...
Sdewan CRD definition:
Calling Sequence:
System 1. System Deployment process
- ICN deploys K8s cluster
...
- and installs kud addon: (1) Multus CNI plugin as default CNI plugin (2) ovn4nfv CNI plugin (3) Sdewan Conf Agent (sdewan-operator) as deployment
- Note: Sdewan-operator includes (1) Sdewan Controller (monitor Sdewan CR) (2) Mwan3conf Controller (monitor Mwan3Conf CR) (3) FirewallConf Controller (monitor FirewallConf CR) (4) IPSec Controller (Monitor IpSec CR)
- Admin (or SDEWAN Conf manager?) creates (1) Network CR (to setup OVN virtual network) (2) Provider Network CR (to setup provider network by configuration network interface on each node)
2. Create SDEWAN CNF Pod process
- SDEWAN conf mgr creates Mwan3Conf CR (or FirewareConf CR, IpSecConf CR), the CRs (for Mwan3Conf CR, it defined the mwan3 policy/rule) are saved in k8s etcd as K8s resources
- SDEWAN conf mgr creates Sdewan CR with below information:
- Node: the CNF pod should be created on which node
- Interfaces: include (1) internal network interface which connect to OVN virtual network (2) provider network interface which connect to provider network
- Configuration: the name of pre-defined Mwan3Conf/FirewallConf/IpSecConf CR
- Sdewan Controller (running inside Sdewan Conf Agent) gets the notification of new-created Sdewan CR, call K8s API to (1) create Sdewan CNF (Pod and Service) on required Node (through NodeSelector) (2) generate /etc/config/network file (through ConfigMap) to create logical interfaces for Sdewan CNF container.
- Note: OpenWRT applications (such as mwan3, firewall, ipsec etc.) do not use system network interfaces (e.g. "eth0", "net1" which can be listed by "ip a") directly, instead, it uses the logical interfaces (such as "lan", "wan1" etc.), and the logical interfaces are map to real network interfaces in file /etc/config/network
- K8s creates the Sdewan CNF pod and call ovn4k8s CNI plugin to attach required network interfaces (defined in Sdewan CR) with the Pod
- When the Pod is ready, Sdewan Controller (running inside Sdewan Conf Agent) call the rest API (through Node's FQDN) to (1) login (2) Set configuration (defined in Mwan3Conf, FirewallConf or IpSecConf) to setup initial rule inside the CNF (3) restart Mwan3 (or Firewall, IpSec) service to apply the rules in the CNF
- Note: the configuration rules can be updated/added/deleted at runtime in Update/Delete Rule process
3. Update/Delete Rule process (use Mwan3conf as example)
- SDEWAN conf mgr updates Mwan3Conf CR (or FirewareConf CR, IpSecConf CR), the CR is saved inside K8s etcd as resource
- K8s notifies Mwan3Conf controller (run inside Sdewan Conf Agent) the CR update/delete event
- Mwan3Conf controller (run inside Sdewan Conf Agent) finds all Sdewan CRs which uses this Mwan3Conf (through Sdewan CR's Mwan3Conf property), then call the rest API (through found CR's node property) to (1) update/delete configuration (2) restart Mwan3 service to apply the change
4. Delete SDEWAN CNF Pod process
- SDEWAN conf mgr deletes Sdewan CR
- K8s notifies Sdewan controller (run inside Sdewan Conf Agent) the CR delete event
- Sdewan controller (run inside Sdewan Conf Agent) finds the Sdewan CNF owned by this deleted CR, call k8s API to delete the CNF
Timeline
Module | Tasks | Owner | Due | Current Status | Description |
---|---|---|---|---|---|
PORs | |||||
POC | Setup IPSec tunnel | Ruoyu | Feb.26 | WW09: setup POC environment by manual configuration (Site-2-Site, Initiator-responder, Initiator-responder with vip) - Done | |
SDEWAN CNF | |||||
Service API | Huifeng | Done | Start/stop/restart/reload SDWAN service, includes: mwan3, firewall/NAT, IpSec. Reference: SDEWAN CNF#SDEWANService | ||
MWAN3 API | Huifeng | Done | Support MWAN3 rule/policy configuration. Reference: SDEWAN CNF#MWAN3 OpenWRT Reference: https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3 | ||
Firewall API | Huifeng | Design: Feb.26 Implementation: Mar.12 | WW08: Initial design Done WW09: Implementation - 50% WW10: 80% WW11: done | Support firewall configuration for zone (general rule for a group of interfaces), forwarding (iptables forward), rule, redirect (DNAT/SNAT). Reference: SDEWAN CNF#Firewall OpenWRT Reference: https://openwrt.org/docs/guide-user/firewall/firewall_configuration | |
IPSec API | Ruoyu | Design: Feb.26 Implementation: Mar.18 | WW08: Initial design Done WW09: design done (to be reviewed) WW10/11/12: 50% | Support IPSec configuration for remote site, proposal. Reference: https://wiki.akraino.org/display/AK/IPSec+Design#IPSecDesign-IPSecRestAPI OpenWRT Reference: https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/start (Note: OpenWRT Wiki page is out-of-date compare to 18.06 implementation which we used and the current design is based on openwrt ipsec code directly) | |
SDEWAN CNF Controller | |||||
SDEWAN CRD | Cheng | Done | Define a SDWAN CNF with mwan3, firewall and IPSec configuration Reference: Sdewan config Agent | ||
MWAN3 CRD | Cheng | Design: Done Implementation: Feb. 26 | WW08: CRD design done, implementation: - Done | Define MWAN3 configuration (policy, rule) Reference: Sdewan config Agent | |
Firewall CRD | Cheng | Design: Feb.26 Implementation: Mar.12 | WW09: CRD design - Done WW10/11: Done | Define Firewall CRD (zone, forwarding, rule, redirect (NAT)) | |
IPSec CRD | Ruoyu | Design: Feb.26 Implementation: Mar.18 | WW08: initial design done WW09: design done (to be reviewed) WW10/11/12: implementation 80% | Define IPSec CRD (remote site, proposal) Reference: https://wiki.akraino.org/display/AK/IPSec+Design#IPSecDesign-IPSecCRD Scenario design: SD-EWAN Scenarios | |
Integration | CNF controller and CNF Rest API integration | ||||
MWAN3 | Cheng/Huifeng | Feb.26 | WW09: integration - Done | MWAN3 CRD/Restful API integration | |
Firewall | Cheng/Huifeng | Mar.26 | WW12: start to work | Firewall CRD/Restful API integration | |
IPSec | Ruoyu/Huifeng | Apr.1 | IPSec CRD/Restful API integration | ||
SDEWAN demo | E2E demo for SDEWAN solution | ||||
Demo scenario design | All | Apr.8 | Design E2E demo scenario and setup the environment | ||
Demo scenario integration | All | Apr.15 | E2E working flow enabling | ||
Integration with ONAP | All | TBD | Create helm chart which to be integrated in Kud test cases for ONAP | ||
Stretch Goals | |||||
SDWAN Hub Controller | EWAN Config Manager: call EWAN Conf Agent to configure EWAN CNF | Rama | |||
Key | Store key in TPM | Cheng | |||
QAT Support | Investigate how to enable QAT support for IPSec (Client library such as OpenSSL configuration, kernel module is not need in CNF) | Ruoyu |
...