authorChristian Pointner <equinox@spreadspace.org>2018-02-04 22:00:26 +0100
committerChristian Pointner <equinox@spreadspace.org>2018-02-04 22:00:26 +0100
commit6965c27eb1092f6ce6404b5ee49f564730d11d67 (patch)
tree68599fdbb0a19164c090675b0c5f82aee7648096 /roles
parentcleanup works now (diff)
kubernetes net now supports local net zones
Diffstat (limited to 'roles')
-rw-r--r--roles/kubernetes-net/filter_plugins/kubenet.py33
-rw-r--r--roles/kubernetes-net/tasks/add.yaml6
-rw-r--r--roles/kubernetes-net/templates/kubenet-peer.service.j230
3 files changed, 60 insertions, 9 deletions
diff --git a/roles/kubernetes-net/filter_plugins/kubenet.py b/roles/kubernetes-net/filter_plugins/kubenet.py
new file mode 100644
index 00000000..c1312dd8
--- /dev/null
+++ b/roles/kubernetes-net/filter_plugins/kubenet.py
@@ -0,0 +1,33 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible import errors
+
+
+def direct_net_zone(data, myname, peer):
+ try:
+ zones = []
+ for zone in data:
+ if myname in data[zone]['node_interface'] and peer in data[zone]['node_interface']:
+ zones.append(zone)
+
+ if not zones:
+ return ""
+ if len(zones) > 1:
+ raise errors.AnsibleFilterError("host '%s' and '%s' have multiple direct net zones in common: %s" %
+ (myname, peer, zones.join(',')))
+ return zones[0]
+
+ except Exception as e:
+ raise errors.AnsibleFilterError("direct_net_zones(): %s" % str(e))
+
+
+class FilterModule(object):
+
+ ''' Kubernetes Network Filters '''
+ filter_map = {
+ 'direct_net_zone': direct_net_zone,
+ }
+
+ def filters(self):
+ return self.filter_map
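Review bot: `zones.join(',')` on the raise at line 41 fails with AttributeError because `zones` is a list, so the "multiple direct net zones in common" diagnostic is never produced; the broad `except Exception` at line 44 then re-raises it as `direct_net_zones(): 'list' object has no attribute 'join'`, hiding which hosts and zones are ambiguous. Use `", ".join(zones)` and add `except errors.AnsibleFilterError: raise` ahead of the generic handler so the intended message survives, and have the generic message name the filter it actually belongs to (`direct_net_zone`, not `direct_net_zones`). This matters because the ambiguity check is what keeps the template from silently picking one of two candidate transfer nets for a peer, so it should fail loudly and readably rather than with a masked error. A docstring such as `"""Return the single zone whose node_interface lists both myname and peer, "" if none; raise if more than one."""` would also help maintainers of the role.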
diff --git a/roles/kubernetes-net/tasks/add.yaml b/roles/kubernetes-net/tasks/add.yaml
index d0a8449f..f4e422c6 100644
--- a/roles/kubernetes-net/tasks/add.yaml
+++ b/roles/kubernetes-net/tasks/add.yaml
@@ -51,7 +51,7 @@
state: started
enabled: yes
-- name: get list of currently installed kubenet peers installed
+- name: get list of currently installed kubenet peers
find:
path: /etc/systemd/system/
pattern: "kubenet-peer-*.service"
@@ -80,9 +80,11 @@
- name: install systemd units for every kubenet peer
with_items: "{{ kubenet_peers_to_add }}"
+ loop_control:
+ loop_var: peer
template:
src: kubenet-peer.service.j2
- dest: "/etc/systemd/system/kubenet-peer-{{ item }}.service"
+ dest: "/etc/systemd/system/kubenet-peer-{{ peer }}.service"
# TODO: notify restart for peers that change...
- name: make sure kubenet peer services are started and enabled
diff --git a/roles/kubernetes-net/templates/kubenet-peer.service.j2 b/roles/kubernetes-net/templates/kubenet-peer.service.j2
index a076512d..bee211af 100644
--- a/roles/kubernetes-net/templates/kubenet-peer.service.j2
+++ b/roles/kubernetes-net/templates/kubenet-peer.service.j2
@@ -1,19 +1,35 @@
[Unit]
-Description=Kubernetes Network Peer {{ item }}
+Description=Kubernetes Network Peer {{ peer }}
After=network.target
Requires=kubenet-interfaces.service
After=kubenet-interfaces.service
-{% set wg_pubkey = hostvars[item].kubenet_wireguard_pubkey.stdout -%}
-{% set wg_host = hostvars[item].external_ip | default(hostvars[item].ansible_default_ipv4.address) -%}
-{% set wg_port = hostvars[item].kubenet_wireguard_port -%}
-{% set tun_ip = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, 0) | ipaddr(kubernetes.net_index[item]) | ipaddr('address') -%}
-{% set pod_net = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubernetes.net_index[item]) -%}
-{% set wg_allowedips = tun_ip + "/32," + pod_net %}
+{% set pod_net_peer = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubernetes.net_index[peer]) -%}
+{% set direct_zone = kubernetes.direct_net_zones | direct_net_zone(inventory_hostname, peer) -%}
+{% if direct_zone %}
+{% set direct_ip = kubernetes.direct_net_zones[direct_zone].transfer_net | ipaddr(kubernetes.net_index[inventory_hostname]) %}
+{% set direct_interface = kubernetes.direct_net_zones[direct_zone].node_interface[inventory_hostname] %}
+{% set direct_ip_peer = kubernetes.direct_net_zones[direct_zone].transfer_net | ipaddr(kubernetes.net_index[peer]) %}
+{% else %}
+{% set tun_ip = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, 0) | ipaddr(kubernetes.net_index[peer]) -%}
+{% set wg_pubkey = hostvars[peer].kubenet_wireguard_pubkey.stdout -%}
+{% set wg_host = hostvars[peer].external_ip | default(hostvars[peer].ansible_default_ipv4.address) -%}
+{% set wg_port = hostvars[peer].kubenet_wireguard_port -%}
+{% set wg_allowedips = (tun_ip | ipaddr('address')) + "/32," + pod_net_peer %}
+{% endif %}
[Service]
Type=oneshot
+{% if direct_zone %}
+ExecStart=/sbin/ip addr add {{ direct_ip }} dev {{ direct_interface }}
+ExecStart=/sbin/ip link set up dev {{ direct_interface }}
+ExecStart=/sbin/ip route add {{ pod_net_peer }} via {{ direct_ip_peer | ipaddr('address') }}
+ExecStop=/sbin/ip route del {{ pod_net_peer }}
+ExecStop=/sbin/ip link set down dev {{ direct_interface }}
+ExecStop=/sbin/ip addr del {{ direct_ip }} dev {{ direct_interface }}
+{% else %}
ExecStart=/usr/bin/wg set kube-wg0 peer {{ wg_pubkey }} allowed-ips {{ wg_allowedips }} endpoint {{ wg_host }}:{{ wg_port }} persistent-keepalive 10
ExecStop=/usr/bin/wg set kube-wg0 peer {{ wg_pubkey }} remove
+{% endif %}
RemainAfterExit=yes
[Install]