{"id":20074163,"url":"https://github.com/juniper/container-networking-ansible","last_synced_at":"2025-09-02T10:35:35.056Z","repository":{"id":84614466,"uuid":"46751834","full_name":"Juniper/container-networking-ansible","owner":"Juniper","description":"Ansible provisioning for container networking solutions using OpenContrail","archived":false,"fork":false,"pushed_at":"2016-04-21T18:27:59.000Z","size":143,"stargazers_count":11,"open_issues_count":3,"forks_count":16,"subscribers_count":172,"default_branch":"master","last_synced_at":"2025-04-09T04:25:43.314Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Juniper.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-11-23T22:27:05.000Z","updated_at":"2019-02-08T13:14:58.000Z","dependencies_parsed_at":"2023-03-01T18:15:18.111Z","dependency_job_id":null,"html_url":"https://github.com/Juniper/container-networking-ansible","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Juniper%2Fcontainer-networking-ansible","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Juniper%2Fcontainer-networking-ansible/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Juniper%2Fcontainer-networking-ansible/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Juniper%2Fcontainer-networking-ansible/manifests","own
er_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Juniper","download_url":"https://codeload.github.com/Juniper/container-networking-ansible/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252580021,"owners_count":21771252,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T14:49:38.601Z","updated_at":"2025-05-05T21:31:22.570Z","avatar_url":"https://github.com/Juniper.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# container-networking-ansible\nAnsible provisioning for container networking solutions using OpenContrail\n\nThis repository contains provisioning instructions to install OpenContrail\nas a network overlay for container-based cluster management solutions.\n\nThe test directory defines a jenkins workflow that creates and\ninstalls a test cluster and executes an application within the\ncluster.\n\nFor support/questions:\n - Join the slack team at `slack.opencontrail.org`\n - Developers mailing list: dev@lists.opencontrail.org\n\nThe opencontrail playbook consists of the following:\n  - filter_plugins/ip_filters.py\n  - roles/opencontrail{,_facts,_provision}\n\nThe playbooks are designed to be add-ons to the existing ansible provisioning for kubernetes and openshift.\n\n### Kubernetes\n\n#### Network segmentation and access control\nWhen opencontrail is used as the kubernetes network plugin, it isolates all pods by default according to `namespace` and a user-defined tag. 
External traffic is restricted to services that are annotated with an ExternalIP address or have \"type\" set to \"LoadBalancer\". This causes the opencontrail plugin to allocate an address on the public network and assign it to all the pods in this service.\n\nServices in the `kube-system` namespace are also available to all Pods, irrespective of the namespace of the pod. This is configured via the `cluster-service` option in /etc/kubernetes/network.conf. The cluster-service network is also connected to the underlay network where masters and nodes are present, so it is the path between the overlay and the infrastructure hosts.\n\nPods are expected to communicate with the master via its ClusterIP address.\n\n#### Deployment\nUse the kubernetes ansible playbook at https://github.com/kubernetes/contrib.\n\n- edit ansible/group_vars/all.yml\n```\nnetworking: opencontrail\n```\n\n- inventory file:\n```\n[opencontrail:children]\nmasters\nnodes\ngateways\n\n[opencontrail:vars]\nopencontrail_public_subnet=192.0.2.0/24\nopencontrail_kube_release=1.1\n\n```\n\n- patch ansible/cluster.yml according to:\nhttps://github.com/kubernetes/contrib/pull/261\n\n- run the ansible/cluster.yml playbook (e.g. via ansible/setup.sh)\n\n### OpenShift\n\n#### Network segmentation and access control\n\nThere are several differences in design between a plain-vanilla kubernetes cluster deployment and an openshift deployment:\n- OpenShift expects all external traffic to be delivered through the router service. 
The openshift router pod is a TCP load-balancer (HAProxy by default) that performs SSL termination and delivers traffic to the pods that implement the service.\n- OpenShift pods (builder/deployer) have the nasty habit of trying to reach the master through its infrastructure IP address (rather than using the ClusterIP).\n- OpenShift STI builder pods expect to be able to access external git repositories as well as package repositories for popular languages (python, ruby, etc.).\n- OpenShift builder pods use the docker daemon in the node and expect it to be able to talk to the docker-repository service running as a pod (in the overlay).\n- Deployer pods expect to be able to pull images from the docker-repository into the node docker daemon.\n\n* In the current test scripts, we expect the builder pods to use an http proxy in order to fetch software packages. The builder pods are spawned in the namespace that backs the user's `project`. Providing direct external access currently requires granting it to all pods, not just the builders. Future versions of the contrail-kubernetes plugin should support source-nat for outbound access to the public network. 
It is also possible to add a set of prefixes that contain the software and artifact repositories used by the builder to the global `cluster-service` network.\n* All traffic between the underlay and the overlay is expected to pass through the `cluster-service` gateway configured for `default:default`.\n\n#### Deployment\n- inventory file:\n```\n[OSEv3:children]\nmasters\nnodes\netcd\n\n# Set variables common for all OSEv3 hosts\n[OSEv3:vars]\n\nuse_openshift_sdn = false\nsdn_network_plugin_name = opencontrail\n\n[opencontrail:children]\nmasters\nnodes\ngateways\n\n[opencontrail:vars]\nopencontrail_public_subnet=192.0.2.0/24\nopencontrail_kube_release=origin-1.1\n```\n\n- provision opencontrail with the following playbook:\n```\n- hosts:\n    - masters\n    - nodes\n    - gateways\n  become: yes\n  roles:\n    - openshift_facts\n    - opencontrail_facts\n    - opencontrail\n  vars:\n    opencontrail_cluster_type: openshift\n  tags:\n    - opencontrail\n```\n\n- patch openshift-ansible with the following delta:\nhttps://github.com/openshift/openshift-ansible/compare/master...pedro-r-marques:opencontrail\n\n- install openshift via the ansible playbook\n- run the opencontrail_provision role\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjuniper%2Fcontainer-networking-ansible","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjuniper%2Fcontainer-networking-ansible","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjuniper%2Fcontainer-networking-ansible/lists"}