Goals

In ICN's SDWAN use cases, an SFC (Service Function Chain) is designed to let corporate networks connect to the external internet over a secure connection. The SFC includes a Security VNF (e.g. firewall), a WAN Opt CNF and an SDWAN VNF/CNF. The SDWAN module works as a software-defined router that is used to define the rules applied when connecting to the external internet. The diagram below shows where the SDWAN module is located in the whole system.

...

The diagrams below describe the CRD definition and the calling sequence between SDEWAN Conf Mgr, K8s, Sdewan CNF and Sdewan Conf Agent.

Sdewan CRD definition:


Calling Sequence:

...

  • ICN deploys the K8s cluster and installs the kud addon: (1) Multus CNI plugin as the default CNI plugin (2) ovn4nfv CNI plugin (3) Sdewan Conf Agent (sdewan-operator) as a deployment
    • Note: Sdewan-operator includes (1) Sdewan Controller (monitors Sdewan CR) (2) Mwan3conf Controller (monitors Mwan3Conf CR) (3) FirewallConf Controller (monitors FirewallConf CR) (4) IPSec Controller (monitors IpSec CR)
  • Admin (or SDEWAN Conf manager?) creates (1) a Network CR (to set up the OVN virtual network) (2) a Provider Network CR (to set up the provider network by configuring the network interface on each node)

2. Create SDEWAN CNF (Pod) process

  • SDEWAN conf mgr creates a Mwan3Conf CR (or FirewallConf CR, IpSecConf CR); the CRs (a Mwan3Conf CR defines the mwan3 policy/rule) are saved in K8s etcd as K8s resources
  • SDEWAN conf mgr creates a Sdewan CR with the following information:
    • Node: the node on which the CNF pod should be created
    • Interfaces: include (1) the internal network interface, which connects to the OVN virtual network (2) the provider network interface, which connects to the provider network
    • Configuration: the name of a pre-defined Mwan3Conf/FirewallConf/IpSecConf CR
  • Sdewan Controller (running inside Sdewan Conf Agent) gets the notification of the newly created Sdewan CR and calls the K8s API to (1) create the Sdewan CNF (Pod and Service) on the required Node (through NodeSelector) (2) create a ConfigMap which stores the logical network interface information; the ConfigMap is used to generate the /etc/config/network file, which creates the logical interfaces in the Sdewan CNF container.
    • Note: OpenWRT applications (such as mwan3, firewall, ipsec etc.) do not use system network interfaces (e.g. "eth0", "net1", which can be listed by "ip a") directly; instead, they use logical interfaces (such as "lan", "wan1" etc.), and the logical interfaces are mapped to real network interfaces in the file /etc/config/network
  • K8s creates the Sdewan CNF pod and calls the ovn4k8s CNI plugin to attach the required network interfaces (defined in the Sdewan CR) to the Pod
  • When the Pod is ready (through the k8s readiness check), Sdewan Controller (running inside Sdewan Conf Agent) calls the REST API (through the Node's FQDN) to (1) log in (2) set the configuration (defined in Mwan3Conf, FirewallConf or IpSecConf) to set up the initial rules inside the CNF (3) restart the Mwan3 (or Firewall, IpSec) service to apply the rules in the CNF
    • Note: the configuration rules can be updated/added/deleted at runtime in Update/Delete Rule process
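
The logical-to-real interface mapping described above is rendered into /etc/config/network from data that originates in a CR, so it should be validated before it is written into the ConfigMap. The following is an added example, not the sdewan-operator's own code: the function name, the name patterns, the `ifname` option and `proto 'dhcp'` are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Logical names ("lan", "wan1") and device names ("eth0", "net1") are restricted
// so that a CR value cannot inject quotes or newlines into the UCI file.
var (
	logicalRe = regexp.MustCompile(`^[a-z][a-z0-9_]{0,14}$`)
	deviceRe  = regexp.MustCompile(`^[a-zA-Z0-9_.-]{1,15}$`)
)

// RenderNetworkConfig (hypothetical helper) turns a logical->real interface
// map into /etc/config/network content in UCI syntax. Output is sorted so the
// ConfigMap data stays stable across reconciles.
// Assumption: every interface uses option 'ifname' and proto 'dhcp'.
func RenderNetworkConfig(ifaces map[string]string) (string, error) {
	names := make([]string, 0, len(ifaces))
	for n := range ifaces {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		dev := ifaces[n]
		if !logicalRe.MatchString(n) {
			return "", fmt.Errorf("invalid logical interface name %q", n)
		}
		if !deviceRe.MatchString(dev) {
			return "", fmt.Errorf("invalid device name %q for %q", dev, n)
		}
		fmt.Fprintf(&b, "config interface '%s'\n\toption ifname '%s'\n\toption proto 'dhcp'\n\n", n, dev)
	}
	return b.String(), nil
}

func main() {
	// Constructed sample mapping, not taken from the project.
	cfg, err := RenderNetworkConfig(map[string]string{"lan": "eth0", "wan1": "net1"})
	if err != nil {
		panic(err)
	}
	fmt.Print(cfg)
}
```

Rejecting the whole mapping on the first invalid name keeps a partially rendered file from ever reaching the CNF container.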

...

  • SDEWAN conf mgr updates the Mwan3Conf CR (or FirewallConf CR, IpSecConf CR); the CR is saved inside K8s etcd as a resource
  • K8s notifies the Mwan3Conf controller (running inside Sdewan Conf Agent) of the CR update/delete event
  • Mwan3Conf controller (running inside Sdewan Conf Agent) finds all Sdewan CRs which use this Mwan3Conf (through the Sdewan CR's Mwan3Conf property), then calls the REST API (through the found CR's node property) to (1) update/delete the configuration (2) update the status of the found Sdewan CRs to trigger the Sdewan controller's Reconcile, which updates/deletes the new Mwan3Conf and restarts the Mwan3 service to apply the change.

4. Delete SDEWAN CNF (Pod) process

  • SDEWAN conf mgr deletes the Sdewan CR
  • K8s notifies the Sdewan controller (running inside Sdewan Conf Agent) of the CR delete event
  • Sdewan controller (running inside Sdewan Conf Agent) finds the Sdewan CNF owned by the deleted CR and calls the K8s API to delete the CNF

...