author | Bin Yang <bin.yang@windriver.com> | 2020-02-22 13:20:45 +0800 |
---|---|---|
committer | Bin Yang <bin.yang@windriver.com> | 2020-02-23 16:07:49 +0800 |
commit | 0a13e91612de5fa590bdecb7b17ef79e7f220131 (patch) | |
tree | de70ab3ebd60e343be2c77d9282789cedce3eeaf /starlingx/demo/firewall-host-netdevice/templates | |
parent | bea5027a7f59bffee2a6ed931e63c05a9fb1bdc7 (diff) |
Add helm chart for cFW CNF
specific to networking backed by host netdevice
Change-Id: I26201b9d3e1c2434ba126fc497afffbaf58057a8
Issue-ID: MULTICLOUD-999
Signed-off-by: Bin Yang <bin.yang@windriver.com>
Diffstat (limited to 'starlingx/demo/firewall-host-netdevice/templates')
5 files changed, 192 insertions, 0 deletions
diff --git a/starlingx/demo/firewall-host-netdevice/templates/_helpers.tpl b/starlingx/demo/firewall-host-netdevice/templates/_helpers.tpl
new file mode 100644
index 00000000..7593e779
--- /dev/null
+++ b/starlingx/demo/firewall-host-netdevice/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "firewall.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "firewall.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "firewall.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/starlingx/demo/firewall-host-netdevice/templates/configmap.yaml b/starlingx/demo/firewall-host-netdevice/templates/configmap.yaml
new file mode 100644
index 00000000..731fabb0
--- /dev/null
+++ b/starlingx/demo/firewall-host-netdevice/templates/configmap.yaml
@@ -0,0 +1,27 @@
+{{/*
+# Copyright © 2017 Amdocs, Bell Canada
+# Modifications Copyright © 2018 AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Chart.Name }}-scripts-configmap
+ labels:
+ release: {{ .Release.Name }}
+ app: {{ include "firewall.name" . }}
+ chart: {{ .Chart.Name }}
+data:
+{{ tpl (.Files.Glob "resources/scripts/init/*").AsConfig . | indent 2 }}
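Review bot: `name: {{ .Chart.Name }}-scripts-configmap` is not release-scoped, so a second release of this chart in the same namespace collides on the ConfigMap that deployment.yaml mounts at `/opt` and executes from. Derive it from the existing helper, e.g. `name: {{ include "firewall.fullname" . }}-scripts`, and change the `configMap.name` reference in deployment.yaml to match. The `tpl` call renders every file under `resources/scripts/init/` as a template, so any `{{ … }}` in those scripts receives chart values verbatim with no shell quoting; the scripts are not visible here, so confirm that interpolated values are quoted where they land, since the result runs in a privileged container. A one-line comment above `data:` saying that the scripts are templated would make that explicit.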
\ No newline at end of file
diff --git a/starlingx/demo/firewall-host-netdevice/templates/deployment.yaml b/starlingx/demo/firewall-host-netdevice/templates/deployment.yaml
new file mode 100644
index 00000000..be0af964
--- /dev/null
+++ b/starlingx/demo/firewall-host-netdevice/templates/deployment.yaml
@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "firewall.fullname" . }}
+ labels:
+ release: {{ .Release.Name }}
+ app: {{ include "firewall.name" . }}
+ chart: {{ .Chart.Name }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ include "firewall.name" . }}
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "firewall.name" . }}
+ release: {{ .Release.Name }}
+ annotations:
+ k8s.v1.cni.cncf.io/networks: '[
+ { "name": "host-device-{{ .Values.global.unprotectedNetPortVfw }}",
+ "interface": "veth12" },
+ { "name": "host-device-{{ .Values.global.protectedNetPortVfw }}",
+ "interface": "veth21" }
+ ]'
+ spec:
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ tty: true
+ stdin: true
+ env:
+ - name: unprotectedNetCidr
+ value: "{{.Values.global.unprotectedNetCidr}}"
+ - name: unprotectedNetGw
+ value: "{{.Values.global.unprotectedNetGw}}"
+ - name: protectedNetCidr
+ value: "{{.Values.global.protectedNetCidr}}"
+ - name: protectedNetGw
+ value: "{{.Values.global.protectedNetGw}}"
+ - name: protectedNetGwIp
+ value: "{{.Values.global.protectedNetGwIp}}"
+ - name: dcaeCollectorIp
+ value: "{{.Values.global.dcaeCollectorIp}}"
+ - name: dcaeCollectorPort
+ value: "{{.Values.global.dcaeCollectorPort}}"
+ command: ["/bin/bash", "/opt/vfw_start.sh"]
+ securityContext:
+ privileged: true
+ capabilities:
+ add:
+ - CAP_SYS_ADMIN
+ volumeMounts:
+ - mountPath: /hugepages
+ name: hugepage
+ - name: lib-modules
+ mountPath: /lib/modules
+ - name: src
+ mountPath: /usr/src
+ - name: scripts
+ mountPath: /opt
+ resources:
+ requests:
+ cpu: {{ .Values.resources.cpu }}
+ memory: {{ .Values.resources.memory }}
+ hugepages-2Mi: {{ .Values.resources.hugepage }}
+ limits:
+ cpu: {{ .Values.resources.cpu }}
+ memory: {{ .Values.resources.memory }}
+ hugepages-2Mi: {{ .Values.resources.hugepage }}
+ volumes:
+ - name: hugepage
+ emptyDir:
+ medium: HugePages
+ - name: lib-modules
+ hostPath:
+ path: /lib/modules
+ - name: src
+ hostPath:
+ path: /usr/src
+ - name: scripts
+ configMap:
+ name: {{ .Chart.Name }}-scripts-configmap
+ imagePullSecrets:
+ - name: admin-registry-secret
diff --git a/starlingx/demo/firewall-host-netdevice/templates/protected-private-net.yaml b/starlingx/demo/firewall-host-netdevice/templates/protected-private-net.yaml
new file mode 100644
index 00000000..590d3f69
--- /dev/null
+++ b/starlingx/demo/firewall-host-netdevice/templates/protected-private-net.yaml
@@ -0,0 +1,23 @@
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+ name: host-device-{{ .Values.global.protectedNetPortVfw }}
+spec:
+ config: '{
+ "cniVersion": "0.3.0",
+ "type": "host-device",
+ "device": "{{ .Values.global.protectedNetPortVfw }}"
+ }'
+
+---
+
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+ name: host-device-{{ .Values.global.protectedNetPortVsn }}
+spec:
+ config: '{
+ "cniVersion": "0.3.0",
+ "type": "host-device",
+ "device": "{{ .Values.global.protectedNetPortVsn }}"
+ }'
diff --git a/starlingx/demo/firewall-host-netdevice/templates/unprotected-private-net.yaml b/starlingx/demo/firewall-host-netdevice/templates/unprotected-private-net.yaml
new file mode 100644
index 00000000..79b47579
--- /dev/null
+++ b/starlingx/demo/firewall-host-netdevice/templates/unprotected-private-net.yaml
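Review bot: The `lib-modules` and `src` volumeMounts in deployment.yaml expose the host's `/lib/modules` and `/usr/src` read-write to a container that also sets `privileged: true`, so a bug in the start script or a compromised image can alter host kernel module and source trees. Add `readOnly: true` to both mounts unless `/opt/vfw_start.sh` really writes there; this only guards against accidental writes while the container stays privileged. The `capabilities.add` entry `CAP_SYS_ADMIN` adds nothing next to `privileged: true`, and Kubernetes expects the name without the `CAP_` prefix (`SYS_ADMIN`); if the firewall can run with an explicit capability list, prefer that and drop `privileged`. A comment above `securityContext` stating why privileged mode is needed would help later reviewers, and the hard-coded `admin-registry-secret` under `imagePullSecrets` would be better taken from values.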
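Review bot: In protected-private-net.yaml the `device` field and the `metadata.name` suffix come straight from `.Values.global.protectedNetPortVfw` and `.Values.global.protectedNetPortVsn` with no check that they are set, so a missing value most likely renders a definition named `host-device-` with an empty `device` and fails only at pod attach time. Wrapping the lookup in `required`, e.g. `{{ required "global.protectedNetPortVfw must be set" .Values.global.protectedNetPortVfw }}`, makes the chart fail at render time instead. Because the `host-device` plugin moves the named host interface into the pod, a comment above each definition naming the expected host NIC would help operators avoid handing over a management interface. The same applies to both definitions in unprotected-private-net.yaml.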
@@ -0,0 +1,23 @@
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+ name: host-device-{{ .Values.global.unprotectedNetPortVfw }}
+spec:
+ config: '{
+ "cniVersion": "0.3.0",
+ "type": "host-device",
+ "device": "{{ .Values.global.unprotectedNetPortVfw }}"
+ }'
+
+---
+
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+ name: host-device-{{ .Values.global.unprotectedNetPortVpg }}
+spec:
+ config: '{
+ "cniVersion": "0.3.0",
+ "type": "host-device",
+ "device": "{{ .Values.global.unprotectedNetPortVpg }}"
+ }' |