From dc3c69f37fabf9808a15328e38ff1ea10c92ca45 Mon Sep 17 00:00:00 2001 From: medusa Date: Sat, 2 Aug 2025 14:16:29 -0500 Subject: [PATCH] Update tech_docs/networking/iac_github_project.md --- tech_docs/networking/iac_github_project.md | 109 +++++++++++++++++++++ 1 file changed, 109 insertions(+) diff --git a/tech_docs/networking/iac_github_project.md b/tech_docs/networking/iac_github_project.md index 89c0e48..cc64b62 100644 --- a/tech_docs/networking/iac_github_project.md +++ b/tech_docs/networking/iac_github_project.md @@ -1,3 +1,112 @@ +──────────────────────────────────────────── +OPINIONATED, PRACTICAL GUIDE +“How to Ship the Right Config to Every ASR-1002 DMVPN Hub—Forever” +──────────────────────────────────────────── + +0. One-Sentence Rule +Policy (templates) never changes per box; Data (YAML) is the **only** thing that changes. + +1. Folder Layout (Lock This Down) +``` +config_components/ +├── core_settings/ +│ ├── 00_licensing.j2 +│ ├── 10_system_settings.j2 +│ └── 20_aaa.j2 +├── network_services/ +│ ├── 30_vlans.j2 +│ └── 40_routing.j2 +├── interfaces/ +│ ├── 50_port_profiles/ +│ │ ├── access_port.j2 +│ │ └── trunk_port.j2 +│ └── 60_interface_assignments.j2 +├── policies/ +│ ├── 70_qos.j2 +│ └── 80_access_lists.j2 +└── data/ ← NEW. One YAML file per box. + ├── site-01.yml + └── site-02.yml +``` + +2. Build the **Golden Templates** Once +• Each `.j2` file must compile without external context (`jinja2 template.j2 empty.yml`). +• Every literal becomes a variable: `{{ hostname }}`, `{{ ospf.rid }}`, etc. +• **No defaults in templates**—defaults live in YAML so you can override. + +3. One YAML Schema to Rule Them All +Use a single JSON Schema (`schema.yml`) enforced by CI (`yamllint`, `jsonschema`). +Example minimal record: + +```yaml +hostname: "SITE01-ASR01" +system: + license_level: "network-advantage" + domain_name: "example.net" + name_servers: ["1.1.1.1", "8.8.8.8"] + tz_name: "EST" + tz_offset: -5 +aaa: + tacacs_group: "GTAC" + tacacs_servers: + - { host: "10.1.1.1", key: "SECRET1" } + - { host: "10.1.1.2", key: "SECRET2" } +interfaces: + Loopback0: { ip: "10.255.255.1/32" } + Tunnel1: + ip: "10.200.1.1/25" + tunnel_source: "Loopback0" +routing: + ospf: + - pid: 1, rid: "10.255.255.1" + bgp: + as: 65400, rid: "10.255.255.1" +``` + +4. Render Pipeline (3 Commands) +``` +python -m venv venv && source venv/bin/activate +pip install jinja2-cli yamllint jsonschema +yamllint data/site-01.yml +jsonschema -i data/site-01.yml schema.yml +jinja2 templates/compile.j2 data/site-01.yml > site-01.cfg +``` +Add `compile.j2` at the root (just concatenates all component templates in order). + +5. CI/CD Guardrails +• **Pre-commit hooks**: lint YAML, render dry-run, diff against Git. +• **Master branch = templates only**; **Pull requests = new YAML files**. +• **Pipeline** auto-pushes rendered configs to Nornir/Napalm for diff/commit. + +6. Mandatory Defaults File +Create `data/defaults.yml` with sane global values. +Each site YAML does a deep-merge (`{{ defaults | combine(site, recursive=True) }}`). +This prevents “forgotten variables” and keeps templates small. + +7. Secrets Handling +• Never hard-code. +• Use `ansible-vault`, Hashicorp Vault, or GitHub Actions Secrets; inject at render time via environment variables: `{{ lookup('env', 'TACACS_KEY') }}`. + +8. Naming Conventions +• YAML keys = snake_case (`tacacs_servers`). +• Interface keys = canonical name (`GigabitEthernet0/0/0`). +• Profile names = short, descriptive (`access_port`, `trunk_port`). +• Template order = `00_*`, `10_*`, … so concatenation is deterministic. + +9. Upgrade Path +Future platform (NCS-5k, IOS-XR, etc.)? +Copy `config_components` → `config_components_ncs/`, tweak templates. +Data YAML remains **unchanged**; only add new keys if new features required. + +10. Single Source of Truth +One YAML → renders → diff → commit. +If it’s not in YAML, it does **not** exist. +End of story. + +Follow the checklist above and you will never again hand-craft a DMVPN hub config. + +--- + Below is the **sanitized, pseudocode-style** view of every functional knob an ASR-1002 DMVPN head-end needs—**no literals, no opinionated values**. Each bullet is a **config option** you can turn on/off or fill-in later. Think of it as a checklist you hand to an engineer who will decide the actual values.