From 0a13e91612de5fa590bdecb7b17ef79e7f220131 Mon Sep 17 00:00:00 2001 From: Bin Yang Date: Sat, 22 Feb 2020 13:20:45 +0800 Subject: Add helm chart for cFW CNF specific to networking backed by host netdevice Change-Id: I26201b9d3e1c2434ba126fc497afffbaf58057a8 Issue-ID: MULTICLOUD-999 
Signed-off-by: Bin Yang --- starlingx/demo/firewall-host-netdevice/.helmignore | 22 +++++ starlingx/demo/firewall-host-netdevice/Chart.yaml | 5 ++ .../charts/pktgen-host-netdevice/.helmignore | 22 +++++ .../charts/pktgen-host-netdevice/Chart.yaml | 5 ++ .../resources/scripts/init/vpg_start.sh | 100 +++++++++++++++++++++ .../pktgen-host-netdevice/templates/_helpers.tpl | 32 +++++++ .../pktgen-host-netdevice/templates/configmap.yaml | 27 ++++++ .../templates/deployment.yaml | 85 ++++++++++++++++++ .../pktgen-host-netdevice/templates/service.yaml | 16 ++++ .../charts/pktgen-host-netdevice/values.yaml | 26 ++++++ .../charts/sink-host-netdevice/.helmignore | 22 +++++ .../charts/sink-host-netdevice/Chart.yaml | 5 ++ .../resources/scripts/init/vsn_start.sh | 21 +++++ .../sink-host-netdevice/templates/_helpers.tpl | 32 +++++++ .../sink-host-netdevice/templates/configmap.yaml | 10 +++ .../sink-host-netdevice/templates/deployment.yaml | 68 ++++++++++++++ .../sink-host-netdevice/templates/service.yaml | 16 ++++ .../charts/sink-host-netdevice/values.yaml | 30 +++++++ .../resources/scripts/init/vfw_start.sh | 64 +++++++++++++ .../firewall-host-netdevice/templates/_helpers.tpl | 32 +++++++ .../templates/configmap.yaml | 27 ++++++ .../templates/deployment.yaml | 87 ++++++++++++++++++ .../templates/protected-private-net.yaml | 23 +++++ .../templates/unprotected-private-net.yaml | 23 +++++ starlingx/demo/firewall-host-netdevice/values.yaml | 76 ++++++++++++++++ 25 files changed, 876 insertions(+) create mode 100644 starlingx/demo/firewall-host-netdevice/.helmignore create mode 100644 starlingx/demo/firewall-host-netdevice/Chart.yaml create mode 100644 starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/.helmignore create mode 100644 starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/Chart.yaml create mode 100644 starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/resources/scripts/init/vpg_start.sh create mode 100644 
starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/templates/_helpers.tpl create mode 100644 starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/templates/configmap.yaml create mode 100644 starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/templates/deployment.yaml create mode 100644 starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/templates/service.yaml create mode 100644 starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/values.yaml create mode 100644 starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/.helmignore create mode 100644 starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/Chart.yaml create mode 100644 starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/resources/scripts/init/vsn_start.sh create mode 100644 starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/templates/_helpers.tpl create mode 100644 starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/templates/configmap.yaml create mode 100644 starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/templates/deployment.yaml create mode 100644 starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/templates/service.yaml create mode 100644 starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/values.yaml create mode 100644 starlingx/demo/firewall-host-netdevice/resources/scripts/init/vfw_start.sh create mode 100644 starlingx/demo/firewall-host-netdevice/templates/_helpers.tpl create mode 100644 starlingx/demo/firewall-host-netdevice/templates/configmap.yaml create mode 100644 starlingx/demo/firewall-host-netdevice/templates/deployment.yaml create mode 100644 starlingx/demo/firewall-host-netdevice/templates/protected-private-net.yaml create mode 100644 starlingx/demo/firewall-host-netdevice/templates/unprotected-private-net.yaml create mode 100644 starlingx/demo/firewall-host-netdevice/values.yaml (limited to 
'starlingx') diff --git a/starlingx/demo/firewall-host-netdevice/.helmignore b/starlingx/demo/firewall-host-netdevice/.helmignore new file mode 100644 index 00000000..50af0317 --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/starlingx/demo/firewall-host-netdevice/Chart.yaml b/starlingx/demo/firewall-host-netdevice/Chart.yaml new file mode 100644 index 00000000..ac61cce4 --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart to deploy Firewall app for vFirewall, networking backend is passthrough host-device +name: firewall-host-netdevice +version: 0.1.0 diff --git a/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/.helmignore b/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/.helmignore new file mode 100644 index 00000000..50af0317 --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/Chart.yaml b/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/Chart.yaml new file mode 100644 index 00000000..ebc53b5c 
--- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart to deploy packet generator for vFirewall +name: pktgen-host-netdevice +version: 0.1.0 diff --git a/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/resources/scripts/init/vpg_start.sh b/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/resources/scripts/init/vpg_start.sh new file mode 100644 index 00000000..936e9d53 --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/resources/scripts/init/vpg_start.sh 
@@ -0,0 +1,100 @@
+#!/bin/bash
+
+apt-get update
+apt-get install -y sudo curl net-tools iproute2 wget
+
+curl -s https://packagecloud.io/install/repositories/fdio/release/script.deb.sh | sudo bash
+
+export VPP_VER=19.01.2-release
+apt-get install -y vpp=$VPP_VER vpp-lib=$VPP_VER
+
+apt-get install -y vpp-plugins=$VPP_VER
+
+if [ -e /run/vpp/cli-vpp1.sock ]; then
+ rm /run/vpp/cli-vpp1.sock
+fi
+
+# root@vpktgen:/# taskset -p --cpu-list 1
+# pid 1's current affinity list: 1,2,29
+
+corelist=`taskset -p -c 1 |cut -d : -f 2 | sed 's/^ *//' | sed 's/ *$//'`
+#extract master core
+mastercoreidx=`echo $corelist | cut -d , -f 1`
+#extract worker cores
+workercorelist=`echo $corelist | sed -E 's/^[0-9]*,//'`
+
+echo 'start... vpp'
+vpp unix {cli-listen /run/vpp/cli-vpp1.sock} api-segment { prefix vpp1 } \
+ cpu { main-core $mastercoreidx corelist-workers $workercorelist }
+
+echo 'wait vpp be up ...'
+while [ ! -e /run/vpp/cli-vpp1.sock ]; do
+ sleep 1;
+done
+
+echo 'configure vpp ...'
+
+
+vppctl -s /run/vpp/cli-vpp1.sock show ver
+vppctl -s /run/vpp/cli-vpp1.sock show threads
+
+vppctl -s /run/vpp/cli-vpp1.sock create host-interface name veth11
+
+vppctl -s /run/vpp/cli-vpp1.sock set int state host-veth11 up
+
+vppctl -s /run/vpp/cli-vpp1.sock show int
+vppctl -s /run/vpp/cli-vpp1.sock show hardware
+
+vppctl -s /run/vpp/cli-vpp1.sock set int ip address host-veth11 10.10.1.2/24
+
+vppctl -s /run/vpp/cli-vpp1.sock show int addr
+
+vppctl -s /run/vpp/cli-vpp1.sock ip route add 10.10.2.0/24 via 10.10.1.1
+
+vppctl -s /run/vpp/cli-vpp1.sock show ip fib
+
+#vppctl -s /run/vpp/cli-vpp1.sock trace add af-packet-input 10
+
+echo "provision streams"
+### pktgen config
+vppctl -s /run/vpp/cli-vpp1.sock loop create
+vppctl -s /run/vpp/cli-vpp1.sock set int ip address loop0 11.22.33.1/24
+vppctl -s /run/vpp/cli-vpp1.sock set int state loop0 up
+
+cd /opt
+
+mkdir /home/root
+cat < /home/root/stream_fw_udp1_loop0
+packet-generator new {
+ name fw_udp1
+ rate 10
+ node ip4-input
+ size 64-64
+ no-recycle
+ interface loop0
+ data {
+ UDP: 10.10.1.2 -> 10.10.2.2
+ UDP: 15320 -> 8080
+ length 128 checksum 0 incrementing 1
+ }
+ }
+EOF
+
+vppctl -s /run/vpp/cli-vpp1.sock exec /home/root/stream_fw_udp1_loop0
+
+#vppctl -s /run/vpp/cli-vpp1.sock show packet-generator
+
+#vppctl -s /run/vpp/cli-vpp1.sock trace add pg-input 10
+
+vppctl -s /run/vpp/cli-vpp1.sock packet-generator enable
+
+vppctl -s /run/vpp/cli-vpp1.sock show packet-generator
+
+vppctl -s /run/vpp/cli-vpp1.sock show int
+
+#vppctl -s /run/vpp/cli-vpp1.sock packet-generator disable
+
+#vppctl -s /run/vpp/cli-vpp1.sock packet-generator delete fw_udp1
+
+echo "done"
+sleep infinity
\ No newline at end of file
diff --git a/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/templates/_helpers.tpl b/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/templates/_helpers.tpl
new file mode 100644
index 00000000..322b7c68
--- /dev/null
+++ b/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/templates/_helpers.tpl
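Review bot: The `curl -s https://packagecloud.io/install/repositories/fdio/release/script.deb.sh | sudo bash` line runs an unverified remote script as root on every pod start, and because `-s` is used without `-f` an HTTP error page would be piped into bash just the same; fetch with `curl -fsSL ... -o /tmp/fdio.sh`, check it against a known digest before running it, or better, bake VPP into the image so the container does not depend on the network and apt at runtime. The script has no `set -euo pipefail`, so a failed install or `vppctl` step falls through to `sleep infinity` and the pod reports Running with nothing generating traffic. As rendered here, `cat < /home/root/stream_fw_udp1_loop0` is an input redirection rather than a heredoc; if the file really reads that way the stream definition is never written and the following `packet-generator new {` lines are executed as shell commands — `cat << EOF > /home/root/stream_fw_udp1_loop0` is presumably what was intended, so please confirm against the committed file. The addresses 10.10.1.2 and 10.10.2.0/24 are hard-coded even though the Deployment exports `unprotectedNetCidr`/`protectedNetCidr` to the container.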
@@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "packetgen.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "packetgen.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "packetgen.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/templates/configmap.yaml b/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/templates/configmap.yaml new file mode 100644 index 00000000..731fabb0 --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/templates/configmap.yaml 
@@ -0,0 +1,27 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Chart.Name }}-scripts-configmap + labels: + release: {{ .Release.Name }} + app: {{ include "firewall.name" . }} + chart: {{ .Chart.Name }} +data: +{{ tpl (.Files.Glob "resources/scripts/init/*").AsConfig . | indent 2 }} \ No newline at end of file diff --git a/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/templates/deployment.yaml b/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/templates/deployment.yaml new file mode 100644 index 00000000..4e48937e --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/templates/deployment.yaml 
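Review bot: The `app:` label uses `include "firewall.name"`, a named template defined in the parent chart rather than in this subchart, while deployment.yaml and service.yaml in the same chart use `packetgen.name`; the label will not match the Deployment's and the subchart cannot be rendered or linted on its own. Use `app: {{ include "packetgen.name" . }}` here for consistency. The ConfigMap is also named `{{ .Chart.Name }}-scripts-configmap` with no release component, so two releases in one namespace would overwrite each other's scripts; `{{ include "packetgen.fullname" . }}-scripts` (with the matching change to `configMap.name` in deployment.yaml) avoids that.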
@@ -0,0 +1,85 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "packetgen.fullname" . }} + labels: + release: {{ .Release.Name }} + app: {{ include "packetgen.name" . }} + chart: {{ .Chart.Name }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: {{ include "packetgen.name" .}} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ include "packetgen.name" .}} + release: {{ .Release.Name }} + annotations: + k8s.v1.cni.cncf.io/networks: '[ + { "name": "host-device-{{ .Values.global.unprotectedNetPortVpg }}", + "interface": "veth11" } + ]' + spec: + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + tty: true + stdin: true + env: + - name: unprotectedNetCidr + value: "{{.Values.global.unprotectedNetCidr}}" + - name: unprotectedNetGw + value: "{{.Values.global.unprotectedNetGw}}" + - name: protectedNetCidr + value: "{{.Values.global.protectedNetCidr}}" + - name: protectedNetGw + value: "{{.Values.global.protectedNetGw}}" + - name: protectedNetGwIp + value: "{{.Values.global.protectedNetGwIp}}" + - name: dcaeCollectorIp + value: "{{.Values.global.dcaeCollectorIp}}" + - name: dcaeCollectorPort + value: "{{.Values.global.dcaeCollectorPort}}" + command: ["/bin/bash", "/opt/vpg_start.sh"] + securityContext: + privileged: true + capabilities: + add: + - CAP_SYS_ADMIN + volumeMounts: + - mountPath: /hugepages + name: hugepage + - name: lib-modules + mountPath: /lib/modules + - name: src + mountPath: /usr/src + - name: scripts + mountPath: /opt + resources: + requests: + cpu: {{ .Values.resources.cpu }} + memory: {{ .Values.resources.memory }} + hugepages-2Mi: {{ .Values.resources.hugepage }} + limits: + cpu: {{ .Values.resources.cpu }} + memory: {{ .Values.resources.memory }} + hugepages-2Mi: {{ .Values.resources.hugepage }} + volumes: + - name: hugepage + emptyDir: + medium: HugePages + - name: 
lib-modules + hostPath: + path: /lib/modules + - name: src + hostPath: + path: /usr/src + - name: scripts + configMap: + name: {{ .Chart.Name }}-scripts-configmap + imagePullSecrets: + - name: admin-registry-secret diff --git a/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/templates/service.yaml b/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/templates/service.yaml new file mode 100644 index 00000000..7b8fd9db --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/templates/service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: packetgen-service + labels: + app: {{ include "packetgen.name" . }} + release: {{ .Release.Name }} + chart: {{ .Chart.Name }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.ports.port }} + nodePort: {{ .Values.service.ports.nodePort }} + selector: + app: {{ include "packetgen.name" . }} + release: {{ .Release.Name }} diff --git a/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/values.yaml b/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/values.yaml new file mode 100644 index 00000000..a6ce488e --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/charts/pktgen-host-netdevice/values.yaml @@ -0,0 +1,26 @@ +# Default values for packetgen. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +### must be 1 in this case, since host-device are allocatd statically +replicaCount: 1 + +image: + repository: ubuntu + tag: latest + pullPolicy: IfNotPresent + +nameOverride: "" +fullnameOverride: "" + +service: +#serivce port value for packetgen service + type: NodePort + ports: + port: 2831 + nodePort: 30831 + +resources: + cpu: 3 + memory: 4Gi + hugepage: 256Mi 
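Review bot: `privileged: true` gives the packet generator every capability, unrestricted /dev and no seccomp/AppArmor confinement, and the `capabilities.add: CAP_SYS_ADMIN` beneath it is both redundant under privileged and written in the OCI spelling — Kubernetes documents capability names without the `CAP_` prefix (`SYS_ADMIN`), and at least the Docker shim has been known to reject the prefixed form. VPP's af_packet `host-interface` on a device Multus has already moved into the pod netns should need only network-related capabilities plus the hugepages already requested, so I would try dropping `privileged` and adding `NET_ADMIN`, `NET_RAW`, `IPC_LOCK` and `SYS_NICE` under `capabilities.add`, then confirm on the target node. The `hostPath` mounts of `/lib/modules` and `/usr/src` are read-write although nothing in vpg_start.sh writes to them; add `readOnly: true` to both. `imagePullSecrets: admin-registry-secret` names a Secret the chart never creates, and the image resolves to `ubuntu:latest` (values.yaml); document the secret as a prerequisite and pin the tag or digest.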
diff --git a/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/.helmignore b/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/.helmignore new file mode 100644 index 00000000..50af0317 --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/Chart.yaml b/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/Chart.yaml new file mode 100644 index 00000000..85990cd7 --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart to deploy sink for vFirewall +name: sink-host-netdevice +version: 0.1.0 diff --git a/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/resources/scripts/init/vsn_start.sh b/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/resources/scripts/init/vsn_start.sh new file mode 100644 index 00000000..63acfff1 --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/resources/scripts/init/vsn_start.sh 
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+apt-get update
+apt-get install -y sudo curl net-tools iproute2 inetutils-ping wget darkstat unzip
+
+echo "provision interfaces"
+
+ifconfig veth22 10.10.2.2/24
+
+echo "add route entries"
+ip route add 10.10.1.0/24 via 10.10.2.1
+
+echo "update darkstat configuration"
+sed -i "s/START_DARKSTAT=.*/START_DARKSTAT=yes/g;s/INTERFACE=.*/INTERFACE=\"-i veth22\"/g" /etc/darkstat/init.cfg
+
+echo "start darkstat"
+
+darkstat -i veth22
+
+echo "done"
+sleep infinity
\ No newline at end of file
diff --git a/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/templates/_helpers.tpl b/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/templates/_helpers.tpl
new file mode 100644
index 00000000..7d82d08d
--- /dev/null
+++ b/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "sink.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "sink.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "sink.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
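Review bot: `ifconfig veth22 10.10.2.2/24` and `ip route add 10.10.1.0/24 via 10.10.2.1` hard-code the addresses that deployment.yaml already passes in as `protectedNetCidr`/`protectedNetGwIp`, so editing values.yaml changes the env vars but not what the sink configures; read `"$protectedNetGwIp"` and the sink's own address from the environment instead of literals. Without `set -euo pipefail` a failed `ifconfig` (for instance when veth22 was not attached) is ignored and `darkstat` still starts, so the pod reports Running while the demo is broken. `darkstat -i veth22` also serves an HTTP statistics UI on its default port 667 with no authentication, which the chart's Service then exposes; bind it with `-b 127.0.0.1` unless that UI is meant to be reachable from outside the pod. The `sed` edit of `/etc/darkstat/init.cfg` has no effect on the foreground `darkstat -i veth22` that follows, so it can be dropped or explained in a comment.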
diff --git a/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/templates/configmap.yaml b/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/templates/configmap.yaml new file mode 100644 index 00000000..1d4b755d --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/templates/configmap.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Chart.Name }}-scripts-configmap + labels: + release: {{ .Release.Name }} + app: {{ include "firewall.name" . }} + chart: {{ .Chart.Name }} +data: +{{ tpl (.Files.Glob "resources/scripts/init/*").AsConfig . | indent 2 }} \ No newline at end of file diff --git a/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/templates/deployment.yaml b/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/templates/deployment.yaml new file mode 100644 index 00000000..fe3d03fe --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/templates/deployment.yaml 
@@ -0,0 +1,68 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "sink.fullname" . }} + labels: + release: {{ .Release.Name }} + app: {{ include "sink.name" . }} + chart: {{ .Chart.Name }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: {{ include "sink.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ include "sink.name" . }} + release: {{ .Release.Name }} + annotations: + k8s.v1.cni.cncf.io/networks: '[ + { "name": "host-device-{{ .Values.global.protectedNetPortVsn }}", + "interface": "veth22" } + ]' + spec: + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + tty: true + stdin: true + env: + - name: unprotectedNetCidr + value: "{{.Values.global.unprotectedNetCidr}}" + - name: unprotectedNetGw + value: "{{.Values.global.unprotectedNetGw}}" + - name: protectedNetCidr + value: "{{.Values.global.protectedNetCidr}}" + - name: protectedNetGw + value: "{{.Values.global.protectedNetGw}}" + - name: protectedNetGwIp + value: "{{.Values.global.protectedNetGwIp}}" + - name: dcaeCollectorIp + value: "{{.Values.global.dcaeCollectorIp}}" + - name: dcaeCollectorPort + value: "{{.Values.global.dcaeCollectorPort}}" + command: ["/bin/bash", "/opt/vsn_start.sh"] + securityContext: + privileged: true + capabilities: + add: + - CAP_SYS_ADMIN + volumeMounts: + - name: scripts + mountPath: /opt + resources: + requests: + cpu: {{ .Values.resources.cpu }} + memory: {{ .Values.resources.memory }} + limits: + cpu: {{ .Values.resources.cpu }} + memory: {{ .Values.resources.memory }} + volumes: + - name: scripts + configMap: + name: {{ .Chart.Name }}-scripts-configmap + imagePullSecrets: + - name: admin-registry-secret 
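Review bot: The sink runs with `privileged: true` and `CAP_SYS_ADMIN` added, yet vsn_start.sh only calls `ifconfig`, `ip route add` and `darkstat` (a packet-capture reader) on an interface Multus has already placed in the pod; that needs `NET_ADMIN` and `NET_RAW`, not a privileged container. Replace the securityContext with `capabilities: {add: [NET_ADMIN, NET_RAW]}` plus `allowPrivilegeEscalation: false` and verify darkstat still captures. As in the packetgen chart, `CAP_SYS_ADMIN` is the OCI spelling whereas Kubernetes expects `SYS_ADMIN`, and `imagePullSecrets: admin-registry-secret` refers to a Secret this chart never creates.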
diff --git a/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/templates/service.yaml b/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/templates/service.yaml new file mode 100644 index 00000000..99da7de7 --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/templates/service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: sink-service + labels: + app: {{ include "sink.name" . }} + release: {{ .Release.Name }} + chart: {{ .Chart.Name }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.ports.port }} + nodePort: {{ .Values.service.ports.nodePort }} + selector: + app: {{ include "sink.name" . }} + release: {{ .Release.Name }} diff --git a/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/values.yaml b/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/values.yaml new file mode 100644 index 00000000..3e379cc4 --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/charts/sink-host-netdevice/values.yaml @@ -0,0 +1,30 @@ +# Default values for sink. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: ubuntu + tag: latest + pullPolicy: IfNotPresent + +nameOverride: "" +fullnameOverride: "" + +resources: + cpu: 1 + memory: 4Gi + +service: +#serivce port value for sink service + type: NodePort + ports: + port: 667 + nodePort: 30667 + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/starlingx/demo/firewall-host-netdevice/resources/scripts/init/vfw_start.sh b/starlingx/demo/firewall-host-netdevice/resources/scripts/init/vfw_start.sh new file mode 100644 index 00000000..fd44793e --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/resources/scripts/init/vfw_start.sh 
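Review bot: `type: NodePort` with `nodePort: 30667` publishes darkstat's unauthenticated traffic-statistics UI on every node in the cluster, and the Service omits `targetPort`, so requests reach container port 667 only because that happens to be darkstat's default. If node-wide exposure is intended for the demo, say so in a comment next to `service.type`; otherwise default it to `ClusterIP` and add an explicit `targetPort: 667`. The sink's `replicaCount: 1` also lacks the "must be 1, host-device is allocated statically" comment the packetgen values carry, although the same constraint applies here.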
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+apt-get update
+apt-get install -y sudo curl net-tools iproute2
+curl -s https://packagecloud.io/install/repositories/fdio/release/script.deb.sh | sudo bash
+export VPP_VER=19.01.2-release
+apt-get install -y vpp=$VPP_VER vpp-lib=$VPP_VER
+apt-get install -y vpp-plugins=$VPP_VER
+
+if [ -e /run/vpp/cli-vpp2.sock ]; then
+ rm /run/vpp/cli-vpp2.sock
+fi
+
+# extract core list
+# root@vpktgen:/# taskset -p --cpu-list 1
+# pid 1's current affinity list: 1,2,29
+
+corelist=`taskset -p -c 1 |cut -d : -f 2 | sed 's/^ *//' | sed 's/ *$//'`
+#extract master core
+mastercoreidx=`echo $corelist | cut -d , -f 1`
+#extract worker cores
+workercorelist=`echo $corelist | sed -E 's/^[0-9]*,//'`
+
+echo 'start... vpp'
+vpp unix {cli-listen /run/vpp/cli-vpp2.sock} api-segment { prefix vpp2 } \
+ cpu { main-core $mastercoreidx corelist-workers $workercorelist }
+
+echo 'wait vpp be up ...'
+while [ ! -e /run/vpp/cli-vpp2.sock ]; do
+ sleep 1;
+done
+
+echo 'configure vpp ...'
+
+vppctl -s /run/vpp/cli-vpp2.sock show ver
+vppctl -s /run/vpp/cli-vpp2.sock show threads
+
+vppctl -s /run/vpp/cli-vpp2.sock create host-interface name veth12
+
+vppctl -s /run/vpp/cli-vpp2.sock set int state host-veth12 up
+
+vppctl -s /run/vpp/cli-vpp2.sock set int ip address host-veth12 10.10.1.1/24
+
+vppctl -s /run/vpp/cli-vpp2.sock create host-interface name veth21
+
+vppctl -s /run/vpp/cli-vpp2.sock set int state host-veth21 up
+
+vppctl -s /run/vpp/cli-vpp2.sock set int ip address host-veth21 10.10.2.1/24
+
+vppctl -s /run/vpp/cli-vpp2.sock show hardware
+vppctl -s /run/vpp/cli-vpp2.sock show int
+vppctl -s /run/vpp/cli-vpp2.sock show int addr
+
+vppctl -s /run/vpp/cli-vpp2.sock show ip fib
+
+#vppctl -s /run/vpp/cli-vpp2.sock trace add af-packet-input 10
+
+#vppctl -s /run/vpp/cli-vpp2.sock ping 10.10.1.2
+
+#vppctl -s /run/vpp/cli-vpp2.sock show trace
+#vppctl -s /run/vpp/cli-vpp2.sock show ip arp
+
+echo "done"
+sleep infinity
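Review bot: The same `curl -s ... | sudo bash` bootstrap as in vpg_start.sh runs an unverified remote script as root at every pod start and, with `-s` and no `-f`, would pipe an HTTP error page into bash; download with `curl -fsSL` to a file, verify it, or preferably install VPP in the image. Nothing in this script installs an ACL or any other filtering — it creates `host-veth12`/`host-veth21`, assigns 10.10.1.1 and 10.10.2.1 and lets VPP route between them — so despite the chart's name this container is a plain router; if that is intentional for the demo, a comment at the top such as `# NOTE: demo only - forwards all traffic between the two networks, no filtering rules are applied` would save the next reader from looking for them. The two addresses duplicate `vfwPrivateIp0`/`vfwPrivateIp1` from values.yaml rather than reading them from the environment the Deployment sets up, and `set -euo pipefail` is missing here as well.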
diff --git a/starlingx/demo/firewall-host-netdevice/templates/_helpers.tpl b/starlingx/demo/firewall-host-netdevice/templates/_helpers.tpl new file mode 100644 index 00000000..7593e779 --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "firewall.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "firewall.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "firewall.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/starlingx/demo/firewall-host-netdevice/templates/configmap.yaml b/starlingx/demo/firewall-host-netdevice/templates/configmap.yaml new file mode 100644 index 00000000..731fabb0 --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/templates/configmap.yaml 
@@ -0,0 +1,27 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Chart.Name }}-scripts-configmap + labels: + release: {{ .Release.Name }} + app: {{ include "firewall.name" . }} + chart: {{ .Chart.Name }} +data: +{{ tpl (.Files.Glob "resources/scripts/init/*").AsConfig . | indent 2 }} \ No newline at end of file diff --git a/starlingx/demo/firewall-host-netdevice/templates/deployment.yaml b/starlingx/demo/firewall-host-netdevice/templates/deployment.yaml new file mode 100644 index 00000000..be0af964 --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/templates/deployment.yaml 
@@ -0,0 +1,87 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "firewall.fullname" . }} + labels: + release: {{ .Release.Name }} + app: {{ include "firewall.name" . }} + chart: {{ .Chart.Name }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: {{ include "firewall.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ include "firewall.name" . }} + release: {{ .Release.Name }} + annotations: + k8s.v1.cni.cncf.io/networks: '[ + { "name": "host-device-{{ .Values.global.unprotectedNetPortVfw }}", + "interface": "veth12" }, + { "name": "host-device-{{ .Values.global.protectedNetPortVfw }}", + "interface": "veth21" } + ]' + spec: + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + tty: true + stdin: true + env: + - name: unprotectedNetCidr + value: "{{.Values.global.unprotectedNetCidr}}" + - name: unprotectedNetGw + value: "{{.Values.global.unprotectedNetGw}}" + - name: protectedNetCidr + value: "{{.Values.global.protectedNetCidr}}" + - name: protectedNetGw + value: "{{.Values.global.protectedNetGw}}" + - name: protectedNetGwIp + value: "{{.Values.global.protectedNetGwIp}}" + - name: dcaeCollectorIp + value: "{{.Values.global.dcaeCollectorIp}}" + - name: dcaeCollectorPort + value: "{{.Values.global.dcaeCollectorPort}}" + command: ["/bin/bash", "/opt/vfw_start.sh"] + securityContext: + privileged: true + capabilities: + add: + - CAP_SYS_ADMIN + volumeMounts: + - mountPath: /hugepages + name: hugepage + - name: lib-modules + mountPath: /lib/modules + - name: src + mountPath: /usr/src + - name: scripts + mountPath: /opt + resources: + requests: + cpu: {{ .Values.resources.cpu }} + memory: {{ .Values.resources.memory }} + hugepages-2Mi: {{ .Values.resources.hugepage }} + limits: + cpu: {{ .Values.resources.cpu }} + memory: {{ .Values.resources.memory }} + hugepages-2Mi: {{ 
.Values.resources.hugepage }} + volumes: + - name: hugepage + emptyDir: + medium: HugePages + - name: lib-modules + hostPath: + path: /lib/modules + - name: src + hostPath: + path: /usr/src + - name: scripts + configMap: + name: {{ .Chart.Name }}-scripts-configmap + imagePullSecrets: + - name: admin-registry-secret diff --git a/starlingx/demo/firewall-host-netdevice/templates/protected-private-net.yaml b/starlingx/demo/firewall-host-netdevice/templates/protected-private-net.yaml new file mode 100644 index 00000000..590d3f69 --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/templates/protected-private-net.yaml @@ -0,0 +1,23 @@ +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: host-device-{{ .Values.global.protectedNetPortVfw }} +spec: + config: '{ + "cniVersion": "0.3.0", + "type": "host-device", + "device": "{{ .Values.global.protectedNetPortVfw }}" + }' + +--- + +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: host-device-{{ .Values.global.protectedNetPortVsn }} +spec: + config: '{ + "cniVersion": "0.3.0", + "type": "host-device", + "device": "{{ .Values.global.protectedNetPortVsn }}" + }' diff --git a/starlingx/demo/firewall-host-netdevice/templates/unprotected-private-net.yaml b/starlingx/demo/firewall-host-netdevice/templates/unprotected-private-net.yaml new file mode 100644 index 00000000..79b47579 --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/templates/unprotected-private-net.yaml 
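Review bot: The pod is attached to `host-device` networks that move the physical `veth12`/`veth21` devices of one particular node into its namespace, but the Deployment carries no `nodeSelector` or `affinity`, even though values.yaml defines `global.nodeAffinity` (key `nodeName`, value `worker-0`, operator `In`) for exactly this purpose; if the scheduler picks another node the CNI attach fails and the pod never starts. Render that value as a required node affinity (sketched below; note `nodeName` is not a standard node label, `kubernetes.io/hostname` is, so confirm which label StarlingX nodes actually carry) and do the same in both subcharts. The `privileged: true` plus `CAP_SYS_ADMIN` and the read-write `hostPath` mounts of `/lib/modules` and `/usr/src` raise the same concerns as in the packetgen chart: prefer explicit capabilities spelled without `CAP_`, and mark both hostPath mounts `readOnly: true`.
```yaml
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: {{ .Values.global.nodeAffinity.key }}
                    operator: {{ .Values.global.nodeAffinity.op }}
                    values:
                      - {{ .Values.global.nodeAffinity.values | quote }}
      # … unchanged: containers, volumes, imagePullSecrets …
```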
@@ -0,0 +1,23 @@ +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: host-device-{{ .Values.global.unprotectedNetPortVfw }} +spec: + config: '{ + "cniVersion": "0.3.0", + "type": "host-device", + "device": "{{ .Values.global.unprotectedNetPortVfw }}" + }' + +--- + +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: host-device-{{ .Values.global.unprotectedNetPortVpg }} +spec: + config: '{ + "cniVersion": "0.3.0", + "type": "host-device", + "device": "{{ .Values.global.unprotectedNetPortVpg }}" + }' diff --git a/starlingx/demo/firewall-host-netdevice/values.yaml b/starlingx/demo/firewall-host-netdevice/values.yaml new file mode 100644 index 00000000..199551c1 --- /dev/null +++ b/starlingx/demo/firewall-host-netdevice/values.yaml 
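Review bot: Each NetworkAttachmentDefinition hands a raw host NIC named in values.yaml to a pod via `host-device`, which removes that interface from the host namespace for the pod's lifetime and gives the container layer-2 access to whatever the wire carries; a one-line comment above each definition, e.g. `# host-device: <port> must exist on the scheduled node and is removed from the host while the pod runs`, would make that operational impact visible to whoever edits the port names. The value is substituted unquoted into both `metadata.name` and the JSON `device` field, so a name with characters invalid in a resource name, or a missing value, only surfaces at install time; quoting and a `required` check would fail earlier with a clearer message. The four definitions across this file and protected-private-net.yaml differ only in the value used, and a single template ranging over a list of port names would remove the duplication, though that is a style preference.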
@@ -0,0 +1,76 @@ +# Default values for firewall. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# must be 1 in this helm chart, since the host-netdevice are fixed +replicaCount: 1 + +image: + repository: ubuntu + tag: latest + pullPolicy: IfNotPresent + +nameOverride: "" +fullnameOverride: "" + +resources: + cpu: 3 + memory: 4Gi + hugepage: 256Mi + +#global vars for parent and subcharts. +global: + + nodeAffinity: + key: nodeName + values: worker-0 + op: In + + #Networks + #unprotectedNetworkName: unprotected-private-net + #protectedPrivateNetCidr: 192.168.10.0/24 + #protectedPrivateNetGw: 192.168.10.1/24 + + unprotectedNetPortVpg: veth11 + unprotectedNetPortVfw: veth12 + unprotectedNetCidr: 10.10.1.0/24 + unprotectedNetGw: 10.10.1.1/24 + + #onapPrivateNetworkName: onap-private-net + #onapPrivateNetCidr: 10.10.0.0/16 + #onapPrivateNetGw: 10.10.0.1/16 + + #protectedNetworkName: protected-private-net + #protectedNetCidr: 192.168.20.0/24 + #protectedNetGwIp: 192.168.20.100 + #protectedNetGw: 192.168.20.100/24 + protectedNetPortVfw: veth21 + protectedNetPortVsn: veth22 + protectedNetCidr: 10.10.2.0/24 + protectedNetGwIp: 10.10.2.1 + protectedNetGw: 10.10.2.1/24 + + #vFirewall container + #vfwPrivateIp0: 192.168.10.3 + #vfwPrivateIp1: 192.168.20.2 + #vfwPrivateIp2: 10.10.100.3 + vfwPrivateIp0: 10.10.1.1 + vfwPrivateIp1: 10.10.2.1 + + #Packetgen container + #vpgPrivateIp0: 192.168.10.2 + #vpgPrivateIp1: 10.0.100.2 + vpgPrivateIp0: 10.10.1.2 + + #Sink container + #vsnPrivateIp0: 192.168.20.3 + #vsnPrivateIp1: 10.10.100.4 + vsnPrivateIp0: 10.10.2.2 + + ######### + #demoArtifactsVersion: 1.5.0 + #dcaeCollectorIp: 10.0.4.1 + #dcaeCollectorPort: 8081 + dcaeCollectorIp: 10.12.7.4 + dcaeCollectorPort: 30235 + -- cgit 1.2.3-korg
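Review bot: `vfwPrivateIp0/1`, `vpgPrivateIp0`, `vsnPrivateIp0`, the `*NetCidr` and `*NetGw*` entries are declared here and several are exported as env vars by the Deployments, but all three start scripts hard-code the same 10.10.1.x/10.10.2.x literals, so these values are effectively documentation and changing them silently breaks connectivity; either have the scripts read the variables or add a comment such as `# NOTE: the init scripts currently hard-code these addresses; keep in sync with resources/scripts/init/*.sh`. `dcaeCollectorIp: 10.12.7.4` / `dcaeCollectorPort: 30235` are lab-specific defaults that nothing in this chart references; drop them or mark them as placeholders. `image.tag: latest` combined with runtime `apt-get` means two deployments of the same chart version can run different bits — pin a tag or digest. `global.nodeAffinity` is defined but not consumed by any template in this change.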