9 changed files with 68 additions and 195 deletions
--- a/global/overlay/etc/puppet/modules/cdn/files/db/init-cdn-db.sh
+++ b/global/overlay/etc/puppet/modules/cdn/files/db/init-cdn-db.sh
@ -1,25 +1,10 @@
 #!/bin/bash
 set -e

-# shellcheck source=/dev/null
 . /conf/init-cdn-db.conf

-# Create database named after user, then create a schema named the same as the
-# user which is also owned by that user. Because search_path (SHOW
-# search_path;) starts with "$user" by default this means any tables will be
-# created in that user-specific SCHEMA by default instead of falling back to
-# "public". This follows the "secure schema usage pattern" summarized as
-# "Constrain ordinary users to user-private schemas" from
-# https://www.postgresql.org/docs/current/ddl-schemas.html#DDL-SCHEMAS-PATTERNS
-#
-# "In PostgreSQL 15 and later, the default configuration supports this usage
-# pattern. In prior versions, or when using a database that has been upgraded
-# from a prior version, you will need to remove the public CREATE privilege
-# from the public schema"
 psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-	CREATE USER cdn WITH PASSWORD '${cdn_password:?}';
+	CREATE USER cdn WITH PASSWORD '$cdn_password';
 	CREATE DATABASE cdn;
 	GRANT ALL PRIVILEGES ON DATABASE cdn TO cdn;
-	\c cdn;
-	CREATE SCHEMA cdn AUTHORIZATION cdn;
 EOSQL
--- a/global/overlay/etc/puppet/modules/cdn/files/l4lb/sunet-l4lb-namespace
+++ b/global/overlay/etc/puppet/modules/cdn/files/l4lb/sunet-l4lb-namespace
@ -13,9 +13,7 @@ pylint sunet-l4lb-namespace
 mypy --strict sunet-l4lb-namespace
 """

-import ipaddress
 import json
-import os
 import shlex
 import subprocess
 import sys
@ -23,7 +21,6 @@ import sys

 def run_command(cmd: str) -> subprocess.CompletedProcess[str]:
    """Execute subprocess command"""
-    print(f"{cmd}")
    args = shlex.split(cmd)
    try:
        proc = subprocess.run(args, capture_output=True, check=True, encoding="utf-8")
@ -38,15 +35,12 @@ def run_command(cmd: str) -> subprocess.CompletedProcess[str]:
    return proc


-def configure_interfaces(  # pylint: disable=too-many-locals,too-many-branches
+def configure_interfaces(
    namespace: str, if_data: dict[str, dict[str, list[str]]]
 ) -> None:
    """Configure interfaces"""
-    proc = run_command(f"ip netns exec {namespace} ip -j addr show")
+    proc = run_command("ip netns exec l4lb ip -j addr show")
    namespace_ifs = json.loads(proc.stdout)
-
-    ipv4_key = "ipv4"
-    ipv6_key = "ipv6"
    for if_name, data in if_data.items():
        if_exists = next(
            (True for interface in namespace_ifs if interface["ifname"] == if_name),
@ -60,15 +54,10 @@ def configure_interfaces(  # pylint: disable=too-many-locals,too-many-branches
            else:
                run_command(f"ip link set {if_name} netns {namespace}")

-            run_command(f"ip netns exec {namespace} ip link set {if_name} up")
-
        proc = run_command(f"ip netns exec {namespace} ip -j addr show dev {if_name}")
        if_conf = json.loads(proc.stdout)
-
-        # Add missing addresses from config
-        if ipv4_key in data:
-            for configured_ipv4_cidr in data[ipv4_key]:
-                ip4, prefix = configured_ipv4_cidr.split("/")
+        for ipv4_cidr in data["ipv4"]:
+            ip4, prefix = ipv4_cidr.split("/")
            v4_addr_exists = next(
                (
                    True
@ -79,10 +68,9 @@ def configure_interfaces(  # pylint: disable=too-many-locals,too-many-branches
            )
            if not v4_addr_exists:
                run_command(
-                        f"ip netns exec {namespace} ip addr add {configured_ipv4_cidr} dev {if_name}"  # pylint: disable=line-too-long
+                    f"ip netns exec {namespace} ip addr add {ipv4_cidr} dev {if_name}"
                )
-        if ipv6_key in data:
-            for ipv6_cidr in data[ipv6_key]:
+        for ipv6_cidr in data["ipv6"]:
            ip6, prefix = ipv6_cidr.split("/")
            v6_addr_exists = next(
                (
@ -97,36 +85,7 @@ def configure_interfaces(  # pylint: disable=too-many-locals,too-many-branches
                    f"ip netns exec {namespace} ip addr add {ipv6_cidr} dev {if_name}"
                )

-        # Remove no longer configured addresseses
-        for addr_info in if_conf[0]["addr_info"]:
-            # Ignore addresses like fe80
-            if addr_info["scope"] != "global":
-                continue
-
-            cidr = "/".join((addr_info["local"], str(addr_info["prefixlen"])))
-
-            # We need strict=False because otherwise ip_network() gets angry if
-            # there are host bits set in the address (which of course there is
-            # because we are parsing actual interface configs, not pure
-            # "networks")
-            cidr_net = ipaddress.ip_network(cidr, strict=False)
-
-            needs_removal = False
-            if cidr_net.version == 4:
-                if ipv4_key not in data or cidr not in data[ipv4_key]:
-                    needs_removal = True
-            elif cidr_net.version == 6:
-                if ipv6_key not in data or cidr not in data[ipv6_key]:
-                    needs_removal = True
-            else:
-                raise ValueError(
-                    f"Expected IPv4 or IPv6, got something else: {cidr_net.version}"
-                )
-
-            if needs_removal:
-                run_command(
-                    f"ip netns exec {namespace} ip addr del {cidr} dev {if_name}"
-                )
+        run_command(f"ip netns exec {namespace} ip link set {if_name} up")


 def setup_namespaces(netns_data: dict[str, dict[str, dict[str, list[str]]]]) -> None:
@ -143,15 +102,6 @@ def setup_namespaces(netns_data: dict[str, dict[str, dict[str, list[str]]]]) ->
        # Make localhost available
        run_command(f"ip netns exec {namespace} ip link set lo up")

-        # (Re)load the nft ruleset for the given namespace
-        nft_ruleset = f"/opt/sunet-cdn/l4lb/conf/nft-{namespace}.conf"
-        if os.path.isfile(nft_ruleset):
-            run_command(f"ip netns exec {namespace} nft -f {nft_ruleset}")
-        else:
-            print(
-                f"WARNING: no nft ruleset found for namespace '{namespace}' ({nft_ruleset}), the namespace will not be firewalled"  # pylint: disable=line-too-long
-            )
-
        configure_interfaces(namespace, if_data)


@ -179,30 +129,10 @@ def main() -> None:
    #    }
    #  }
    # }
-
-    input_files = [
-        "/opt/sunet-cdn/l4lb/conf/netns-base.json",
-        "/opt/sunet-cdn/l4lb/conf/netns-sunet-cdn-agent.json",
-    ]
-
-    merged_netns_data: dict[str, dict[str, dict[str, list[str]]]] = {}
-    for input_file in input_files:
-        try:
-            with open(input_file, encoding="utf-8") as f:
+    with open("/opt/sunet-cdn/l4lb/conf/netns.json", encoding="utf-8") as f:
        netns_data = json.load(f)

-            # Combine interface config from multiple files belonging to the same namespace
-            for ns, ns_data in netns_data.items():
-                if ns in merged_netns_data:
-                    merged_netns_data[ns].update(ns_data)
-                else:
-                    merged_netns_data[ns] = ns_data
-
-        except FileNotFoundError:
-            print(f"skipping nonexistant file '{input_file}'")
-            continue
-
-    setup_namespaces(merged_netns_data)
+    setup_namespaces(netns_data)


 if __name__ == "__main__":
--- a/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
@ -3,7 +3,7 @@ class cdn::cache(
  Hash[String, Integer] $customers = {
    customer1 => 1000000000,
  },
-  String $sunet_cdn_purger_version = '0.0.8',
+  String $sunet_cdnp_version = '0.0.6',
  Hash[String, String] $acme_url = {
    test => 'https://internal-sto3-test-ca-1.cdn.sunet.se:9000/acme/acme/directory'
  },
@ -155,51 +155,51 @@ class cdn::cache(
    creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem"
  }

-  $sunet_cdn_purger_dir = '/var/lib/sunet-cdn-purger'
-  $sunet_cdn_purger_file = "sunet-cdn-purger_${sunet_cdn_purger_version}_linux_${facts[os][architecture]}.tar.gz"
-  $sunet_cdn_purger_url = "https://github.com/SUNET/sunet-cdn-purger/releases/download/v${sunet_cdn_purger_version}/${sunet_cdn_purger_file}"
+  $sunet_cdnp_dir = '/var/lib/sunet-cdnp'
+  $sunet_cdnp_file = "sunet-cdnp_${sunet_cdnp_version}_linux_${facts[os][architecture]}.tar.gz"
+  $sunet_cdnp_url = "https://github.com/SUNET/sunet-cdnp/releases/download/v${sunet_cdnp_version}/${sunet_cdnp_file}"
  # Create directory for managing CDP purger
-  file { $sunet_cdn_purger_dir:
+  file { $sunet_cdnp_dir:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

-  exec { "curl -LO ${sunet_cdn_purger_url}":
-    creates => "${sunet_cdn_purger_dir}/${sunet_cdn_purger_file}",
-    cwd     => $sunet_cdn_purger_dir,
-    notify  => Exec['extract sunet-cdn-purger'],
+  exec { "curl -LO ${sunet_cdnp_url}":
+    creates => "${sunet_cdnp_dir}/${sunet_cdnp_file}",
+    cwd     => $sunet_cdnp_dir,
+    notify  => Exec['extract sunet-cdnp'],
  }

-  exec { 'extract sunet-cdn-purger':
-    command     => "tar -xzf ${sunet_cdn_purger_file} sunet-cdn-purger",
-    cwd         => $sunet_cdn_purger_dir,
+  exec { 'extract sunet-cdnp':
+    command     => "tar -xzf ${sunet_cdnp_file} sunet-cdnp",
+    cwd         => $sunet_cdnp_dir,
    refreshonly => true,
-    notify      => Service['sunet-cdn-purger'],
+    notify      => Service['sunet-cdnp'],
  }

-  file { "${sunet_cdn_purger_dir}/sunet-cdn-purger":
+  file { "${sunet_cdnp_dir}/sunet-cdnp":
    owner => 'root',
    group => 'root',
    mode  => '0755',
  }

-  file { '/usr/local/bin/sunet-cdn-purger':
+  file { '/usr/local/bin/sunet-cdnp':
    ensure => link,
-    target => "${sunet_cdn_purger_dir}/sunet-cdn-purger",
+    target => "${sunet_cdnp_dir}/sunet-cdnp",
  }

-  file { '/etc/systemd/system/sunet-cdn-purger.service':
+  file { '/etc/systemd/system/sunet-cdnp.service':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
-    content => template('cdn/cache/sunet-cdn-purger.service.erb'),
+    content => template('cdn/cache/sunet-cdnp.service.erb'),
    notify  => [Class['sunet::systemd_reload']],
  }

-  service { 'sunet-cdn-purger':
+  service { 'sunet-cdnp':
    ensure => 'running',
    enable => true,
  }
--- a/global/overlay/etc/puppet/modules/cdn/manifests/l4lb.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/l4lb.pp
@ -17,8 +17,6 @@ class cdn::l4lb(

  include sunet::systemd_reload

-  package {'conntrack': ensure => installed }
-
  package {'bird2': ensure => installed }

  file { '/opt/sunet-cdn':
@ -56,20 +54,12 @@ class cdn::l4lb(
    mode   => '0640',
  }

-  file { '/opt/sunet-cdn/l4lb/conf/netns-base.json':
+  file { '/opt/sunet-cdn/l4lb/conf/netns.json':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
-    content => template('cdn/l4lb/netns-base.json.erb'),
-  }
-
-  file { '/opt/sunet-cdn/l4lb/conf/nft-l4lb.conf':
-    ensure  => file,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    content => template('cdn/l4lb/nft-l4lb.conf.erb'),
+    content => template('cdn/l4lb/netns.json.erb'),
  }

  file { '/usr/local/bin/sunet-l4lb-namespace':
--- a/global/overlay/etc/puppet/modules/cdn/templates/cache/docker-compose.yml.erb
+++ b/global/overlay/etc/puppet/modules/cdn/templates/cache/docker-compose.yml.erb
@ -40,7 +40,7 @@ services:
    # We build our own varnish with the slash vmod present. We use the slash
    # "fellow" storage backend to be able to persist cached content to disk, so
    # it is retained in case of a restart of the container or machine.
-    image: "platform.sunet.se/sunet-cdn/cdn-varnish@sha256:248b1ca861f1a8bb548845b656526210ef7015ba71c0e264dc4619da16407b40"
+    image: "platform.sunet.se/sunet-cdn/cdn-varnish:af7f7d11e61acf9f6113811615d1baa46daf3bd1"
    # Use the same custom user as is used for haproxy.
    user: <%= @customer_uid %>:<%= @customer_uid %>
    volumes:
--- a/global/overlay/etc/puppet/modules/cdn/templates/cache/sunet-cdn-purger.service.erb
+++ b/global/overlay/etc/puppet/modules/cdn/templates/cache/sunet-cdn-purger.service.erb
@ -6,7 +6,7 @@ After=docker.service

 [Service]
 Type=simple
-ExecStart=/usr/local/bin/sunet-cdn-purger \
+ExecStart=/usr/local/bin/sunet-cdnp \
  -mqtt-ca-file /usr/local/share/ca-certificates/step_ca_root.crt \
  -mqtt-client-key-file /etc/letsencrypt/live/<%= @networking['fqdn'] %>/privkey.pem \
  -mqtt-client-cert-file /etc/letsencrypt/live/<%= @networking['fqdn'] %>/fullchain.pem \
--- a/global/overlay/etc/puppet/modules/cdn/templates/db/docker-compose.yml.erb
+++ b/global/overlay/etc/puppet/modules/cdn/templates/db/docker-compose.yml.erb
@ -4,7 +4,7 @@ services:
    environment:
      - POSTGRES_PASSWORD=<%= @db_secrets['postgres_password'] %>
    ports:
-      - "5432:5432"
+      - "5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
      - /opt/sunet-cdn/db/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
--- a/global/overlay/etc/puppet/modules/cdn/templates/l4lb/netns-base.json.erb
+++ b/global/overlay/etc/puppet/modules/cdn/templates/l4lb/netns-base.json.erb
@ -15,6 +15,14 @@
      "ipv6": [
        "2001:6b0:2006:75::1/127"
      ]
+    },
+    "dummy0": {
+      "ipv4": [
+        "188.240.152.1/32"
+      ],
+      "ipv6": [
+        "2001:6b0:2100::1/128"
+      ]
    }
  }
 }
--- a/global/overlay/etc/puppet/modules/cdn/templates/l4lb/nft-l4lb.conf.erb
+++ b/global/overlay/etc/puppet/modules/cdn/templates/l4lb/nft-l4lb.conf.erb
@ -1,40 +0,0 @@
-#!/usr/sbin/nft -f
-
-flush ruleset
-
-table inet filter {
-        chain input {
-                type filter hook input priority 0; policy drop;
-
-                # accept any localhost traffic
-                iif lo counter accept
-
-                # accept icmp
-                ip protocol icmp counter accept
-                ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
-                                                 parameter-problem, echo-request, mld-listener-query,
-                                                 nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
-                                                 nd-neighbor-advert } counter accept
-
-                # accept traffic originated from us
-                ct state established counter accept
-                # silently drop invalid packets
-                ct state invalid counter drop
-        }
-        chain forward {
-                type filter hook forward priority 0; policy drop;
-        }
-        chain output {
-                type filter hook output priority 0;
-        }
-}
-
-# HTTP and HTTPS
-add rule inet filter input tcp dport 80 counter accept comment "l4lb HTTP"
-add rule inet filter input tcp dport 443 counter accept comment "l4lb HTTPS"
-
-# BGP
-add rule inet filter input ip saddr { 130.242.64.232 } tcp dport 179 counter accept comment "tug-r11-v4"
-add rule inet filter input ip saddr { 130.242.64.234 } tcp dport 179 counter accept comment "tug-r12-v4"
-add rule inet filter input ip6 saddr { 2001:6b0:2006:74:: } tcp dport 179 counter accept comment "tug-r11-v6"
-add rule inet filter input ip6 saddr { 2001:6b0:2006:75:: } tcp dport 179 counter accept comment "tug-r12-v6"