Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
support ovn ipsec
- Loading branch information
Showing
2 changed files
with
109 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,106 @@ | ||
| #!/bin/bash | ||
| set -euo pipefail | ||
|
|
||
| OVN_NB_POD= | ||
|
|
||
| showHelp(){ | ||
| echo "sh ipsec.sh [init|start|stop|status]" | ||
| } | ||
|
|
||
| getOvnCentralPod(){ | ||
| NB_POD=$(kubectl get pod -n kube-system -l ovn-nb-leader=true | grep ovn-central | head -n 1 | awk '{print $1}') | ||
| if [ -z "$NB_POD" ]; then | ||
| echo "nb leader not exists" | ||
| exit 1 | ||
| fi | ||
| OVN_NB_POD=$NB_POD | ||
| } | ||
|
|
||
| initIpsec (){ | ||
| podNames=`kubectl get pod -n kube-system -l app=ovs -o 'jsonpath={.items[*].metadata.name}'` | ||
| for pod in $podNames; do | ||
| caPod=$pod | ||
| break | ||
| done | ||
|
|
||
| echo " Initing CA $caPod " | ||
| kubectl exec -it $caPod -n kube-system -- ovs-pki init --force > /dev/null | ||
|
|
||
| for pod in $podNames; do | ||
| echo " Initing privkey,req,cert file on pod $pod " | ||
| systemId=$(kubectl exec -it ${pod} -n kube-system -- ovs-vsctl get Open_vSwitch . external_ids:system-id | tr -d '"' | tr -d '\r') | ||
|
|
||
| kubectl exec -it $pod -n kube-system -- ovs-pki req -u $systemId --force > /dev/null | ||
| kubectl exec -it $pod -n kube-system -- mv "${systemId}-privkey.pem" /etc/ipsec.d/private/ | ||
| kubectl exec -it $pod -n kube-system -- mv "${systemId}-req.pem" /etc/ipsec.d/reqs/ | ||
|
|
||
| if [[ $pod == $caPod ]]; then | ||
| kubectl exec -it $pod -n kube-system -- rm -f "/etc/ipsec.d/reqs/${systemId}-cert.pem" > /dev/null | ||
| kubectl exec -it $pod -n kube-system -- ovs-pki sign -b "/etc/ipsec.d/reqs/${systemId}" switch > /dev/null | ||
| kubectl exec -it $pod -n kube-system -- mv "/etc/ipsec.d/reqs/${systemId}-cert.pem" /etc/ipsec.d/certs/ | ||
| kubectl exec -it $pod -n kube-system -- cp /var/lib/openvswitch/pki/switchca/cacert.pem /etc/ipsec.d/cacerts/ > /dev/null | ||
| else | ||
| kubectl cp "${pod}:/etc/ipsec.d/reqs/${systemId}-req.pem" "${systemId}-req.pem" -n kube-system > /dev/null | ||
| kubectl cp "${systemId}-req.pem" "${caPod}:/kube-ovn/" -n kube-system > /dev/null | ||
| # ovs-pki sign do not have options --force so rm cert first | ||
| kubectl exec -it $caPod -n kube-system -- rm -f "/kube-ovn/${systemId}-cert.pem" | ||
| kubectl exec -it $caPod -n kube-system -- ovs-pki sign -b ${systemId} switch > /dev/null | ||
| kubectl cp "${caPod}:/kube-ovn/${systemId}-cert.pem" "${systemId}-cert.pem" -n kube-system > /dev/null | ||
| kubectl cp "${systemId}-cert.pem" "${pod}:/etc/ipsec.d/certs/" -n kube-system > /dev/null | ||
|
|
||
| kubectl cp "${caPod}:/var/lib/openvswitch/pki/switchca/cacert.pem" cacert.pem -n kube-system > /dev/null | ||
| kubectl cp cacert.pem "${pod}:/etc/ipsec.d/cacerts/" -n kube-system > /dev/null | ||
|
|
||
| # clean temp files | ||
| kubectl exec -it $caPod -n kube-system -- rm -f "/kube-ovn/${systemId}-req.pem" | ||
| kubectl exec -it $caPod -n kube-system -- rm -f "/kube-ovn/${systemId}-cert.pem" | ||
| rm -f ${systemId}-req.pem | ||
| rm -f ${systemId}-cert.pem | ||
| rm -f cacert.pem | ||
| fi | ||
|
|
||
| kubectl exec -it $pod -n kube-system -- ovs-vsctl set Open_vSwitch . \ | ||
| other_config:certificate=/etc/ipsec.d/certs/"${systemId}-cert.pem" \ | ||
| other_config:private_key=/etc/ipsec.d/private/"${systemId}-privkey.pem" \ | ||
| other_config:ca_cert=/etc/ipsec.d/cacerts/cacert.pem | ||
| done | ||
|
|
||
| echo " Enabling ovn ipsec " | ||
| kubectl ko nbctl set nb_global . ipsec=true | ||
|
|
||
| for pod in $podNames; do | ||
| echo " Starting pod ${pod} ipsec service" | ||
| kubectl exec -it -n kube-system $pod -- service openvswitch-ipsec restart > /dev/null | ||
| kubectl exec -it -n kube-system $pod -- service ipsec restart > /dev/null | ||
| done | ||
|
|
||
| echo " Kube-OVN ipsec init successfully, it may take a few seconds to setup ipsec completely " | ||
| } | ||
|
|
||
| getOvnCentralPod | ||
| subcommand="$1"; shift | ||
|
|
||
| case $subcommand in | ||
| init) | ||
| initIpsec | ||
| ;; | ||
| start) | ||
| kubectl exec "$OVN_NB_POD" -n kube-system -c ovn-central -- ovn-nbctl set nb_global . ipsec=true | ||
| echo " Kube-OVN ipsec started " | ||
| ;; | ||
| stop) | ||
| kubectl exec "$OVN_NB_POD" -n kube-system -c ovn-central -- ovn-nbctl set nb_global . ipsec=false | ||
| echo " Kube-OVN ipsec stopped " | ||
| ;; | ||
| status) | ||
| podNames=`kubectl get pod -n kube-system -l app=ovs -o 'jsonpath={.items[*].metadata.name}'` | ||
| for pod in $podNames; do | ||
| echo " Pod {$pod} ipsec status..." | ||
| kubectl exec -it $pod -n kube-system -- ovs-appctl -t ovs-monitor-ipsec tunnels/show | ||
| done | ||
| ;; | ||
| *) | ||
| showHelp | ||
| exit 1 | ||
| ;; | ||
| esac |