5G NF Infra example: sctp seclist
Signed-off-by: junior <[email protected]>
junior committed Dec 12, 2022
1 parent a11c886 commit 3a4f80e
Showing 2 changed files with 137 additions and 97 deletions.
215 changes: 126 additions & 89 deletions examples/5G-NF-Infra/networking.tf
Expand Up @@ -19,86 +19,122 @@ locals {

# Extra Security Lists for the 5G NF
locals {
extra_security_lists = [
{
security_list_name = "5gc_oam_security_list"
display_name = "5GC OAM Security List"
ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
},
{
security_list_name = "5gc_signalling_security_list"
display_name = "5GC Signalling (SBI) Security List"
ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
},
{
security_list_name = "5g_ran_security_list"
display_name = "5G RAN Security List"
ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
},
{
security_list_name = "legal_intercept_security_list"
display_name = "Legal Intercept Security List"
ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
},
{
security_list_name = "5g_epc_security_list"
display_name = "5G EPC Security List"
ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
extra_security_lists = [{
security_list_name = "5gc_oam_security_list"
display_name = "5GC OAM Security List"
ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
}, {
security_list_name = "5gc_signalling_security_list"
display_name = "5GC Signalling (SBI) Security List"
ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
}, {
security_list_name = "5g_ran_security_list"
display_name = "5G RAN Security List"
ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
}, {
security_list_name = "legal_intercept_security_list"
display_name = "Legal Intercept Security List"
ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
}, {
security_list_name = "5g_epc_security_list"
display_name = "5G EPC Security List"
ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
}, {
security_list_name = "5g_for_pods_security_list"
display_name = "5G subnets x pods Security List"
ingress_security_rules = [{
description = "Allow 5GC OAM to pod communication"
source = lookup(local.network_cidrs, "SUBNET-5GC-OAM-CIDR")
source_type = "CIDR_BLOCK"
protocol = local.security_list_ports.all_protocols
stateless = false
tcp_options = { max = -1, min = -1, source_port_range = null }
udp_options = { max = -1, min = -1, source_port_range = null }
icmp_options = null
}, {
description = "Allow 5GC Signalling (SBI) to pod communication"
source = lookup(local.network_cidrs, "SUBNET-5GC-SIGNALLING-CIDR")
source_type = "CIDR_BLOCK"
protocol = local.security_list_ports.all_protocols
stateless = false
tcp_options = { max = -1, min = -1, source_port_range = null }
udp_options = { max = -1, min = -1, source_port_range = null }
icmp_options = null
}, {
security_list_name = "5g_for_pods_security_list"
display_name = "5G subnets x pods Security List"
ingress_security_rules = [{
description = "Allow 5GC OAM to pod communication"
source = lookup(local.network_cidrs, "SUBNET-5GC-OAM-CIDR")
source_type = "CIDR_BLOCK"
protocol = local.security_list_ports.all_protocols
stateless = false
tcp_options = { max = -1, min = -1, source_port_range = null }
udp_options = { max = -1, min = -1, source_port_range = null }
icmp_options = null
}, {
description = "Allow 5GC Signalling (SBI) to pod communication"
source = lookup(local.network_cidrs, "SUBNET-5GC-SIGNALLING-CIDR")
source_type = "CIDR_BLOCK"
protocol = local.security_list_ports.all_protocols
stateless = false
tcp_options = { max = -1, min = -1, source_port_range = null }
udp_options = { max = -1, min = -1, source_port_range = null }
icmp_options = null
}, {
description = "Allow 5G RAN to pod communication"
source = lookup(local.network_cidrs, "SUBNET-5G-RAN-CIDR")
source_type = "CIDR_BLOCK"
protocol = local.security_list_ports.all_protocols
stateless = false
tcp_options = { max = -1, min = -1, source_port_range = null }
udp_options = { max = -1, min = -1, source_port_range = null }
icmp_options = null
}, {
description = "Allow 5G Legal Intercept to pod communication"
source = lookup(local.network_cidrs, "SUBNET-LEGAL-INTERCEPT-CIDR")
source_type = "CIDR_BLOCK"
protocol = local.security_list_ports.all_protocols
stateless = false
tcp_options = { max = -1, min = -1, source_port_range = null }
udp_options = { max = -1, min = -1, source_port_range = null }
icmp_options = null
}, {
description = "Allow 5G EPC to pod communication"
source = lookup(local.network_cidrs, "SUBNET-5G-EPC-CIDR")
source_type = "CIDR_BLOCK"
protocol = local.security_list_ports.all_protocols
stateless = false
tcp_options = { max = -1, min = -1, source_port_range = null }
udp_options = { max = -1, min = -1, source_port_range = null }
icmp_options = null
}]
egress_security_rules = []
description = "Allow 5G RAN to pod communication"
source = lookup(local.network_cidrs, "SUBNET-5G-RAN-CIDR")
source_type = "CIDR_BLOCK"
protocol = local.security_list_ports.all_protocols
stateless = false
tcp_options = { max = -1, min = -1, source_port_range = null }
udp_options = { max = -1, min = -1, source_port_range = null }
icmp_options = null
}, {
description = "Allow 5G Legal Intercept to pod communication"
source = lookup(local.network_cidrs, "SUBNET-LEGAL-INTERCEPT-CIDR")
source_type = "CIDR_BLOCK"
protocol = local.security_list_ports.all_protocols
stateless = false
tcp_options = { max = -1, min = -1, source_port_range = null }
udp_options = { max = -1, min = -1, source_port_range = null }
icmp_options = null
}, {
description = "Allow 5G EPC to pod communication"
source = lookup(local.network_cidrs, "SUBNET-5G-EPC-CIDR")
source_type = "CIDR_BLOCK"
protocol = local.security_list_ports.all_protocols
stateless = false
tcp_options = { max = -1, min = -1, source_port_range = null }
udp_options = { max = -1, min = -1, source_port_range = null }
icmp_options = null
}, {
description = "Stream Control Transmission Protocol (SCTP) Ingress"
source = lookup(local.network_cidrs, "ALL-CIDR")
source_type = "CIDR_BLOCK"
protocol = local.security_list_ports.sctp_protocol_number
stateless = false
tcp_options = { max = -1, min = -1, source_port_range = null }
udp_options = { max = -1, min = -1, source_port_range = null }
icmp_options = null
}, ]
egress_security_rules = [{
description = "Stream Control Transmission Protocol (SCTP) Egress"
destination = lookup(local.network_cidrs, "ALL-CIDR")
destination_type = "CIDR_BLOCK"
protocol = local.security_list_ports.sctp_protocol_number
stateless = false
tcp_options = { max = -1, min = -1, source_port_range = null }
udp_options = { max = -1, min = -1, source_port_range = null }
icmp_options = null
}, ]
}, {
security_list_name = "5g_sctp_security_list"
display_name = "Enable SCTP Security List"
ingress_security_rules = [{
description = "Stream Control Transmission Protocol (SCTP) Ingress"
source = lookup(local.network_cidrs, "ALL-CIDR")
source_type = "CIDR_BLOCK"
protocol = local.security_list_ports.sctp_protocol_number
stateless = false
tcp_options = { max = -1, min = -1, source_port_range = null }
udp_options = { max = -1, min = -1, source_port_range = null }
icmp_options = null
}]
egress_security_rules = [{
description = "Stream Control Transmission Protocol (SCTP) Egress"
destination = lookup(local.network_cidrs, "ALL-CIDR")
destination_type = "CIDR_BLOCK"
protocol = local.security_list_ports.sctp_protocol_number
stateless = false
tcp_options = { max = -1, min = -1, source_port_range = null }
udp_options = { max = -1, min = -1, source_port_range = null }
icmp_options = null
}]
},
]
common_5g_security_list_ingress_rules = [{
Expand Down Expand Up @@ -169,6 +205,7 @@ locals {
tcp_protocol_number = "6"
udp_protocol_number = "17"
icmp_protocol_number = "1"
sctp_protocol_number = "132"
all_protocols = "all"
}
}
Expand Down Expand Up @@ -255,25 +292,25 @@ data "oci_containerengine_node_pool" "node_pool_1" {
}

# 5G NF VNICs attachments for each node in the node pool
resource "oci_core_vnic_attachment" "vnic_attachment_5gc_oam" {
resource "oci_core_vnic_attachment" "vnic_attachment_5gc_signalling" {
count = var.node_pool_initial_num_worker_nodes_1
create_vnic_details {
display_name = "5GC-OAM vnic"
private_ip = [for hostnum in range(4, 15) : cidrhost(lookup(local.network_cidrs, "SUBNET-5GC-OAM-CIDR"), hostnum)][index(data.oci_containerengine_node_pool.node_pool_1.nodes.*.id, data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id)]
subnet_id = module.oke-quickstart.subnets["5GC_OAM_subnet"].subnet_id
display_name = "5GC-Signalling vnic"
private_ip = [for hostnum in range(4, 15) : cidrhost(lookup(local.network_cidrs, "SUBNET-5GC-SIGNALLING-CIDR"), hostnum)][index(data.oci_containerengine_node_pool.node_pool_1.nodes.*.id, data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id)]
subnet_id = module.oke-quickstart.subnets["5GC_Signalling_subnet"].subnet_id
defined_tags = {}
freeform_tags = { "Network" : "5GC-OAM" }
freeform_tags = { "Network" : "5GC-Signalling" }
}
instance_id = data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id
}
resource "oci_core_vnic_attachment" "vnic_attachment_5gc_signalling" {
resource "oci_core_vnic_attachment" "vnic_attachment_5gc_oam" {
count = var.node_pool_initial_num_worker_nodes_1
create_vnic_details {
display_name = "5GC-Signalling vnic"
private_ip = [for hostnum in range(4, 15) : cidrhost(lookup(local.network_cidrs, "SUBNET-5GC-SIGNALLING-CIDR"), hostnum)][index(data.oci_containerengine_node_pool.node_pool_1.nodes.*.id, data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id)]
subnet_id = module.oke-quickstart.subnets["5GC_Signalling_subnet"].subnet_id
display_name = "5GC-OAM vnic"
private_ip = [for hostnum in range(4, 15) : cidrhost(lookup(local.network_cidrs, "SUBNET-5GC-OAM-CIDR"), hostnum)][index(data.oci_containerengine_node_pool.node_pool_1.nodes.*.id, data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id)]
subnet_id = module.oke-quickstart.subnets["5GC_OAM_subnet"].subnet_id
defined_tags = {}
freeform_tags = { "Network" : "5GC-Signalling" }
freeform_tags = { "Network" : "5GC-OAM" }
}
instance_id = data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id
}
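Review bot: The SCTP ingress rule appended to `5g_for_pods_security_list` and repeated in the new `5g_sctp_security_list` uses `source = lookup(local.network_cidrs, "ALL-CIDR")` (and the matching egress rule uses it as destination), which — if ALL-CIDR resolves to 0.0.0.0/0 as the name suggests — admits protocol 132 from any address into the node and pod subnets that oke.tf attaches these lists to. OCI security lists cannot restrict SCTP by port, so the source CIDR is the only control available; the N2/NGAP (and S1-MME) traffic this appears intended for originates from the RAN and EPC subnets, so `source = lookup(local.network_cidrs, "SUBNET-5G-RAN-CIDR")` plus a parallel rule for `"SUBNET-5G-EPC-CIDR"`, with the egress destination scoped the same way, would preserve the use case without a VCN-wide SCTP opening. The same SCTP pair now lives in two lists; if `5g_sctp_security_list` is meant to be the reusable one, dropping the copy from `5g_for_pods_security_list` avoids the two drifting apart. The `locals` block holding these lists starts before this hunk and `network_cidrs` is not visible here, so the actual value behind ALL-CIDR should be confirmed before relying on this reading.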
19 changes: 11 additions & 8 deletions examples/5G-NF-Infra/oke.tf
Expand Up @@ -26,14 +26,17 @@ module "oke-quickstart" {
extra_subnets = local.extra_subnets

# OKE Node Pool 1 arguments
node_pool_cni_type_1 = "OCI_VCN_IP_NATIVE" # Use "FLANNEL_OVERLAY" for overlay network or "OCI_VCN_IP_NATIVE" for VCN Native PODs Network. If the node pool 1 uses the OCI_VCN_IP_NATIVE, the cluster will also be configured with same cni
cluster_autoscaler_enabled = true
node_pool_name_1 = "pool1"
node_pool_initial_num_worker_nodes_1 = var.node_pool_initial_num_worker_nodes_1 # Minimum number of nodes in the node pool
node_pool_max_num_worker_nodes_1 = var.node_pool_max_num_worker_nodes_1 # Maximum number of nodes in the node pool
node_pool_instance_shape_1 = var.node_pool_instance_shape_1
extra_security_list_name_for_nodes = "5g_for_pods_security_list"
extra_security_list_name_for_vcn_native_pod_networking = "5g_for_pods_security_list"
node_pool_cni_type_1 = "OCI_VCN_IP_NATIVE" # Use "FLANNEL_OVERLAY" for overlay network or "OCI_VCN_IP_NATIVE" for VCN Native PODs Network. If the node pool 1 uses the OCI_VCN_IP_NATIVE, the cluster will also be configured with same cni
cluster_autoscaler_enabled = true
node_pool_name_1 = "pool1"
node_pool_initial_num_worker_nodes_1 = var.node_pool_initial_num_worker_nodes_1 # Minimum number of nodes in the node pool
node_pool_max_num_worker_nodes_1 = var.node_pool_max_num_worker_nodes_1 # Maximum number of nodes in the node pool
node_pool_instance_shape_1 = var.node_pool_instance_shape_1
extra_initial_node_labels_1 = [{ key = "cnf", value = "amf01" }] # Extra initial node labels for node pool 1. Example: "[{ key = "app.something/key1", value = "value1" }]"

# Extra Security Lists
extra_security_list_name_for_nodes = "5g_for_pods_security_list" # ["5g_for_pods_security_list", "5g_sctp_security_list"]
extra_security_list_name_for_vcn_native_pod_networking = "5g_for_pods_security_list" # ["5g_for_pods_security_list", "5g_sctp_security_list"]

# Cluster Tools
# ingress_nginx_enabled = true
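Review bot: The trailing comment `# ["5g_for_pods_security_list", "5g_sctp_security_list"]` on `extra_security_list_name_for_nodes` and `extra_security_list_name_for_vcn_native_pod_networking` reads as if the inputs accept a list, but both are assigned a single string and the input names are singular, so a reader cannot tell whether `5g_sctp_security_list` is supposed to be attached too or whether the comment is a leftover from the SCTP rules being folded into `5g_for_pods_security_list`. Replace it with a statement of what the input actually takes, e.g. `# one security list name; SCTP ingress/egress is already part of 5g_for_pods_security_list`, or, if the module does accept a list, pass the list and drop the duplication in networking.tf. The `module "oke-quickstart"` block begins before this hunk, so the input definitions are not visible here.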
