Created
April 19, 2024 19:36
-
-
Save hyvanix/a259bb0fdd21c8617856f8fbc6f1ed76 to your computer and use it in GitHub Desktop.
Quick and dirty jumpstart to peer Cilium with OpenBSD using the built-in OpenBGPD routing daemon.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: "cilium.io/v2alpha1" | |
| kind: CiliumBGPPeeringPolicy | |
| metadata: | |
| name: cilium-bgp-peering-policy | |
| spec: | |
| nodeSelector: | |
| matchLabels: | |
| bgp: active | |
| virtualRouters: | |
| - localASN: 65432 | |
| exportPodCIDR: true | |
| neighbors: | |
| - peerAddress: '192.168.42.1/32' | |
| peerASN: 65432 | |
| serviceSelector: | |
| matchExpressions: | |
| - {key: gateway, operator: In, values: ['active']} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #--------------------------------------------------------------------------------------------------------- | |
| # Quick and dirty jumpstart to Peer Cilium with OpenBSD using the built-in OpenBGPD routing daemon. | |
| # Note: this is for demonstration purposes only and does not cover vital infomration such as protecting | |
| # your network with the built in packet filter PF. Advance at your own risk. | |
| # | |
| # Start by installing OpenBSD 7.5 and then follow the shell script below: | |
| #--------------------------------------------------------------------------------------------------------- | |
| #!/bin/sh | |
| # Enable IP Forwarding | |
| echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf | |
| sysctl net.inet.ip.forwarding=1 | |
| # Enable BGP Daemon | |
| rcctl enable bgpd | |
| # Create BGP Daemon configuration file | |
| cat << EOF > /etc/bgpd.conf | |
| # define our own ASN as a macro | |
| ASN="65432" | |
| # global configuration | |
| AS $ASN | |
| router-id 192.168.42.1 | |
| # list of networks that may be originated by our ASN | |
| prefix-set mynetworks { | |
| 10.0.0.0/8 | |
| 172.16.20.0/24 | |
| } | |
| include "/var/db/rpki-client/openbgpd" | |
| # assume simple network with 3 routers in IBGP full mesh | |
| group "ibgp mesh" { | |
| remote-as $ASN | |
| # use loopback for IBGP sessions, assume it's distributed in OSPF | |
| local-address 192.168.42.1 | |
| neighbor 192.168.42.101 # Cilium Peer # 1 | |
| neighbor 192.168.42.102 # Cilium Peer # 2 | |
| } | |
| ## rules section | |
| # IBGP: allow all updates to and from our IBGP neighbors | |
| allow from ibgp | |
| allow to ibgp | |
| EOF | |
| # Start BGP Daemon | |
| rcctl start bgpd | |
| #--------------------------------------------------------------------------------------------------------- | |
| # Once BGP is running you can connect your Cilium Peers | |
| # A file such as the above `cilium-bgp-peering-policy.yaml` should be sufficient. | |
| #--------------------------------------------------------------------------------------------------------- | |
| #--------------------------------------------------------------------------------------------------------- | |
| # Once you have peered Cilium and OpenBGPD you can view BGP routes from the OpenBSD command line: | |
| #--------------------------------------------------------------------------------------------------------- | |
| # bgpctl show fib bgp | |
| # flags: B = BGP, C = Connected, S = Static | |
| # N = BGP Nexthop reachable via this route | |
| # r = reject route, b = blackhole route | |
| # flags prio destination gateway | |
| # B 48 10.0.1.0/24 192.168.42.101 | |
| # B 48 10.0.2.0/24 192.168.42.102 | |
| # B 48 172.16.20.1/32 192.168.42.101 | |
| # That's all folks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment