From e5ba4e27f1d6417e67a08b6acbeea34f8de9d59d Mon Sep 17 00:00:00 2001
From: "Jason R. Rokeach" <1076569+jrokeach@users.noreply.github.com>
Date: Thu, 2 Nov 2023 22:33:01 -0400
Subject: [PATCH 1/2] Base 3clientgroups example
---
 examples/3clientgroups/bgppeer-global.yml | 10 +
 .../3clientgroups/meshrr-3clientgroups.yaml | 513 ++++++++++++++++++
 .../meshrr-defaultonly-clients.yml | 26 +
 .../meshrr-fulltable-clients.yml | 25 +
 .../meshrr-partialtable-clients copy.yml | 25 +
 5 files changed, 599 insertions(+)
 create mode 100644 examples/3clientgroups/bgppeer-global.yml
 create mode 100644 examples/3clientgroups/meshrr-3clientgroups.yaml
 create mode 100644 examples/3clientgroups/meshrr-defaultonly-clients.yml
 create mode 100644 examples/3clientgroups/meshrr-fulltable-clients.yml
 create mode 100644 examples/3clientgroups/meshrr-partialtable-clients copy.yml
diff --git a/examples/3clientgroups/bgppeer-global.yml b/examples/3clientgroups/bgppeer-global.yml
new file mode 100644
index 0000000..acd6e75
--- /dev/null
+++ b/examples/3clientgroups/bgppeer-global.yml
@@ -0,0 +1,10 @@
+apiVersion: metallb.io/v1beta2
+kind: BGPPeer
+metadata:
+ name: global-lo1
+ namespace: metallb
+spec:
+ myASN: 65001
+ peerASN: 65000
+ peerAddress: 10.0.0.0
+ ebgpMultiHop: True
diff --git a/examples/3clientgroups/meshrr-3clientgroups.yaml b/examples/3clientgroups/meshrr-3clientgroups.yaml
new file mode 100644
index 0000000..78515f2
--- /dev/null
+++ b/examples/3clientgroups/meshrr-3clientgroups.yaml
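Review bot: The BGPPeer `global-lo1` sets up a multihop eBGP session toward 10.0.0.0 with no session authentication; the metallb.io/v1beta2 BGPPeer spec accepts a `password` field, so the example could either show it or carry a comment stating that the upstream router is expected to accept an unauthenticated session. `peerAddress: 10.0.0.0` also reads as a network address rather than a router loopback, and `ebgpMultiHop: True` is the only capitalised boolean in the series (the other files use lowercase `true`/`false`). If the address is a placeholder for the operator's own router, a `# replace with your upstream router's loopback` comment next to it would make that explicit.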
@@ -0,0 +1,513 @@
+---
+apiVersion: v1
+data:
+ config: |
+ system {
+ root-authentication {
+ encrypted-password "{{ encrypted_root_pw }}"; ## SECRET-DATA
+ }
+ login {
+ user meshrr {
+ class super-user;
+ uid 100;
+ authentication {
+ ssh-ed25519 "ssh-ed25519 TBD"; ## SECRET-DATA
+ }
+ }
+ }
+ services {
+ netconf {
+ ssh;
+ }
+ }
+ license {
+ keys {
+ key "{{ LICENSE_KEY }}";
+ }
+ }
+ processes {
+ routing {
+ bgp {
+ rib-sharding;
+ update-threading;
+ }
+ }
+ }
+ }
+ groups {
+ MESHRR {
+ protocols {
+ bgp {
+ group MESHRR-MESH {
+ type internal
+ }
+ group MESHRR-FULLTABLE-CLIENTS {
+ type internal;
+ passive;
+ cluster {{ POD_IP }};
+ }
+ group MESHRR-PARTIALTABLE-CLIENTS {
+ type internal;
+ passive;
+ export PARTIALTABLE-OUT;
+ cluster {{ POD_IP }};
+ }
+ group MESHRR-DEFAULTONLY-CLIENTS {
+ type internal;
+ passive;
+ export DEFAULTONLY-OUT;
+ cluster {{ POD_IP }};
+ }
+ }
+ }
+ }
+ }
+ policy-options {
+ policy-statement DEFAULTONLY-OUT {
+ from {
+ route-filter 0.0.0.0/0 exact;
+ }
+ then accept;
+ }
+ policy-statement PARTIALTABLE-OUT {
+ from {
+ as-path-calc-length 0 orlower;
+ }
+ then accept;
+ }
+ policy-statement UPSTREAM-OUT {
+ term DROP-INREGION-ONLY {
+ from community INREGION-ONLY;
+ then reject;
+ }
+ term INREGION-PREFERRED {
+ from community INREGION-PREFERRED;
+ then {
+ local-preference 20;
+ }
+ }
+ then accept;
+ }
+ community INREGION-ONLY members 65000:101;
+ community INREGION-PREFERRED members 65000:102;
+ }
+ routing-options {
+ autonomous-system {{ asn }};
+ router-id {{ POD_IP }};
+ }
+ protocols {
+ bgp {
+ apply-groups MESHRR;
+ family inet {
+ unicast {
+ nexthop-resolution {
+ no-resolution;
+ }
+ no-install;
+ }
+ }
+ }
+ }
+kind: ConfigMap
+metadata:
+ creationTimestamp: null
+ name: 3clientgroups-config
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: meshrr-3clientgroups-conf
+data:
+ meshrr.conf.yml: |+
+ encrypted_root_pw: NOLOGIN
+ asn: "65000"
+ mode: ipv4rr
+ bgpgroups:
+ - name: MESHRR-MESH
+ type: mesh
+ source:
+ sourcetype: dns
+ hostname: meshrr-3clientgroups
+ - name: MESHRR-FULLTABLE-CLIENTS
+ type: mesh
+ source:
+ sourcetype: dns
+ hostname: meshrr-fulltable-clients
+ - name: MESHRR-PARTIALTABLE-CLIENTS
+ type: mesh
+ source:
+ sourcetype: dns
+ hostname: meshrr-partialtable-clients
+ - name: MESHRR-DEFAULTONLY-CLIENTS
+ type: mesh
+ source:
+ sourcetype: dns
+ hostname: meshrr-defaultonly-clients
+---
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+ name: meshrr-3clientgroups
+ namespace: metallb
+spec:
+ addresses:
+ - 172.19.1.1/32
+ - 172.19.1.2/32
+ autoAssign: false
+---
+apiVersion: metallb.io/v1beta1
+kind: BGPAdvertisement
+metadata:
+ name: meshrr-3clientgroups
+ namespace: metallb
+spec:
+ ipAddressPools:
+ - meshrr-3clientgroups
+---
+apiVersion: v1
+kind: Service
+metadata:
+ creationTimestamp: null
+ name: meshrr-3clientgroups-a
+ annotations:
+ metallb.universe.tf/address-pool: meshrr-3clientgroups
+spec:
+ ports:
+ - name: bgp
+ port: 179
+ protocol: TCP
+ targetPort: bgp
+ selector:
+ app: meshrr
+ redundancy_group: a
+ sessionAffinity: None
+ type: LoadBalancer
+ loadBalancerIP: 172.19.1.1
+ externalTrafficPolicy: Local
+status:
+ loadBalancer: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ creationTimestamp: null
+ name: meshrr-3clientgroups-b
+ annotations:
+ metallb.universe.tf/address-pool: meshrr-3clientgroups
+spec:
+ ports:
+ - name: bgp
+ port: 179
+ protocol: TCP
+ targetPort: bgp
+ selector:
+ app: meshrr
+ redundancy_group: b
+ sessionAffinity: None
+ type: LoadBalancer
+ loadBalancerIP: 172.19.1.2
+ externalTrafficPolicy: Local
+status:
+ loadBalancer: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ creationTimestamp: null
+ name: meshrr-3clientgroups
+spec:
+ clusterIP: None
+ ports:
+ - name: bgp
+ port: 179
+ protocol: TCP
+ targetPort: bgp
+ selector:
+ app: meshrr
+ sessionAffinity: None
+ type: ClusterIP
+status:
+ loadBalancer: {}
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: meshrr-3clientgroups-a
+ labels:
+ app: meshrr
+ redundancy_group: a
+spec:
+ selector:
+ matchLabels:
+ app: meshrr
+ minReadySeconds: 5
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+ template:
+ metadata:
+ labels:
+ app: meshrr
+ redundancy_group: a
+ spec:
+ dnsPolicy: ClusterFirst
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - name: config
+ emptyDir: {}
+ - name: ssh-id
+ emptyDir: {}
+ - name: meshrr-conf
+ configMap:
+ defaultMode: 256
+ items:
+ - key: meshrr.conf.yml
+ mode: 256
+ path: meshrr.conf.yml
+ name: meshrr-3clientgroups-conf
+ optional: false
+ - configMap:
+ defaultMode: 256
+ items:
+ - key: config
+ mode: 256
+ path: juniper.conf.j2
+ name: 3clientgroups-config
+ optional: false
+ name: override-config
+ initContainers:
+ - name: meshrr-init
+ image: ghcr.io/juniper/meshrr:next
+ imagePullPolicy: IfNotPresent
+ args: ["init"]
+ volumeMounts:
+ - name: ssh-id
+ mountPath: /secret/ssh/
+ - name: config
+ mountPath: /config/
+ - name: meshrr-conf
+ mountPath: /opt/meshrr/conf/meshrr.conf.yml
+ readOnly: true
+ subPath: meshrr.conf.yml
+ - mountPath: /opt/meshrr/conf/juniper.conf.j2
+ name: override-config
+ readOnly: true
+ subPath: juniper.conf.j2
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: LICENSE_KEY
+ valueFrom:
+ secretKeyRef:
+ name: crpd-license
+ key: crpd-license
+ containers:
+ - name: crpd
+ image: localhost/juniper/crpd:23.2R1.13
+ imagePullPolicy: Never
+ livenessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 15
+ periodSeconds: 2
+ successThreshold: 1
+ tcpSocket:
+ port: bgp
+ timeoutSeconds: 3
+ readinessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 5
+ periodSeconds: 2
+ successThreshold: 2
+ tcpSocket:
+ port: bgp
+ timeoutSeconds: 3
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ ports:
+ - name: bgp
+ containerPort: 179
+ protocol: TCP
+ volumeMounts:
+ - name: config
+ mountPath: /config/
+ securityContext:
+ allowPrivilegeEscalation: true
+ privileged: true
+ runAsNonRoot: false
+ - name: meshrr
+ image: ghcr.io/juniper/meshrr:next
+ imagePullPolicy: IfNotPresent
+ args: ["sidecar"]
+ startupProbe:
+ exec:
+ command:
+ - cat
+ - /tmp/connected-to-crpd
+ initialDelaySeconds: 5
+ periodSeconds: 3
+ volumeMounts:
+ - name: ssh-id
+ mountPath: /secret/ssh/
+ - name: meshrr-conf
+ mountPath: /opt/meshrr/conf/meshrr.conf.yml
+ readOnly: true
+ subPath: meshrr.conf.yml
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: redundancy_group
+ operator: In
+ values:
+ - a
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: meshrr-3clientgroups-b
+ labels:
+ app: meshrr
+ redundancy_group: b
+spec:
+ selector:
+ matchLabels:
+ app: meshrr
+ minReadySeconds: 5
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+ template:
+ metadata:
+ labels:
+ app: meshrr
+ redundancy_group: b
+ spec:
+ dnsPolicy: ClusterFirst
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - name: config
+ emptyDir: {}
+ - name: ssh-id
+ emptyDir: {}
+ - name: meshrr-conf
+ configMap:
+ defaultMode: 256
+ items:
+ - key: meshrr.conf.yml
+ mode: 256
+ path: meshrr.conf.yml
+ name: meshrr-3clientgroups-conf
+ optional: false
+ - configMap:
+ defaultMode: 256
+ items:
+ - key: config
+ mode: 256
+ path: juniper.conf.j2
+ name: 3clientgroups-config
+ optional: false
+ name: override-config
+ initContainers:
+ - name: meshrr-init
+ image: ghcr.io/juniper/meshrr:next
+ imagePullPolicy: IfNotPresent
+ args: ["init"]
+ volumeMounts:
+ - name: ssh-id
+ mountPath: /secret/ssh/
+ - name: config
+ mountPath: /config/
+ - name: meshrr-conf
+ mountPath: /opt/meshrr/conf/meshrr.conf.yml
+ readOnly: true
+ subPath: meshrr.conf.yml
+ - mountPath: /opt/meshrr/conf/juniper.conf.j2
+ name: override-config
+ readOnly: true
+ subPath: juniper.conf.j2
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: LICENSE_KEY
+ valueFrom:
+ secretKeyRef:
+ name: crpd-license
+ key: crpd-license
+ containers:
+ - name: crpd
+ image: localhost/juniper/crpd:23.2R1.13
+ imagePullPolicy: Never
+ livenessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 15
+ periodSeconds: 2
+ successThreshold: 1
+ tcpSocket:
+ port: bgp
+ timeoutSeconds: 3
+ readinessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 5
+ periodSeconds: 2
+ successThreshold: 2
+ tcpSocket:
+ port: bgp
+ timeoutSeconds: 3
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ ports:
+ - name: bgp
+ containerPort: 179
+ protocol: TCP
+ volumeMounts:
+ - name: config
+ mountPath: /config/
+ securityContext:
+ allowPrivilegeEscalation: true
+ privileged: true
+ runAsNonRoot: false
+ - name: meshrr
+ image: ghcr.io/juniper/meshrr:next
+ imagePullPolicy: IfNotPresent
+ args: ["sidecar"]
+ startupProbe:
+ exec:
+ command:
+ - cat
+ - /tmp/connected-to-crpd
+ initialDelaySeconds: 5
+ periodSeconds: 3
+ volumeMounts:
+ - name: ssh-id
+ mountPath: /secret/ssh/
+ - name: meshrr-conf
+ mountPath: /opt/meshrr/conf/meshrr.conf.yml
+ readOnly: true
+ subPath: meshrr.conf.yml
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: redundancy_group
+ operator: In
+ values:
+ - b
\ No newline at end of file
diff --git a/examples/3clientgroups/meshrr-defaultonly-clients.yml b/examples/3clientgroups/meshrr-defaultonly-clients.yml
new file mode 100644
index 0000000..2fc7715
--- /dev/null
+++ b/examples/3clientgroups/meshrr-defaultonly-clients.yml
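Review bot: `group MESHRR-MESH { type internal }` in the `3clientgroups-config` override template lacks the terminating semicolon after `type internal`, which Junos will reject when the rendered config is loaded; it should read `type internal;` like the three client groups, and the second patch in this series (its `@@ -38,20 +41,24 @@` hunk) carries the same line forward unchanged. Both DaemonSets, `meshrr-3clientgroups-a` and `-b`, use `selector.matchLabels: {app: meshrr}` although their pod templates carry `redundancy_group: a`/`b`, so the two controllers' selectors overlap and each also matches the other's pods; adding `redundancy_group` to each `matchLabels`, mirroring the LoadBalancer Services, removes that ambiguity. `ghcr.io/juniper/meshrr:next` is a floating tag in both the init container and the sidecar, so what an operator deploys from this example changes under them; pinning by a release tag or digest is the usual fix for a published example. The cRPD container runs `privileged: true` with `allowPrivilegeEscalation: true` and `runAsNonRoot: false`; if that is a cRPD requirement, a one-line comment saying so would stop readers from copying the relaxed securityContext to the sidecar, which does without it. The `ssh-ed25519 "ssh-ed25519 TBD"` literal on the `super-user` account `meshrr` is presumably replaced by `meshrr-init` from the `/secret/ssh/` volume, but nothing in the template says so; a comment would help, since a leftover placeholder breaks NETCONF authentication rather than failing safe.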
@@ -0,0 +1,26 @@
+---
+kind: "Service"
+apiVersion: "v1"
+metadata:
+ name: "meshrr-defaultonly-clients"
+spec:
+ clusterIP: None
+ ports:
+ - name: "bgp"
+ protocol: "TCP"
+ port: 179
+ targetPort: 179
+---
+kind: "Endpoints"
+apiVersion: "v1"
+metadata:
+ name: "meshrr-defaultonly-clients"
+subsets:
+ - addresses:
+ - ip: "192.0.2.4"
+ - ip: "192.0.2.5"
+ - ip: "192.0.2.56"
+ ports:
+ -
+ port: 179
+ name: "bgp"
\ No newline at end of file
diff --git a/examples/3clientgroups/meshrr-fulltable-clients.yml b/examples/3clientgroups/meshrr-fulltable-clients.yml
new file mode 100644
index 0000000..fb66040
--- /dev/null
+++ b/examples/3clientgroups/meshrr-fulltable-clients.yml
@@ -0,0 +1,25 @@
+---
+kind: "Service"
+apiVersion: "v1"
+metadata:
+ name: "meshrr-fulltable-clients"
+spec:
+ clusterIP: None
+ ports:
+ - name: "bgp"
+ protocol: "TCP"
+ port: 179
+ targetPort: 179
+---
+kind: "Endpoints"
+apiVersion: "v1"
+metadata:
+ name: "meshrr-fulltable-clients"
+subsets:
+ - addresses:
+ - ip: "1.2.3.4"
+ - ip: "4.5.6.7"
+ ports:
+ -
+ port: 179
+ name: "bgp"
\ No newline at end of file
diff --git a/examples/3clientgroups/meshrr-partialtable-clients copy.yml b/examples/3clientgroups/meshrr-partialtable-clients copy.yml
new file mode 100644
index 0000000..18dfce6
--- /dev/null
+++ b/examples/3clientgroups/meshrr-partialtable-clients copy.yml
@@ -0,0 +1,25 @@
+---
+kind: "Service"
+apiVersion: "v1"
+metadata:
+ name: "meshrr-partialtable-clients"
+spec:
+ clusterIP: None
+ ports:
+ - name: "bgp"
+ protocol: "TCP"
+ port: 179
+ targetPort: 179
+---
+kind: "Endpoints"
+apiVersion: "v1"
+metadata:
+ name: "meshrr-partialtable-clients"
+subsets:
+ - addresses:
+ - ip: "2.3.4.5"
+ - ip: "6.7.8.9"
+ ports:
+ -
+ port: 179
+ name: "bgp"
\ No newline at end of file
From ed6d5cb1e5f24be533a9889645c81b146f9a9e2d Mon Sep 17 00:00:00 2001
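Review bot: The `meshrr-fulltable-clients` Endpoints list uses `1.2.3.4` and `4.5.6.7`, and `meshrr-partialtable-clients copy.yml` uses `2.3.4.5` and `6.7.8.9`; these are routable public addresses, so anyone who applies the example as-is ends up with BGP neighbors pointing at hosts they do not own (the Junos client groups are `passive`, but the neighbors still land in the running config and in DNS). `meshrr-defaultonly-clients` already uses the RFC 5737 documentation range (`192.0.2.x`), and the other two should follow it, e.g. `- ip: "198.51.100.4"` / `- ip: "198.51.100.5"` for fulltable and addresses from `203.0.113.0/24` for partialtable. A one-line comment above each `subsets:` block saying the addresses are placeholders for the operator's client routers would make the intent clear in all three files.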
From: "Jason R. Rokeach" <1076569+jrokeach@users.noreply.github.com>
Date: Tue, 7 Nov 2023 10:32:23 -0500
Subject: [PATCH 2/2] Junos config cleanup
---
 .../3clientgroups/meshrr-3clientgroups.yaml | 32 +++++++++----------
 ...py.yml => meshrr-partialtable-clients.yml} | 0
 2 files changed, 16 insertions(+), 16 deletions(-)
 rename examples/3clientgroups/{meshrr-partialtable-clients copy.yml => meshrr-partialtable-clients.yml} (100%)
diff --git a/examples/3clientgroups/meshrr-3clientgroups.yaml b/examples/3clientgroups/meshrr-3clientgroups.yaml
index 78515f2..d9e5cbb 100644
--- a/examples/3clientgroups/meshrr-3clientgroups.yaml
+++ b/examples/3clientgroups/meshrr-3clientgroups.yaml
@@ -3,10 +3,12 @@ apiVersion: v1
 data:
 config: |
 system {
+ /* Required, though use of a variable is optional */
 root-authentication {
 encrypted-password "{{ encrypted_root_pw }}"; ## SECRET-DATA
 }
 login {
+ /* Required for meshrr authentication */
 user meshrr {
 class super-user;
 uid 100;
@@ -20,6 +22,7 @@ data:
 ssh;
 }
 }
+ /* Required for licensing unless using an alternative approach. */
 license {
 keys {
 key "{{ LICENSE_KEY }}";
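Review bot: The new `/* Required for meshrr authentication */` comment sits above a `user meshrr` stanza whose only credential is the literal `ssh-ed25519 "ssh-ed25519 TBD"` (just below this hunk's last context line), and it does not say who supplies the real key; presumably `meshrr-init` provides it from the `/secret/ssh/` volume, but the template gives no hint. A fuller comment such as `/* Required for meshrr authentication; the ssh-ed25519 key below is a placeholder that must be supplied before use */` would stop readers from committing the placeholder. In the same spirit, `/* Required, though use of a variable is optional */` could mention that the conf's `encrypted_root_pw: NOLOGIN` is not a password hash, which appears to be how the example avoids a usable root password; that is the reason a variable is acceptable here.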
@@ -38,20 +41,24 @@ data:
 MESHRR {
 protocols {
 bgp {
+ /* Mesh {% if bgpgroups_mesh['MESHRR-MESH'].max_peers is defined %}max_peers:{{ bgpgroups_mesh['MESHRR-MESH'].max_peers }} {% endif %}group from {{ bgpgroups_mesh['MESHRR-MESH'].source.sourcetype }}:{{ bgpgroups_mesh['MESHRR-MESH'].source.hostname }} */
 group MESHRR-MESH {
 type internal
 }
+ /* Mesh {% if bgpgroups_mesh['MESHRR-FULLTABLE-CLIENTS'].max_peers is defined %}max_peers:{{ bgpgroups_mesh['MESHRR-FULLTABLE-CLIENTS'].max_peers }} {% endif %}group from {{ bgpgroups_mesh['MESHRR-FULLTABLE-CLIENTS'].source.sourcetype }}:{{ bgpgroups_mesh['MESHRR-FULLTABLE-CLIENTS'].source.hostname }} */
 group MESHRR-FULLTABLE-CLIENTS {
 type internal;
 passive;
 cluster {{ POD_IP }};
 }
+ /* Mesh {% if bgpgroups_mesh['MESHRR-PARTIALTABLE-CLIENTS'].max_peers is defined %}max_peers:{{ bgpgroups_mesh['MESHRR-PARTIALTABLE-CLIENTS'].max_peers }} {% endif %}group from {{ bgpgroups_mesh['MESHRR-PARTIALTABLE-CLIENTS'].source.sourcetype }}:{{ bgpgroups_mesh['MESHRR-PARTIALTABLE-CLIENTS'].source.hostname }} */
 group MESHRR-PARTIALTABLE-CLIENTS {
 type internal;
 passive;
 export PARTIALTABLE-OUT;
 cluster {{ POD_IP }};
 }
+ /* Mesh {% if bgpgroups_mesh['MESHRR-DEFAULTONLY-CLIENTS'].max_peers is defined %}max_peers:{{ bgpgroups_mesh['MESHRR-DEFAULTONLY-CLIENTS'].max_peers }} {% endif %}group from {{ bgpgroups_mesh['MESHRR-DEFAULTONLY-CLIENTS'].source.sourcetype }}:{{ bgpgroups_mesh['MESHRR-DEFAULTONLY-CLIENTS'].source.hostname }} */
 group MESHRR-DEFAULTONLY-CLIENTS {
 type internal;
 passive;
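Review bot: The four added `/* Mesh ... */` comments index `bgpgroups_mesh['MESHRR-MESH']` and the three client names with hard-coded keys and then dereference `.source.sourcetype` and `.source.hostname` unconditionally, while only `max_peers` is guarded with `is defined`; with Jinja's default Undefined, a missing group name in the `bgpgroups` list of `meshrr.conf.yml` therefore turns a purely cosmetic comment into a template rendering failure. If that coupling is meant as a consistency check between the template and the conf, a short comment saying so would help; otherwise guard each comment with `{% if 'MESHRR-MESH' in bgpgroups_mesh %}...{% endif %}` (and likewise for the other three) so the override still renders when a group is removed from the conf. Whether `bgpgroups_mesh` is derived by meshrr from `bgpgroups` is not visible in this series, so the variable name itself is worth a comment as well.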
@@ -70,26 +77,19 @@ data:
 then accept;
 }
 policy-statement PARTIALTABLE-OUT {
- from {
- as-path-calc-length 0 orlower;
- }
- then accept;
- }
- policy-statement UPSTREAM-OUT {
- term DROP-INREGION-ONLY {
- from community INREGION-ONLY;
- then reject;
+ term SAME-AS {
+ from {
+ as-path-calc-length 0 orlower;
+ }
+ then accept;
 }
- term INREGION-PREFERRED {
- from community INREGION-PREFERRED;
- then {
- local-preference 20;
+ term DEFAULT {
+ from {
+ route-filter 0.0.0.0/0 exact;
 }
+ then accept;
 }
- then accept;
 }
- community INREGION-ONLY members 65000:101;
- community INREGION-PREFERRED members 65000:102;
 }
 routing-options {
 autonomous-system {{ asn }};
diff --git a/examples/3clientgroups/meshrr-partialtable-clients copy.yml b/examples/3clientgroups/meshrr-partialtable-clients.yml
similarity index 100%
rename from examples/3clientgroups/meshrr-partialtable-clients copy.yml
rename to examples/3clientgroups/meshrr-partialtable-clients.yml
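Review bot: The rewritten `PARTIALTABLE-OUT` has terms `SAME-AS` and `DEFAULT` that each `then accept`, but no action for routes matching neither; in Junos a route that falls off the end of an export policy goes to the protocol's default export policy, which for BGP readvertises all active BGP routes, so as written the "partial table" clients would appear to receive the full table from these cluster route reflectors. Adding a final `then reject;` after the `DEFAULT` term closes that gap; `DEFAULTONLY-OUT`, whose `then accept; }` tail is the first context line of this hunk and whose body lies above it, has the same shape and needs the same `then reject;`. If falling through to the default policy is actually intended, a comment inside each policy-statement saying so would keep the next reader from "fixing" it.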