From 3a4f80eb71df99a5a9463a21721a5edf0d333207 Mon Sep 17 00:00:00 2001
From: junior
Date: Sun, 11 Dec 2022 19:23:20 -0600
Subject: [PATCH] 5G NF Infra example: sctp seclist

Signed-off-by: junior
---
 examples/5G-NF-Infra/networking.tf | 215 +++++++++++++++++------------
 examples/5G-NF-Infra/oke.tf | 19 +--
 2 files changed, 137 insertions(+), 97 deletions(-)

diff --git a/examples/5G-NF-Infra/networking.tf b/examples/5G-NF-Infra/networking.tf
index a51feef..cbdb872 100644
--- a/examples/5G-NF-Infra/networking.tf
+++ b/examples/5G-NF-Infra/networking.tf
@@ -19,86 +19,122 @@ locals { # Extra Security Lists for the 5G NF locals { - extra_security_lists = [ - { - security_list_name = "5gc_oam_security_list" - display_name = "5GC OAM Security List" - ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules) - egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules) - }, - { - security_list_name = "5gc_signalling_security_list" - display_name = "5GC Signalling (SBI) Security List" - ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules) - egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules) - }, - { - security_list_name = "5g_ran_security_list" - display_name = "5G RAN Security List" - ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules) - egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules) - }, - { - security_list_name = "legal_intercept_security_list" - display_name = "Legal Intercept Security List" - ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules) - egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules) - }, - { - security_list_name = "5g_epc_security_list" - display_name = "5G EPC Security List" - ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules) - egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules) + extra_security_lists = [{ + security_list_name = "5gc_oam_security_list" + display_name = "5GC OAM Security List" + 
ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules) + egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules) + }, { + security_list_name = "5gc_signalling_security_list" + display_name = "5GC Signalling (SBI) Security List" + ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules) + egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules) + }, { + security_list_name = "5g_ran_security_list" + display_name = "5G RAN Security List" + ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules) + egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules) + }, { + security_list_name = "legal_intercept_security_list" + display_name = "Legal Intercept Security List" + ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules) + egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules) + }, { + security_list_name = "5g_epc_security_list" + display_name = "5G EPC Security List" + ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules) + egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules) + }, { + security_list_name = "5g_for_pods_security_list" + display_name = "5G subnets x pods Security List" + ingress_security_rules = [{ + description = "Allow 5GC OAM to pod communication" + source = lookup(local.network_cidrs, "SUBNET-5GC-OAM-CIDR") + source_type = "CIDR_BLOCK" + protocol = 
local.security_list_ports.all_protocols + stateless = false + tcp_options = { max = -1, min = -1, source_port_range = null } + udp_options = { max = -1, min = -1, source_port_range = null } + icmp_options = null + }, { + description = "Allow 5GC Signalling (SBI) to pod communication" + source = lookup(local.network_cidrs, "SUBNET-5GC-SIGNALLING-CIDR") + source_type = "CIDR_BLOCK" + protocol = local.security_list_ports.all_protocols + stateless = false + tcp_options = { max = -1, min = -1, source_port_range = null } + udp_options = { max = -1, min = -1, source_port_range = null } + icmp_options = null }, { - security_list_name = "5g_for_pods_security_list" - display_name = "5G subnets x pods Security List" - ingress_security_rules = [{ - description = "Allow 5GC OAM to pod communication" - source = lookup(local.network_cidrs, "SUBNET-5GC-OAM-CIDR") - source_type = "CIDR_BLOCK" - protocol = local.security_list_ports.all_protocols - stateless = false - tcp_options = { max = -1, min = -1, source_port_range = null } - udp_options = { max = -1, min = -1, source_port_range = null } - icmp_options = null - }, { - description = "Allow 5GC Signalling (SBI) to pod communication" - source = lookup(local.network_cidrs, "SUBNET-5GC-SIGNALLING-CIDR") - source_type = "CIDR_BLOCK" - protocol = local.security_list_ports.all_protocols - stateless = false - tcp_options = { max = -1, min = -1, source_port_range = null } - udp_options = { max = -1, min = -1, source_port_range = null } - icmp_options = null - }, { - description = "Allow 5G RAN to pod communication" - source = lookup(local.network_cidrs, "SUBNET-5G-RAN-CIDR") - source_type = "CIDR_BLOCK" - protocol = local.security_list_ports.all_protocols - stateless = false - tcp_options = { max = -1, min = -1, source_port_range = null } - udp_options = { max = -1, min = -1, source_port_range = null } - icmp_options = null - }, { - description = "Allow 5G Legal Intercept to pod communication" - source = lookup(local.network_cidrs, 
"SUBNET-LEGAL-INTERCEPT-CIDR") - source_type = "CIDR_BLOCK" - protocol = local.security_list_ports.all_protocols - stateless = false - tcp_options = { max = -1, min = -1, source_port_range = null } - udp_options = { max = -1, min = -1, source_port_range = null } - icmp_options = null - }, { - description = "Allow 5G EPC to pod communication" - source = lookup(local.network_cidrs, "SUBNET-5G-EPC-CIDR") - source_type = "CIDR_BLOCK" - protocol = local.security_list_ports.all_protocols - stateless = false - tcp_options = { max = -1, min = -1, source_port_range = null } - udp_options = { max = -1, min = -1, source_port_range = null } - icmp_options = null - }] - egress_security_rules = [] + description = "Allow 5G RAN to pod communication" + source = lookup(local.network_cidrs, "SUBNET-5G-RAN-CIDR") + source_type = "CIDR_BLOCK" + protocol = local.security_list_ports.all_protocols + stateless = false + tcp_options = { max = -1, min = -1, source_port_range = null } + udp_options = { max = -1, min = -1, source_port_range = null } + icmp_options = null + }, { + description = "Allow 5G Legal Intercept to pod communication" + source = lookup(local.network_cidrs, "SUBNET-LEGAL-INTERCEPT-CIDR") + source_type = "CIDR_BLOCK" + protocol = local.security_list_ports.all_protocols + stateless = false + tcp_options = { max = -1, min = -1, source_port_range = null } + udp_options = { max = -1, min = -1, source_port_range = null } + icmp_options = null + }, { + description = "Allow 5G EPC to pod communication" + source = lookup(local.network_cidrs, "SUBNET-5G-EPC-CIDR") + source_type = "CIDR_BLOCK" + protocol = local.security_list_ports.all_protocols + stateless = false + tcp_options = { max = -1, min = -1, source_port_range = null } + udp_options = { max = -1, min = -1, source_port_range = null } + icmp_options = null + }, { + description = "Stream Control Transmission Protocol (SCTP) Ingress" + source = lookup(local.network_cidrs, "ALL-CIDR") + source_type = "CIDR_BLOCK" + protocol = 
local.security_list_ports.sctp_protocol_number + stateless = false + tcp_options = { max = -1, min = -1, source_port_range = null } + udp_options = { max = -1, min = -1, source_port_range = null } + icmp_options = null + }, ] + egress_security_rules = [{ + description = "Stream Control Transmission Protocol (SCTP) Egress" + destination = lookup(local.network_cidrs, "ALL-CIDR") + destination_type = "CIDR_BLOCK" + protocol = local.security_list_ports.sctp_protocol_number + stateless = false + tcp_options = { max = -1, min = -1, source_port_range = null } + udp_options = { max = -1, min = -1, source_port_range = null } + icmp_options = null + }, ] + }, { + security_list_name = "5g_sctp_security_list" + display_name = "Enable SCTP Security List" + ingress_security_rules = [{ + description = "Stream Control Transmission Protocol (SCTP) Ingress" + source = lookup(local.network_cidrs, "ALL-CIDR") + source_type = "CIDR_BLOCK" + protocol = local.security_list_ports.sctp_protocol_number + stateless = false + tcp_options = { max = -1, min = -1, source_port_range = null } + udp_options = { max = -1, min = -1, source_port_range = null } + icmp_options = null + }] + egress_security_rules = [{ + description = "Stream Control Transmission Protocol (SCTP) Egress" + destination = lookup(local.network_cidrs, "ALL-CIDR") + destination_type = "CIDR_BLOCK" + protocol = local.security_list_ports.sctp_protocol_number + stateless = false + tcp_options = { max = -1, min = -1, source_port_range = null } + udp_options = { max = -1, min = -1, source_port_range = null } + icmp_options = null + }] }, ] common_5g_security_list_ingress_rules = [{ @@ -169,6 +205,7 @@ locals { tcp_protocol_number = "6" udp_protocol_number = "17" icmp_protocol_number = "1" + sctp_protocol_number = "132" all_protocols = "all" } } 
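Review bot: The new SCTP ingress rule added to `5g_for_pods_security_list` uses `source = lookup(local.network_cidrs, "ALL-CIDR")`, so if ALL-CIDR resolves to 0.0.0.0/0 as its name suggests, every pod and node subnet that gets this list accepts SCTP (protocol 132) from any address, not just from the 5G peers the other rules in the same list are scoped to. The existing pod rules in this list already name the peer subnets through keys such as "SUBNET-5G-RAN-CIDR", so the same scoping fits here, e.g. `source = lookup(local.network_cidrs, "SUBNET-5G-RAN-CIDR")`, with the blanket any-source version kept only in the separate opt-in `5g_sctp_security_list`, which is otherwise an exact duplicate of the rule pair and leaves a reader unsure which of the two is meant to be attached. A one-line comment above the rule naming the intended SCTP peers (for example `# SCTP for the N2 path; widen the source only if the RAN is outside the VCN`) would make the choice reviewable. Note that `tcp_options` and `udp_options` are set on a protocol-132 rule where they have no effect; dropping them or setting them to null would avoid suggesting a port restriction that does not exist. The enclosing `locals` block continues past the end of this hunk.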
@@ -255,25 +292,25 @@ data "oci_containerengine_node_pool" "node_pool_1" { } # 5G NF VNICs attachments for each node in the node pool -resource "oci_core_vnic_attachment" "vnic_attachment_5gc_oam" { +resource "oci_core_vnic_attachment" "vnic_attachment_5gc_signalling" { count = var.node_pool_initial_num_worker_nodes_1 create_vnic_details { - display_name = "5GC-OAM vnic" - private_ip = [for hostnum in range(4, 15) : cidrhost(lookup(local.network_cidrs, "SUBNET-5GC-OAM-CIDR"), hostnum)][index(data.oci_containerengine_node_pool.node_pool_1.nodes.*.id, data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id)] - subnet_id = module.oke-quickstart.subnets["5GC_OAM_subnet"].subnet_id + display_name = "5GC-Signalling vnic" + private_ip = [for hostnum in range(4, 15) : cidrhost(lookup(local.network_cidrs, "SUBNET-5GC-SIGNALLING-CIDR"), hostnum)][index(data.oci_containerengine_node_pool.node_pool_1.nodes.*.id, data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id)] + subnet_id = module.oke-quickstart.subnets["5GC_Signalling_subnet"].subnet_id defined_tags = {} - freeform_tags = { "Network" : "5GC-OAM" } + freeform_tags = { "Network" : "5GC-Signalling" } } instance_id = data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id } -resource "oci_core_vnic_attachment" "vnic_attachment_5gc_signalling" { +resource "oci_core_vnic_attachment" "vnic_attachment_5gc_oam" { count = var.node_pool_initial_num_worker_nodes_1 create_vnic_details { - display_name = "5GC-Signalling vnic" - private_ip = [for hostnum in range(4, 15) : cidrhost(lookup(local.network_cidrs, "SUBNET-5GC-SIGNALLING-CIDR"), hostnum)][index(data.oci_containerengine_node_pool.node_pool_1.nodes.*.id, data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id)] - subnet_id = module.oke-quickstart.subnets["5GC_Signalling_subnet"].subnet_id + display_name = "5GC-OAM vnic" + private_ip = [for hostnum in range(4, 15) : cidrhost(lookup(local.network_cidrs, 
"SUBNET-5GC-OAM-CIDR"), hostnum)][index(data.oci_containerengine_node_pool.node_pool_1.nodes.*.id, data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id)] + subnet_id = module.oke-quickstart.subnets["5GC_OAM_subnet"].subnet_id defined_tags = {} - freeform_tags = { "Network" : "5GC-Signalling" } + freeform_tags = { "Network" : "5GC-OAM" } } instance_id = data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id } diff --git a/examples/5G-NF-Infra/oke.tf b/examples/5G-NF-Infra/oke.tf index 18c47b9..228c537 100644 --- a/examples/5G-NF-Infra/oke.tf +++ b/examples/5G-NF-Infra/oke.tf 
@@ -26,14 +26,17 @@ module "oke-quickstart" { extra_subnets = local.extra_subnets # OKE Node Pool 1 arguments - node_pool_cni_type_1 = "OCI_VCN_IP_NATIVE" # Use "FLANNEL_OVERLAY" for overlay network or "OCI_VCN_IP_NATIVE" for VCN Native PODs Network. If the node pool 1 uses the OCI_VCN_IP_NATIVE, the cluster will also be configured with same cni - cluster_autoscaler_enabled = true - node_pool_name_1 = "pool1" - node_pool_initial_num_worker_nodes_1 = var.node_pool_initial_num_worker_nodes_1 # Minimum number of nodes in the node pool - node_pool_max_num_worker_nodes_1 = var.node_pool_max_num_worker_nodes_1 # Maximum number of nodes in the node pool - node_pool_instance_shape_1 = var.node_pool_instance_shape_1 - extra_security_list_name_for_nodes = "5g_for_pods_security_list" - extra_security_list_name_for_vcn_native_pod_networking = "5g_for_pods_security_list" + node_pool_cni_type_1 = "OCI_VCN_IP_NATIVE" # Use "FLANNEL_OVERLAY" for overlay network or "OCI_VCN_IP_NATIVE" for VCN Native PODs Network. If the node pool 1 uses the OCI_VCN_IP_NATIVE, the cluster will also be configured with same cni + cluster_autoscaler_enabled = true + node_pool_name_1 = "pool1" + node_pool_initial_num_worker_nodes_1 = var.node_pool_initial_num_worker_nodes_1 # Minimum number of nodes in the node pool + node_pool_max_num_worker_nodes_1 = var.node_pool_max_num_worker_nodes_1 # Maximum number of nodes in the node pool + node_pool_instance_shape_1 = var.node_pool_instance_shape_1 + extra_initial_node_labels_1 = [{ key = "cnf", value = "amf01" }] # Extra initial node labels for node pool 1. Example: "[{ key = "app.something/key1", value = "value1" }]" + + # Extra Security Lists + extra_security_list_name_for_nodes = "5g_for_pods_security_list" # ["5g_for_pods_security_list", "5g_sctp_security_list"] + extra_security_list_name_for_vcn_native_pod_networking = "5g_for_pods_security_list" # ["5g_for_pods_security_list", "5g_sctp_security_list"] # Cluster Tools # ingress_nginx_enabled = true
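Review bot: The trailing comment `# ["5g_for_pods_security_list", "5g_sctp_security_list"]` on both `extra_security_list_name_for_nodes` and `extra_security_list_name_for_vcn_native_pod_networking` shows a list, while the value assigned is a single string, so it is unclear whether the module accepts a list here or the comment is listing alternatives. If only one name is accepted, rewording to `# Alternatives: "5g_for_pods_security_list" (pod-to-pod from the 5G subnets) or "5g_sctp_security_list" (adds SCTP from any source)` would tell the reader what each choice opens. The new `extra_initial_node_labels_1 = [{ key = "cnf", value = "amf01" }]` hard-codes an example workload label in what is otherwise a variable-driven block; a short comment marking it as an example value to replace would match the rest of the block.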