X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=heat%2FvIPsec%2FvIPsec%2Fbase_vipsec.yaml;h=68150115df7edc36d0d204fd95e406e6220b0b23;hb=676591091ff3c154193213b26103c694f1a5f1be;hp=993612e33231a84d5e398b7ea1d2dd8dfecaff90;hpb=845800d65fc2f25286c74551a1d5dd00e2798df5;p=demo.git
diff --git a/heat/vIPsec/vIPsec/base_vipsec.yaml b/heat/vIPsec/vIPsec/base_vipsec.yaml
index 993612e3..68150115 100644
--- a/heat/vIPsec/vIPsec/base_vipsec.yaml
+++ b/heat/vIPsec/vIPsec/base_vipsec.yaml
@@ -31,10 +31,10 @@ description: Heat template that deploys vIPsec demo app for ONAP ############## parameters: - vipsec_image_name: + basic_image_name: type: string label: Image name or ID - description: Image to be used for compute instance + description: Image to be used for IPsec compute instance ipsec_flavor_name: type: string label: IPsec Flavor 
@@ -51,18 +51,26 @@ parameters: type: string label: Public network name or ID description: Public network that enables remote connection to VNF - external_net_id: - type: string - label: External network name or ID - description: External network that connects the two IPsec gateways protected_clientA_private_net_id: type: string - label: Unprotected private network name or ID + label: protected private network name or ID description: Private network that connects vPacketGenerator with vIPsec gateway A protected_clientB_private_net_id: type: string label: Protected private network name or ID description: Private network that connects vIPsec gateway B with vSink + protected_clientA_provider_net_id: + type: string + label: Provider network name or ID for client A + description: Private network that connects vPacketGenerator with vIPsec gateway A + protected_clientB_provider_net_id: + type: string + label: Provider network name or ID for client B + description: Private network that connects vIPsec gateway B with vSink + ipsec_provider_net_id: + type: string + label: Provider network name or ID between IPsec gateways + description: Private network that connects vIPsec gateway B with vIPsec gateway A onap_private_net_id: type: string label: ONAP management network name or ID @@ -75,10 +83,6 @@ parameters: type: string label: IPsec private network name or ID description: Private network that connects the two IPsec VNFs - ipsec_private_subnet_id: - type: string - label: IPsec sub-network name or ID - description: Private sub-network that connects the two IPsec VNFs protected_clientA_private_net_cidr: type: string label: Unprotected private network CIDR 
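Review bot: The descriptions on the three new `*_provider_net_id` parameters are copied from the neighbouring `*_private_net_id` entries and describe the tenant network rather than the value actually consumed — the resources feed them to `physical_network` on an `OS::Neutron::ProviderNet` with `network_type: vlan`, so the operator must supply a physical network name known to Neutron. Suggested wording for client A: `description: Name of the Neutron physical network backing the VLAN provider network between vPacketGenerator and vIPsec gateway A`, with the same pattern for client B and for `ipsec_provider_net_id`. The relabelled `protected_clientA_private_net_id` also gets a lowercase `protected private network name or ID` while its client B twin keeps `Protected private network name or ID`; capitalise to match.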
@@ -223,18 +227,6 @@ parameters: type: string label: Cloud environment description: Cloud environment (e.g., openstack, rackspace) - sec_group: - type: string - description: ONAP Security Group - sdnc_model_name: - type: string - description: SDNC Model Name metatada - sdnc_model_version: - type: string - description: SDNC Model Version metatada - sdnc_artifact_name: - type: string - description: SDNC Artifact Name metatada input_device_interface_A: type: string description: Device BDF name for the interface 
@@ -296,15 +288,73 @@ resources: public_key: { get_param: pub_key } save_private_key: false - protected_clientA_private_network: + security_group_ipsec: + type: OS::Neutron::SecurityGroup + properties: + name: "ipsec_sg" + rules: + - {direction: ingress, remote_ip_prefix: 0.0.0.0/0, protocol: icmp } + - {direction: ingress, remote_ip_prefix: 0.0.0.0/0, protocol: tcp, port_range_min: 22, port_range_max: 22} + + onap_private_net: type: OS::Neutron::Net + properties: + name: { get_param: onap_private_net_id } + + onap_private_subnet: + type: OS::Neutron::Subnet + properties: + name: { get_param: onap_private_subnet_id } + network_id: { get_resource: onap_private_net } + cidr: { get_param: onap_private_net_cidr } + dns_nameservers: [ "8.8.8.8" ] + + router: + type: OS::Neutron::Router + properties: + name: + list_join: ['-', [{ get_param: 'OS::stack_name' }, 'router']] + external_gateway_info: + network: { get_param: public_net_id } + + oam_router_interface: + type: OS::Neutron::RouterInterface + properties: + router_id: { get_resource: router } + subnet_id: { get_resource: onap_private_subnet } + + ipsec_0_floating_ip: + type: OS::Neutron::FloatingIP + properties: + floating_network_id: { get_param: public_net_id } + port_id: { get_resource: vipsec_A_private_1_port } + + ipsec_1_floating_ip: + type: OS::Neutron::FloatingIP + properties: + floating_network_id: { get_param: public_net_id } + port_id: { get_resource: vipsec_B_private_1_port } + + protected_clientA_private_network: + type: OS::Neutron::ProviderNet properties: name: { get_param: protected_clientA_private_net_id } + physical_network: { get_param: protected_clientA_provider_net_id } + network_type: vlan protected_clientB_private_network: - type: OS::Neutron::Net + type: OS::Neutron::ProviderNet properties: name: { get_param: protected_clientB_private_net_id } + physical_network: { get_param: protected_clientB_provider_net_id } + network_type: vlan + + protected_ipsec_network: + type: OS::Neutron::ProviderNet 
+ properties: + name: { get_param: ipsec_private_net_id } + physical_network: { get_param: ipsec_provider_net_id } + network_type: vlan protected_clientA_private_subnet: type: OS::Neutron::Subnet 
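Review bot: `security_group_ipsec` admits tcp/22 and icmp from `0.0.0.0/0` and is attached to every port in the template, including the management ports that `ipsec_0_floating_ip`/`ipsec_1_floating_ip` (and, in later hunks, the vPG and vSink floating IPs) expose on `public_net_id`, so SSH on every instance becomes reachable from any address — the `sec_group` parameter it replaces let the operator choose that policy. The rule set also has no ingress rule for ESP (IP protocol 50, which the vpp ipsec config later in the file bypasses/protects between the gateways) nor for the generator-to-sink data traffic, so unless the data-plane ports bind with a `binding:vnic_type` that Neutron does not apply security groups to, tunnel and sink ingress will be dropped by this group. I would split it into a management group whose `remote_ip_prefix` comes from an operator-supplied CIDR parameter (constructed name: `mgmt_allowed_cidr`, replacing `0.0.0.0/0` in both rules) and a data-plane group that allows ESP between the two gateway addresses, and document which ports get which. `dns_nameservers: [ "8.8.8.8" ]` on `onap_private_subnet` is likewise hard-coded and would be better parameterised.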
@@ -318,89 +368,93 @@ resources: network_id: { get_resource: protected_clientB_private_network } cidr: { get_param: protected_clientB_private_net_cidr } + ipsec_private_subnet: + type: OS::Neutron::Subnet + properties: + network_id: { get_resource: protected_ipsec_network } + cidr: { get_param: ipsec_private_net_cidr } + # Virtual IPsec instantiation vipsec_A_private_0_port: type: OS::Neutron::Port properties: network: { get_resource: protected_clientA_private_network } binding:vnic_type: { get_param: vipsec_A_private_0_port_vnic_type} - fixed_ips: [{"subnet": { get_resource: protected_clientA_private_subnet}, "ipaddress": { get_param: vipsec_A_private_ip_0 }}] + fixed_ips: [{"subnet": { get_resource: protected_clientA_private_subnet}, "ip_address": { get_param: vipsec_A_private_ip_0 }}] security_groups: - - { get_param: sec_group } + - { get_resource: security_group_ipsec } vipsec_A_private_1_port: type: OS::Neutron::Port properties: - #allowed_address_pairs: [{ "ip_address": { get_param: vpg_private_ip_0 }}] - network: { get_param: onap_private_net_id } + network: { get_resource: onap_private_net } binding:vnic_type: { get_param: vipsec_private_1_port_vnic_type} - fixed_ips: [{"subnet": { get_param: onap_private_subnet_id }, "ip_address": { get_param: vipsec_A_private_ip_1 }}] + fixed_ips: [{"subnet": { get_resource: onap_private_subnet }, "ip_address": { get_param: vipsec_A_private_ip_1 }}] security_groups: - - { get_param: sec_group } + - { get_resource: security_group_ipsec } vipsec_A_private_2_port: type: OS::Neutron::Port properties: - #allowed_address_pairs: [{ "ip_address": { get_param: vpg_private_ip_0 }}] - network: { get_param: ipsec_private_net_id } + allowed_address_pairs: [{ "ip_address": { get_param: vpg_private_ip_0 }}] + network: { get_resource: protected_ipsec_network } binding:vnic_type: { get_param: vipsec_private_2_port_vnic_type} - fixed_ips: [{"subnet": { get_param: ipsec_private_subnet_id }, "ip_address": { get_param: vipsec_A_private_ip_2 
}}] + fixed_ips: [{"subnet": { get_resource: ipsec_private_subnet }, "ip_address": { get_param: vipsec_A_private_ip_2 }}] security_groups: - - { get_param: sec_group } + - { get_resource: security_group_ipsec } vipsec_B_private_0_port: type: OS::Neutron::Port properties: network: { get_resource: protected_clientB_private_network } binding:vnic_type: { get_param: vipsec_B_private_0_port_vnic_type} - fixed_ips: [{"subnet": { get_resource: protected_clientB_private_subnet}, "ipaddress": { get_param: vipsec_B_private_ip_0 }}] + fixed_ips: [{"subnet": { get_resource: protected_clientB_private_subnet}, "ip_address": { get_param: vipsec_B_private_ip_0 }}] security_groups: - - { get_param: sec_group } + - { get_resource: security_group_ipsec } vipsec_B_private_1_port: type: OS::Neutron::Port properties: - #allowed_address_pairs: [{ "ip_address": { get_param: vpg_private_ip_0 }}] - network: { get_param: onap_private_net_id } + network: { get_resource: onap_private_net } binding:vnic_type: { get_param: vipsec_private_1_port_vnic_type} - fixed_ips: [{"subnet": { get_param: onap_private_subnet_id }, "ip_address": { get_param: vipsec_B_private_ip_1 }}] + fixed_ips: [{"subnet": { get_resource: onap_private_subnet }, "ip_address": { get_param: vipsec_B_private_ip_1 }}] security_groups: - - { get_param: sec_group } + - { get_resource: security_group_ipsec } vipsec_B_private_2_port: type: OS::Neutron::Port properties: - network: { get_param: ipsec_private_net_id } + network: { get_resource: protected_ipsec_network } binding:vnic_type: { get_param: vipsec_private_2_port_vnic_type} - fixed_ips: [{"subnet": { get_param: ipsec_private_subnet_id }, "ip_address": { get_param: vipsec_B_private_ip_2 }}] + fixed_ips: [{"subnet": { get_resource: ipsec_private_subnet }, "ip_address": { get_param: vipsec_B_private_ip_2 }}] security_groups: - - { get_param: sec_group } + - { get_resource: security_group_ipsec } vipsec_0: type: OS::Nova::Server properties: - image: { get_param: vipsec_image_name 
} + image: { get_param: basic_image_name } flavor: { get_param: ipsec_flavor_name } name: { get_param: vipsec_name_0 } key_name: { get_resource: my_keypair } networks: - - network: { get_param: public_net_id } - port: { get_resource: vipsec_A_private_0_port } - port: { get_resource: vipsec_A_private_1_port } + - port: { get_resource: vipsec_A_private_2_port } metadata: { vnf_id: { get_param: vnf_id }, vf_module_id: { get_param: vf_module_id }} user_data_format: RAW user_data: str_replace: params: - __dcae_collector_ip__ : { get_param: dcae_collector_ip } - __dcae_collector_port__ : { get_param: dcae_collector_port } - __demo_artifacts_version__ : { get_param: demo_artifacts_version } - __install_script_version__ : { get_param: install_script_version } - __vipsec_A_private_ip_0__ : { get_param: vipsec_A_private_ip_0 } - __vipsec_A_private_ip_1__ : { get_param: vipsec_A_private_ip_1 } - __protected_clientA_private_net_cidr__ : { get_param: protected_clientA_private_net_cidr } - __onap_private_net_cidr__ : { get_param: onap_private_net_cidr } - __cloud_env__ : { get_param: cloud_env } + __dcae_collector_ip__: { get_param: dcae_collector_ip } + __dcae_collector_port__: { get_param: dcae_collector_port } + __demo_artifacts_version__: { get_param: demo_artifacts_version } + __install_script_version__: { get_param: install_script_version } + __vipsec_A_private_ip_0__: { get_param: vipsec_A_private_ip_0 } + __vipsec_A_private_ip_1__: { get_param: vipsec_A_private_ip_1 } + __protected_clientA_private_net_cidr__: { get_param: protected_clientA_private_net_cidr } + __onap_private_net_cidr__: { get_param: onap_private_net_cidr } + __cloud_env__: { get_param: cloud_env } __nexus_artifact_repo__: { get_param: nexus_artifact_repo } __vpp_config__: { get_param: vpp_config } __ipsec_config__: { get_param: ipsec_config } 
@@ -434,10 +488,23 @@ resources: # Download and run install script apt-get update - cd /root/comms/dpdk/x86_64-native-linuxapp-gcc/kmod - modeprobe uio - insmod igb_uio.ko + wget https://packagecloud.io/install/repositories/fdio/release/script.deb.sh + bash ./script.deb.sh + apt install -y vpp + apt install -y vpp-plugin-dpdk + apt install -y make gcc libnuma-dev python cd /opt + git clone http://dpdk.org/git/dpdk + cd dpdk + export RTE_TARGET=x86_64-native-linuxapp-gcc/ + export DESTDIR=/opt/dpdk + export RTE_SDK=/opt/dpdk + make install T=x86_64-native-linux-gcc + modprobe uio + insmod x86_64-native-linux-gcc/kmod/igb_uio.ko + python ./usertools/dpdk-devbind.py -b igb_uio 00:06.0 + python ./usertools/dpdk-devbind.py -b igb_uio 00:05.0 + cd /opt/config cat > __vpp_config__<< NEWFILE unix { @@ -470,14 +537,13 @@ resources: } vdev crypto_aesni_gcm0 - num-mbufs 370000 no-multi-seg } NEWFILE cat > __ipsec_config__<< NEWFILE - + set interface state __input_interface__ up set interface state __output_interface__ up @@ -501,7 +567,7 @@ resources: ipsec policy add spd 1 inbound priority 100 action protect sa 2 remote-ip-range 004.0.0.0-004.0.0.0 ipsec policy add spd 1 inbound priority 90 protocol 50 action bypass ipsec policy add spd 1 outbound priority 90 protocol 50 action bypass - + NEWFILE vpp -c __vpp_config__ 
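Review bot: The boot-time install script in `vipsec_0`'s user_data (and the identical copy in `vipsec_1` at `@@ -564`) now fetches `script.deb.sh` from packagecloud and runs it with `bash` as root, clones DPDK over plain `http://` at whatever HEAD happens to be, builds it and `insmod`s the resulting `igb_uio.ko`, with no pinning, checksum or failure handling anywhere in the chain — a failed `wget` simply falls through to `bash ./script.deb.sh` on a missing file and the script carries on. Pin and verify: clone a release tag over TLS (`git clone --branch <pinned-dpdk-tag> <dpdk-https-url>`), compare the downloaded `script.deb.sh` against a recorded checksum before executing it, and abort provisioning on error (`set -e` at the top of the `template: |`, which starts outside this hunk). Two smaller points in the same lines: `RTE_TARGET=x86_64-native-linuxapp-gcc/` (trailing slash, `linuxapp`) does not match the `T=x86_64-native-linux-gcc` passed to `make install` and used in the `insmod` path, so one of them is stale; and `dpdk-devbind.py -b igb_uio 00:06.0`/`00:05.0` hard-codes PCI addresses although the template declares `input_device_interface_A` as a "Device BDF name" parameter — if that parameter is meant for these ports, bind via a `str_replace` placeholder instead.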
@@ -509,28 +575,28 @@ resources: vipsec_1: type: OS::Nova::Server properties: - image: { get_param: vipsec_image_name } + image: { get_param: basic_image_name } flavor: { get_param: ipsec_flavor_name } name: { get_param: vipsec_name_1 } key_name: { get_resource: my_keypair } networks: - - network: { get_param: public_net_id } - port: { get_resource: vipsec_B_private_0_port } - port: { get_resource: vipsec_B_private_1_port } + - port: { get_resource: vipsec_B_private_2_port } metadata: { vnf_id: { get_param: vnf_id }, vf_module_id: { get_param: vf_module_id }} user_data_format: RAW user_data: str_replace: params: - __dcae_collector_ip__ : { get_param: dcae_collector_ip } - __dcae_collector_port__ : { get_param: dcae_collector_port } - __demo_artifacts_version__ : { get_param: demo_artifacts_version } - __install_script_version__ : { get_param: install_script_version } - __vipsec_A_private_ip_0__ : { get_param: vipsec_B_private_ip_0 } - __vipsec_A_private_ip_1__ : { get_param: vipsec_B_private_ip_1 } - __protected_clientA_private_net_cidr__ : { get_param: protected_clientB_private_net_cidr } - __onap_private_net_cidr__ : { get_param: onap_private_net_cidr } - __cloud_env__ : { get_param: cloud_env } + __dcae_collector_ip__: { get_param: dcae_collector_ip } + __dcae_collector_port__: { get_param: dcae_collector_port } + __demo_artifacts_version__: { get_param: demo_artifacts_version } + __install_script_version__: { get_param: install_script_version } + __vipsec_A_private_ip_0__: { get_param: vipsec_B_private_ip_0 } + __vipsec_A_private_ip_1__: { get_param: vipsec_B_private_ip_1 } + __protected_clientA_private_net_cidr__: { get_param: protected_clientB_private_net_cidr } + __onap_private_net_cidr__: { get_param: onap_private_net_cidr } + __cloud_env__: { get_param: cloud_env } __nexus_artifact_repo__: { get_param: nexus_artifact_repo } __vpp_config__: { get_param: vpp_config } __ipsec_config__: { get_param: ipsec_config } 
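Review bot: The `str_replace` params for `vipsec_1` still map `__vipsec_A_private_ip_0__` / `__vipsec_A_private_ip_1__` / `__protected_clientA_private_net_cidr__` to the gateway B values (`vipsec_B_private_ip_0`, `vipsec_B_private_ip_1`, `protected_clientB_private_net_cidr`); since the commit rewrites every one of these lines anyway, this was the moment to give the placeholders role-neutral names. Renaming them (constructed example: `__vipsec_private_ip_0__`) requires the same change in the `template: |` body, which lies outside this hunk, so a comment above `params:` such as `# placeholders are named for gateway A but carry gateway B values; the template body is shared` is the minimum if the rename is deferred.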
@@ -564,10 +630,23 @@ resources: # Download and run install script apt-get update - cd /root/comms/dpdk/x86_64-native-linuxapp-gcc/kmod - modeprobe uio - insmod igb_uio.ko + wget https://packagecloud.io/install/repositories/fdio/release/script.deb.sh + bash ./script.deb.sh + apt install -y vpp + apt install -y vpp-plugin-dpdk + apt install -y make gcc libnuma-dev python cd /opt + git clone http://dpdk.org/git/dpdk + cd /opt/dpdk + export RTE_TARGET=x86_64-native-linuxapp-gcc/ + export DESTDIR=/opt/dpdk + export RTE_SDK=/opt/dpdk + make install T=x86_64-native-linux-gcc + modprobe uio + insmod x86_64-native-linux-gcc/kmod/igb_uio.ko + python ./usertools/dpdk-devbind.py -b igb_uio 00:05.0 + python ./usertools/dpdk-devbind.py -b igb_uio 00:06.0 + cd /opt/config cat > __vpp_config__<< NEWFILE unix { @@ -600,14 +679,13 @@ resources: } vdev crypto_aesni_gcm0 - num-mbufs 370000 no-multi-seg } NEWFILE cat > __ipsec_config__<< NEWFILE - + set interface state __input_interface__ up set interface state __output_interface__ up @@ -631,7 +709,7 @@ resources: ipsec policy add spd 1 inbound priority 100 action protect sa 2 remote-ip-range 004.0.0.0-004.0.0.0 ipsec policy add spd 1 inbound priority 90 protocol 50 action bypass ipsec policy add spd 1 outbound priority 90 protocol 50 action bypass - + NEWFILE vpp -c __vpp_config__ 
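Review bot: The `vipsec_1` install script is a second verbatim copy of the `vipsec_0` one and the two have already drifted in this commit (`cd /opt/dpdk` here versus `cd dpdk` in `vipsec_0`, and the two `dpdk-devbind.py` lines in opposite order), which is how the original `modeprobe` typo ended up needing a fix in two places. Heat's `str_replace` can take its `template` from `get_file`, so a single install script referenced by both servers, with the per-gateway differences passed as params, would keep the two gateways from diverging further. If `get_file` is not usable in this deployment path, at least make the two copies textually identical so a diff between them shows only intended differences.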
@@ -645,26 +723,32 @@ resources: binding:vnic_type: { get_param: vpg_private_0_port_vnic_type} fixed_ips: [{"subnet": { get_resource: protected_clientA_private_subnet }, "ip_address": { get_param: vpg_private_ip_0 }}] security_groups: - - { get_param: sec_group } + - { get_resource: security_group_ipsec } vpg_private_1_port: type: OS::Neutron::Port properties: - network: { get_param: onap_private_net_id } + network: { get_resource: onap_private_net } binding:vnic_type: { get_param: vpg_private_1_port_vnic_type} - fixed_ips: [{"subnet": { get_param: onap_private_subnet_id }, "ip_address": { get_param: vpg_private_ip_1 }}] + fixed_ips: [{"subnet": { get_resource: onap_private_subnet }, "ip_address": { get_param: vpg_private_ip_1 }}] security_groups: - - { get_param: sec_group } + - { get_resource: security_group_ipsec } + + + vpg_0_floating_ip: + type: OS::Neutron::FloatingIP + properties: + floating_network_id: { get_param: public_net_id } + port_id: { get_resource: vpg_private_1_port } vpg_0: type: OS::Nova::Server properties: - image: { get_param: vipsec_image_name } + image: { get_param: basic_image_name } flavor: { get_param: packetgen_flavor_name } name: { get_param: vpg_name_0 } key_name: { get_resource: my_keypair } networks: - - network: { get_param: public_net_id } - port: { get_resource: vpg_private_0_port } - port: { get_resource: vpg_private_1_port } metadata: {vnf_id: { get_param: vnf_id }, vf_module_id: { get_param: vf_module_id }} 
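Review bot: Two consecutive blank lines are added before `vpg_0_floating_ip` while every other resource in the file is separated by one; yamllint's `empty-lines` default would flag it, so drop one. The hunk also attaches `security_group_ipsec` to `vpg_private_0_port`, the generator's data-plane port on the protected client A network, where that group's ssh/icmp-only ingress rules serve no purpose — if a group is required on that port it should be one whose rules describe the generator traffic, not the management group.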
@@ -675,27 +759,27 @@ resources: __ipsec_ipaddr__: { get_param: vipsec_A_private_ip_0 } __protected_clientB_net_cidr__: { get_param: protected_clientB_private_net_cidr } __sink_ipaddr__: { get_param: vsn_private_ip_0 } - __demo_artifacts_version__ : { get_param: demo_artifacts_version } - __install_script_version__ : { get_param: install_script_version } - __vpg_private_ip_0__ : { get_param: vpg_private_ip_0 } - __vpg_private_ip_1__ : { get_param: vpg_private_ip_1 } - __protected_clientA_net_cidr__ : { get_param: protected_clientA_private_net_cidr } - __onap_private_net_cidr__ : { get_param: onap_private_net_cidr } - __cloud_env__ : { get_param: cloud_env } + __demo_artifacts_version__: { get_param: demo_artifacts_version } + __install_script_version__: { get_param: install_script_version } + __vpg_private_ip_0__: { get_param: vpg_private_ip_0 } + __vpg_private_ip_1__: { get_param: vpg_private_ip_1 } + __protected_clientA_net_cidr__: { get_param: protected_clientA_private_net_cidr } + __onap_private_net_cidr__: { get_param: onap_private_net_cidr } + __cloud_env__: { get_param: cloud_env } __nexus_artifact_repo__: { get_param: nexus_artifact_repo } template: | #!/bin/bash # Create configuration files mkdir /opt/config - echo "__ipsec_ipaddr__" > /opt/config/fw_ipaddr.txt + echo "__ipsec_ipaddr__" > /opt/config/vipsec_ipaddr.txt echo "__protected_clientB_net_cidr__" > /opt/config/protected_clientB_net_cidr.txt echo "__sink_ipaddr__" > /opt/config/sink_ipaddr.txt echo "__demo_artifacts_version__" > /opt/config/demo_artifacts_version.txt echo "__install_script_version__" > /opt/config/install_script_version.txt echo "__vpg_private_ip_0__" > /opt/config/vpg_private_ip_0.txt echo "__vpg_private_ip_1__" > /opt/config/vpg_private_ip_1.txt - echo "__protected_clientB_private_net_cidr__" > /opt/config/protected_clientA_net_cidr.txt + echo "__protected_clientA__net_cidr__" > /opt/config/protected_clientA_net_cidr.txt echo "__onap_private_net_cidr__" > 
/opt/config/onap_private_net_cidr.txt echo "__cloud_env__" > /opt/config/cloud_env.txt echo "__nexus_artifact_repo__" > /opt/config/nexus_artifact_repo.txt @@ -719,26 +803,31 @@ resources: binding:vnic_type: { get_param: vsn_private_0_port_vnic_type} fixed_ips: [{"subnet": { get_resource: protected_clientB_private_subnet }, "ip_address": { get_param: vsn_private_ip_0 }}] security_groups: - - { get_param: sec_group } + - { get_resource: security_group_ipsec } vsn_private_1_port: type: OS::Neutron::Port properties: - network: { get_param: onap_private_net_id } + network: { get_resource: onap_private_net } binding:vnic_type: { get_param: vsn_private_1_port_vnic_type} - fixed_ips: [{"subnet": { get_param: onap_private_subnet_id }, "ip_address": { get_param: vsn_private_ip_1 }}] + fixed_ips: [{"subnet": { get_resource: onap_private_subnet }, "ip_address": { get_param: vsn_private_ip_1 }}] security_groups: - - { get_param: sec_group } + - { get_resource: security_group_ipsec } + + vsn_floating_ip: + type: OS::Neutron::FloatingIP + properties: + floating_network_id: { get_param: public_net_id } + port_id: { get_resource: vsn_private_1_port } vsn_0: type: OS::Nova::Server properties: - image: { get_param: vipsec_image_name } + image: { get_param: basic_image_name } flavor: { get_param: sink_flavor_name } name: { get_param: vsn_name_0 } key_name: { get_resource: my_keypair } networks: - - network: { get_param: public_net_id } - port: { get_resource: vsn_private_0_port } - port: { get_resource: vsn_private_1_port } metadata: {vnf_id: { get_param: vnf_id }, vf_module_id: { get_param: vf_module_id }} 
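Review bot: The rewritten echo line `echo "__protected_clientA__net_cidr__" > /opt/config/protected_clientA_net_cidr.txt` uses a placeholder with a doubled underscore (`clientA__net`) that matches nothing in `params`, whose key is `__protected_clientA_net_cidr__`, so `str_replace` leaves the literal string in the file and the vPG will read `__protected_clientA__net_cidr__` as its CIDR. The fix is the single line `echo "__protected_clientA_net_cidr__" > /opt/config/protected_clientA_net_cidr.txt`. Separately, the config file is renamed from `fw_ipaddr.txt` to `vipsec_ipaddr.txt`; whatever consumes `/opt/config` on the vPG (presumably the install scripts pulled from `__nexus_artifact_repo__`) must be updated in lockstep or it will keep looking for the old name.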
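Review bot: The new floating-IP resource is named `vsn_floating_ip` while its siblings are `vpg_0_floating_ip` and `ipsec_0_floating_ip`/`ipsec_1_floating_ip`; rename it to `vsn_0_floating_ip` to match the `vsn_0` server and the `_0` convention. Its `port_id` references `vsn_private_1_port`, the management port, consistently with the other two, but nothing in the template says the floating IPs are for management access only — a one-line `# management access via public_net_id; data-plane ports stay on the provider networks` above each floating-IP resource would make that intent explicit.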
@@ -748,12 +837,12 @@ resources: params: __protected_net_gw__: { get_param: vipsec_B_private_ip_0 } __protected_net_A__: { get_param: protected_clientA_private_net_cidr } - __install_script_version__ : { get_param: install_script_version } - __vsn_private_ip_0__ : { get_param: vsn_private_ip_0 } - __vsn_private_ip_1__ : { get_param: vsn_private_ip_1 } - __protected_clientB_private_net_cidr__ : { get_param: protected_clientB_private_net_cidr } - __onap_private_net_cidr__ : { get_param: onap_private_net_cidr } - __cloud_env__ : { get_param: cloud_env } + __install_script_version__: { get_param: install_script_version } + __vsn_private_ip_0__: { get_param: vsn_private_ip_0 } + __vsn_private_ip_1__: { get_param: vsn_private_ip_1 } + __protected_clientB_private_net_cidr__: { get_param: protected_clientB_private_net_cidr } + __onap_private_net_cidr__: { get_param: onap_private_net_cidr } + __cloud_env__: { get_param: cloud_env } __nexus_artifact_repo__: { get_param: nexus_artifact_repo } template: | #!/bin/bash