From 0d54c2fe45e5971236bbef131a367ac350e33f9d Mon Sep 17 00:00:00 2001
From: fumingwei
Date: Tue, 26 Sep 2023 10:40:12 +0800
Subject: [PATCH] =?UTF-8?q?feature:TSG-17228:=E6=96=B0=E5=A2=9Esd=E5=8A=9F?=
 =?UTF-8?q?=E8=83=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../traffic-engine/files/helm/conf/maat.conf | 19 ++++++
 .../traffic-engine/files/helm/conf/main.conf | 5 ++
 .../files/helm/templates/_config.tpl | 60 ++++++++++++++++++-
 .../helm/templates/deployment-firewall.yaml | 3 +
 .../traffic-engine/files/helm/values.yaml | 15 +++++
 5 files changed, 99 insertions(+), 3 deletions(-)
diff --git a/ansible/roles/traffic-engine/files/helm/conf/maat.conf b/ansible/roles/traffic-engine/files/helm/conf/maat.conf
index f92ec55b..7dc610a2 100644
--- a/ansible/roles/traffic-engine/files/helm/conf/maat.conf
+++ b/ansible/roles/traffic-engine/files/helm/conf/maat.conf
@@ -55,6 +55,25 @@ INC_CFG_DIR=tsgrule/inc/index/
 FULL_CFG_DIR=tsgrule/full/index/
 EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
 LOG_PATH="log/stat_policy_enforcer.maat"
+[DYNAMIC_MAPPING_MAAT]
+MAAT_MODE=redis
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=tsgconf/tsg_dynamic_mapping_tableinfo.json
+STAT_FILE=log/dynamic.mapping.maat.status
+EFFECT_INTERVAL_MS={{ .Values.external_resources.sd.policy_effect_interval_ms }}
+GARBAGE_COLLECT_MS={{ .Values.external_resources.sd.policy_garbage_collection_interval_ms }}
+RULE_UPDATE_CHECK_INTERVAL_MS={{ .Values.external_resources.sd.policy_update_check_interval_ms }}
+REDIS_IP={{- include "traffic-engine.global.sd.server-ip" . }}
+REDIS_PORT_NUM=1
+REDIS_PORT={{- include "traffic-engine.global.sd.server-port" . }}
+REDIS_INDEX={{ .Values.external_resources.sd.db_index }}
+JSON_CFG_FILE=tsgconf/tsg_dynamic_mapping_maat.json
+INC_CFG_DIR=tsgrule/inc/index/
+FULL_CFG_DIR=tsgrule/full/index/
+EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
+LOG_LEVEL=0
+LOG_PATH="log/dynamic.mapping.maat"
 [CAPTURE]
 MAAT_MODE=2
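Review bot: The new `[DYNAMIC_MAPPING_MAAT]` section is emitted unconditionally, but `traffic-engine.global.sd.server-ip` and `traffic-engine.global.sd.server-port` render nothing unless `external_resources.sd.enable` equals the yes value, so a chart with SD disabled still ships a maat.conf containing bare `REDIS_IP=` and `REDIS_PORT=` lines while main.conf only flips `DYNAMIC_MAPPING_MAAT_SWITCH=0`. Whether the engine ignores the section when the switch is 0 is not visible here; wrapping the whole section in the same `{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }} … {{- end }}` guard that main.conf uses would keep the two files consistent and avoid relying on that. The section also carries no authentication or TLS setting for the Redis endpoint it points the policy reader at; if the dynamic-mapping store can require a password, that field is missing here and worth confirming against the engine's config reader before this ships.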
diff --git a/ansible/roles/traffic-engine/files/helm/conf/main.conf b/ansible/roles/traffic-engine/files/helm/conf/main.conf
index b844ff6d..51cf5989 100644
--- a/ansible/roles/traffic-engine/files/helm/conf/main.conf
+++ b/ansible/roles/traffic-engine/files/helm/conf/main.conf
@@ -6,6 +6,11 @@ IP_ADDR_TABLE="TSG_SECURITY_ADDR"
 LOCATION_TABLE_TYPE=19
 LOG_LEVEL=30
 LOG_PATH="log/master.scan"
+{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }}
+DYNAMIC_MAPPING_MAAT_SWITCH=1
+{{- else }}
+DYNAMIC_MAPPING_MAAT_SWITCH=0
+{{- end }}
 [TSG_LOG]
 MODE=kafka
diff --git a/ansible/roles/traffic-engine/files/helm/templates/_config.tpl b/ansible/roles/traffic-engine/files/helm/templates/_config.tpl
index 4ef08fe2..e74bb6fd 100644
--- a/ansible/roles/traffic-engine/files/helm/templates/_config.tpl
+++ b/ansible/roles/traffic-engine/files/helm/templates/_config.tpl
@@ -574,8 +574,8 @@ enable_breakpad_upload=0
 export CACERT=${SERVICEACCOUNT}/ca.crt
 curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/tsg-os-system/services/${CM_CACHE_SERVICE_NAME} -o /tmp/cm-cache.txt
 export CM_POLICY_LOCAL_CACHE_IP=$(cat /tmp/cm-cache.txt | jq -r '.spec.clusterIP')
- echo "export CM_POLICY_LOCAL_CACHE_IP=${CM_POLICY_LOCAL_CACHE_IP}" > /etc/profile.d/announceinfo.sh
- chmod 0755 /etc/profile.d/announceinfo.sh
+ echo "export CM_POLICY_LOCAL_CACHE_IP=${CM_POLICY_LOCAL_CACHE_IP}" > /etc/profile.d/cm-local-cache.sh
+ chmod 0755 /etc/profile.d/cm-local-cache.sh
 {{- end }}
 {{- end -}}
@@ -634,4 +634,58 @@ enable_breakpad_upload=0
 export device_id=`ipmitool fru list |grep 'Product Serial' | awk '{ print $4}'`
 if [ -z "$device_id" ]; then export device_id="unknown"; fi
 echo "export device_id=${device_id}" > /etc/profile.d/device_id.sh
-{{- end -}}
\ No newline at end of file
+{{- end -}}
+
+{{- define "traffic-engine.global.sd.server-ip" -}}
+{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }}
+{{- if eq .Values.external_resources.sd.connectivity "direct" }}
+{{- print .Values.external_resources.sd.direct.address }}
+{{- else }}
+{{- print "SD_POLICY_LOCAL_CACHE_IP_LOCATION" }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{- define "traffic-engine.global.sd.server-port" -}}
+{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }}
+{{- if eq .Values.external_resources.sd.connectivity "direct" }}
+{{- print .Values.external_resources.sd.direct.port }}
+{{- else }}
+{{- print "6379" }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{- define "traffic-engine.global.sd.read-server-ip" -}}
+{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }}
+{{- if eq .Values.external_resources.sd.connectivity "local_cache" }}
+ export APISERVER=https://kubernetes.default.svc
+ export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
+ export TOKEN=$(cat ${SERVICEACCOUNT}/token)
+ export CACERT=${SERVICEACCOUNT}/ca.crt
+ curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/tsg-os-system/services/${SD_CACHE_SERVICE_NAME} -o /tmp/sd-cache.txt
+ export SD_POLICY_LOCAL_CACHE_IP=$(cat /tmp/sd-cache.txt | jq -r '.spec.clusterIP')
+ echo "export SD_POLICY_LOCAL_CACHE_IP=${SD_POLICY_LOCAL_CACHE_IP}" > /etc/profile.d/sd-local-cache.sh
+ chmod 0755 /etc/profile.d/sd-local-cache.sh
+{{- end }}
+{{- end }}
+{{- end -}}
+
+
+{{- define "traffic-engine.global.sd.env-service-name" -}}
+{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }}
+{{- if eq .Values.external_resources.sd.connectivity "local_cache" }}
+ - name: SD_CACHE_SERVICE_NAME
+ value: {{ .Values.external_resources.sd.local_cache.cache_name }}-redis-master
+{{- end }}
+{{- end }}
+{{- end -}}
+
+
+{{- define "traffic-engine.firewall.sd.set-redis-ip" -}}
+{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }}
+{{- if eq .Values.external_resources.sd.connectivity "local_cache" }}
+ sed -Ei "s|SD_POLICY_LOCAL_CACHE_IP_LOCATION|${SD_POLICY_LOCAL_CACHE_IP?}|g" /opt/tsg/sapp/tsgconf/maat.conf
+{{- end }}
+{{- end }}
+{{- end -}}
diff --git a/ansible/roles/traffic-engine/files/helm/templates/deployment-firewall.yaml b/ansible/roles/traffic-engine/files/helm/templates/deployment-firewall.yaml
index bab9ef87..4a3a566c 100644
--- a/ansible/roles/traffic-engine/files/helm/templates/deployment-firewall.yaml
+++ b/ansible/roles/traffic-engine/files/helm/templates/deployment-firewall.yaml
@@ -47,6 +47,8 @@ spec:
 {{ template "traffic-engine.firewall.copy-config-to-dest" . }}
 {{ template "traffic-engine.global.cm.read-server-ip" . }}
 {{ template "traffic-engine.firewall.set-redis-ip" . }}
+ {{ template "traffic-engine.global.sd.read-server-ip" . }}
+ {{ template "traffic-engine.firewall.sd.set-redis-ip" . }}
 {{ template "traffic-engine.firewall.prestart" . }}
 {{ template "traffic-engine.firewall.start" . }}
 ports:
@@ -65,6 +67,7 @@ spec:
 fieldRef:
 fieldPath: status.hostIP
 {{ template "traffic-engine.global.cm.env-service-name" . }}
+ {{ template "traffic-engine.global.sd.env-service-name" . }}
 securityContext:
 privileged: true
 {{- if eq .Values.debug.firewall.enable_liveness_probe .Values.define_enable_val_yes }}
diff --git a/ansible/roles/traffic-engine/files/helm/values.yaml b/ansible/roles/traffic-engine/files/helm/values.yaml
index 31ff689f..97943f37 100644
--- a/ansible/roles/traffic-engine/files/helm/values.yaml
+++ b/ansible/roles/traffic-engine/files/helm/values.yaml
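Review bot: In `traffic-engine.global.sd.read-server-ip` the curl call has no `--fail`, so an API error body (RBAC denial, missing service) is still written to /tmp/sd-cache.txt and `jq -r '.spec.clusterIP'` turns it into the literal string `null`; `${SD_POLICY_LOCAL_CACHE_IP?}` in `traffic-engine.firewall.sd.set-redis-ip` only rejects an unset variable, so that `null` is substituted into `/opt/tsg/sapp/tsgconf/maat.conf` as `REDIS_IP` and startup proceeds with a broken policy source, unless the surrounding script aborts in a way not visible here. Suggest `curl --fail -sS …`, `export SD_POLICY_LOCAL_CACHE_IP=$(jq -r '.spec.clusterIP // empty' /tmp/sd-cache.txt)` and `${SD_POLICY_LOCAL_CACHE_IP:?}` so an empty or missing clusterIP stops the step instead of being written into the config. The same pattern exists in the cm helper at line 574, but only the sd lines are new in this commit. The four new defines duplicate the cm ones line for line; a single helper taking the resource key as a parameter would keep future fixes from having to be applied twice. The first `+{{- end -}}` closes the device_id define, whose body starts before this hunk.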
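Review bot: The new `traffic-engine.global.sd.read-server-ip` include makes the firewall container read `/api/v1/namespaces/tsg-os-system/services/${SD_CACHE_SERVICE_NAME}` with its own service-account token, yet the patch touches no Role or RoleBinding; it presumably relies on the `get services` permission already exercised by the `cm.read-server-ip` step two lines above. If that permission is narrowed to the cm service by `resourceNames`, the sd lookup fails at runtime with the error-handling caveat raised on _config.tpl, so it is worth checking the chart's RBAC templates and stating the dependency next to the include, e.g. `# sd lookup reuses the service-account permission granted for the cm lookup (get services in tsg-os-system)`. The ordering (read-server-ip before sd.set-redis-ip) is correct, since the sed in the second helper consumes the variable the first one exports.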
@@ -9,6 +9,21 @@ external_resources:
 local_cache:
 cache_name: tsg_traffic_cm_local_cache_1
 port_num: 1
+ sd:
+ ## @param external_resources.cm.connection value in [direct, local_cache], default: local_cache
+ ##
+ enable: yes
+ connectivity: local_cache
+ db_index: 0
+ policy_effect_interval_ms: 100
+ policy_garbage_collection_interval_ms: 30000
+ policy_update_check_interval_ms: 100
+ direct:
+ address: 10.X.X.X
+ port: 7002
+ local_cache:
+ cache_name: tsg_traffic_sd_local_cache_1
+
 olap:
 kafka_brokers:
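Review bot: The `## @param` comment above `enable` was copied from the cm block and still documents `external_resources.cm.connection`, while the key it describes here is `external_resources.sd.connectivity`; make it `## @param external_resources.sd.connectivity value in [direct, local_cache], default: local_cache`. `enable: yes` is read as a boolean by Helm's YAML loader and only works because `define_enable_val_yes` follows the same convention — consistent with the existing `enable_liveness_probe` comparison, so acceptable, but `direct.address: 10.X.X.X` is a placeholder that, if a deployment selects `connectivity: direct` without overriding it, is copied verbatim into `REDIS_IP=` in maat.conf. A comment stating that it must be overridden, or an empty default that the `server-ip` helper wraps in `required`, would surface that at render time rather than at first policy fetch. Note also that the feature defaults to enabled, so every existing deployment will take the new service-lookup path on upgrade.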