 management node
74
75To help your understanding, the following sample ACE environment will be used
76in the rest of this section. Make sure to replace the sample values when you
77actually create a review request.
78
79+-----------------------------+----------------------------------+
Hyunsun Moona703edf2021-07-29 15:55:15 -070080| Management node external IP | 66.201.42.222 |
Zack Williams794532a2021-03-18 17:38:36 -070081+-----------------------------+----------------------------------+
82| ASN | 65003 |
83+-----------------------------+----------------------------------+
84| GCP BGP IP address | Tunnel 1: 169.254.0.9/30 |
85| +----------------------------------+
86| | Tunnel 2: 169.254.1.9/30 |
87+-----------------------------+----------------------------------+
88| ACE BGP IP address | Tunnel 1: 169.254.0.10/30 |
89| +----------------------------------+
90| | Tunnel 2: 169.254.1.10/30 |
91+-----------------------------+----------------------------------+
92| PSK | UMAoZA7blv6gd3IaArDqgK2s0sDB8mlI |
93+-----------------------------+----------------------------------+
Hyunsun Moona703edf2021-07-29 15:55:15 -070094| Management Subnet | 10.32.4.0/24 |
Zack Williams794532a2021-03-18 17:38:36 -070095+-----------------------------+----------------------------------+
Hyunsun Moona703edf2021-07-29 15:55:15 -070096| K8S Subnet | Pod IP: 10.33.0.0/17 |
Zack Williams794532a2021-03-18 17:38:36 -070097| +----------------------------------+
Hyunsun Moona703edf2021-07-29 15:55:15 -070098| | Cluster IP: 10.33.128.0/17 |
Zack Williams794532a2021-03-18 17:38:36 -070099+-----------------------------+----------------------------------+
100
Hyunsun Moona703edf2021-07-29 15:55:15 -0700101.. note::
102 Use `this site <https://cloud.google.com/network-connectivity/docs/vpn/how-to/generating-pre-shared-key/>`_ to generate a new strong pre-shared key.
Zack Williams794532a2021-03-18 17:38:36 -0700103
Hyunsun Moona703edf2021-07-29 15:55:15 -0700104.. attention::
Zack Williams794532a2021-03-18 17:38:36 -0700105
Hyunsun Moona703edf2021-07-29 15:55:15 -0700106 If you are adding another ACE to an existing VPN connection, go to
107 :ref:`Add ACE to an existing VPN connection <add_ace_to_vpn>`
Zack Williams794532a2021-03-18 17:38:36 -0700108
Andy Bavier802cce52021-07-29 12:15:15 -0700109Get access to encrypted files in aether-pod-configs repository
110--------------------------------------------------------------
111
Andy Bavier718fd902021-07-30 10:10:55 -0700112`git-crypt <https://github.com/AGWA/git-crypt>`_ is used to securely store encrypted files
113in the aether-pod-configs repository. Before proceeding, (1) install git-crypt and `gpg <https://gnupg.org/>`_,
Andy Bavier6fc0ff12021-08-02 09:29:25 -0700114(2) create a GPG keypair, and (3) ask a member of the Aether OPs team to add your public key
Andy Bavier802cce52021-07-29 12:15:15 -0700115to the aether-pod-configs keyring. To create the keypair follow these steps:
116
117.. code-block:: shell
118
119 $ gpg --full-generate-key
120 $ gpg --output <key-name>.gpg --armor --export <your-email-address>
121
Zack Williams794532a2021-03-18 17:38:36 -0700122.. _update_global_resource:
123
124Update global resource maps
125---------------------------
126
Hyunsun Moona703edf2021-07-29 15:55:15 -0700127Download aether-pod-configs repository.
128
129.. code-block:: shell
130
131 $ cd $WORKDIR
132 $ git clone "ssh://[username]@gerrit.opencord.org:29418/aether-pod-configs"
Andy Bavier802cce52021-07-29 12:15:15 -0700133 $ git-crypt unlock
Hyunsun Moona703edf2021-07-29 15:55:15 -0700134
Hyunsun Moonfabe9742021-08-01 06:41:44 -0700135Add the new cluster information at the end of the following global resource maps.
Zack Williams794532a2021-03-18 17:38:36 -0700136
137* ``user_map.tfvars``
138* ``cluster_map.tfvars``
139* ``vpn_map.tfvars``
140
Zack Williams794532a2021-03-18 17:38:36 -0700141.. code-block:: diff
142
143 $ cd $WORKDIR/aether-pod-configs/production
144 $ vi user_map.tfvars
145
146 # Add the new cluster admin user at the end of the map
147 $ git diff user_map.tfvars
148 --- a/production/user_map.tfvars
149 +++ b/production/user_map.tfvars
150 @@ user_map = {
151 username = "menlo"
152 password = "changeme"
153 global_roles = ["user-base", "catalogs-use"]
154 + },
155 + test_admin = {
156 + username = "test"
157 + password = "changeme"
158 + global_roles = ["user-base", "catalogs-use"]
159 }
160 }
161
162.. code-block:: diff
163
164 $ cd $WORKDIR/aether-pod-configs/production
165 $ vi cluster_map.tfvars
166
167 # Add the new K8S cluster information at the end of the map
168 $ git diff cluster_map.tfvars
169 --- a/production/cluster_map.tfvars
170 +++ b/production/cluster_map.tfvars
171 @@ cluster_map = {
172 kube_dns_cluster_ip = "10.53.128.10"
173 cluster_domain = "prd.menlo.aetherproject.net"
174 calico_ip_detect_method = "can-reach=www.google.com"
175 + },
176 + ace-test = {
177 + cluster_name = "ace-test"
Hyunsun Moona703edf2021-07-29 15:55:15 -0700178 + management_subnets = ["10.32.4.0/24"]
Zack Williams794532a2021-03-18 17:38:36 -0700179 + k8s_version = "v1.18.8-rancher1-1"
Hyunsun Moona703edf2021-07-29 15:55:15 -0700180 + k8s_pod_range = "10.33.0.0/17"
181 + k8s_cluster_ip_range = "10.33.128.0/17"
182 + kube_dns_cluster_ip = "10.33.128.10"
Zack Williams794532a2021-03-18 17:38:36 -0700183 + cluster_domain = "prd.test.aetherproject.net"
184 + calico_ip_detect_method = "can-reach=www.google.com"
185 }
186 }
187 }
188
189.. code-block:: diff
190
191 $ cd $WORKDIR/aether-pod-configs/production
192 $ vi vpn_map.tfvars
193
194 # Add VPN and tunnel information at the end of the map
195 $ git diff vpn_map.tfvars
196 --- a/production/vpn_map.tfvars
197 +++ b/production/vpn_map.tfvars
198 @@ vpn_map = {
199 bgp_peer_ip_address_1 = "169.254.0.6"
200 bgp_peer_ip_range_2 = "169.254.1.5/30"
201 bgp_peer_ip_address_2 = "169.254.1.6"
202 + },
203 + ace-test = {
204 + peer_name = "production-ace-test"
Hyunsun Moona703edf2021-07-29 15:55:15 -0700205 + peer_vpn_gateway_address = "66.201.42.222"
Zack Williams794532a2021-03-18 17:38:36 -0700206 + tunnel_shared_secret = "UMAoZA7blv6gd3IaArDqgK2s0sDB8mlI"
207 + bgp_peer_asn = "65003"
208 + bgp_peer_ip_range_1 = "169.254.0.9/30"
209 + bgp_peer_ip_address_1 = "169.254.0.10"
210 + bgp_peer_ip_range_2 = "169.254.1.9/30"
211 + bgp_peer_ip_address_2 = "169.254.1.10"
212 }
213 }
214
215.. note::
216 Unless you have a specific requirement, set ASN and BGP addresses to the next available values in the map.
217
218
Hyunsun Moonfabe9742021-08-01 06:41:44 -0700219Create Terraform and Ansible configurations
220-------------------------------------------
Zack Williams794532a2021-03-18 17:38:36 -0700221
Hyunsun Moonfabe9742021-08-01 06:41:44 -0700222In this step, we will create a directory under ``production`` with the same name
223as the cluster, and add Terraform configurations and Ansible inventory needed
224to configure a VPN in GCP and ACE accordingly.
Zack Williams794532a2021-03-18 17:38:36 -0700225
226.. code-block:: shell
227
228 $ cd $WORKDIR/aether-pod-configs/tools
Hyunsun Moona703edf2021-07-29 15:55:15 -0700229 $ cp ace_config.yaml.example ace_config.yaml
Wei-Yu Chenf6c06422021-08-11 11:43:10 +0800230
231 # Set all values in ace_config.yaml
Hyunsun Moona703edf2021-07-29 15:55:15 -0700232 $ vi ace_config.yaml
Zack Williams794532a2021-03-18 17:38:36 -0700233
Zack Williams794532a2021-03-18 17:38:36 -0700234 $ make vpn
235 Created ../production/ace-test
Hyunsun Moon049b5052021-07-30 12:41:03 -0700236 Created ../production/ace-test/provider.tf
237 Created ../production/ace-test/cluster.tf
Zack Williams794532a2021-03-18 17:38:36 -0700238 Created ../production/ace-test/gcp_ha_vpn.tf
Hyunsun Moon049b5052021-07-30 12:41:03 -0700239 Created ../production/ace-test/gcp_fw.tf
Zack Williams794532a2021-03-18 17:38:36 -0700240 Created ../production/ace-test/backend.tf
241 Created ../production/ace-test/cluster_val.tfvars
Hyunsun Moon049b5052021-07-30 12:41:03 -0700242 Created ../production/ace-test/ansible
Zack Williams794532a2021-03-18 17:38:36 -0700243 Created ../production/ace-test/ansible/hosts.ini
244 Created ../production/ace-test/ansible/extra_vars.yml
245
Zack Williams794532a2021-03-18 17:38:36 -0700246
Hyunsun Moon2b2bf9a2021-08-01 05:29:48 -0700247Submit your change
Hyunsun Moona703edf2021-07-29 15:55:15 -0700248------------------
Zack Williams794532a2021-03-18 17:38:36 -0700249
250.. code-block:: shell
251
252 $ cd $WORKDIR/aether-pod-configs/production
253 $ git status
254 On branch tools
255 Changes not staged for commit:
256
257 modified: cluster_map.tfvars
258 modified: user_map.tfvars
259 modified: vpn_map.tfvars
260
261 Untracked files:
262 (use "git add <file>..." to include in what will be committed)
263
264 ace-test/
265
266 $ git add .
267 $ git commit -m "Add test ACE"
268 $ git review
269
Hyunsun Moonfabe9742021-08-01 06:41:44 -0700270After the change is merged, wait for a while until the post-merge job finishes.
Zack Williams794532a2021-03-18 17:38:36 -0700271
272Verify VPN connection
273---------------------
274
Hyunsun Moonfabe9742021-08-01 06:41:44 -0700275You can verify the VPN connections by checking
Zack Williams794532a2021-03-18 17:38:36 -0700276the routing table on the management node and trying to ping to one of the
277central cluster VMs.
278
Hyunsun Moonfabe9742021-08-01 06:41:44 -0700279Be sure there are two tunnel interfaces, `gcp_tunnel1` and `gcp_tunnel2`,
280and three routing entries via one of the tunnel interfaces.
Zack Williams794532a2021-03-18 17:38:36 -0700281
282.. code-block:: shell
283
284 # Verify routings
285 $ netstat -rn
286 Kernel IP routing table
287 Destination Gateway Genmask Flags MSS Window irtt Iface
Hyunsun Moona703edf2021-07-29 15:55:15 -0700288 0.0.0.0 66.201.42.209 0.0.0.0 UG 0 0 0 eno1
289 10.32.4.0 0.0.0.0 255.255.255.128 U 0 0 0 eno2
290 10.32.4.128 0.0.0.0 255.255.255.128 U 0 0 0 mgmt800
Zack Williams794532a2021-03-18 17:38:36 -0700291 10.45.128.0 169.254.0.9 255.255.128.0 UG 0 0 0 gcp_tunnel1
292 10.52.128.0 169.254.0.9 255.255.128.0 UG 0 0 0 gcp_tunnel1
Hyunsun Moona703edf2021-07-29 15:55:15 -0700293 10.33.128.0 10.32.4.138 255.255.128.0 UG 0 0 0 mgmt800
Zack Williams794532a2021-03-18 17:38:36 -0700294 10.168.0.0 169.254.0.9 255.255.240.0 UG 0 0 0 gcp_tunnel1
Hyunsun Moona703edf2021-07-29 15:55:15 -0700295 66.201.42.208 0.0.0.0 255.255.252.0 U 0 0 0 eno1
Zack Williams794532a2021-03-18 17:38:36 -0700296 169.254.0.8 0.0.0.0 255.255.255.252 U 0 0 0 gcp_tunnel1
297 169.254.1.8 0.0.0.0 255.255.255.252 U 0 0 0 gcp_tunnel2
298
299 # Verify ACC VM access
300 $ ping 10.168.0.6
301
Hyunsun Moona703edf2021-07-29 15:55:15 -0700302 # Verify ACC K8S Service access
Zack Williams794532a2021-03-18 17:38:36 -0700303 $ nslookup kube-dns.kube-system.svc.prd.acc.gcp.aetherproject.net 10.52.128.10
304
Hyunsun Moonfabe9742021-08-01 06:41:44 -0700305You can also login to GCP console and check if the edge subnets exist in
306**VPC Network > Routes > Dynamic**.
Zack Williams794532a2021-03-18 17:38:36 -0700307
308
309Post VPN setup
310--------------
311
Hyunsun Moonfabe9742021-08-01 06:41:44 -0700312Once you verify the VPN connections, update ``ansible`` directory name to
313``_ansible`` to prevent the ansible playbook from being rerun.
Zack Williams794532a2021-03-18 17:38:36 -0700314
315.. code-block:: shell
316
317 $ cd $WORKDIR/aether-pod-configs/production/$ACE_NAME
318 $ mv ansible _ansible
319 $ git add .
Hyunsun Moona703edf2021-07-29 15:55:15 -0700320 $ git commit -m "Ansible done for test ACE"
Zack Williams794532a2021-03-18 17:38:36 -0700321 $ git review
322
323.. _add_ace_to_vpn:
324
325Add another ACE to an existing VPN connection
326"""""""""""""""""""""""""""""""""""""""""""""
327
328VPN connections can be shared when there are multiple ACE clusters in a site.
Hyunsun Moonfabe9742021-08-01 06:41:44 -0700329In order to add another cluster to an existing VPN connection, you'll have to SSH into the
Zack Williams794532a2021-03-18 17:38:36 -0700330management node and manually update BIRD configuration.
331
332.. note::
333
334 This step needs improvements in the future.
335
336.. code-block:: shell
337
338 $ sudo vi /etc/bird/bird.conf
339 protocol static {
Hyunsun Moona703edf2021-07-29 15:55:15 -0700340 # Routings for the existing cluster
Zack Williams794532a2021-03-18 17:38:36 -0700341 ...
Hyunsun Moona703edf2021-07-29 15:55:15 -0700342 route 10.33.128.0/17 via 10.32.4.138;
Zack Williams794532a2021-03-18 17:38:36 -0700343
344 # Add routings for the new ACE's K8S cluster IP range via cluster nodes
345 # TODO: Configure iBGP peering with Calico nodes and dynamically learn these routings
346 route <NEW-ACE-CLUSTER-IP> via <SERVER1>
347 route <NEW-ACE-CLUSTER-IP> via <SERVER2>
348 route <NEW-ACE-CLUSTER-IP> via <SERVER3>
349 }
350
351 filter gcp_tunnel_out {
352 # Add the new ACE's K8S cluster IP range and the management subnet if required to the list
Hyunsun Moona703edf2021-07-29 15:55:15 -0700353 if (net ~ [ 10.32.4.0/24, 10.33.128.0/17, <NEW-ACE-CLUSTER-MGMT-SUBNET>, <NEW-ACE-CLUSTER-IP-RANGE> ]) then accept;
Zack Williams794532a2021-03-18 17:38:36 -0700354 else reject;
355 }
356 # Save and exit
357
358 $ sudo birdc configure
359
360 # Confirm the static routes are added
361 $ sudo birdc show route
362