Feat(eos_designs): Allow to disable IPsec on dynamic peers for a path…

…-group avd
aristanetworks · Mar 4, 2024 · e9ce8c9 · e9ce8c9
1 parent fb69491
commit e9ce8c9
Show file tree

Hide file tree

Showing 20 changed files with 88 additions and 28 deletions.
diff --git a/...molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-default-policy.cfg b/...molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-default-policy.cfg
@@ -78,11 +78,13 @@ router path-selection
       peer dynamic
    !
    path-group MPLS id 100
+      ipsec profile CP-PROFILE
       !
       local interface Ethernet2
          stun server-profile MPLS-cv-pathfinder-pathfinder-Ethernet2
       !
       peer dynamic
+         ipsec disabled
       !
       peer static router-ip 192.168.144.1
          name cv-pathfinder-pathfinder

diff --git a/...ctions/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge.cfg b/...ctions/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge.cfg
@@ -132,6 +132,7 @@ router path-selection
          stun server-profile MPLS-cv-pathfinder-pathfinder-Ethernet2
       !
       peer dynamic
+         ipsec disabled
       !
       peer static router-ip 192.168.144.1
          name cv-pathfinder-pathfinder

diff --git a/...ions/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge2B.cfg b/...ions/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge2B.cfg
@@ -124,6 +124,7 @@ router path-selection
          stun server-profile MPLS-cv-pathfinder-pathfinder-Ethernet2
       !
       peer dynamic
+         ipsec disabled
       !
       peer static router-ip 192.168.144.1
          name cv-pathfinder-pathfinder

diff --git a/...s/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1A.cfg b/...s/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1A.cfg
@@ -152,6 +152,7 @@ router path-selection
          stun server-profile MPLS-cv-pathfinder-pathfinder-Ethernet2
       !
       peer dynamic
+         ipsec disabled
       !
       peer static router-ip 192.168.144.1
          name cv-pathfinder-pathfinder

diff --git a/...s/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1B.cfg b/...s/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1B.cfg
@@ -152,6 +152,7 @@ router path-selection
          stun server-profile MPLS-cv-pathfinder-pathfinder-Ethernet2
       !
       peer dynamic
+         ipsec disabled
       !
       peer static router-ip 192.168.144.1
          name cv-pathfinder-pathfinder

diff --git a/...s_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-no-default-policy.yml b/...s_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-no-default-policy.yml
@@ -335,11 +335,13 @@ router_path_selection:
         - MPLS-cv-pathfinder-pathfinder-Ethernet2
     dynamic_peers:
       enabled: true
+      ipsec: false
     static_peers:
     - router_ip: 192.168.144.1
       name: cv-pathfinder-pathfinder
       ipv4_addresses:
       - 172.16.0.1
+    ipsec_profile: CP-PROFILE
   - name: LTE
     id: 102
     local_interfaces:

diff --git a/...ta/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge.yml b/...ta/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge.yml
@@ -510,6 +510,7 @@ router_path_selection:
         - MPLS-cv-pathfinder-pathfinder-Ethernet2
     dynamic_peers:
       enabled: true
+      ipsec: false
     static_peers:
     - router_ip: 192.168.144.1
       name: cv-pathfinder-pathfinder

diff --git a/.../avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge2B.yml b/.../avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge2B.yml
@@ -561,6 +561,7 @@ router_path_selection:
         - MPLS-cv-pathfinder-pathfinder-Ethernet2
     dynamic_peers:
       enabled: true
+      ipsec: false
     static_peers:
     - router_ip: 192.168.144.1
       name: cv-pathfinder-pathfinder

diff --git a/...d/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-transit1A.yml b/...d/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-transit1A.yml
@@ -573,6 +573,7 @@ router_path_selection:
         - MPLS-cv-pathfinder-pathfinder-Ethernet2
     dynamic_peers:
       enabled: true
+      ipsec: false
     static_peers:
     - router_ip: 192.168.144.1
       name: cv-pathfinder-pathfinder

diff --git a/...d/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-transit1B.yml b/...d/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-transit1B.yml
@@ -573,6 +573,7 @@ router_path_selection:
         - MPLS-cv-pathfinder-pathfinder-Ethernet2
     dynamic_peers:
       enabled: true
+      ipsec: false
     static_peers:
     - router_ip: 192.168.144.1
       name: cv-pathfinder-pathfinder

diff --git a/...ections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml b/...ections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml
@@ -83,7 +83,9 @@ wan_rr:
 
 wan_path_groups:
   - name: MPLS
-    ipsec: False
+    ipsec:
+      static_peers: false
+      dynamic_peers: false
     id: 100
   - name: INET
     id: 101

diff --git a/...s/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml b/...s/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml
@@ -242,7 +242,9 @@ wan_rr:
 
 wan_path_groups:
   - name: MPLS
-    ipsec: false
+    ipsec:
+      static_peers: false
+      dynamic_peers: false
     # TODO remove one once auto-id is implemented - for now required in schema
     id: 100
     dps_keepalive:

diff --git a/...vd/molecule/eos_designs_unit_tests/inventory/host_vars/autovpn-edge-no-default-policy.yml b/...vd/molecule/eos_designs_unit_tests/inventory/host_vars/autovpn-edge-no-default-policy.yml
@@ -53,7 +53,9 @@ wan_router:
 
 wan_path_groups:
   - name: MPLS
-    ipsec: False
+    ipsec:
+      static_peers: false
+      dynamic_peers: false
     id: 100
   - name: INET
     id: 101

diff --git a/...e/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-custom-default-policy.yml b/...e/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-custom-default-policy.yml
@@ -68,7 +68,8 @@ wan_router:
 
 wan_path_groups:
   - name: MPLS
-    ipsec: false
+    ipsec:
+      static_peers: false
     # TODO remove one once auto-id is implemented - for now required in schema
     id: 100
   - name: INET

diff --git a/...ecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-no-default-policy.yml b/...ecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-no-default-policy.yml
@@ -75,7 +75,8 @@ wan_router:
 
 wan_path_groups:
   - name: MPLS
-    ipsec: false
+    ipsec:
+      dynamic_peers: false
     # TODO remove one once auto-id is implemented - for now required in schema
     id: 100
   - name: INET

diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-path-groups.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-path-groups.md
@@ -11,7 +11,9 @@
     | [<samp>&nbsp;&nbsp;-&nbsp;name</samp>](## "wan_path_groups.[].name") | String | Required, Unique |  |  | Path-group name. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;id</samp>](## "wan_path_groups.[].id") | Integer | Required |  |  | Path-group id.<br><br>TODO: Required until an auto ID algorithm is implemented. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;description</samp>](## "wan_path_groups.[].description") | String |  |  |  | Additional information about the path-group for documentation purposes. |
-    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;ipsec</samp>](## "wan_path_groups.[].ipsec") | Boolean |  | `True` |  | Flag to configure IPsec at the path-group level.<br><br>When set to `true`, IPsec is enabled for both the static and dynamic peers. |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;ipsec</samp>](## "wan_path_groups.[].ipsec") | Dictionary |  |  |  | Flag to configure IPsec at the path-group level. |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;dynamic_peers</samp>](## "wan_path_groups.[].ipsec.dynamic_peers") | Boolean |  | `True` |  | When set to `true`, IPsec is enabled for dynamic peers. |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;static_peers</samp>](## "wan_path_groups.[].ipsec.static_peers") | Boolean |  | `True` |  | When set to `true`, IPsec is enabled for static peers. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;import_path_groups</samp>](## "wan_path_groups.[].import_path_groups") | List, items: Dictionary |  |  |  | List of [ath-groups to import in this path-group. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-&nbsp;remote</samp>](## "wan_path_groups.[].import_path_groups.[].remote") | String |  |  |  | Remote path-group to import. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;local</samp>](## "wan_path_groups.[].import_path_groups.[].local") | String |  |  |  | Optional, if not set, the path-group `name` is used as local. |
@@ -38,9 +40,13 @@
         description: <str>
 
         # Flag to configure IPsec at the path-group level.
-        #
-        # When set to `true`, IPsec is enabled for both the static and dynamic peers.
-        ipsec: <bool; default=True>
+        ipsec:
+
+          # When set to `true`, IPsec is enabled for dynamic peers.
+          dynamic_peers: <bool; default=True>
+
+          # When set to `true`, IPsec is enabled for static peers.
+          static_peers: <bool; default=True>
 
         # List of [ath-groups to import in this path-group.
         import_path_groups:

diff --git a/..._collections/arista/avd/roles/eos_designs/python_modules/overlay/router_path_selection.py b/..._collections/arista/avd/roles/eos_designs/python_modules/overlay/router_path_selection.py
@@ -68,18 +68,20 @@ def _get_path_groups(self) -> list:
 
         for path_group in path_groups_to_configure:
             pg_name = path_group.get("name")
+            ipsec = path_group.get("ipsec", {})
+            is_local_pg = pg_name in local_path_groups_names
 
             path_group_data = {
                 "name": pg_name,
                 "id": self._get_path_group_id(pg_name, path_group.get("id")),
                 "local_interfaces": self._get_local_interfaces_for_path_group(pg_name),
-                "dynamic_peers": self._get_dynamic_peers(),
+                "dynamic_peers": self._get_dynamic_peers(is_local_pg, ipsec),
                 "static_peers": self._get_static_peers_for_path_group(pg_name),
             }
 
-            if pg_name in local_path_groups_names:
+            if is_local_pg:
                 # On pathfinder IPsec profile is not required for non local path_groups
-                if path_group.get("ipsec", True):
+                if ipsec.get("static_peers", True):
                     path_group_data["ipsec_profile"] = self._cp_ipsec_profile_name
 
                 # KeepAlive config is not required for non local path_groups
@@ -178,13 +180,17 @@ def _get_local_interfaces_for_path_group(self, path_group_name: str) -> list | N
 
         return local_interfaces
 
-    def _get_dynamic_peers(self) -> dict | None:
+    def _get_dynamic_peers(self, is_local_pg, ipsec) -> dict | None:
         """
-        TODO support ip_local and ipsec ?
+        TODO support ip_local ?
         """
         if not self.shared_utils.is_wan_client:
             return None
-        return {"enabled": True}
+
+        dynamic_peers = {"enabled": True}
+        if is_local_pg and not ipsec.get("dynamic_peers", True):
+            dynamic_peers["ipsec"] = False
+        return dynamic_peers
 
     def _get_static_peers_for_path_group(self, path_group_name: str) -> list | None:
         """

diff --git a/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.jsonschema.json b/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.jsonschema.json
diff --git a/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.schema.yml b/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.schema.yml
diff --git a/...lections/arista/avd/roles/eos_designs/schemas/schema_fragments/wan_path_groups.schema.yml b/...lections/arista/avd/roles/eos_designs/schemas/schema_fragments/wan_path_groups.schema.yml
@@ -31,12 +31,18 @@ keys:
           type: str
           description: Additional information about the path-group for documentation purposes.
         ipsec:
-          type: bool
+          type: dict
           description: |-
             Flag to configure IPsec at the path-group level.
-
-            When set to `true`, IPsec is enabled for both the static and dynamic peers.
-          default: true
+          keys:
+            dynamic_peers:
+              type: bool
+              description: When set to `true`, IPsec is enabled for dynamic peers.
+              default: true
+            static_peers:
+              type: bool
+              description: When set to `true`, IPsec is enabled for static peers.
+              default: true
         import_path_groups:
           type: list
           description: List of [ath-groups to import in this path-group.