feature:TSG-17228:新增sd功能

2023-09-26 10:40:12 +08:00
parent 3b3d202cc6
commit 0d54c2fe45
5 changed files with 99 additions and 3 deletions
--- a/ansible/roles/traffic-engine/files/helm/conf/maat.conf
+++ b/ansible/roles/traffic-engine/files/helm/conf/maat.conf
@@ -55,6 +55,25 @@ INC_CFG_DIR=tsgrule/inc/index/
 FULL_CFG_DIR=tsgrule/full/index/
 EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
 LOG_PATH="log/stat_policy_enforcer.maat"
+[DYNAMIC_MAPPING_MAAT]
+MAAT_MODE=redis
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=tsgconf/tsg_dynamic_mapping_tableinfo.json
+STAT_FILE=log/dynamic.mapping.maat.status
+EFFECT_INTERVAL_MS={{ .Values.external_resources.sd.policy_effect_interval_ms }}
+GARBAGE_COLLECT_MS={{ .Values.external_resources.sd.policy_garbage_collection_interval_ms }}
+RULE_UPDATE_CHECK_INTERVAL_MS={{ .Values.external_resources.sd.policy_update_check_interval_ms }}
+REDIS_IP={{- include "traffic-engine.global.sd.server-ip" . }}
+REDIS_PORT_NUM=1
+REDIS_PORT={{- include "traffic-engine.global.sd.server-port" . }}
+REDIS_INDEX={{ .Values.external_resources.sd.db_index }}
+JSON_CFG_FILE=tsgconf/tsg_dynamic_mapping_maat.json
+INC_CFG_DIR=tsgrule/inc/index/
+FULL_CFG_DIR=tsgrule/full/index/
+EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
+LOG_LEVEL=0
+LOG_PATH="log/dynamic.mapping.maat"

 [CAPTURE]
 MAAT_MODE=2
--- a/ansible/roles/traffic-engine/files/helm/conf/main.conf
+++ b/ansible/roles/traffic-engine/files/helm/conf/main.conf
@@ -6,6 +6,11 @@ IP_ADDR_TABLE="TSG_SECURITY_ADDR"
 LOCATION_TABLE_TYPE=19
 LOG_LEVEL=30
 LOG_PATH="log/master.scan"
+{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }}
+DYNAMIC_MAPPING_MAAT_SWITCH=1
+{{- else }}
+DYNAMIC_MAPPING_MAAT_SWITCH=0
+{{- end }}

 [TSG_LOG]
 MODE=kafka
--- a/ansible/roles/traffic-engine/files/helm/templates/_config.tpl
+++ b/ansible/roles/traffic-engine/files/helm/templates/_config.tpl
@@ -574,8 +574,8 @@ enable_breakpad_upload=0
            export CACERT=${SERVICEACCOUNT}/ca.crt
            curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/tsg-os-system/services/${CM_CACHE_SERVICE_NAME} -o /tmp/cm-cache.txt
            export CM_POLICY_LOCAL_CACHE_IP=$(cat /tmp/cm-cache.txt  | jq -r '.spec.clusterIP')
-            echo "export CM_POLICY_LOCAL_CACHE_IP=${CM_POLICY_LOCAL_CACHE_IP}" > /etc/profile.d/announceinfo.sh
-            chmod 0755 /etc/profile.d/announceinfo.sh
+            echo "export CM_POLICY_LOCAL_CACHE_IP=${CM_POLICY_LOCAL_CACHE_IP}" > /etc/profile.d/cm-local-cache.sh
+            chmod 0755 /etc/profile.d/cm-local-cache.sh
 {{- end }}
 {{- end -}}

@@ -634,4 +634,58 @@ enable_breakpad_upload=0
            export device_id=`ipmitool fru list |grep 'Product Serial' | awk '{ print $4}'`
            if [ -z "$device_id" ]; then export device_id="unknown"; fi
            echo "export device_id=${device_id}" > /etc/profile.d/device_id.sh
-{{- end -}}
+{{- end -}}
+
+{{- define "traffic-engine.global.sd.server-ip" -}}
+{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }}
+{{- if eq .Values.external_resources.sd.connectivity "direct" }}
+{{- print .Values.external_resources.sd.direct.address }}
+{{- else }}
+{{- print "SD_POLICY_LOCAL_CACHE_IP_LOCATION" }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{- define "traffic-engine.global.sd.server-port" -}}
+{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }}
+{{- if eq .Values.external_resources.sd.connectivity "direct" }}
+{{- print .Values.external_resources.sd.direct.port }}
+{{- else }}
+{{- print "6379" }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{- define "traffic-engine.global.sd.read-server-ip" -}}
+{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }}
+{{- if eq .Values.external_resources.sd.connectivity "local_cache" }}
+            export APISERVER=https://kubernetes.default.svc
+            export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
+            export TOKEN=$(cat ${SERVICEACCOUNT}/token)
+            export CACERT=${SERVICEACCOUNT}/ca.crt
+            curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/tsg-os-system/services/${SD_CACHE_SERVICE_NAME} -o /tmp/sd-cache.txt
+            export SD_POLICY_LOCAL_CACHE_IP=$(cat /tmp/sd-cache.txt  | jq -r '.spec.clusterIP')
+            echo "export SD_POLICY_LOCAL_CACHE_IP=${SD_POLICY_LOCAL_CACHE_IP}" > /etc/profile.d/sd-local-cache.sh
+            chmod 0755 /etc/profile.d/sd-local-cache.sh
+{{- end }}
+{{- end }}
+{{- end -}}
+
+
+{{- define "traffic-engine.global.sd.env-service-name" -}}
+{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }}
+{{- if eq .Values.external_resources.sd.connectivity "local_cache" }}
+        - name: SD_CACHE_SERVICE_NAME
+          value: {{ .Values.external_resources.sd.local_cache.cache_name }}-redis-master
+{{- end }}
+{{- end }}
+{{- end -}}
+
+
+{{- define "traffic-engine.firewall.sd.set-redis-ip" -}}
+{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }}
+{{- if eq .Values.external_resources.sd.connectivity "local_cache" }}
+            sed -Ei "s|SD_POLICY_LOCAL_CACHE_IP_LOCATION|${SD_POLICY_LOCAL_CACHE_IP?}|g" /opt/tsg/sapp/tsgconf/maat.conf
+{{- end }}
+{{- end }}
+{{- end -}}
--- a/ansible/roles/traffic-engine/files/helm/templates/deployment-firewall.yaml
+++ b/ansible/roles/traffic-engine/files/helm/templates/deployment-firewall.yaml
@@ -47,6 +47,8 @@ spec:
            {{ template "traffic-engine.firewall.copy-config-to-dest" . }}
            {{ template "traffic-engine.global.cm.read-server-ip" . }}
            {{ template "traffic-engine.firewall.set-redis-ip" . }}
+            {{ template "traffic-engine.global.sd.read-server-ip" . }}
+            {{ template "traffic-engine.firewall.sd.set-redis-ip" . }}
            {{ template "traffic-engine.firewall.prestart" . }}
            {{ template "traffic-engine.firewall.start" . }}
        ports:
@@ -65,6 +67,7 @@ spec:
            fieldRef:
              fieldPath: status.hostIP
        {{ template "traffic-engine.global.cm.env-service-name" . }}
+        {{ template "traffic-engine.global.sd.env-service-name" . }}
        securityContext:
          privileged: true
 {{- if eq .Values.debug.firewall.enable_liveness_probe .Values.define_enable_val_yes }}
--- a/ansible/roles/traffic-engine/files/helm/values.yaml
+++ b/ansible/roles/traffic-engine/files/helm/values.yaml
@@ -9,6 +9,21 @@ external_resources:
    local_cache:
      cache_name: tsg_traffic_cm_local_cache_1
    port_num: 1
+  sd:
+    ## @param external_resources.cm.connection value in [direct, local_cache], default: local_cache
+    ##
+    enable: yes
+    connectivity: local_cache
+    db_index: 0
+    policy_effect_interval_ms: 100
+    policy_garbage_collection_interval_ms: 30000
+    policy_update_check_interval_ms: 100
+    direct:
+      address: 10.X.X.X
+      port: 7002
+    local_cache:
+      cache_name: tsg_traffic_sd_local_cache_1
+

  olap:
    kafka_brokers: