Add cnf for firewall with network of sriov

sriov driver can be either netdevice or vfio start scripts support netdevice only yet Change-Id: Ifa1e9acc558387d38245bd99669225fbf5fb8d05 Issue-ID: MULTICLOUD-999 Signed-off-by: Bin Yang <bin.yang@windriver.com>
author: Bin Yang <bin.yang@windriver.com> 2020-02-23 20:18:41 +0800
committer: Bin Yang <bin.yang@windriver.com> 2020-02-23 23:52:21 +0800
commit: 6547e45fd9f60437811ef35b9d101cdaef494542 (patch)
tree: 593f7a67769e9b5806a7bd7174c8858783d61d70 /starlingx/demo/firewall-sriov/templates/deployment.yaml
parent: 0a13e91612de5fa590bdecb7b17ef79e7f220131 (diff)
1 files changed, 101 insertions, 0 deletions
diff --git a/starlingx/demo/firewall-sriov/templates/deployment.yaml b/starlingx/demo/firewall-sriov/templates/deployment.yaml
new file mode 100644
index 00000000..90677163
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/templates/deployment.yaml
@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "firewall.fullname" . }}
+  labels:
+    release: {{ .Release.Name }}
+    app: {{ include "firewall.name" . }}
+    chart: {{ .Chart.Name }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ include "firewall.name" . }}
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ include "firewall.name" . }}
+        release: {{ .Release.Name }}
+      annotations:
+        k8s.v1.cni.cncf.io/networks: '[
+          { "name": "sriov-device-{{ .Values.global.unprotectedNetName }}",
+            "interface": "veth12" },
+          { "name": "sriov-device-{{ .Values.global.protectedNetName }}",
+            "interface": "veth21" }
+          ]'
+    spec:
+      containers:
+      - name: {{ .Chart.Name }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        tty: true
+        stdin: true
+        env:
+        - name: unprotectedNetCidr
+          value: "{{.Values.global.unprotectedNetCidr}}"
+        - name: unprotectedNetGwIp
+          value: "{{.Values.global.unprotectedNetGwIp}}"
+        - name: protectedNetCidr
+          value: "{{.Values.global.protectedNetCidr}}"
+        - name: protectedNetGwIp
+          value: "{{.Values.global.protectedNetGwIp}}"
+        - name: dcaeCollectorIp
+          value: "{{.Values.global.dcaeCollectorIp}}"
+        - name: dcaeCollectorPort
+          value: "{{.Values.global.dcaeCollectorPort}}"
+        - name: unprotectedNetProviderDriver
+          value: "{{.Values.global.unprotectedNetProviderDriver}}"
+        - name: protectedNetProviderDriver
+          value: "{{.Values.global.protectedNetProviderDriver}}"
+        command: ["/bin/bash", "/opt/vfw_start.sh"]
+        securityContext:
+            privileged: true
+            capabilities:
+                add:
+                - CAP_SYS_ADMIN
+        volumeMounts:
+          - mountPath: /hugepages
+            name: hugepage
+          - name: lib-modules
+            mountPath: /lib/modules
+          - name: src
+            mountPath: /usr/src
+          - name: scripts
+            mountPath: /opt
+        resources:
+          requests:
+            cpu: {{ .Values.resources.cpu }}
+            memory: {{ .Values.resources.memory }}
+            hugepages-2Mi: {{ .Values.resources.hugepage }}
+            {{- if eq .Values.global.protectedNetProviderName .Values.global.unprotectedNetProviderName }}
+            intel.com/pci_sriov_net_{{ .Values.global.protectedNetProviderName }}: '2'
+            {{- else }}
+            intel.com/pci_sriov_net_{{ .Values.global.protectedNetProviderName }}: '1'
+            intel.com/pci_sriov_net_{{ .Values.global.unprotectedNetProviderName }}: '1'
+            {{ end }}
+          limits:
+            cpu: {{ .Values.resources.cpu }}
+            memory: {{ .Values.resources.memory }}
+            hugepages-2Mi: {{ .Values.resources.hugepage }}
+            {{- if eq .Values.global.protectedNetProviderName .Values.global.unprotectedNetProviderName }}
+            intel.com/pci_sriov_net_{{ .Values.global.protectedNetProviderName }}: '2'
+            {{- else }}
+            intel.com/pci_sriov_net_{{ .Values.global.protectedNetProviderName }}: '1'
+            intel.com/pci_sriov_net_{{ .Values.global.unprotectedNetProviderName }}: '1'
+            {{ end }}
+      volumes:
+        - name: hugepage
+          emptyDir:
+            medium: HugePages
+        - name: lib-modules
+          hostPath:
+            path: /lib/modules
+        - name: src
+          hostPath:
+            path: /usr/src
+        - name: scripts
+          configMap:
+            name: {{ .Chart.Name }}-scripts-configmap
+      imagePullSecrets:
+      - name: admin-registry-secret
author	Bin Yang <bin.yang@windriver.com>	2020-02-23 20:18:41 +0800
committer	Bin Yang <bin.yang@windriver.com>	2020-02-23 23:52:21 +0800
commit	6547e45fd9f60437811ef35b9d101cdaef494542 (patch)
tree	593f7a67769e9b5806a7bd7174c8858783d61d70 /starlingx/demo/firewall-sriov/templates/deployment.yaml
parent	0a13e91612de5fa590bdecb7b17ef79e7f220131 (diff)