From 4e3adf2715da3902790163a4954e87555fcfc28e Mon Sep 17 00:00:00 2001 From: Yao Le Date: Mon, 29 Jun 2020 22:05:35 +0800 Subject: Create helm chart for ICN/SDEWAN controllers Create helm chart for sdewan-controller in KUD Issue-ID: MULTICLOUD-1104 
Signed-off-by: Yao Le Change-Id: Ic5d8daecdecba52c05d3ed38fa91ebd555ce5533 --- .../helm/sdewan_controllers/.helmignore | 23 + .../helm/sdewan_controllers/Chart.yaml | 21 + .../helm/sdewan_controllers/templates/_helpers.tpl | 63 ++ .../sdewan_controllers/templates/certificate.yaml | 29 + .../helm/sdewan_controllers/templates/crd.yaml | 1017 ++++++++++++++++++++ .../sdewan_controllers/templates/deployment.yaml | 74 ++ .../helm/sdewan_controllers/templates/issuer.yaml | 24 + .../sdewan_controllers/templates/namespace.yaml | 21 + .../helm/sdewan_controllers/templates/role.yaml | 342 +++++++ .../helm/sdewan_controllers/templates/service.yaml | 42 + .../helm/sdewan_controllers/templates/webhook.yaml | 80 ++ .../helm/sdewan_controllers/values.yaml | 19 + 12 files changed, 1755 insertions(+) create mode 100644 kud/deployment_infra/helm/sdewan_controllers/.helmignore create mode 100644 kud/deployment_infra/helm/sdewan_controllers/Chart.yaml create mode 100644 kud/deployment_infra/helm/sdewan_controllers/templates/_helpers.tpl create mode 100644 kud/deployment_infra/helm/sdewan_controllers/templates/certificate.yaml create mode 100644 kud/deployment_infra/helm/sdewan_controllers/templates/crd.yaml create mode 100644 kud/deployment_infra/helm/sdewan_controllers/templates/deployment.yaml create mode 100644 kud/deployment_infra/helm/sdewan_controllers/templates/issuer.yaml create mode 100644 kud/deployment_infra/helm/sdewan_controllers/templates/namespace.yaml create mode 100644 kud/deployment_infra/helm/sdewan_controllers/templates/role.yaml create mode 100644 kud/deployment_infra/helm/sdewan_controllers/templates/service.yaml create mode 100644 kud/deployment_infra/helm/sdewan_controllers/templates/webhook.yaml create mode 100644 kud/deployment_infra/helm/sdewan_controllers/values.yaml (limited to 'kud/deployment_infra/helm') 
diff --git a/kud/deployment_infra/helm/sdewan_controllers/.helmignore b/kud/deployment_infra/helm/sdewan_controllers/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/kud/deployment_infra/helm/sdewan_controllers/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/kud/deployment_infra/helm/sdewan_controllers/Chart.yaml b/kud/deployment_infra/helm/sdewan_controllers/Chart.yaml
new file mode 100644
index 00000000..3331b561
--- /dev/null
+++ b/kud/deployment_infra/helm/sdewan_controllers/Chart.yaml
@@ -0,0 +1,21 @@
+#/*
+# * Copyright 2019 Intel Corporation, Inc
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+# */
+
+apiVersion: v1
+name: controllers
+description: A Helm chart for Kubernetes
+version: 0.1.0
+appVersion: "1.0"
diff --git a/kud/deployment_infra/helm/sdewan_controllers/templates/_helpers.tpl b/kud/deployment_infra/helm/sdewan_controllers/templates/_helpers.tpl
new file mode 100644
index 00000000..da45c398
--- /dev/null
+++ b/kud/deployment_infra/helm/sdewan_controllers/templates/_helpers.tpl
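Review bot: Chart.yaml still carries the `helm create` placeholder `description: A Helm chart for Kubernetes` and the generic `name: controllers`, although the chart directory and the commit title identify it as the SDEWAN controller chart for ICN/KUD; the description is what `helm search` and chart listings show, so it should say what is deployed, e.g. `description: Helm chart for the SDEWAN controllers (ICN/KUD)`. The copyright year here is 2019 while every other new file in this commit says 2020, which looks like a copy-paste remnant. Leaving `name: controllers` as-is is defensible since release and helper names are derived from it, but a one-line comment noting that the chart name deliberately differs from the directory name would save the next maintainer a question.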
@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "controllers.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "controllers.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "controllers.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "controllers.labels" -}}
+helm.sh/chart: {{ include "controllers.chart" . }}
+{{ include "controllers.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "controllers.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "controllers.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "controllers.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "controllers.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
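Review bot: `controllers.serviceAccountName` dereferences `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, so any template that includes it will fail to render with a nil-pointer error unless values.yaml (19 lines in the diffstat, not in this view) defines a `serviceAccount` map with those keys. None of the templates visible in this commit include it, and deployment.yaml selects pods on an ad-hoc `control-plane` label instead of `controllers.selectorLabels`, so `fullname`, `labels`, `selectorLabels` and `serviceAccountName` are all dead scaffold code at the moment. Either wire the deployment's labels and `serviceAccountName` through these helpers so the chart's naming is consistent and the controller runs under a dedicated service account bound by role.yaml, or drop the unused definitions so they do not drift; if they stay, document in values.yaml that `serviceAccount.create` and `serviceAccount.name` are required by the helper.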
diff --git a/kud/deployment_infra/helm/sdewan_controllers/templates/certificate.yaml b/kud/deployment_infra/helm/sdewan_controllers/templates/certificate.yaml
new file mode 100644
index 00000000..6b03cc1f
--- /dev/null
+++ b/kud/deployment_infra/helm/sdewan_controllers/templates/certificate.yaml
@@ -0,0 +1,29 @@
+#/* Copyright 2020 Intel Corporation, Inc
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+# */
+
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: sdewan-serving-cert
+ namespace: {{ .Values.namespace }}
+spec:
+ dnsNames:
+ - sdewan-webhook-service.sdewan-system.svc
+ - sdewan-webhook-service.sdewan-system.svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: sdewan-selfsigned-issuer
+ secretName: webhook-server-cert
diff --git a/kud/deployment_infra/helm/sdewan_controllers/templates/crd.yaml b/kud/deployment_infra/helm/sdewan_controllers/templates/crd.yaml
new file mode 100644
index 00000000..94851e43
--- /dev/null
+++ b/kud/deployment_infra/helm/sdewan_controllers/templates/crd.yaml
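Review bot: `dnsNames` hard-codes the `sdewan-system` namespace while `metadata.namespace` is templated from `.Values.namespace`, so a release installed into any other namespace gets a serving certificate whose SANs do not match the `<service>.<namespace>.svc` name the API server dials, and every admission call to the webhook then fails TLS verification against the injected CA. Template the namespace into both entries: `- sdewan-webhook-service.{{ .Values.namespace }}.svc` and `- sdewan-webhook-service.{{ .Values.namespace }}.svc.cluster.local`. The service name `sdewan-webhook-service` presumably matches templates/service.yaml, which is outside this view; if that name is also templated there, the same value should be used here so the certificate and the Service cannot diverge.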
@@ -0,0 +1,1017 @@ +#/* Copyright 2020 Intel Corporation, Inc +# * +# * Licensed under the Apache License, Version 2.0 (the "License"); +# * you may not use this file except in compliance with the License. +# * You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, +# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# * See the License for the specific language governing permissions and +# * limitations under the License. +# */ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: firewalldnats.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: FirewallDNAT + listKind: FirewallDNATList + plural: firewalldnats + singular: firewalldnat + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: FirewallDNAT is the Schema for the firewalldnats API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FirewallDNATSpec defines the desired state of FirewallDNAT + properties: + dest: + type: string + dest_ip: + type: string + dest_port: + type: string + family: + type: string + mark: + type: string + name: + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file' + type: string + proto: + type: string + src: + type: string + src_dip: + type: string + src_dport: + type: string + src_ip: + type: string + src_mac: + type: string + src_port: + type: string + target: + type: string + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: firewallforwardings.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: FirewallForwarding + listKind: FirewallForwardingList + plural: firewallforwardings + singular: firewallforwarding + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: FirewallForwarding is the Schema for the firewallforwardings API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FirewallForwardingSpec defines the desired state of FirewallForwarding + properties: + dest: + type: string + family: + type: string + name: + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file' + type: string + src: + type: string + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: firewallrules.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: FirewallRule + listKind: FirewallRuleList + plural: firewallrules + singular: firewallrule + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: FirewallRule is the Schema for the firewallrules API + properties: + apiVersion: + description: 'APIVersion defines 
the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FirewallRuleSpec defines the desired state of FirewallRule + properties: + dest: + type: string + dest_ip: + type: string + dest_port: + type: string + extra: + type: string + family: + type: string + icmp_type: + items: + type: string + type: array + mark: + type: string + name: + description: Foo is an example field of FirewallRule. 
Edit FirewallRule_types.go + to remove/update + type: string + proto: + type: string + set_mark: + type: string + set_xmark: + type: string + src: + type: string + src_ip: + type: string + src_mac: + type: string + src_port: + type: string + target: + type: string + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: firewallsnats.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: FirewallSNAT + listKind: FirewallSNATList + plural: firewallsnats + singular: firewallsnat + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: FirewallSNAT is the Schema for the firewallsnats API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FirewallSNATSpec defines the desired state of FirewallSNAT + properties: + dest: + type: string + dest_ip: + type: string + dest_port: + type: string + family: + type: string + mark: + type: string + name: + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file' + type: string + proto: + type: string + src: + type: string + src_dip: + type: string + src_dport: + type: string + src_ip: + type: string + src_mac: + type: string + src_port: + type: string + target: + type: string + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: firewallzones.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: FirewallZone + listKind: FirewallZoneList + plural: firewallzones + singular: firewallzone + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: FirewallZone is the Schema for the firewallzones API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FirewallZoneSpec defines the desired state of FirewallZone + properties: + etra_dest: + type: string + extra_src: + type: string + family: + type: string + forward: + type: string + input: + type: string + masq: + type: string + masq_allow_invalid: + type: string + masq_dest: + items: + type: string + type: array + masq_src: + items: + type: string + type: array + mtu_fix: + type: string + name: + description: Foo is an example field of FirewallZone. Edit FirewallZone_types.go + to remove/update + type: string + network: + items: + type: string + type: array + output: + type: string + subnet: + items: + type: string + type: array + required: + - network + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: ipsechosts.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: IpsecHost + listKind: IpsecHostList + plural: ipsechosts + singular: ipsechost 
+ scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: IpsecHost is the Schema for the ipsechosts API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + authentication_method: + type: string + connections: + items: + properties: + conn_type: + type: string + crypto_proposal: + items: + type: string + type: array + if_id: + type: string + local_firewall: + type: string + local_sourceip: + type: string + local_updown: + type: string + mark: + type: string + mode: + type: string + name: + type: string + remote_firewall: + type: string + remote_sourceip: + type: string + remote_subnet: + type: string + remote_updown: + type: string + required: + - conn_type + - mode + - name + type: object + type: array + crypto_proposal: + items: + type: string + type: array + force_crypto_proposal: + type: string + local_identifier: + type: string + local_private_cert: + type: string + local_public_cert: + type: string + name: + type: string + pre_shared_key: + type: string + remote: + type: string + remote_identifier: + type: string + shared_ca: + type: string + type: + type: string + required: + - authentication_method + - connections + - crypto_proposal + - remote + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + 
appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: ipsecproposals.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: IpsecProposal + listKind: IpsecProposalList + plural: ipsecproposals + singular: ipsecproposal + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: IpsecProposal is the Schema for the ipsecproposals API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IpsecProposalSpec defines the desired state of IpsecProposal + properties: + dh_group: + type: string + encryption_algorithm: + type: string + hash_algorithm: + type: string + name: + type: string + required: + - dh_group + - encryption_algorithm + - hash_algorithm + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: ipsecsites.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: IpsecSite + listKind: IpsecSiteList + plural: ipsecsites + singular: ipsecsite + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: IpsecSite is the Schema for the ipsecsites API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IpsecSiteSpec defines the desired state of IpsecSite + properties: + authentication_method: + type: string + connections: + items: + properties: + conn_type: + type: string + crypto_proposal: + items: + type: string + type: array + if_id: + type: string + local_firewall: + type: string + local_subnet: + type: string + local_updown: + type: string + mark: + type: string + mode: + type: string + name: + type: string + remote_firewall: + type: string + remote_sourceip: + type: string + remote_subnet: + type: string + remote_updown: + type: string + required: + - conn_type + - local_subnet + - mode + - name + type: object + type: array + crypto_proposal: + items: + type: string + type: array + force_crypto_proposal: + type: string + local_identifier: + type: string + local_private_cert: + type: string + local_public_cert: + type: string + name: + type: string + pre_shared_key: + type: string + remote: + type: string + remote_identifier: + type: string + shared_ca: + type: string + type: + type: string + required: + - authentication_method + - connections + - crypto_proposal + - remote + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: mwan3policies.batch.sdewan.akraino.org +spec: + group: 
batch.sdewan.akraino.org + names: + kind: Mwan3Policy + listKind: Mwan3PolicyList + plural: mwan3policies + singular: mwan3policy + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Mwan3Policy is the Schema for the mwan3policies API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + members: + items: + description: Mwan3PolicySpec defines the desired state of Mwan3Policy + properties: + metric: + type: integer + network: + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of + cluster Important: Run "make" to regenerate code after modifying + this file' + type: string + weight: + type: integer + required: + - metric + - network + - weight + type: object + type: array + required: + - members + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition 
+metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: mwan3rules.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: Mwan3Rule + listKind: Mwan3RuleList + plural: mwan3rules + singular: mwan3rule + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Mwan3Rule is the Schema for the mwan3rules API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + dest_ip: + type: string + dest_port: + type: string + family: + type: string + policy: + type: string + proto: + type: string + src_ip: + type: string + src_port: + type: string + sticky: + type: string + timeout: + type: string + required: + - dest_ip + - dest_port + - family + - policy + - proto + - src_ip + - src_port + - sticky + - timeout + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/kud/deployment_infra/helm/sdewan_controllers/templates/deployment.yaml b/kud/deployment_infra/helm/sdewan_controllers/templates/deployment.yaml
new file mode 100644
index 00000000..038b7c37
--- /dev/null
+++ b/kud/deployment_infra/helm/sdewan_controllers/templates/deployment.yaml
@@ -0,0 +1,74 @@
+#/* Copyright 2020 Intel Corporation, Inc
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+# */
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ control-plane: {{ .Values.spec.label }}
+ name: {{ .Values.spec.name }}
+ namespace: {{ .Values.namespace }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ control-plane: {{ .Values.spec.label }}
+ template:
+ metadata:
+ labels:
+ control-plane: {{ .Values.spec.label }}
+ spec:
+ containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=10
+ image: {{ .Values.spec.proxy.image }}
+ name: {{ .Values.spec.proxy.name }}
+ ports:
+ - containerPort: 8443
+ name: https
+ - args:
+ - --metrics-addr=127.0.0.1:8080
+ - --enable-leader-election
+ command:
+ - /manager
+ image: {{ .Values.spec.sdewan.image }}
+ name: {{ .Values.spec.sdewan.name }}
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ resources:
+ limits:
+ cpu: 100m
+ memory: 30Mi
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: webhook-server-cert
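Review bot: Neither container declares a securityContext, so the kube-rbac-proxy and the manager run with the image's default user and a writable root filesystem, although the manager's only mount (`/tmp/k8s-webhook-server/serving-certs`) is already declared read-only and nothing visible here needs to write. The proxy is started with `--v=10`; at that verbosity kube-rbac-proxy can log the requests it authenticates, which puts bearer tokens from metrics scrapes into pod logs, so `--v=0` (or at most 2) is what production manifests use. The `nodeSelector` block appears to sit among the manager container's fields (between `name:` and `ports:`) rather than at pod-spec level, in which case the API server drops it and the control-plane pinning never applies — please check the indentation of the rendered template. No `serviceAccountName` is set, so the pod runs as the namespace's `default` account, which is the subject the ClusterRoleBindings in role.yaml grant cluster-wide CRD access to.
```yaml
    spec:
      securityContext:
        runAsNonRoot: true
      containers:
      - args:
        - --secure-listen-address=0.0.0.0:8443
        - --upstream=http://127.0.0.1:8080/
        - --logtostderr=true
        - --v=0
        # … unchanged: proxy image, name, ports …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
      - name: {{ .Values.spec.sdewan.name }}
        # … unchanged: manager args, command, image, ports, resources, volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
      nodeSelector:
        node-role.kubernetes.io/master: ""
      # … unchanged: terminationGracePeriodSeconds, volumes …
```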
diff --git a/kud/deployment_infra/helm/sdewan_controllers/templates/issuer.yaml b/kud/deployment_infra/helm/sdewan_controllers/templates/issuer.yaml
new file mode 100644
index 00000000..00e4e695
--- /dev/null
+++ b/kud/deployment_infra/helm/sdewan_controllers/templates/issuer.yaml
@@ -0,0 +1,24 @@
+#/* Copyright 2020 Intel Corporation, Inc
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+# */
+
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+ name: sdewan-selfsigned-issuer
+ namespace: {{ .Values.namespace }}
+spec:
+ selfSigned: {}
+
diff --git a/kud/deployment_infra/helm/sdewan_controllers/templates/namespace.yaml b/kud/deployment_infra/helm/sdewan_controllers/templates/namespace.yaml
new file mode 100644
index 00000000..133c5c6f
--- /dev/null
+++ b/kud/deployment_infra/helm/sdewan_controllers/templates/namespace.yaml
@@ -0,0 +1,21 @@
+#/* Copyright 2020 Intel Corporation, Inc
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+# */
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: sdewan-system
diff --git a/kud/deployment_infra/helm/sdewan_controllers/templates/role.yaml b/kud/deployment_infra/helm/sdewan_controllers/templates/role.yaml
new file mode 100644
index 00000000..79e7b102
--- /dev/null
+++ b/kud/deployment_infra/helm/sdewan_controllers/templates/role.yaml
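Review bot: `name: sdewan-system` is hard-coded here while every other template in the chart (deployment, role, service, issuer) puts its objects in `{{ .Values.namespace }}`, so overriding that value at install time yields namespaced resources that reference a namespace the chart never creates. Use the same value, `name: {{ .Values.namespace }}`, and likewise consider `control-plane: {{ .Values.spec.label }}` for the label so it matches the pod label the services select on. Two smaller points: this file lacks the leading `---` the sibling templates use, and because the Namespace is a release resource Helm will delete it on uninstall together with everything inside it, including any user-created sdewan CRs, which deserves a comment in the chart documentation.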
@@ -0,0 +1,342 @@
+#/* Copyright 2020 Intel Corporation, Inc
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+# */
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: sdewan-leader-election-role
+ namespace: {{ .Values.namespace }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ sdewan-bucket-type-permission: '{ "*": ["*"]}'
+ creationTimestamp: null
+ name: sdewan-manager-role
+rules:
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments/status
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewalldnats
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewalldnats/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallforwardings
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallforwardings/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallrules
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallrules/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallsnats
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallsnats/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallzones
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallzones/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - ipsechosts
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - ipsechosts/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - ipsecproposals
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - ipsecproposals/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - ipsecsites
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - ipsecsites/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - mwan3policies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - mwan3policies/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - mwan3rules
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - mwan3rules/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - rolebindings
+ - roles
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: sdewan-proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: sdewan-leader-election-rolebinding
+ namespace: {{ .Values.namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sdewan-leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: {{ .Values.namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: sdewan-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: sdewan-manager-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: {{ .Values.namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: sdewan-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: sdewan-proxy-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: {{ .Values.namespace }}
diff --git a/kud/deployment_infra/helm/sdewan_controllers/templates/service.yaml b/kud/deployment_infra/helm/sdewan_controllers/templates/service.yaml
new file mode 100644
index 00000000..3ed17b9f
--- /dev/null
+++ b/kud/deployment_infra/helm/sdewan_controllers/templates/service.yaml
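Review bot: All three bindings at the end of the hunk (leader-election, manager, proxy) grant their roles to the `default` ServiceAccount of the namespace, so any pod that lands in that namespace without an explicit `serviceAccountName` inherits cluster-wide create/update/delete on every sdewan CRD plus the ability to mint TokenReviews and SubjectAccessReviews. The usual kubebuilder layout is a dedicated ServiceAccount referenced only by the controller Deployment; the Deployment in this chart sets no `serviceAccountName`, so the change has to be made on both sides. The `sdewan-bucket-type-permission: '{ "*": ["*"]}'` annotation on `sdewan-manager-role` presumably feeds the bucket-permission admission check and grants every bucket type to any subject bound to this ClusterRole, so binding it to `default` widens that grant as well. The final rbac rule only reads roles and bindings (get/list/watch), which fits a permission lookup and needs no change.
```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sdewan-controller-manager
  namespace: {{ .Values.namespace }}
# … unchanged: Role, ClusterRoles, roleRef of each binding …
# in each of the three bindings:
subjects:
- kind: ServiceAccount
  name: sdewan-controller-manager
  namespace: {{ .Values.namespace }}
```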
@@ -0,0 +1,42 @@
+#/* Copyright 2020 Intel Corporation, Inc
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+# */
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ control-plane: {{ .Values.spec.label }}
+ name: sdewan-controller-manager-metrics-service
+ namespace: {{ .Values.namespace }}
+spec:
+ ports:
+ - name: https
+ port: 8443
+ targetPort: https
+ selector:
+ control-plane: {{ .Values.spec.label }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: sdewan-webhook-service
+ namespace: {{ .Values.namespace }}
+spec:
+ ports:
+ - port: 443
+ targetPort: 9443
+ selector:
+ control-plane: {{ .Values.spec.label }}
diff --git a/kud/deployment_infra/helm/sdewan_controllers/templates/webhook.yaml b/kud/deployment_infra/helm/sdewan_controllers/templates/webhook.yaml
new file mode 100644
index 00000000..c7d16598
--- /dev/null
+++ b/kud/deployment_infra/helm/sdewan_controllers/templates/webhook.yaml
@@ -0,0 +1,80 @@
+#/* Copyright 2020 Intel Corporation, Inc
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+# */
+
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: sdewan-system/sdewan-serving-cert
+ creationTimestamp: null
+ name: sdewan-validating-webhook-configuration
+webhooks:
+- clientConfig:
+ caBundle: Cg==
+ service:
+ name: sdewan-webhook-service
+ namespace: {{ .Values.namespace }}
+ path: /validate-sdewan-bucket-permission
+ failurePolicy: Fail
+ name: validate-sdewan-bucket.akraino.org
+ rules:
+ - apiGroups:
+ - batch.sdewan.akraino.org
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - mwan3policies
+ - mwan3rules
+ - firewallzones
+ - firewallforwardings
+ - firewallrules
+ - firewallsnats
+ - firewalldnats
+ - ipsecproposals
+ - ipsechosts
+ - ipsecsites
+- clientConfig:
+ caBundle: Cg==
+ service:
+ name: sdewan-webhook-service
+ namespace: {{ .Values.namespace }}
+ path: /validate-label
+ failurePolicy: Fail
+ name: validate-label.akraino.org
+ rules:
+ - apiGroups:
+ - apps
+ - batch.sdewan.akraino.org
+ apiVersions:
+ - v1
+ - v1alpha1
+ operations:
+ - UPDATE
+ resources:
+ - deployments
+ - mwan3policies
+ - mwan3rules
+ - firewallzones
+ - firewallforwardings
+ - firewallrules
+ - firewallsnats
+ - firewalldnats
+ - ipsecproposals
+ - ipsechosts
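Review bot: The second webhook (`validate-label.akraino.org`) matches UPDATE on every `apps/v1` Deployment in the cluster with `failurePolicy: Fail` and no `namespaceSelector` or `objectSelector`, so whenever the sdewan manager pod is unavailable every Deployment update cluster-wide is rejected, kube-system workloads included, and an update to the controller's own Deployment meant to repair it is refused too. Scope the Deployment rule to the objects the controller actually labels (an `objectSelector` on that label, or a `namespaceSelector`) and consider `failurePolicy: Ignore` for that one rule. The `cert-manager.io/inject-ca-from: sdewan-system/sdewan-serving-cert` annotation hard-codes the namespace while the service reference below it uses `{{ .Values.namespace }}`; with any other namespace the CA is never injected, the `Cg==` placeholder stays in `caBundle`, and with `Fail` every CRD write is refused — use `cert-manager.io/inject-ca-from: {{ .Values.namespace }}/sdewan-serving-cert`. Note also that `ipsecsites` is in the first webhook's resource list but absent from the second, which looks like an omission unless ipsecsites are deliberately exempt from label validation, and that `admissionregistration.k8s.io/v1beta1` is deprecated (the v1 API additionally requires `sideEffects` and `admissionReviewVersions`).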
diff --git a/kud/deployment_infra/helm/sdewan_controllers/values.yaml b/kud/deployment_infra/helm/sdewan_controllers/values.yaml
new file mode 100644
index 00000000..8472735e
--- /dev/null
+++ b/kud/deployment_infra/helm/sdewan_controllers/values.yaml
@@ -0,0 +1,19 @@
+# Default values for controllers.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+namespace: "sdewan-system"
+
+spec:
+ name: "sdewan-controller-manager"
+ label: "controller-manager"
+ replicas: 1
+ proxy:
+ image: "gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1"
+ name: "kube-rbac-proxy"
+ sdewan:
+ image: "integratedcloudnative/sdewan-controller:dev"
+ name: "manager"
+
+
+
-- cgit
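Review bot: `spec.replicas: 1` is declared here but deployment.yaml hard-codes `replicas: 1` instead of reading it, so the value is dead; either drop it or reference it with `replicas: {{ .Values.spec.replicas }}`, which is safe to scale since the manager runs with `--enable-leader-election`. The controller image is pinned to the mutable `dev` tag and no `imagePullPolicy` is set, so a pull on a new node can silently bring different code than the last one; a release tag, ideally with a digest (`integratedcloudnative/sdewan-controller:<version>@sha256:…`), is what a supply-chain reviewer would expect for a component that holds cluster-wide RBAC and sits in the admission path. `gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1` is an old release of the proxy that fronts the metrics endpoint with TokenReview-based auth; consider moving to a current version and pinning it the same way.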