Reference Architecture 22.06

New Components:
- FlexRAN software (v.22.03) Timer Mode on bare-metal with Ubuntu 22.04 real-time kernel
- Istio mTLS key protection using SGX

New Platform:
- QCT (Quanta Computer) Servers with 4th Gen Intel Xeon Scalable processor MCC (40 cores) CPU (dual and single)

Updates/Changes:
- Intel Ethernet Operator enabled by default in all supported profiles

Removed Support:
- Ubuntu 21.10 as base operating system

Co-authored-by: Ali Shah, Syed Faraz <[email protected]>
Co-authored-by: Gherghe, Calin <[email protected]>
Co-authored-by: Kubin, Lukas <[email protected]>
Co-authored-by: Liu, Mark <[email protected]>
Co-authored-by: Mlynek, Krystian <[email protected]>
Co-authored-by: Park, Seungweon <[email protected]>
Co-authored-by: Prokes, Jiri <[email protected]>
Co-authored-by: Puzikov, Dmitrii <[email protected]>

docs/flexran_guide.md

@@ -0,0 +1,5 @@
+# Intel(R) FlexRAN(TM) Readme
+
+A formal PDF Quick Start Guide for Intel(R) FlexRAN(TM) deployment using the RA playbooks is published at this URL:
+https://networkbuilders.intel.com/solutionslibrary/network-and-cloud-edge-reference-system-architecture-flexran-software-single-server-quick-start-guide
+

docs/generate_profiles.md

@@ -69,7 +69,7 @@ At the moment, Container Experience Kits supports the following profiles:
 * build_your_own
 
 Profile's name will be passed to the make command via the required `PROFILE` parameter. Each profile includes some specific sort of functionalities. Choose the profile that suits you the most via inspecting the examples generated [here](#creating-sample-profiles).
-If you would like to know more about CEK profiles read section 2.2 in [here](https://networkbuilders.intel.com/solutionslibrary/container-bare-metal-for-2nd-3rd-generation-intel-xeon-scalable-processor).
+If you would like to know more about CEK profiles read section 2.2 in [here](https://networkbuilders.intel.com/solutionslibrary/network-and-cloud-edge-container-bare-metal-reference-system-architecture-user-guide).
 
 
 ## Example Commands

docs/vm_config_guide.md

@@ -53,7 +53,7 @@ Next section provides VM related configuration options.
 The first option defines VM image distribution of cloud image, which will be used inside VMs.
   Currently supported distributions are: "ubuntu" and "rocky". Default is "ubuntu"
 Following two options define VM image version for Ubuntu and for Rocky.
-  Currently supported ubuntu versions are: "20.04", "21.10" and "22.04". Default is "20.04"
+  Currently supported ubuntu versions are: "20.04" and "22.04". Default is "20.04"
   Currently supported rocky version is: "8.5". Default is "8.5"
 Default VM image distribution is "ubuntu" and default version is "20.04"
 Setting for VM image can be done just on the first VM host. It is common for all VMs across all VM hosts.

generate/playbook_templates/infra_playbook.j2

@@ -62,6 +62,8 @@
       when: iommu_enabled | default(true) | bool or on_vms | default(false) | bool
     - role: bootstrap/set_rdt_kernel_flags
       when: telegraf_enabled | default(true) | bool
+    - role: bootstrap/set_intel_flexran_kernel_flags
+      when: intel_flexran_enabled | default(false) | bool
 {%- if playbook_name in ['full_nfv', 'remote_fp', 'on_prem', 'build_your_own'] %}
     - role: bootstrap/configure_sst
       tags: sst

generate/playbook_templates/intel_playbook.j2

@@ -4,9 +4,22 @@
   roles:
     - role: cluster_defaults
       tags: defaults
+    - role: remove_kubespray_host_dns_settings
+      tags: remove-kubespray-host-dns-settings
+      when:
+        - remove_kubespray_host_dns_settings | default(false) | bool
     - role: nfd_install
       tags: nfd
       when: nfd_enabled | default(true) | bool
+    - role: operator_framework
+      tags: operator-framework
+      when:
+        - intel_ethernet_operator_enabled | default(false) | bool or
+          intel_sriov_fec_operator_enabled | default(false) | bool
+    - role: intel_ethernet_operator
+      tags: intel-ethernet-operator
+      when:
+        - intel_ethernet_operator_enabled | default(false) | bool
     - role: sriov_dp_install
       tags: sriov-net-dp
       when:
@@ -18,10 +31,6 @@
         - sriov_network_operator_enabled | default(true) | bool
         - not sriov_net_dp_enabled | default(false) | bool
         - not sriov_cni_enabled | default(false) | bool
-    - role: intel_ethernet_operator
-      tags: intel-ethernet-operator
-      when:
-        - intel_ethernet_operator_enabled | default(false) | bool
 {%- if playbook_name in ['access', 'full_nfv', 'on_prem', 'regional_dc', 'remote_fp', 'storage', 'build_your_own'] %}
     - role: intel_dp_operator
       tags: dp-operator
@@ -96,6 +105,12 @@
       when:
         - intel_sriov_fec_operator_enabled | default(false) | bool
 {%- endif %}
+{%- if playbook_name in ['access', 'full_nfv', 'build_your_own'] %}
+    - role: intel_flexran
+      tags: intel-flexran
+      when:
+        - intel_flexran_enabled | default(false) | bool
+{%- endif %}
 {%- if playbook_name in ['access', 'full_nfv', 'on_prem', 'regional_dc', 'remote_fp', 'build_your_own'] %}
     - role: service_mesh_install
       tags: service-mesh

generate/profiles_templates/common/group_vars.j2

@@ -265,16 +265,22 @@ kmra:
 {%- if service_mesh and service_mesh.enabled in ['on', 'optional'] %}
 # Service mesh deployment
 # https://istio.io/latest/docs/setup/install/istioctl/
+# Intel Istio
+# https://github.com/intel/istio
 
 # for all available options, please, refer to the 'roles/service_mesh_install/vars/main.yml;
+# for the options dependencies and compatibility, please, refer to the official CEK documentation;
 service_mesh:
   enabled: {% if service_mesh.enabled == 'on' %}true{% else %}false{% endif %}   # enable Service Mesh
-  # available profiles are: 'default', 'demo', 'minimal', 'external', 'empty', 'preview'
+  # available profiles are: 'default', 'demo', 'minimal', 'external', 'empty', 'preview',
+  # 'sgx-mtls', 'intel-qat-hw', 'intel-qat-sw', 'intel-cryptomb'
   # if custom profile needs to be deployed, please, place the file named '<profile_name>.yaml'
   # into the directory 'roles/service_mesh_install/files/profiles/'
   # 'custom-ca' profile name is reserved for usage by sgx_signer if sgx_signer option is enabled
-  # any name provided will be overwritten in this case
+  # any profile name provided will be overwritten in this case
   profile: {% if service_mesh.sgx_signer == 'on' and arch in ['icx', 'spr'] %}custom-ca{% else %}default{% endif %}
+  intel_preview:
+    enabled: {% if service_mesh.intel_preview == 'on' %}true{% else %}false{% endif %}  # enable intel istio preview
   {%- if service_mesh.tcpip_bypass_ebpf in ['on', 'optional'] %}
   tcpip_bypass_ebpf:
     enabled: {% if service_mesh.tcpip_bypass_ebpf == 'on' %}true{% else %}false{% endif %}  # enable tcp/ip ebpf bypass demo
@@ -288,6 +294,14 @@ service_mesh:
     enabled: {% if service_mesh.sgx_signer == 'on' %}true{% else %}false{% endif %}   # enable automated key management integration
     name: sgx-signer
   {%- endif %}
+  {%- if service_mesh.intel_preview in ['on', 'optional'] %}
+  # uncomment following section and enable intel_preview if sgx-mtls profile is selected
+  {% if service_mesh.intel_preview == 'optional' %}#{% endif %}set:
+  {% if service_mesh.intel_preview == 'optional' %}#  {% endif %}- values.global.proxy.sgx.enabled=true
+  {% if service_mesh.intel_preview == 'optional' %}#  {% endif %}- values.global.proxy.sgx.certExtensionValidationEnabled=true
+  {% if service_mesh.intel_preview == 'optional' %}#  {% endif %}- values.gateways.sgx.enabled=true
+  {% if service_mesh.intel_preview == 'optional' %}#  {% endif %}- values.gateways.sgx.certExtensionValidationEnabled=true
+  {%- endif %}
 {% endif %}
 
 {%- if tcs in ['on', 'optional'] and
@@ -358,11 +372,14 @@ firewall_enabled: {% if firewall == "on" %}true{% else %}false{% endif %}
 ## Proxy configuration ##
 #http_proxy: "http://proxy.example.com:1080"
 #https_proxy: "http://proxy.example.com:1080"
-#additional_no_proxy: ".example.com,mirror_ip"  #no need to include the following (will be added automatically): localhost, 127.0.0.1, controllerIP, nodesIPs
+#additional_no_proxy: ".example.com,mirror_ip"  # no need to include the following (will be added automatically): localhost, 127.0.0.1, controllerIPs, nodesIPs
 
 # (Ubuntu only) disables DNS stub listener which may cause issues on Ubuntu
 dns_disable_stub_listener: true
 
+# Remove the block between ansible markers set by kubespray in dhclient & hosts files to avoid DNS & LDAP issues (connection loss) after K8s setup after reboot
+remove_kubespray_host_dns_settings: true
+
 # Kubernetes cluster name, also will be used as DNS domain
 cluster_name: cluster.local
 
@@ -434,10 +451,9 @@ kube_proxy_nodeport_addresses_cidr: 127.0.0.0/8
 # Docker registry running on the cluster allows us to store images not available on Docker Hub
 # The range of valid ports is 30000-32767
 registry_enable: {% if registry == 'on' %}true{% else %}false{% endif %}
-registry_nodeport: 30500
+registry_nodeport: "30500"
 registry_local_address: "localhost:{{ '{{' }} registry_nodeport {{ '}}' }}"
 {%- endif %}
-
 {%- if cert_manager in ['on', 'optional'] %}
 cert_manager_enable: {% if cert_manager == 'on' %}true{% else %}false{% endif %}
 {%- endif %}
@@ -465,7 +481,7 @@ minio_deploy_test_mode: true                          # true (Test Mode) - use a
 # Intel Cloud Native Data Plane.
 {%- if cndp_dp in ['on', 'optional'] %}
 cndp_dp_enabled: {% if cndp_dp == 'on' %}true{% else %}false{% endif %}
-{% if cndp_dp == 'on' %}
+{%- if cndp_dp == 'on' %}
 cndp_net_attach_def_enabled: true         # Whether or not to create NetworkAttachmentDefinition resource.
 cndp_net_attach_def_conf:
   name: cndp-cni-afxdp0              # (Optional) Name of NetworkAttachmentDefinition resource.

generate/profiles_templates/common/host_vars.j2

@@ -80,7 +80,7 @@ dataplane_interfaces: []
 
 {%- if ddp in ['on', 'optional'] %}
 # install Intel x700 & x800 series NICs DDP packages
-install_ddp_packages: {% if ddp == "on"%}true{% else %}false{% endif %}
+install_ddp_packages: {% if ddp == 'on' and nic == 'fvl'%}true{% else %}false{% endif %}
 # If following error appears: "Flashing failed: Operation not permitted"
 # run deployment with update_nic_firmware: true
 # or
@@ -148,13 +148,18 @@ intel_ethernet_operator:
   fw_update: {% if intel_ethernet_operator.fw_update == 'on' and nic == 'cvl' %}true{% else %}false{% endif %}                     # perform firmware update on PFs listed in dataplane_interfaces
   # NodeFlowConfig manifests local path
   # For more information refer to:
-  # https://github.com/smart-edge-open/intel-ethernet-operator/blob/main/docs/flowconfig-daemon/creating-rules.md
+  # https://github.com/intel/intel-ethernet-operator/blob/main/docs/flowconfig-daemon/creating-rules.md
   # node_flow_config_dir: /tmp/node_flow_config
 {% endif %}
 
 {%- if intel_sriov_fec_operator in ['on', 'optional'] %}
 # Wireless FEC H/W Accelerator Device (e.g. ACC100) PCI ID
-fec_acc: {{ fec_acc_dev }}  # must be string in [a-fA-F0-9]{4}:[a-fA-F0-9]{2}:[01][a-fA-F0-9].[0-7] format
+fec_acc: "0000:27:00.0"  # must be string in [a-fA-F0-9]{4}:[a-fA-F0-9]{2}:[01][a-fA-F0-9].[0-7] format
+{% endif %}
+
+{%- if intel_flexran in ['on', 'optional'] %}
+# Intel FlexRAN
+intel_flexran_enabled: {% if intel_flexran == 'on' %}true{% else %}false{% endif %} # if true, deploy FlexRAN
 {% endif %}
 
 {%- if qat in ['on', 'optional'] %}
@@ -369,13 +374,13 @@ cndp_dp_pools:
 #
 {%- if secondary_host == 'true' %}
 # Do not set VM image info here - do it just on the first vm_host
-# secondary vm_host - do not change dhcp settings here
+# Secondary vm_host - do not change dhcp settings here
 dhcp: []
 {% else %}
 # Default VM image version is Ubuntu 20.04 - focal
-# Supported VM image disributions ['ubuntu', 'rocky']
+# Supported VM image distributions ['ubuntu', 'rocky']
 #vm_image_distribution: "ubuntu"
-# Supported VM image ubuntu versions ['20.04', '21.04', '21.10', '22.04']
+# Supported VM image ubuntu versions ['20.04', '22.04']
 #vm_image_version_ubuntu: "22.04"
 # Supported VM image rocky versions ['8.5']
 #vm_image_version_rocky: "8.5"

generate/profiles_templates/k8s/profiles.yml

@@ -59,12 +59,14 @@
 #     tcpip_bypass_ebpf
 #     tls_splicing
 #     sgx_signer
+#     intel_preview
 # - intel_ethernet_operator
 #     enabled
 #     flow_config
 #     ddp
 #     fw_update
 # - intel_sriov_fec_operator
+# - intel_flexran
 
 ---
 access:
@@ -118,6 +120,7 @@ access:
     tcpip_bypass_ebpf: off
     tls_splicing: off
     sgx_signer: off
+    intel_preview: off
   wireguard: on
   multus: on
   firewall: optional
@@ -135,6 +138,7 @@ access:
     ddp: optional
     fw_update: optional
   intel_sriov_fec_operator: on
+  intel_flexran: on
 
 basic:
   name: basic
@@ -216,6 +220,7 @@ full_nfv:
     tcpip_bypass_ebpf: on
     tls_splicing: on
     sgx_signer: on
+    intel_preview: optional
   wireguard: on
   multus: on
   firewall: optional
@@ -227,11 +232,12 @@ full_nfv:
   registry: on
   hugepages: on
   intel_ethernet_operator:
-    enabled: optional
+    enabled: on
     flow_config: optional
-    ddp: optional
+    ddp: on
     fw_update: optional
   intel_sriov_fec_operator: optional
+  intel_flexran: optional
 
 on_prem:
   name: on_prem
@@ -274,6 +280,7 @@ on_prem:
     tcpip_bypass_ebpf: on
     tls_splicing: on
     sgx_signer: on
+    intel_preview: optional
   wireguard: on
   multus: on
   firewall: optional
@@ -316,6 +323,7 @@ regional_dc:
     enabled: on
     tcpip_bypass_ebpf: on
     tls_splicing: on
+    intel_preview: optional
   wireguard: on
   multus: on
   firewall: optional
@@ -373,6 +381,7 @@ remote_fp:
     tcpip_bypass_ebpf: optional
     tls_splicing: optional
     sgx_signer: optional
+    intel_preview: optional
   wireguard: on
   multus: on
   firewall: optional
@@ -383,9 +392,9 @@ remote_fp:
   registry: on
   hugepages: on
   intel_ethernet_operator:
-    enabled: optional
+    enabled: on
     flow_config: optional
-    ddp: optional
+    ddp: on
     fw_update: optional
 
 storage:
@@ -471,6 +480,7 @@ build_your_own:
     tcpip_bypass_ebpf: optional
     tls_splicing: optional
     sgx_signer: optional
+    intel_preview: optional
   wireguard: optional
   multus: optional
   firewall: optional
@@ -486,4 +496,5 @@ build_your_own:
     flow_config: optional
     ddp: optional
     fw_update: optional
-  intel_sriov_fec_operator: optional
+  intel_sriov_fec_operator: optional
+  intel_flexran: optional

generate/profiles_templates/vm/vm_host_profiles.yml

@@ -57,6 +57,7 @@
 #     tcpip_bypass_ebpf
 #     tls_splicing
 #     sgx_signer
+#     intel_preview
 # - intel_ethernet_operator
 #     enabled
 #     flow_config
@@ -99,6 +100,7 @@ access:
     enabled: on
     tcpip_bypass_ebpf: on
     tls_splicing: on
+    intel_preview: optional
   wireguard: on
   multus: on
   firewall: optional
@@ -190,6 +192,7 @@ full_nfv:
     tcpip_bypass_ebpf: on
     tls_splicing: on
     sgx_signer: optional
+    intel_preview: optional
   wireguard: on
   multus: on
   firewall: optional
@@ -245,6 +248,7 @@ on_prem:
     tcpip_bypass_ebpf: on
     tls_splicing: on
     sgx_signer: optional
+    intel_preview: optional
   wireguard: on
   multus: on
   firewall: optional
@@ -287,6 +291,7 @@ regional_dc:
     enabled: on
     tcpip_bypass_ebpf: on
     tls_splicing: on
+    intel_preview: optional
   wireguard: on
   multus: on
   firewall: optional
@@ -343,6 +348,7 @@ remote_fp:
     tcpip_bypass_ebpf: optional
     tls_splicing: optional
     sgx_signer: optional
+    intel_preview: optional
   wireguard: on
   multus: on
   firewall: optional
@@ -404,6 +410,7 @@ build_your_own:
     tcpip_bypass_ebpf: optional
     tls_splicing: optional
     sgx_signer: optional
+    intel_preview: optional
   wireguard: optional
   multus: optional
   firewall: optional