
Commit e18d1b7

committed
WIP: working with tgw
1 parent c0891cc commit e18d1b7

10 files changed

Lines changed: 430 additions & 214 deletions


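--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -29,37 +29,34 @@ ec2_vpcs:
     cidr: "192.168.8.0/22"
     subnet_cidr: "192.168.8.0/24"
     region: west
-    peer: []
 
   corewest:
     # 192.168.12.1 - 192.168.13.254
     cidr: "192.168.12.0/23"
     subnet_cidr: "192.168.12.0/24"
     region: west
-    peer: []
+    tgw_peer: westtor
 
   westtor:
     # 192.168.14.1 - 192.168.15.254
     cidr: "192.168.14.0/23"
     subnet_cidr: "192.168.14.0/24"
     region: west
-    peer:
-      - name: corewest
+    tgw_peer: corewest
 
   coreeast:
     # 192.168.16.1 - 192.168.17.254
     cidr: "192.168.16.0/23"
     subnet_cidr: "192.168.16.0/24"
     region: west # we need this in the same region as the coreclient, we add a nic here from core vm
-    peer: []
+    tgw_peer: easttor
 
   easttor:
     # 192.168.18.1 - 192.168.19.254
     cidr: "192.168.18.0/23"
     subnet_cidr: "192.168.18.0/24"
     region: east
-    peer:
-      - name: coreeast
+    tgw_peer: coreeast
 
 ec2_vms:
   client:
@@ -102,43 +99,40 @@ ec2_vms:
 ec2_frrs:
   core:
     asn: 64666
-    private_ip: 192.168.8.100
     connections:
       towest:
         remote_ips:
           - 192.168.14.100
-        local_ip: 192.168.8.100
+        local_ip: 192.168.12.200/24
         asn: 64001
 
       toeast:
         remote_ips:
           - 192.168.18.100
-        local_ip: 192.168.8.100
+        local_ip: 192.168.16.200/24
         asn: 64002
 
     fixed_advertisements:
       - 192.168.8.0/24
 
   westtor:
     asn: 64001
-    private_ip: 192.168.14.100
     connections:
       tocore:
         remote_ips:
-          - 192.168.8.100
-        local_ip: 192.168.14.100
+          - 192.168.12.200
+        local_ip: 192.168.14.100/24
         asn: 64666
     # We will extend this list dynamically with the ocp workers ips-asn
     fixed_advertisements: []
 
   easttor:
     asn: 64002
-    private_ip: 192.168.18.100
     connections:
       tocore:
         remote_ips:
-          - 192.168.8.100
-        local_ip: 192.168.18.100
+          - 192.168.16.200
+        local_ip: 192.168.18.100/24
         asn: 64666
     # We will extend this list dynamically with the ocp workers ips-asn
     fixed_advertisements: []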
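Review bot: The new `local_ip` values in ec2_frrs carry a prefix length (`local_ip: 192.168.12.200/24` at new line 106, likewise lines 112, 124 and 135) while the `remote_ips` entries on the adjacent lines stay bare addresses, so whatever template renders these into the FRR/BGP configuration (not in this commit) now has to treat the two fields differently; if it still expects a bare address for `local_ip`, the session source will be wrong. The removed `private_ip` keys have no replacement here, so any template that still reads `ec2_frrs.<name>.private_ip` will fail with an undefined variable — worth a grep before merging. The new `tgw_peer` key is undocumented although the peering tasks index `ec2_vpcs[vpc.value.tgw_peer]` with it and a misspelled or one-sided value only fails at run time; I would add above its first occurrence `# tgw_peer: key of the ec2_vpcs entry whose transit gateway this VPC is peered with (must be set symmetrically on both entries)`.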

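--- a/ansible/playbooks/create_tgw.yml
+++ b/ansible/playbooks/create_tgw.yml
@@ -0,0 +1,40 @@
+- name: Set aws region
+  ansible.builtin.set_fact:
+    aws_region: "{{ vars[vpc.value.region ~ '_aws_region'] }}"
+
+- name: "Create a new transit gateway for {{ vpc.key }}"
+  amazon.aws.ec2_transit_gateway:
+    state: present
+    region: "{{ aws_region }}"
+    description: "{{ vpc.key }} tgw"
+    tags:
+      Name: "{{ vpc.key }}"
+  register: created_tgw
+
+# Attach tgw to vpc
+- name: "Create a Transit Gateway vpc attachment for {{ vpc.key }}"
+  amazon.aws.ec2_transit_gateway_vpc_attachment:
+    state: "present"
+    region: "{{ aws_region }}"
+    transit_gateway: "{{ created_tgw.transit_gateway.transit_gateway_id }}"
+    name: "{{ vpc.key }}-tgw-attach"
+    subnets:
+      - "{{ vpc.value.subnet_id }}"
+    ipv6_support: false
+    tags:
+      Name: "{{ vpc.key }}-tgw-attach"
+  register: created_tgw_vpc_attach
+
+- name: Extend ec2_vpcs variable with newly create info
+  ansible.builtin.set_fact:
+    ec2_vpcs: >-
+      {{
+        ec2_vpcs | combine({
+          vpc.key: vpc.value | combine({
+            'tgw_id': created_tgw.transit_gateway.transit_gateway_id,
+            'tgw_id_owner_id': created_tgw.transit_gateway.owner_id,
+            'tgw_route_table_id': created_tgw.transit_gateway.options.association_default_route_table_id,
+            'tgw_vpc_attachment_id': created_tgw_vpc_attach.attachments | map(attribute='transit_gateway_attachment_id') | first ,
+          })
+        }, recursive=True)
+      }}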
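Review bot: The `amazon.aws.ec2_transit_gateway` task (new lines 6–12) and the `ec2_transit_gateway_vpc_attachment` task (lines 16–26) pass `region` but no `profile`, while the other amazon.aws tasks in this commit pass `profile: "{{ aws_profile }}"`; unless the profile is exported in the environment for the whole play, these two create the gateway and attachment under the default credential chain, which may be a different account than the one the later peering tasks query with `--profile`. Add `profile: "{{ aws_profile }}"` next to `region` in both tasks. Nothing in the file says what identifies an existing gateway on a re-run; since no `transit_gateway_id` is given, idempotency presumably rests on the `description` value staying stable per `vpc.key`, and a one-line comment above the task saying so (`# description is the lookup key on re-runs; keep it stable`) would prevent someone "improving" the description later. The last task's name reads "newly create info"; `newly created info` is meant.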
Lines changed: 250 additions & 0 deletions
@@ -0,0 +1,250 @@
1+
- name: Set aws region
2+
ansible.builtin.set_fact:
3+
aws_region: "{{ vars[vpc.value.region ~ '_aws_region'] }}"
4+
5+
- name: Get peering connection (attachment) between tgw-s
6+
ansible.builtin.shell: |
7+
aws ec2 describe-transit-gateway-peering-attachments \
8+
--region {{ aws_region }} \
9+
--profile {{ aws_profile }} \
10+
--filters Name=transit-gateway-id,Values={{ tgw_id }} Name=state,Values=\[available,initiatingRequest,pendingAcceptance,peering\] \
11+
--output json \
12+
--no-paginate
13+
register: tgw_peering_conn
14+
vars:
15+
tgw_id: "{{ ec2_vpcs[vpc.key].tgw_id }}"
16+
when:
17+
- vpc.key == "corewest" or vpc.key == "coreeast"
18+
19+
- name: Create peering connection (attachment) between tgw-s
20+
ansible.builtin.shell: |
21+
aws ec2 create-transit-gateway-peering-attachment \
22+
--region {{ aws_region }} \
23+
--profile {{ aws_profile }} \
24+
--transit-gateway-id {{ ec2_vpcs[vpc.key].tgw_id }} \
25+
--peer-transit-gateway-id {{ ec2_vpcs[vpc.value.tgw_peer].tgw_id }} \
26+
--peer-region {{ vars[ec2_vpcs[vpc.value.tgw_peer].region ~ '_aws_region'] }} \
27+
--peer-account-id {{ ec2_vpcs[vpc.value.tgw_peer].tgw_id_owner_id }} \
28+
--tag-specifications ResourceType=transit-gateway-attachment,Tags=\[\{Key=Name,Value={{ vpc.key }}-peer-{{ vpc.value.tgw_peer }}-tgw-attach,\}\] \
29+
--output json \
30+
--no-paginate
31+
register: tgw_peering_attachments
32+
when:
33+
- vpc.key == "corewest" or vpc.key == "coreeast"
34+
- tgw_peering_conn_list | length == 0
35+
vars:
36+
tgw_peering_conn_list: "{{ tgw_peering_conn.stdout | from_json | json_query('TransitGatewayPeeringAttachments') }}"
37+
38+
- name: Get peering connection to accept for {{ vpc.key }}"
39+
ansible.builtin.shell: |
40+
aws ec2 describe-transit-gateway-peering-attachments \
41+
--region {{ vars[ec2_vpcs[vpc.value.tgw_peer].region ~ '_aws_region'] }} \
42+
--profile {{ aws_profile }} \
43+
--filters Name=transit-gateway-id,Values={{ tgw_id }} Name=state,Values=\[pendingAcceptance\] \
44+
--output json \
45+
--no-paginate
46+
register: get_tgw_peer_attachment
47+
when:
48+
- vpc.key == "corewest" or vpc.key == "coreeast"
49+
vars:
50+
tgw_id: "{{ ec2_vpcs[vpc.value.tgw_peer].tgw_id }}"
51+
52+
- name: Accept peering connection between tgw-s {{ vpc.key }}
53+
ansible.builtin.shell: |
54+
aws ec2 accept-transit-gateway-peering-attachment \
55+
--transit-gateway-attachment-id {{ tgw_attachment_id }} \
56+
--region {{ vars[ec2_vpcs[vpc.value.tgw_peer].region ~ '_aws_region'] }}
57+
when:
58+
- vpc.key == "corewest" or vpc.key == "coreeast"
59+
- (get_tgw_peer_attachment.stdout | from_json | json_query('TransitGatewayPeeringAttachments')) | length > 0
60+
vars:
61+
tgw_attachment_id: "{{ get_tgw_peer_attachment.stdout | from_json | json_query('TransitGatewayPeeringAttachments') | first | json_query('TransitGatewayAttachmentId') }}"
62+
63+
# retry and wait for peering to be available
64+
- name: Get peering attachment id
65+
ansible.builtin.shell: |
66+
aws ec2 describe-transit-gateway-peering-attachments \
67+
--region {{ aws_region }} \
68+
--profile {{ aws_profile }} \
69+
--filters Name=transit-gateway-id,Values={{ tgw_id }} Name=state,Values=\[available\] \
70+
--output json \
71+
--no-paginate
72+
register: tgw_peering_conn
73+
until: tgw_peering_conn.stdout | from_json | json_query('TransitGatewayPeeringAttachments') | length > 0
74+
delay: 20
75+
retries: 20
76+
vars:
77+
tgw_id: "{{ vpc.value.tgw_id }}"
78+
79+
# Recreate the route always
80+
- name: Get route in tgw for peered tgw
81+
ansible.builtin.shell: |
82+
aws ec2 search-transit-gateway-routes \
83+
--region {{ aws_region }}\
84+
--filters Name=route-search.exact-match,Values={{ ec2_vpcs[vpc.value.tgw_peer].cidr }} \
85+
--transit-gateway-route-table-id {{ vpc.value.tgw_route_table_id }} \
86+
register: get_peered_route
87+
88+
- name: Delete route in tgw for peered tgw
89+
ansible.builtin.shell: |
90+
aws ec2 delete-transit-gateway-route \
91+
--region {{ aws_region }}\
92+
--destination-cidr-block {{ ec2_vpcs[vpc.value.tgw_peer].cidr }} \
93+
--transit-gateway-route-table-id {{ vpc.value.tgw_route_table_id }} \
94+
when: get_peered_route.stdout | from_json | json_query('Routes') | length > 0
95+
96+
- name: Create route in tgw for peered tgw
97+
ansible.builtin.shell: |
98+
aws ec2 create-transit-gateway-route \
99+
--region {{ aws_region }}\
100+
--destination-cidr-block {{ ec2_vpcs[vpc.value.tgw_peer].cidr }} \
101+
--transit-gateway-route-table-id {{ vpc.value.tgw_route_table_id }} \
102+
--transit-gateway-attachment-id {{ tgw_attachment_id }}
103+
vars:
104+
tgw_attachment_id: "{{ tgw_peering_conn.stdout | from_json | json_query('TransitGatewayPeeringAttachments') | first | json_query('TransitGatewayAttachmentId') }}"
105+
106+
# Recreate the route always
107+
- name: Get route in tgw for metallb anycast
108+
ansible.builtin.shell: |
109+
aws ec2 search-transit-gateway-routes \
110+
--region {{ aws_region }}\
111+
--filters Name=route-search.exact-match,Values={{ metallb_address_pool }} \
112+
--transit-gateway-route-table-id {{ vpc.value.tgw_route_table_id }} \
113+
register: get_metallb_route
114+
115+
- name: Delete route in tgw for metallb anycast
116+
ansible.builtin.shell: |
117+
aws ec2 delete-transit-gateway-route \
118+
--region {{ aws_region }}\
119+
--destination-cidr-block {{ metallb_address_pool }} \
120+
--transit-gateway-route-table-id {{ vpc.value.tgw_route_table_id }} \
121+
when: get_metallb_route.stdout | from_json | json_query('Routes') | length > 0
122+
123+
- name: Create route in tgw for metallb anycast range towards peer attachment if we are in the core* tgw
124+
ansible.builtin.shell: |
125+
aws ec2 create-transit-gateway-route \
126+
--region {{ aws_region }}\
127+
--destination-cidr-block {{ metallb_address_pool }} \
128+
--transit-gateway-route-table-id {{ vpc.value.tgw_route_table_id }} \
129+
--transit-gateway-attachment-id {{ tgw_attachment_id }}
130+
when:
131+
- vpc.key == "corewest" or vpc.key == "coreeast"
132+
vars:
133+
tgw_attachment_id: "{{ tgw_peering_conn.stdout | from_json | json_query('TransitGatewayPeeringAttachments') | first | json_query('TransitGatewayAttachmentId') }}"
134+
135+
- name: Create route in tgw for metallb anycast range towards vpc attachment if we are in the tor tgw
136+
ansible.builtin.shell: |
137+
aws ec2 create-transit-gateway-route \
138+
--region {{ aws_region }}\
139+
--destination-cidr-block {{ metallb_address_pool }} \
140+
--transit-gateway-route-table-id {{ vpc.value.tgw_route_table_id }} \
141+
--transit-gateway-attachment-id {{ tgw_attachment_id }}
142+
when:
143+
- vpc.key == "westtor" or vpc.key == "easttor"
144+
vars:
145+
tgw_attachment_id: "{{ vpc.value.tgw_vpc_attachment_id }}"
146+
147+
# Recreate the route always
148+
- name: Get route in tgw for for client cidr
149+
ansible.builtin.shell: |
150+
aws ec2 search-transit-gateway-routes \
151+
--region {{ aws_region }}\
152+
--filters Name=route-search.exact-match,Values={{ ec2_vpcs['coreclient']['subnet_cidr'] }} \
153+
--transit-gateway-route-table-id {{ vpc.value.tgw_route_table_id }} \
154+
register: get_client_route
155+
156+
- name: Delete route in tgw for metallb anycast
157+
ansible.builtin.shell: |
158+
aws ec2 delete-transit-gateway-route \
159+
--region {{ aws_region }}\
160+
--destination-cidr-block {{ ec2_vpcs['coreclient']['subnet_cidr'] }} \
161+
--transit-gateway-route-table-id {{ vpc.value.tgw_route_table_id }} \
162+
when: get_client_route.stdout | from_json | json_query('Routes') | length > 0
163+
164+
- name: Create route in tgw for client cidr range towards peer attachment if we are in the tor tgw
165+
ansible.builtin.shell: |
166+
aws ec2 create-transit-gateway-route \
167+
--region {{ aws_region }}\
168+
--destination-cidr-block {{ ec2_vpcs['coreclient']['subnet_cidr'] }} \
169+
--transit-gateway-route-table-id {{ vpc.value.tgw_route_table_id }} \
170+
--transit-gateway-attachment-id {{ tgw_attachment_id }}
171+
when:
172+
- vpc.key == "westtor" or vpc.key == "easttor"
173+
vars:
174+
tgw_attachment_id: "{{ tgw_peering_conn.stdout | from_json | json_query('TransitGatewayPeeringAttachments') | first | json_query('TransitGatewayAttachmentId') }}"
175+
176+
- name: Create route in tgw for client cidr range towards vpc attachment if we are in the core* tgw
177+
ansible.builtin.shell: |
178+
aws ec2 create-transit-gateway-route \
179+
--region {{ aws_region }}\
180+
--destination-cidr-block {{ ec2_vpcs['coreclient']['subnet_cidr'] }} \
181+
--transit-gateway-route-table-id {{ vpc.value.tgw_route_table_id }} \
182+
--transit-gateway-attachment-id {{ tgw_attachment_id }}
183+
when:
184+
- vpc.key == "corewest" or vpc.key == "coreeast"
185+
vars:
186+
tgw_attachment_id: "{{ vpc.value.tgw_vpc_attachment_id }}"
187+
188+
- name: Get nic for core VM
189+
amazon.aws.ec2_eni_info:
190+
filters:
191+
attachment.instance-id: "{{ ec2_vms['core']['instance_id'] }}"
192+
addresses.private-ip-address: "{{ ip_address }}"
193+
profile: "{{ aws_profile }}"
194+
region: "{{ aws_region }}"
195+
register: get_core_vm_nic
196+
when:
197+
- vpc.key == "corewest" or vpc.key == "coreeast"
198+
vars:
199+
ip_address: "{{ (vpc.key == 'corewest') | ternary('192.168.12.200', '192.168.16.200') }}"
200+
201+
- name: Get nic for tor VM
202+
amazon.aws.ec2_eni_info:
203+
filters:
204+
attachment.instance-id: "{{ ec2_vms[vpc.key]['instance_id'] }}"
205+
addresses.private-ip-address: "{{ ip_address }}"
206+
profile: "{{ aws_profile }}"
207+
region: "{{ aws_region }}"
208+
register: get_tor_vm_nic
209+
when:
210+
- vpc.key == "westtor" or vpc.key == "easttor"
211+
vars:
212+
ip_address: "{{ (vpc.key == 'westtor') | ternary('192.168.14.100', '192.168.18.100') }}"
213+
214+
- name: Set routes for the tor vpc-s
215+
ansible.builtin.set_fact:
216+
routes:
217+
- dest: "{{ ec2_vpcs[vpc.value.tgw_peer].cidr }}"
218+
transit_gateway_id: "{{ vpc.value.tgw_id }}"
219+
- dest: "{{ metallb_address_pool }}"
220+
network_interface_id: "{{ vm_eni_id }}"
221+
- dest: "{{ ec2_vpcs['coreclient']['subnet_cidr'] }}"
222+
transit_gateway_id: "{{ vpc.value.tgw_id }}"
223+
when:
224+
- vpc.key == "westtor" or vpc.key == "easttor"
225+
vars:
226+
vm_eni_id: "{{ get_tor_vm_nic.network_interfaces | map(attribute='id') | first }}"
227+
228+
- name: Set routes for the core vpc-s
229+
ansible.builtin.set_fact:
230+
routes:
231+
- dest: "{{ ec2_vpcs[vpc.value.tgw_peer].cidr }}"
232+
transit_gateway_id: "{{ vpc.value.tgw_id }}"
233+
- dest: "{{ metallb_address_pool }}"
234+
transit_gateway_id: "{{ vpc.value.tgw_id }}"
235+
- dest: "{{ ec2_vpcs['coreclient']['subnet_cidr'] }}"
236+
network_interface_id: "{{ vm_eni_id }}"
237+
when:
238+
- vpc.key == "corewest" or vpc.key == "coreeast"
239+
vars:
240+
vm_eni_id: "{{ get_core_vm_nic.network_interfaces | map(attribute='id') | first }}"
241+
242+
- name: Create route in vpc rtbl for metallb, peer, and client
243+
amazon.aws.ec2_vpc_route_table:
244+
vpc_id: "{{ vpc.value.vpc_id }}"
245+
route_table_id: "{{ vpc.value.route_table_id }}"
246+
lookup: id
247+
purge_routes: false
248+
routes: "{{ routes }}"
249+
region: "{{ aws_region }}"
250+
profile: "{{ aws_profile }}"
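Review bot: The aws CLI calls that accept the peering and search/delete/create transit gateway routes (new lines 53–56 and 81–186) pass `--region` but no `--profile`, whereas the describe/create peering calls at lines 7–12 and 21–30 pass `--profile {{ aws_profile }}`; unless AWS_PROFILE is exported for the whole play, those tasks run under the default credential chain and can silently act on a different account, so each of them needs `--profile {{ aws_profile }}` added. Values interpolated into these shell lines (`{{ metallb_address_pool }}`, `{{ ec2_vpcs[vpc.value.tgw_peer].cidr }}`, the Name tag built at line 28) are unquoted; the Ansible idiom is `{{ value | quote }}`, or `ansible.builtin.command` with an `argv` list, which removes the word-splitting hazard at no cost. The read-only `describe-*` and `search-*` tasks should carry `changed_when: false` so the play's changed count reflects only real mutations. Two small slips: the task name at line 38 ends in a stray `"`, and the task at line 156 is named "Delete route in tgw for metallb anycast" but deletes the client-cidr route. I cannot tell from the rendered page whether the continuation lines inside the block scalars are indented, so whether `--region {{ aws_region }}\` (no space before the backslash, e.g. line 83) fuses the region value with the following `--filters` after line joining depends on that indent; a space before the `\` makes it safe either way.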
