Feat(eos_designs): Allow to disable IPsec on dynamic peers for a path…

…-group avd (aristanetworks#3695)
Vibhu-gslab · Mar 5, 2024 · 2c5e5fc · 2c5e5fc
1 parent 368c63f
commit 2c5e5fc
Show file tree

Hide file tree

Showing 23 changed files with 130 additions and 32 deletions.
diff --git a/..._collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg b/..._collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg
@@ -25,10 +25,19 @@ router path-selection
          name autovpn-rr2
          ipv4 address 10.8.8.8
    !
+   path-group MPLS id 100
+      !
+      local interface Ethernet2
+      !
+      peer dynamic
+         ipsec disabled
+   !
    load-balance policy LB-DEFAULT-AUTOVPN-POLICY-CONTROL-PLANE
+      path-group MPLS
       path-group INET priority 42
    !
    load-balance policy LB-DEFAULT-AUTOVPN-POLICY-IT
+      path-group MPLS
       path-group INET priority 2
    !
    load-balance policy LB-PROD-AUTOVPN-POLICY-DEFAULT
@@ -101,6 +110,12 @@ interface Ethernet1
    ip address dhcp
    dhcp client accept default-route
 !
+interface Ethernet2
+   description MPLS-SP-1_Cat6
+   no shutdown
+   no switchport
+   ip address 10.14.14.14/31
+!
 interface Loopback0
    description Router_ID
    no shutdown

diff --git a/...molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-default-policy.cfg b/...molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-default-policy.cfg
@@ -78,11 +78,13 @@ router path-selection
       peer dynamic
    !
    path-group MPLS id 100
+      ipsec profile CP-PROFILE
       !
       local interface Ethernet2
          stun server-profile MPLS-cv-pathfinder-pathfinder-Ethernet2
       !
       peer dynamic
+         ipsec disabled
       !
       peer static router-ip 192.168.144.1
          name cv-pathfinder-pathfinder

diff --git a/...ctions/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge.cfg b/...ctions/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge.cfg
@@ -132,6 +132,7 @@ router path-selection
          stun server-profile MPLS-cv-pathfinder-pathfinder-Ethernet2
       !
       peer dynamic
+         ipsec disabled
       !
       peer static router-ip 192.168.144.1
          name cv-pathfinder-pathfinder

diff --git a/...ions/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge2B.cfg b/...ions/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge2B.cfg
@@ -124,6 +124,7 @@ router path-selection
          stun server-profile MPLS-cv-pathfinder-pathfinder-Ethernet2
       !
       peer dynamic
+         ipsec disabled
       !
       peer static router-ip 192.168.144.1
          name cv-pathfinder-pathfinder

diff --git a/...s/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1A.cfg b/...s/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1A.cfg
@@ -152,6 +152,7 @@ router path-selection
          stun server-profile MPLS-cv-pathfinder-pathfinder-Ethernet2
       !
       peer dynamic
+         ipsec disabled
       !
       peer static router-ip 192.168.144.1
          name cv-pathfinder-pathfinder

diff --git a/...s/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1B.cfg b/...s/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1B.cfg
@@ -152,6 +152,7 @@ router path-selection
          stun server-profile MPLS-cv-pathfinder-pathfinder-Ethernet2
       !
       peer dynamic
+         ipsec disabled
       !
       peer static router-ip 192.168.144.1
          name cv-pathfinder-pathfinder

diff --git a/...s/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml b/...s/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml
@@ -108,6 +108,12 @@ ethernet_interfaces:
   type: routed
   description: Comcast_666
   dhcp_client_accept_default_route: true
+- name: Ethernet2
+  peer_type: l3_interface
+  ip_address: 10.14.14.14/31
+  shutdown: false
+  type: routed
+  description: MPLS-SP-1_Cat6
 loopback_interfaces:
 - name: Loopback0
   description: Router_ID
@@ -205,13 +211,22 @@ router_path_selection:
       ipv4_addresses:
       - 10.8.8.8
     ipsec_profile: AUTOVPN
+  - name: MPLS
+    id: 100
+    local_interfaces:
+    - name: Ethernet2
+    dynamic_peers:
+      enabled: true
+      ipsec: false
   load_balance_policies:
   - name: LB-DEFAULT-AUTOVPN-POLICY-CONTROL-PLANE
     path_groups:
+    - name: MPLS
     - name: INET
       priority: 42
   - name: LB-DEFAULT-AUTOVPN-POLICY-IT
     path_groups:
+    - name: MPLS
     - name: INET
       priority: 2
   - name: LB-PROD-AUTOVPN-POLICY-VOICE

diff --git a/...s_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-no-default-policy.yml b/...s_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-no-default-policy.yml
@@ -335,11 +335,13 @@ router_path_selection:
         - MPLS-cv-pathfinder-pathfinder-Ethernet2
     dynamic_peers:
       enabled: true
+      ipsec: false
     static_peers:
     - router_ip: 192.168.144.1
       name: cv-pathfinder-pathfinder
       ipv4_addresses:
       - 172.16.0.1
+    ipsec_profile: CP-PROFILE
   - name: LTE
     id: 102
     local_interfaces:

diff --git a/...ta/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge.yml b/...ta/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge.yml
@@ -510,6 +510,7 @@ router_path_selection:
         - MPLS-cv-pathfinder-pathfinder-Ethernet2
     dynamic_peers:
       enabled: true
+      ipsec: false
     static_peers:
     - router_ip: 192.168.144.1
       name: cv-pathfinder-pathfinder

diff --git a/.../avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge2B.yml b/.../avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge2B.yml
@@ -561,6 +561,7 @@ router_path_selection:
         - MPLS-cv-pathfinder-pathfinder-Ethernet2
     dynamic_peers:
       enabled: true
+      ipsec: false
     static_peers:
     - router_ip: 192.168.144.1
       name: cv-pathfinder-pathfinder

diff --git a/...d/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-transit1A.yml b/...d/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-transit1A.yml
@@ -573,6 +573,7 @@ router_path_selection:
         - MPLS-cv-pathfinder-pathfinder-Ethernet2
     dynamic_peers:
       enabled: true
+      ipsec: false
     static_peers:
     - router_ip: 192.168.144.1
       name: cv-pathfinder-pathfinder

diff --git a/...d/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-transit1B.yml b/...d/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-transit1B.yml
@@ -573,6 +573,7 @@ router_path_selection:
         - MPLS-cv-pathfinder-pathfinder-Ethernet2
     dynamic_peers:
       enabled: true
+      ipsec: false
     static_peers:
     - router_ip: 192.168.144.1
       name: cv-pathfinder-pathfinder

diff --git a/...ections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml b/...ections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml
@@ -55,6 +55,10 @@ wan_router:
           wan_circuit_id: 666
           ip_address: dhcp
           dhcp_accept_default_route: true
+        - name: Ethernet2
+          wan_carrier: MPLS-SP-1
+          wan_circuit_id: Cat6
+          ip_address: 10.14.14.14/31
 
 wan_rr:
   defaults:
@@ -83,7 +87,9 @@ wan_rr:
 
 wan_path_groups:
   - name: MPLS
-    ipsec: False
+    ipsec:
+      static_peers: false
+      dynamic_peers: false
     id: 100
   - name: INET
     id: 101
@@ -98,6 +104,8 @@ wan_carriers:
     path_group: INET
   - name: ATT
     path_group: INET
+  - name: MPLS-SP-1
+    path_group: MPLS
 
 # SVI and L2VLAN is inserted to ensure these are *not* rendered.
 tenants:

diff --git a/...s/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml b/...s/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml
@@ -248,7 +248,10 @@ wan_rr:
 
 wan_path_groups:
   - name: MPLS
-    ipsec: false
+    ipsec:
+      static_peers: false
+      dynamic_peers: false
+    # TODO remove one once auto-id is implemented - for now required in schema
     id: 100
     dps_keepalive:
       interval: 300

diff --git a/...ions/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/UPLINK_LAN_TESTS.yml b/...ions/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/UPLINK_LAN_TESTS.yml
@@ -91,8 +91,8 @@ wan_mode: cv-pathfinder
 wan_route_servers: []
 wan_path_groups:
   - name: INET
-    ipsec: false
-    # TODO remove one once auto-id is implemented - for now required in schema
+    ipsec:
+      static_peers: false
     id: 100
 wan_carriers:
   - name: Comcast

diff --git a/...vd/molecule/eos_designs_unit_tests/inventory/host_vars/autovpn-edge-no-default-policy.yml b/...vd/molecule/eos_designs_unit_tests/inventory/host_vars/autovpn-edge-no-default-policy.yml
@@ -53,7 +53,9 @@ wan_router:
 
 wan_path_groups:
   - name: MPLS
-    ipsec: False
+    ipsec:
+      static_peers: false
+      dynamic_peers: false
     id: 100
   - name: INET
     id: 101

diff --git a/...e/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-custom-default-policy.yml b/...e/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-custom-default-policy.yml
@@ -68,7 +68,8 @@ wan_router:
 
 wan_path_groups:
   - name: MPLS
-    ipsec: false
+    ipsec:
+      static_peers: false
     # TODO remove one once auto-id is implemented - for now required in schema
     id: 100
   - name: INET

diff --git a/...ecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-no-default-policy.yml b/...ecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-no-default-policy.yml
@@ -75,7 +75,8 @@ wan_router:
 
 wan_path_groups:
   - name: MPLS
-    ipsec: false
+    ipsec:
+      dynamic_peers: false
     # TODO remove one once auto-id is implemented - for now required in schema
     id: 100
   - name: INET

diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-path-groups.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-path-groups.md
@@ -11,7 +11,9 @@
     | [<samp>&nbsp;&nbsp;-&nbsp;name</samp>](## "wan_path_groups.[].name") | String | Required, Unique |  |  | Path-group name. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;id</samp>](## "wan_path_groups.[].id") | Integer | Required |  |  | Path-group id.<br><br>TODO: Required until an auto ID algorithm is implemented. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;description</samp>](## "wan_path_groups.[].description") | String |  |  |  | Additional information about the path-group for documentation purposes. |
-    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;ipsec</samp>](## "wan_path_groups.[].ipsec") | Boolean |  | `True` |  | Flag to configure IPsec at the path-group level.<br><br>When set to `true`, IPsec is enabled for both the static and dynamic peers. |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;ipsec</samp>](## "wan_path_groups.[].ipsec") | Dictionary |  |  |  | Configuration of IPSec at the path-group level. |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;dynamic_peers</samp>](## "wan_path_groups.[].ipsec.dynamic_peers") | Boolean |  | `True` |  | Enable IPSec for dynamic peers. |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;static_peers</samp>](## "wan_path_groups.[].ipsec.static_peers") | Boolean |  | `True` |  | Enable IPSec for static peers. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;import_path_groups</samp>](## "wan_path_groups.[].import_path_groups") | List, items: Dictionary |  |  |  | List of path-groups to import in this path-group. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-&nbsp;remote</samp>](## "wan_path_groups.[].import_path_groups.[].remote") | String |  |  |  | Remote path-group to import. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;local</samp>](## "wan_path_groups.[].import_path_groups.[].local") | String |  |  |  | Optional, if not set, the path-group `name` is used as local. |
@@ -39,10 +41,14 @@
         # Additional information about the path-group for documentation purposes.
         description: <str>
 
-        # Flag to configure IPsec at the path-group level.
-        #
-        # When set to `true`, IPsec is enabled for both the static and dynamic peers.
-        ipsec: <bool; default=True>
+        # Configuration of IPSec at the path-group level.
+        ipsec:
+
+          # Enable IPSec for dynamic peers.
+          dynamic_peers: <bool; default=True>
+
+          # Enable IPSec for static peers.
+          static_peers: <bool; default=True>
 
         # List of path-groups to import in this path-group.
         import_path_groups:

diff --git a/..._collections/arista/avd/roles/eos_designs/python_modules/overlay/router_path_selection.py b/..._collections/arista/avd/roles/eos_designs/python_modules/overlay/router_path_selection.py
@@ -68,18 +68,21 @@ def _get_path_groups(self) -> list:
 
         for path_group in path_groups_to_configure:
             pg_name = path_group.get("name")
+            ipsec = path_group.get("ipsec", {})
+            is_local_pg = pg_name in local_path_groups_names
+            disable_dynamic_peer_ipsec = is_local_pg and not ipsec.get("dynamic_peers", True)
 
             path_group_data = {
                 "name": pg_name,
                 "id": self._get_path_group_id(pg_name, path_group.get("id")),
                 "local_interfaces": self._get_local_interfaces_for_path_group(pg_name),
-                "dynamic_peers": self._get_dynamic_peers(),
+                "dynamic_peers": self._get_dynamic_peers(disable_dynamic_peer_ipsec),
                 "static_peers": self._get_static_peers_for_path_group(pg_name),
             }
 
-            if pg_name in local_path_groups_names:
+            if is_local_pg:
                 # On pathfinder IPsec profile is not required for non local path_groups
-                if path_group.get("ipsec", True):
+                if ipsec.get("static_peers", True):
                     path_group_data["ipsec_profile"] = self._cp_ipsec_profile_name
 
                 # KeepAlive config is not required for non local path_groups
@@ -178,13 +181,17 @@ def _get_local_interfaces_for_path_group(self, path_group_name: str) -> list | N
 
         return local_interfaces
 
-    def _get_dynamic_peers(self) -> dict | None:
+    def _get_dynamic_peers(self, disable_ipsec: bool) -> dict | None:
         """
-        TODO support ip_local and ipsec ?
+        TODO support ip_local ?
         """
         if not self.shared_utils.is_wan_client:
             return None
-        return {"enabled": True}
+
+        dynamic_peers = {"enabled": True}
+        if disable_ipsec:
+            dynamic_peers["ipsec"] = False
+        return dynamic_peers
 
     def _get_static_peers_for_path_group(self, path_group_name: str) -> list | None:
         """

diff --git a/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.jsonschema.json b/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.jsonschema.json
diff --git a/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.schema.yml b/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.schema.yml
diff --git a/...lections/arista/avd/roles/eos_designs/schemas/schema_fragments/wan_path_groups.schema.yml b/...lections/arista/avd/roles/eos_designs/schemas/schema_fragments/wan_path_groups.schema.yml
@@ -31,12 +31,18 @@ keys:
           type: str
           description: Additional information about the path-group for documentation purposes.
         ipsec:
-          type: bool
+          type: dict
           description: |-
-            Flag to configure IPsec at the path-group level.
-
-            When set to `true`, IPsec is enabled for both the static and dynamic peers.
-          default: true
+            Configuration of IPSec at the path-group level.
+          keys:
+            dynamic_peers:
+              type: bool
+              description: Enable IPSec for dynamic peers.
+              default: true
+            static_peers:
+              type: bool
+              description: Enable IPSec for static peers.
+              default: true
         import_path_groups:
           type: list
           description: List of path-groups to import in this path-group.