From 6942719b390a62695d6dd3efa09eadf6ec48aa7a Mon Sep 17 00:00:00 2001 From: Victor Morales Date: Mon, 15 Oct 2018 10:25:02 -0700 Subject: Hybrid Functional test for vFirewall This change provides the bash instructions for running an hybrid scenario (Virtual Machine and Containers) of the ONAP vFirewall use case. Change-Id: I2bb7843118c31895d0b5fe1987cced2be29672cb Signed-off-by: Victor Morales Issue-ID: MULTICLOUD-301 --- vagrant/tests/_common.sh | 301 ++++++++++++++++++++++++++++++++++++-- vagrant/tests/_functions.sh | 1 + vagrant/tests/integration_vFW.sh | 3 +- vagrant/tests/integration_vcFW.sh | 46 ++++++ 4 files changed, 334 insertions(+), 17 deletions(-) create mode 100755 vagrant/tests/integration_vcFW.sh diff --git a/vagrant/tests/_common.sh b/vagrant/tests/_common.sh index 5635907c..21aad4d2 100755 --- a/vagrant/tests/_common.sh +++ b/vagrant/tests/_common.sh @@ -152,9 +152,6 @@ spec: imagePullPolicy: IfNotPresent tty: true stdin: true - resources: - limits: - memory: 160Mi DEPLOYMENT cat << DEPLOYMENT > $sink_deployment_name.yaml @@ -185,17 +182,14 @@ spec: imagePullPolicy: IfNotPresent tty: true stdin: true - resources: - limits: - memory: 160Mi DEPLOYMENT - popd } -# popule_CSAR_vms_vFW() - This function creates the content of CSAR file -# required for vFirewal using only virtual machines -function popule_CSAR_vms_vFW { +# popule_CSAR_vms_containers_vFW() - This function creates the content of CSAR file +# required for vFirewal using an hybrid combination between virtual machines and +# cotainers +function popule_CSAR_vms_containers_vFW { local csar_id=$1 ssh_key=$(cat $HOME/.ssh/id_rsa.pub) @@ -226,8 +220,10 @@ metadata: labels: app: vFirewall spec: + type: NodePort ports: - port: 667 + nodePort: 30667 selector: app: vFirewall SERVICE @@ -331,6 +327,8 @@ spec: labels: app: vFirewall annotations: + VirtletLibvirtCPUSetting: | + mode: host-model VirtletCloudInitUserData: | ssh_pwauth: True users: 
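Review bot: Deleting the `resources: limits: memory: 160Mi` block leaves this container with no memory cap at all, so a runaway process in it can exhaust node memory and get neighbouring pods evicted; the VM deployments elsewhere in this change were raised to 4Gi rather than left unbounded, and the container should likewise keep a limit sized to what it actually needs, e.g. `resources:` / `limits:` / `memory: 512Mi`. The same removal is repeated for the next container in the following hunk. The deployment here-doc and the enclosing function begin above this hunk.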
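Review bot: The removed `popd` looks like the only one balancing this function's `pushd ${CSAR_DIR}/${csar_id}` (the pushd itself is above the hunk, so this is inferred from the pattern the other CSAR functions follow), which would leave the caller's working directory changed after the containers-only function returns. If that is intentional a comment should say so; otherwise restore `popd` immediately before the closing `}`. The new header comment also carries two typos, `vFirewal` and `cotainers`, that should read `vFirewall` and `containers`.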
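Review bot: Switching the sink Service to `type: NodePort` with a fixed `nodePort: 30667` publishes the darkstat traffic-statistics UI (container port 667) on every node's external interface with no authentication, which is broader exposure than the test needs. If the goal is only to let the tester reach the UI from the host, `kubectl port-forward` (the line left commented out in integration_vcFW.sh) or a ClusterIP Service behind the existing sink-ingress keeps it off the node IPs; if NodePort is required, document it with `# demo-only: darkstat UI exposed unauthenticated on every node at :30667` and restrict it with a NetworkPolicy or host firewall rule. Hard-coding the port also collides with any other test that claims 30667 from the 30000-32767 range. The Service definition starts above this hunk.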
@@ -350,6 +348,7 @@ spec: - wget -O - https://raw.githubusercontent.com/electrocucaracha/vFW-demo/master/$packetgen_deployment_name | sudo -E bash VirtletSSHKeys: | $ssh_key + VirtletRootVolumeSize: 5Gi kubernetes.v1.cni.cncf.io/networks: '[ { "name": "unprotected-private-net-cidr", "interfaceRequest": "eth1" }, { "name": "onap-private-net-cidr", "interfaceRequest": "eth2" } 
@@ -371,11 +370,273 @@ spec: imagePullPolicy: IfNotPresent tty: true stdin: true + ports: + - containerPort: 8183 resources: limits: - memory: 256Mi + memory: 4Gi +DEPLOYMENT + + cat << DEPLOYMENT > $firewall_deployment_name.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: $firewall_deployment_name + labels: + app: vFirewall +spec: + replicas: 1 + selector: + matchLabels: + app: vFirewall + template: + metadata: + labels: + app: vFirewall + annotations: + VirtletLibvirtCPUSetting: | + mode: host-model + VirtletCloudInitUserData: | + ssh_pwauth: True + users: + - name: admin + gecos: User + primary-group: admin + groups: users + sudo: ALL=(ALL) NOPASSWD:ALL + lock_passwd: false + # the password is "admin" + passwd: "\$6\$rounds=4096\$QA5OCKHTE41\$jRACivoPMJcOjLRgxl3t.AMfU7LhCFwOWv2z66CQX.TSxBy50JoYtycJXSPr2JceG.8Tq/82QN9QYt3euYEZW/" + ssh_authorized_keys: + $ssh_key + $proxy + runcmd: + $cloud_init_proxy + - wget -O - https://raw.githubusercontent.com/electrocucaracha/vFW-demo/master/$firewall_deployment_name | sudo -E bash + VirtletSSHKeys: | + $ssh_key + VirtletRootVolumeSize: 5Gi + kubernetes.v1.cni.cncf.io/networks: '[ + { "name": "unprotected-private-net-cidr", "interfaceRequest": "eth1" }, + { "name": "protected-private-net-cidr", "interfaceRequest": "eth2" }, + { "name": "onap-private-net-cidr", "interfaceRequest": "eth3" } + ]' + kubernetes.io/target-runtime: virtlet.cloud + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: extraRuntime + operator: In + values: + - virtlet + containers: + - name: $firewall_deployment_name + image: $image_name + imagePullPolicy: IfNotPresent + tty: true + stdin: true + resources: + limits: + memory: 4Gi +DEPLOYMENT + + cat << DEPLOYMENT > $sink_deployment_name.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: $sink_deployment_name + labels: + app: vFirewall +spec: + replicas: 1 + selector: + matchLabels: + app: 
vFirewall + template: + metadata: + labels: + app: vFirewall + annotations: + kubernetes.v1.cni.cncf.io/networks: '[ + { "name": "protected-private-net-cidr", "interfaceRequest": "eth1" }, + { "name": "onap-private-net-cidr", "interfaceRequest": "eth2" } + ]' + spec: + containers: + - name: $sink_deployment_name + image: electrocucaracha/sink + imagePullPolicy: IfNotPresent + tty: true + stdin: true + securityContext: + privileged: true + - name: darkstat + image: electrocucaracha/darkstat + imagePullPolicy: IfNotPresent + tty: true + stdin: true + ports: + - containerPort: 667 +DEPLOYMENT + popd +} + +# popule_CSAR_vms_vFW() - This function creates the content of CSAR file +# required for vFirewal using only virtual machines +function popule_CSAR_vms_vFW { + local csar_id=$1 + ssh_key=$(cat $HOME/.ssh/id_rsa.pub) + + _checks_args $csar_id + pushd ${CSAR_DIR}/${csar_id} + + cat << META > metadata.yaml +resources: + network: + - unprotected-private-net-cidr-network.yaml + - protected-private-net-cidr-network.yaml + - onap-private-net-cidr-network.yaml + deployment: + - $packetgen_deployment_name.yaml + - $firewall_deployment_name.yaml + - $sink_deployment_name.yaml +META + + cat << NET > unprotected-private-net-cidr-network.yaml +apiVersion: "kubernetes.cni.cncf.io/v1" +kind: Network +metadata: + name: unprotected-private-net-cidr +spec: + config: '{ + "name": "unprotected", + "type": "bridge", + "ipam": { + "type": "host-local", + "subnet": "192.168.10.0/24" + } +}' +NET + + cat << NET > protected-private-net-cidr-network.yaml +apiVersion: "kubernetes.cni.cncf.io/v1" +kind: Network +metadata: + name: protected-private-net-cidr +spec: + config: '{ + "name": "protected", + "type": "bridge", + "ipam": { + "type": "host-local", + "subnet": "192.168.20.0/24" + } +}' +NET + + cat << NET > onap-private-net-cidr-network.yaml +apiVersion: "kubernetes.cni.cncf.io/v1" +kind: Network +metadata: + name: onap-private-net-cidr +spec: + config: '{ + "name": "onap", + "type": 
"bridge", + "ipam": { + "type": "host-local", + "subnet": "10.10.0.0/16" + } +}' +NET + + proxy="apt:" + cloud_init_proxy="" + if [[ -n "${http_proxy+x}" ]]; then + proxy+=" + http_proxy: $http_proxy" + cloud_init_proxy+=" + - export http_proxy=$http_proxy" + fi + if [[ -n "${https_proxy+x}" ]]; then + proxy+=" + https_proxy: $https_proxy" + cloud_init_proxy+=" + - export https_proxy=$https_proxy" + fi + if [[ -n "${no_proxy+x}" ]]; then + cloud_init_proxy+=" + - export no_proxy=$no_proxy" + fi + + cat << DEPLOYMENT > $packetgen_deployment_name.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: $packetgen_deployment_name + labels: + app: vFirewall +spec: + replicas: 1 + selector: + matchLabels: + app: vFirewall + template: + metadata: + labels: + app: vFirewall + annotations: + VirtletLibvirtCPUSetting: | + mode: host-model + VirtletCloudInitUserData: | + ssh_pwauth: True + users: + - name: admin + gecos: User + primary-group: admin + groups: users + sudo: ALL=(ALL) NOPASSWD:ALL + lock_passwd: false + # the password is "admin" + passwd: "\$6\$rounds=4096\$QA5OCKHTE41\$jRACivoPMJcOjLRgxl3t.AMfU7LhCFwOWv2z66CQX.TSxBy50JoYtycJXSPr2JceG.8Tq/82QN9QYt3euYEZW/" + ssh_authorized_keys: + $ssh_key + $proxy + runcmd: + $cloud_init_proxy + - wget -O - https://raw.githubusercontent.com/electrocucaracha/vFW-demo/master/$packetgen_deployment_name | sudo -E bash + VirtletSSHKeys: | + $ssh_key + VirtletRootVolumeSize: 5Gi + kubernetes.v1.cni.cncf.io/networks: '[ + { "name": "unprotected-private-net-cidr", "interfaceRequest": "eth1" }, + { "name": "onap-private-net-cidr", "interfaceRequest": "eth2" } + ]' + kubernetes.io/target-runtime: virtlet.cloud + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: extraRuntime + operator: In + values: + - virtlet + containers: + - name: $packetgen_deployment_name + image: $image_name + imagePullPolicy: IfNotPresent + tty: true + stdin: true ports: - 
containerPort: 8183 + resources: + limits: + memory: 4Gi DEPLOYMENT cat << DEPLOYMENT > $firewall_deployment_name.yaml @@ -395,6 +656,8 @@ spec: labels: app: vFirewall annotations: + VirtletLibvirtCPUSetting: | + mode: host-model VirtletCloudInitUserData: | ssh_pwauth: True users: @@ -412,6 +675,9 @@ spec: runcmd: $cloud_init_proxy - wget -O - https://raw.githubusercontent.com/electrocucaracha/vFW-demo/master/$firewall_deployment_name | sudo -E bash + VirtletSSHKeys: | + $ssh_key + VirtletRootVolumeSize: 5Gi kubernetes.v1.cni.cncf.io/networks: '[ { "name": "unprotected-private-net-cidr", "interfaceRequest": "eth1" }, { "name": "protected-private-net-cidr", "interfaceRequest": "eth2" }, @@ -436,7 +702,7 @@ spec: stdin: true resources: limits: - memory: 160Mi + memory: 4Gi DEPLOYMENT cat << DEPLOYMENT > $sink_deployment_name.yaml @@ -456,6 +722,8 @@ spec: labels: app: vFirewall annotations: + VirtletLibvirtCPUSetting: | + mode: host-model VirtletCloudInitUserData: | ssh_pwauth: True users: @@ -475,6 +743,7 @@ spec: - wget -O - https://raw.githubusercontent.com/electrocucaracha/vFW-demo/master/$sink_deployment_name | sudo -E bash VirtletSSHKeys: | $ssh_key + VirtletRootVolumeSize: 5Gi kubernetes.v1.cni.cncf.io/networks: '[ { "name": "protected-private-net-cidr", "interfaceRequest": "eth1" }, { "name": "onap-private-net-cidr", "interfaceRequest": "eth2" } @@ -496,11 +765,11 @@ spec: imagePullPolicy: IfNotPresent tty: true stdin: true - resources: - limits: - memory: 160Mi ports: - containerPort: 667 + resources: + limits: + memory: 4Gi DEPLOYMENT popd } @@ -600,6 +869,8 @@ spec: labels: app: virtlet annotations: + VirtletLibvirtCPUSetting: | + mode: host-passthrough # This tells CRI Proxy that this pod belongs to Virtlet runtime kubernetes.io/target-runtime: virtlet.cloud VirtletCloudInitUserData: | diff --git a/vagrant/tests/_functions.sh b/vagrant/tests/_functions.sh index 50473476..515bc6ec 100755 --- a/vagrant/tests/_functions.sh +++ b/vagrant/tests/_functions.sh 
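Review bot: The cloud-init `runcmd` of the new firewall and packetgen VM deployments fetches `https://raw.githubusercontent.com/electrocucaracha/vFW-demo/master/...` and pipes it straight into `sudo -E bash`, so anyone who can push to that repository's `master` (or tamper with the download, since nothing beyond TLS checks its integrity) gets root in every VM this test creates; pin the URL to a commit SHA and verify a known sha256 of the downloaded file before executing it, or vendor the scripts into this repository. The same guests enable `ssh_pwauth: True` with a published password ("admin", per the inline comment) and `sudo: ALL=(ALL) NOPASSWD:ALL`, while the container sink deployment sets `securityContext: privileged: true` — tolerable in a throw-away vagrant lab, but each should carry a comment such as `# demo-only: password login + passwordless sudo; never reuse outside the vagrant lab`. The sink container is presumably privileged for packet capture; if it only needs raw sockets, `capabilities: add: [NET_ADMIN, NET_RAW]` is the narrower grant. `popule_CSAR_vms_containers_vFW` closes inside this hunk, but the new `popule_CSAR_vms_vFW` it introduces continues past the hunk's end.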
@@ -29,6 +29,7 @@ function _checks_args { function destroy_deployment { local deployment_name=$1 + echo "$(date +%H:%M:%S) - $deployment_name : Destroying deployment" kubectl delete deployment $deployment_name --ignore-not-found=true --now while kubectl get deployment $deployment_name &>/dev/null; do echo "$(date +%H:%M:%S) - $deployment_name : Destroying deployment" diff --git a/vagrant/tests/integration_vFW.sh b/vagrant/tests/integration_vFW.sh index df27065a..237593f2 100755 --- a/vagrant/tests/integration_vFW.sh +++ b/vagrant/tests/integration_vFW.sh @@ -24,11 +24,10 @@ fi popule_CSAR_vms_vFW $csar_id pushd ${CSAR_DIR}/${csar_id} -for resource in unprotected-private-net-cidr-network protected-private-net-cidr-network onap-private-net-cidr-network sink-service sink-ingress; do +for resource in unprotected-private-net-cidr-network protected-private-net-cidr-network onap-private-net-cidr-network; do kubectl apply -f $resource.yaml done setup $packetgen_deployment_name $firewall_deployment_name $sink_deployment_name -#kubectl port-forward deployment/$sink_deployment_name 667:667 # Test for deployment_name in $packetgen_deployment_name $firewall_deployment_name $sink_deployment_name; do diff --git a/vagrant/tests/integration_vcFW.sh b/vagrant/tests/integration_vcFW.sh new file mode 100755 index 00000000..82159b90 --- /dev/null +++ b/vagrant/tests/integration_vcFW.sh 
@@ -0,0 +1,46 @@ +#!/bin/bash +# SPDX-license-identifier: Apache-2.0 +############################################################################## +# Copyright (c) 2018 +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## + +set -o errexit +set -o nounset +set -o pipefail + +source _common.sh +source _functions.sh + +csar_id=aa443e7e-c8ba-11e8-8877-525400b164ff + +# Setup +if [[ ! -f $HOME/.ssh/id_rsa.pub ]]; then + echo -e "\n\n\n" | ssh-keygen -t rsa -N "" +fi +popule_CSAR_vms_containers_vFW $csar_id + +pushd ${CSAR_DIR}/${csar_id} +for resource in unprotected-private-net-cidr-network protected-private-net-cidr-network onap-private-net-cidr-network sink-service sink-ingress; do + kubectl apply -f $resource.yaml +done +setup $packetgen_deployment_name $firewall_deployment_name $sink_deployment_name +#kubectl port-forward deployment/$sink_deployment_name 667:667 + +# Test +for deployment_name in $packetgen_deployment_name $firewall_deployment_name; do + pod_name=$(kubectl get pods | grep $deployment_name | awk '{print $1}') + vm=$(kubectl plugin virt virsh list | grep ".*$deployment_name" | awk '{print $2}') + echo "Pod name: $pod_name Virsh domain: $vm" + echo "ssh -i ~/.ssh/id_rsa.pub admin@$(kubectl get pods $pod_name -o jsonpath="{.status.podIP}")" + echo "kubectl attach -it $pod_name" + echo "=== Virtlet details ====" + echo "$(kubectl plugin virt virsh dumpxml $vm | grep VIRTLET_)\n" +done +popd + +# Teardown +#teardown $packetgen_deployment_name $firewall_deployment_name $sink_deployment_name -- cgit 1.2.3-korg
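Review bot: The printed SSH hint `ssh -i ~/.ssh/id_rsa.pub admin@...` names the public key as the identity file, so copying it will fail; it should be `echo "ssh -i ~/.ssh/id_rsa admin@$(kubectl get pods "$pod_name" -o jsonpath="{.status.podIP}")"`. `pod_name=$(kubectl get pods | grep $deployment_name | awk '{print $1}')` substring-matches the whole listing and yields several names (breaking the later unquoted `kubectl get pods $pod_name`) whenever a terminating pod from a previous run is still listed or one deployment name is a prefix of another; `kubectl get pods --no-headers -o custom-columns=NAME:.metadata.name | grep -- "^$deployment_name-"` with `"$pod_name"` quoted is more robust. The key generation `echo -e "\n\n\n" | ssh-keygen -t rsa -N ""` creates a passphrase-less key and depends on piped newlines for the path; `ssh-keygen -t rsa -b 4096 -N "" -f "$HOME/.ssh/id_rsa"` is explicit and non-interactive (the passphrase-less key is acceptable for the lab but deserves a comment saying so). With `teardown` left commented out, the privileged sink container and the NodePort Service stay running after the script exits; either state that in a comment or run the teardown from `trap ... EXIT`.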