
Commit 1df06e8

authored
Merge pull request #25 from junior/5G-NF-Infra-Example_tuning
5G NF infra example tuning and NodePool cloud init support
2 parents a11c886 + 247ee55 commit 1df06e8


10 files changed

+267
-123
lines changed


.terraform.lock.hcl

Lines changed: 42 additions & 20 deletions

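--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.8.10
+0.8.11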

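--- a/examples/5G-NF-Infra/networking.tf
+++ b/examples/5G-NF-Infra/networking.tf
@@ -19,86 +19,122 @@ locals {
 
 # Extra Security Lists for the 5G NF
 locals {
-extra_security_lists = [
-{
-security_list_name = "5gc_oam_security_list"
-display_name = "5GC OAM Security List"
-ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
-egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
-},
-{
-security_list_name = "5gc_signalling_security_list"
-display_name = "5GC Signalling (SBI) Security List"
-ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
-egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
-},
-{
-security_list_name = "5g_ran_security_list"
-display_name = "5G RAN Security List"
-ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
-egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
-},
-{
-security_list_name = "legal_intercept_security_list"
-display_name = "Legal Intercept Security List"
-ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
-egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
-},
-{
-security_list_name = "5g_epc_security_list"
-display_name = "5G EPC Security List"
-ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
-egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
+extra_security_lists = [{
+security_list_name = "5gc_oam_security_list"
+display_name = "5GC OAM Security List"
+ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
+egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
+}, {
+security_list_name = "5gc_signalling_security_list"
+display_name = "5GC Signalling (SBI) Security List"
+ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
+egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
+}, {
+security_list_name = "5g_ran_security_list"
+display_name = "5G RAN Security List"
+ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
+egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
+}, {
+security_list_name = "legal_intercept_security_list"
+display_name = "Legal Intercept Security List"
+ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
+egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
+}, {
+security_list_name = "5g_epc_security_list"
+display_name = "5G EPC Security List"
+ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
+egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
+}, {
+security_list_name = "5g_for_pods_security_list"
+display_name = "5G subnets x pods Security List"
+ingress_security_rules = [{
+description = "Allow 5GC OAM to pod communication"
+source = lookup(local.network_cidrs, "SUBNET-5GC-OAM-CIDR")
+source_type = "CIDR_BLOCK"
+protocol = local.security_list_ports.all_protocols
+stateless = false
+tcp_options = { max = -1, min = -1, source_port_range = null }
+udp_options = { max = -1, min = -1, source_port_range = null }
+icmp_options = null
+}, {
+description = "Allow 5GC Signalling (SBI) to pod communication"
+source = lookup(local.network_cidrs, "SUBNET-5GC-SIGNALLING-CIDR")
+source_type = "CIDR_BLOCK"
+protocol = local.security_list_ports.all_protocols
+stateless = false
+tcp_options = { max = -1, min = -1, source_port_range = null }
+udp_options = { max = -1, min = -1, source_port_range = null }
+icmp_options = null
 }, {
-security_list_name = "5g_for_pods_security_list"
-display_name = "5G subnets x pods Security List"
-ingress_security_rules = [{
-description = "Allow 5GC OAM to pod communication"
-source = lookup(local.network_cidrs, "SUBNET-5GC-OAM-CIDR")
-source_type = "CIDR_BLOCK"
-protocol = local.security_list_ports.all_protocols
-stateless = false
-tcp_options = { max = -1, min = -1, source_port_range = null }
-udp_options = { max = -1, min = -1, source_port_range = null }
-icmp_options = null
-}, {
-description = "Allow 5GC Signalling (SBI) to pod communication"
-source = lookup(local.network_cidrs, "SUBNET-5GC-SIGNALLING-CIDR")
-source_type = "CIDR_BLOCK"
-protocol = local.security_list_ports.all_protocols
-stateless = false
-tcp_options = { max = -1, min = -1, source_port_range = null }
-udp_options = { max = -1, min = -1, source_port_range = null }
-icmp_options = null
-}, {
-description = "Allow 5G RAN to pod communication"
-source = lookup(local.network_cidrs, "SUBNET-5G-RAN-CIDR")
-source_type = "CIDR_BLOCK"
-protocol = local.security_list_ports.all_protocols
-stateless = false
-tcp_options = { max = -1, min = -1, source_port_range = null }
-udp_options = { max = -1, min = -1, source_port_range = null }
-icmp_options = null
-}, {
-description = "Allow 5G Legal Intercept to pod communication"
-source = lookup(local.network_cidrs, "SUBNET-LEGAL-INTERCEPT-CIDR")
-source_type = "CIDR_BLOCK"
-protocol = local.security_list_ports.all_protocols
-stateless = false
-tcp_options = { max = -1, min = -1, source_port_range = null }
-udp_options = { max = -1, min = -1, source_port_range = null }
-icmp_options = null
-}, {
-description = "Allow 5G EPC to pod communication"
-source = lookup(local.network_cidrs, "SUBNET-5G-EPC-CIDR")
-source_type = "CIDR_BLOCK"
-protocol = local.security_list_ports.all_protocols
-stateless = false
-tcp_options = { max = -1, min = -1, source_port_range = null }
-udp_options = { max = -1, min = -1, source_port_range = null }
-icmp_options = null
-}]
-egress_security_rules = []
+description = "Allow 5G RAN to pod communication"
+source = lookup(local.network_cidrs, "SUBNET-5G-RAN-CIDR")
+source_type = "CIDR_BLOCK"
+protocol = local.security_list_ports.all_protocols
+stateless = false
+tcp_options = { max = -1, min = -1, source_port_range = null }
+udp_options = { max = -1, min = -1, source_port_range = null }
+icmp_options = null
+}, {
+description = "Allow 5G Legal Intercept to pod communication"
+source = lookup(local.network_cidrs, "SUBNET-LEGAL-INTERCEPT-CIDR")
+source_type = "CIDR_BLOCK"
+protocol = local.security_list_ports.all_protocols
+stateless = false
+tcp_options = { max = -1, min = -1, source_port_range = null }
+udp_options = { max = -1, min = -1, source_port_range = null }
+icmp_options = null
+}, {
+description = "Allow 5G EPC to pod communication"
+source = lookup(local.network_cidrs, "SUBNET-5G-EPC-CIDR")
+source_type = "CIDR_BLOCK"
+protocol = local.security_list_ports.all_protocols
+stateless = false
+tcp_options = { max = -1, min = -1, source_port_range = null }
+udp_options = { max = -1, min = -1, source_port_range = null }
+icmp_options = null
+}, {
+description = "Stream Control Transmission Protocol (SCTP) Ingress"
+source = lookup(local.network_cidrs, "ALL-CIDR")
+source_type = "CIDR_BLOCK"
+protocol = local.security_list_ports.sctp_protocol_number
+stateless = false
+tcp_options = { max = -1, min = -1, source_port_range = null }
+udp_options = { max = -1, min = -1, source_port_range = null }
+icmp_options = null
+}, ]
+egress_security_rules = [{
+description = "Stream Control Transmission Protocol (SCTP) Egress"
+destination = lookup(local.network_cidrs, "ALL-CIDR")
+destination_type = "CIDR_BLOCK"
+protocol = local.security_list_ports.sctp_protocol_number
+stateless = false
+tcp_options = { max = -1, min = -1, source_port_range = null }
+udp_options = { max = -1, min = -1, source_port_range = null }
+icmp_options = null
+}, ]
+}, {
+security_list_name = "5g_sctp_security_list"
+display_name = "Enable SCTP Security List"
+ingress_security_rules = [{
+description = "Stream Control Transmission Protocol (SCTP) Ingress"
+source = lookup(local.network_cidrs, "ALL-CIDR")
+source_type = "CIDR_BLOCK"
+protocol = local.security_list_ports.sctp_protocol_number
+stateless = false
+tcp_options = { max = -1, min = -1, source_port_range = null }
+udp_options = { max = -1, min = -1, source_port_range = null }
+icmp_options = null
+}]
+egress_security_rules = [{
+description = "Stream Control Transmission Protocol (SCTP) Egress"
+destination = lookup(local.network_cidrs, "ALL-CIDR")
+destination_type = "CIDR_BLOCK"
+protocol = local.security_list_ports.sctp_protocol_number
+stateless = false
+tcp_options = { max = -1, min = -1, source_port_range = null }
+udp_options = { max = -1, min = -1, source_port_range = null }
+icmp_options = null
+}]
 },
 ]
 common_5g_security_list_ingress_rules = [{
@@ -169,6 +205,7 @@ locals {
 tcp_protocol_number = "6"
 udp_protocol_number = "17"
 icmp_protocol_number = "1"
+sctp_protocol_number = "132"
 all_protocols = "all"
 }
 }
@@ -255,25 +292,25 @@ data "oci_containerengine_node_pool" "node_pool_1" {
 }
 
 # 5G NF VNICs attachments for each node in the node pool
-resource "oci_core_vnic_attachment" "vnic_attachment_5gc_oam" {
+resource "oci_core_vnic_attachment" "vnic_attachment_5gc_signalling" {
 count = var.node_pool_initial_num_worker_nodes_1
 create_vnic_details {
-display_name = "5GC-OAM vnic"
-private_ip = [for hostnum in range(4, 15) : cidrhost(lookup(local.network_cidrs, "SUBNET-5GC-OAM-CIDR"), hostnum)][index(data.oci_containerengine_node_pool.node_pool_1.nodes.*.id, data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id)]
-subnet_id = module.oke-quickstart.subnets["5GC_OAM_subnet"].subnet_id
+display_name = "5GC-Signalling vnic"
+private_ip = [for hostnum in range(4, 15) : cidrhost(lookup(local.network_cidrs, "SUBNET-5GC-SIGNALLING-CIDR"), hostnum)][index(data.oci_containerengine_node_pool.node_pool_1.nodes.*.id, data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id)]
+subnet_id = module.oke-quickstart.subnets["5GC_Signalling_subnet"].subnet_id
 defined_tags = {}
-freeform_tags = { "Network" : "5GC-OAM" }
+freeform_tags = { "Network" : "5GC-Signalling" }
 }
 instance_id = data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id
 }
-resource "oci_core_vnic_attachment" "vnic_attachment_5gc_signalling" {
+resource "oci_core_vnic_attachment" "vnic_attachment_5gc_oam" {
 count = var.node_pool_initial_num_worker_nodes_1
 create_vnic_details {
-display_name = "5GC-Signalling vnic"
-private_ip = [for hostnum in range(4, 15) : cidrhost(lookup(local.network_cidrs, "SUBNET-5GC-SIGNALLING-CIDR"), hostnum)][index(data.oci_containerengine_node_pool.node_pool_1.nodes.*.id, data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id)]
-subnet_id = module.oke-quickstart.subnets["5GC_Signalling_subnet"].subnet_id
+display_name = "5GC-OAM vnic"
+private_ip = [for hostnum in range(4, 15) : cidrhost(lookup(local.network_cidrs, "SUBNET-5GC-OAM-CIDR"), hostnum)][index(data.oci_containerengine_node_pool.node_pool_1.nodes.*.id, data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id)]
+subnet_id = module.oke-quickstart.subnets["5GC_OAM_subnet"].subnet_id
 defined_tags = {}
-freeform_tags = { "Network" : "5GC-Signalling" }
+freeform_tags = { "Network" : "5GC-OAM" }
 }
 instance_id = data.oci_containerengine_node_pool.node_pool_1.nodes[count.index].id
 }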
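Review bot: The new SCTP ingress rules in the first hunk (the "Stream Control Transmission Protocol (SCTP) Ingress" entries in both `5g_for_pods_security_list` and the new `5g_sctp_security_list`) take their `source` from `lookup(local.network_cidrs, "ALL-CIDR")`, whereas every other rule in this block is scoped to a specific 5G subnet CIDR; if "ALL-CIDR" resolves to an any-source range, as its name suggests, this admits SCTP from anywhere the security list is reachable, and SCTP rules carry no port restriction here since `tcp_options`/`udp_options` do not apply to protocol 132. For an example meant to be copied, scoping the source to the subnets that actually speak SCTP to the node pool, e.g. `source = lookup(local.network_cidrs, "SUBNET-5G-RAN-CIDR")`, matches the rest of the block and avoids shipping an any-source rule; at minimum a comment should say why the wide scope is intended. The identical SCTP ingress/egress pair is repeated verbatim in the two lists and could be hoisted into a local (say `sctp_ingress_rule` / `sctp_egress_rule`) referenced from both, which also keeps the two copies from drifting. Minor style point: the new lists close with `}, ]` while the neighbouring lists use `}]`. The `locals` block starts before the first hunk and its other contents are outside the visible range.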
