Files

Jean-Gabriel Gill-Couture 6c664e9f34 docs(roadmap): add phases 7-8 for OPNsense and HA OKD production

Add Phase 7 (OPNsense & Bare-Metal Network Automation) tracking current
progress on OPNsense Scores, codegen, and Brocade integration. Details
the UpdateHostScore requirement and HostNetworkConfigurationScore rework
needed for LAGG LACP 802.3ad.

Add Phase 8 (HA OKD Production Deployment) describing the target
architecture with LAGG/CARP/multi-WAN/BINAT and validation checklist.

Update current state section to reflect opnsense-codegen branch progress.

2026-03-25 23:20:35 -04:00

3.3 KiB

Raw Permalink Blame History

Phase 7: OPNsense & Bare-Metal Network Automation

Goal

Complete the OPNsense API coverage and Brocade switch integration to enable fully automated bare-metal HA cluster provisioning with LAGG, CARP VIP, multi-WAN, and BINAT.

Status: In Progress

Done

opnsense-codegen pipeline: XML model parsing, IR generation, Rust code generation with serde helpers
11 generated API modules covering firewall, interfaces (VLAN, LAGG, VIP), HAProxy, DNSMasq, Caddy, WireGuard
9 OPNsense Scores: VlanScore, LaggScore, VipScore, DnatScore, FirewallRuleScore, OutboundNatScore, BinatScore, NodeExporterScore, OPNsenseShellCommandScore
13 opnsense-config modules with high-level Rust APIs
E2E tests for DNSMasq CRUD, HAProxy service lifecycle, interface settings
Brocade branch with VLAN CRUD, interface speed config, port-channel management

Remaining

UpdateHostScore (new)

A Score that updates a host's configuration in the DHCP server and prepares it for PXE boot. Core responsibilities:

Update MAC address in DHCP: When hardware is replaced or NICs are swapped, update the DHCP static mapping with the new MAC address(es). This is the most critical function — without it, PXE boot targets the wrong hardware.
Configure PXE boot options: Set next-server, boot filename (BIOS/UEFI/iPXE) for the specific host.
Host network setup for LAGG LACP 802.3ad: Configure the host's network interfaces for link aggregation. This replaces the current HostNetworkConfigurationScore approach which only handles bond creation on the host side — the new approach must also create the corresponding LAGG interface on OPNsense and configure the Brocade switch port-channel with LACP.

The existing DhcpHostBindingScore handles bulk MAC-to-IP registration but lacks the ability to update an existing mapping (the remove_static_mapping and list_static_mappings methods on OPNSenseFirewall are still todo!()).

Merge Brocade branch

The feat/brocade-client-add-vlans branch has breaking API changes:

configure_interfaces now takes Vec<InterfaceConfig> instead of Vec<(String, PortOperatingMode)>
InterfaceType changed from Ethernet(String) to specific variants (TenGigabitEthernet, FortyGigabitEthernet)
harmony/src/infra/brocade.rs needs adaptation to the new API

HostNetworkConfigurationScore rework

The current implementation (harmony/src/modules/okd/host_network.rs) has documented limitations:

Not idempotent (running twice may duplicate bond configs)
No rollback logic
Doesn't wait for switch config propagation
All tests are #[ignore] due to requiring interactive TTY (inquire prompts)
Doesn't create LAGG on OPNsense — only bonds on the host and port-channels on the switch

For LAGG LACP 802.3ad the flow needs to be:

Create LAGG interface on OPNsense (LaggScore already exists)
Create port-channel on Brocade switch (BrocadeSwitchConfigurationScore)
Configure bond on host via NMState (existing NetworkManager)
All three must be coordinated and idempotent

Fill remaining OPNsense `todo!()` stubs

OPNSenseFirewall::remove_static_mapping — needed by UpdateHostScore
OPNSenseFirewall::list_static_mappings — needed for idempotent updates
OPNSenseFirewall::Firewall trait (add_rule, remove_rule, list_rules) — stub only
OPNSenseFirewall::dns::register_dhcp_leases — stub only

3.3 KiB Raw Permalink Blame History