feature:TSG-13307:在os中部署consul

This commit is contained in:
fumingwei
2023-01-31 15:01:46 +08:00
parent ea6825199b
commit 4954768a8a
32 changed files with 460 additions and 18 deletions


@@ -28,6 +28,7 @@
- {role: wannat_wangw, tags: wannat_wangw}
- {role: wannat_common, tags: wannat_common}
- {role: wire_graft, tags: wire_graft}
- {role: consul, tags: consul}
- {role: hasp, tags: hasp}
- hosts: 7400-MCN123-P01R01
@@ -81,6 +82,7 @@
- {role: wire_graft, tags: wire_graft}
- {role: nz-talon, tags: nz-talon}
- {role: tsg-os-provision-condition, tags: tsg-os-provision-condition}
- {role: consul, tags: consul}
- {role: hasp, tags: hasp}
- hosts: TSG-X-NXR620G40-R01-P1403
@@ -104,6 +106,7 @@
- {role: system-init-TSG-X-P1403, tags: system-init-TSG-X-P1403}
- {role: system-init, tags: system-init}
- {role: tsg-os-provision-condition, tags: tsg-os-provision-condition}
- {role: consul, tags: consul}
- {role: hasp, tags: hasp}
- {role: OFED, tags: OFED}
@@ -138,6 +141,7 @@
- {role: wannat_common, tags: wannat_common}
- {role: wire_graft, tags: wire_graft}
- {role: tsg-os-provision-condition, tags: tsg-os-provision-condition}
- {role: consul, tags: consul}
- {role: hasp, tags: hasp}
- {role: OFED, tags: OFED}
@@ -158,6 +162,7 @@
- {role: tsg-diagnose, tags: tsg-diagnose}
- {role: system-init-TSG-X-P1403, tags: system-init-TSG-X-P1403}
- {role: system-init, tags: system-init}
- {role: consul, tags: consul}
- {role: hasp, tags: hasp}
- {role: OFED, tags: OFED}




@@ -0,0 +1,34 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: consul
namespace: kube-system
spec:
chart: https://%{KUBERNETES_API}%/static/charts/consul-1.0.2.tgz
targetNamespace: consul
valuesContent: |-
server:
extraConfig: |
{
"encrypt": "XN0I7fHIY1+yLWm2PjegZ7U93nI/tmzNvtmBtZLuIfo=",
"verify_incoming": false,
"verify_outgoing": false,
"verify_server_hostname": false,
"acl": {
"enabled": true,
"default_policy": "allow",
"enable_token_persistence": true
},
"performance": {
"raft_multiplier": 1
},
"disable_update_check": true
}
bootstrapExpect: 3
ui:
service:
type: NodePort
nodePort:
http: 30085
global:
name: consul
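Review bot: The gossip key on the `"encrypt"` line is a secret committed to source control, and with `"verify_incoming": false`, `"verify_outgoing": false` and `"default_policy": "allow"` the ACL system is enabled in name only — every unauthenticated caller of the HTTP API, including anyone who can reach the UI published on NodePort 30085, gets full read/write. Generate the key at deploy time with `consul keygen` and hand it to the chart as a Secret (the chart's `global.gossipEncryption` values, if this bundled 1.0.2 chart supports them), set `"default_policy": "deny"` and bootstrap a management token, and enable TLS (`global.tls.enabled: true`) before exposing the UI outside the cluster. Treat the key value visible here as disclosed and rotate it.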


@@ -0,0 +1,23 @@
[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/consul.d/consul.hcl
[Service]
EnvironmentFile=-/etc/consul.d/consul.env
User=consul
Group=consul
ExecStartPre=/opt/tsg/consul/bin/set_advertise.sh
ExecStart=/usr/bin/consul agent -config-dir=/etc/consul.d/
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
RequiredBy=sapp.service
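Review bot: `ExecStartPre=/opt/tsg/consul/bin/set_advertise.sh` runs under `User=consul`, and that script rewrites `/etc/consul.d/consul.hcl` with `sed -i`, which needs write permission on both the file and `/etc/consul.d/`; the Ansible tasks in this commit create both as root without an explicit mode, so either the pre-start hook fails or the file holding the gossip key has to be made writable by the service account. Either run the hook privileged with `ExecStartPre=+/opt/tsg/consul/bin/set_advertise.sh` and keep the config root-owned (`0640`, group `consul`), or drop the script and let Consul resolve the address itself with a go-sockaddr template in `advertise_addr`. While here, add `NoNewPrivileges=true`, `ProtectSystem=full` and `ProtectHome=true` to `[Service]` — the agent only needs its data directory and config.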


@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: consul


@@ -0,0 +1,7 @@
bind_addr = "127.0.0.1"
client_addr = "0.0.0.0"
server = true
bootstrap_expect = 1
ui_config {
enabled = true
}
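Review bot: This `server.hcl` is never installed (the copy task for it is commented out in the role's tasks), so it is dead configuration that also contradicts the live template: `bind_addr = "127.0.0.1"` keeps gossip on loopback while `client_addr = "0.0.0.0"` publishes the HTTP API and DNS on every interface, with no `acl` or `encrypt` stanza at all. Delete the file, or if it is meant as a local-development profile, say so in a header comment and change it to `client_addr = "127.0.0.1"`.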


@@ -0,0 +1,82 @@
- name: "consul rpm install:copy file to device"
copy:
src: '{{ role_path }}/files/'
dest: /tmp/ansible_deploy/
when: runtime_env != 'TSG-X-P0906'
- name: "consul rpm install:install consul"
yum:
name:
- "/tmp/ansible_deploy/consul-1.14.3-1.x86_64.rpm"
state: present
disable_gpg_check: yes
when: runtime_env != 'TSG-X-P0906'
- name: "mkdir -p /etc/consul.d/"
file:
path: /etc/consul.d/
state: directory
when: runtime_env != 'TSG-X-P0906'
- name: "mkdir -p /opt/tsg/consul/bin"
file:
path: /opt/tsg/consul/bin
state: directory
when: runtime_env != 'TSG-X-P0906'
- name: "copy consul config file to dest"
template:
src: "{{ role_path }}/templates/consul.hcl.j2"
dest: /opt/tsg/tsg-os-provision/templates/consul.hcl.j2
when: runtime_env != 'TSG-X-P0906'
- name: "copy consul config file to dest"
copy:
src: '{{ role_path }}/files/consul.service'
dest: /usr/lib/systemd/system/consul.service
when: runtime_env != 'TSG-X-P0906'
- name: "copy consul config file to dest"
template:
src: "{{ role_path }}/templates/set_advertise.sh.j2"
dest: /opt/tsg/consul/bin/set_advertise.sh
mode: 0755
when: runtime_env != 'TSG-X-P0906'
#- name: "copy consul config file to dest"
# copy:
# src: '{{ role_path }}/files/server.hcl'
# dest: /etc/consul.d/server.hcl
# when: runtime_env != 'TSG-X-P0906'
- name: "start consul"
systemd:
name: consul.service
enabled: yes
when: runtime_env != 'TSG-X-P0906'
- name: "get consul chart images to dest"
get_url:
url: https://repo.geedge.net/filerepo/install/release/tsg-container-images/consul.tar
dest: /var/lib/rancher/k3s/agent/images/consul.tar
url_username: "{{ lookup('env', 'PULP_REPO_USERNAME') }}"
url_password: "{{ lookup('env', 'PULP_REPO_PASSWORD') }}"
when: runtime_env == 'TSG-X-P0906'
#- name: "copy consul crd file to dest"
# copy:
# src: "{{ role_path }}/files/consul-crd.yaml"
# dest: /var/lib/rancher/k3s/server/manifests/
# when: runtime_env == 'TSG-X-P0906'
- name: "copy consul chart to dest"
copy:
src: "{{ role_path }}/files/consul-1.0.2.tgz"
dest: /var/lib/rancher/k3s/server/static/charts/
when: runtime_env == 'TSG-X-P0906'
- name: "copy ns-consul to dest"
copy:
src: "{{ role_path }}/files/ns-consul.yaml"
dest: /var/lib/rancher/k3s/server/manifests/
when: runtime_env == 'TSG-X-P0906'
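Review bot: The RPM install uses `disable_gpg_check: yes` on a binary copied out of the role, and the `get_url` for `consul.tar` has no `checksum:`, so neither the agent package nor the container image tarball is integrity-checked before it lands on the host or under `/var/lib/rancher/k3s/agent/images/`. Import the vendor signing key and drop `disable_gpg_check` (or at least record the RPM's sha256 in the role and verify it with the `stat` module before `yum`), and pin the tarball with `checksum: "sha256:<digest from the release manifest>"`. Add `no_log: true` to the `get_url` task so the PULP credentials cannot surface in verbose or failed-task output, and write booleans as `true`/`false` rather than `yes`. The `start consul` task only sets `enabled: yes` and never passes `state: started`, so the agent does not run until the provisioning play restarts it — fine if intentional, but worth a comment on the task.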


@@ -0,0 +1,41 @@
data_dir = "/tmp/consul"
verify_incoming = false
verify_outgoing = false
verify_server_hostname = false
acl {
enabled = true
default_policy = "allow"
enable_token_persistence = true
}
performance {
raft_multiplier = 1
}
ui_config {
enabled = true
}
disable_update_check = true
bind_addr = "0.0.0.0"
client_addr = "0.0.0.0"
advertise_addr="127.0.0.1"
{% raw %}{% if consul_agent.mode == 'server' %}server = true
bootstrap_expect = {{ consul_agent.bootstrapExpect }}
{% endif %}
{% if consul_agent.mode == 'client' %}server = false
{% endif %}
{% if consul_agent.node_name %}node_name = "{{ consul_agent.node_name }}"
{% endif %}
datacenter = "{{ consul_agent.datacenter }}"
encrypt = "{{ consul_agent.encrypt }}"
{% set join_list = [] %}
{% for join_info in consul_agent.join %}
{% set join_merge = "\"" ~ join_info.address ~ ":" ~ join_info.port ~ "\"" %}
{{join_list.append(join_merge)}}{% endfor %}
retry_join= [{{ join_list | join(",") }}]
{% endraw %}
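Review bot: `data_dir = "/tmp/consul"` puts the Raft log, snapshots and — with `enable_token_persistence = true` — the persisted ACL tokens under a world-writable, reboot-cleared directory, so cluster state is lost on reboot and any local user can pre-create the path; use `data_dir = "/opt/consul"` owned by `consul`, mode 0700. `verify_incoming = false`, `verify_outgoing = false` and `default_policy = "allow"` together mean the RPC, gossip and HTTP endpoints bound on `0.0.0.0` accept any peer holding the (committed) gossip key and any HTTP caller with no token; set `default_policy = "deny"` with a bootstrapped management token and enable TLS, or document in a header comment why a plaintext, open API is acceptable on this segment. The `advertise_addr="127.0.0.1"` placeholder that the pre-start script patches with `sed` can be replaced by Consul's own go-sockaddr template, e.g. `advertise_addr = "{{ GetInterfaceIP \"ens1\" }}"` (escaped so the outer Jinja pass does not consume it), which removes the need for a service-writable config file. Separately, `{{join_list.append(join_merge)}}` emits the return value of `append` — most likely the text `None` — into the HCL; use `{% set _ = join_list.append(join_merge) %}` instead. The template is complete within the hunk.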


@@ -0,0 +1,4 @@
#!/bin/sh -ex
HOST_IP=$(ip a show {{ control_and_policy.nic_name }} | grep inet | grep -v inet6 | awk '{print $2}' | awk -F '/' '{print $1}')
echo "Log and policy nic ipv4 address:$HOST_IP"
sed -i "s/^advertise_addr.*$/advertise_addr=\"$HOST_IP\"/g" /etc/consul.d/consul.hcl
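Review bot: `HOST_IP` on the second line can hold several addresses (one per `inet` line of the interface) or be empty, and it is then spliced unquoted into the `sed` replacement, so a multi-homed or unconfigured NIC yields a multi-line or empty `advertise_addr` that `set -e` does not catch. Select one address and fail loudly: `HOST_IP=$(ip -4 -o addr show dev "{{ control_and_policy.nic_name }}" | awk '{print $4}' | cut -d/ -f1 | head -n1)` followed by `[ -n "$HOST_IP" ] || { echo "no IPv4 address on {{ control_and_policy.nic_name }}" >&2; exit 1; }`. Note that `sed -i` rewrites `/etc/consul.d/consul.hcl` under the account the unit runs as (`User=consul` in consul.service), which forces the config file and directory to be service-writable; a read-only config using Consul's `GetInterfaceIP` template, or a `+`-prefixed `ExecStartPre`, avoids that.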


@@ -93,4 +93,10 @@
state: present
releasever: 8.6
- name: "install libnsl"
yum:
name: jq
conf_file: "{{ rpm_repo_config_path }}"
state: present
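Review bot: The task name `"install libnsl"` does not describe what it does — the package installed is `jq` (needed by the new `getServiceNodeport` in the sapp start script); rename it `- name: "install jq"` so task output and `--list-tasks` are not misleading. If the block was copied from the task above, check whether `releasever: 8.6` was meant to apply here as well, since this task does not set it.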


@@ -1,14 +1,23 @@
{
"cniVersion": "0.3.1",
"name": "cnibr",
"type": "bridge",
"bridge": "cnibr0",
"isDefaultGateway": true,
"forceAddress": false,
"ipMasq": true,
"hairpinMode": true,
"ipam": {
"type": "host-local",
"subnet": "10.42.0.0/16"
"cniVersion": "0.3.1",
"name": "cnibr",
"plugins": [
{
"type": "bridge",
"bridge": "cnibr0",
"isDefaultGateway": true,
"forceAddress": false,
"ipMasq": true,
"hairpinMode": true,
"ipam": {
"type": "host-local",
"subnet": "10.42.0.0/16"
}
},
{
"type": "portmap",
"capabilities": {"portMappings": true},
"snat": true
}
]
}
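Review bot: Adding the `portmap` plugin means any pod that declares `hostPort` now gets a DNAT rule on every node address (unless `hostIP` is set), and in most CNI setups hostPort traffic is not subject to NetworkPolicy. Since the traffic-engine pods in this commit run `privileged: true`, confirm that no chart sets `hostPort` unintentionally, and — as JSON has no comments — record in the role's README or the task that copies this conflist which workload needs host port mapping, so the capability is not left enabled by default later. The conflist is complete within the hunk.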


@@ -29,6 +29,21 @@ start(){
/opt/tsg/sapp/sapp
}
getServiceNodeport(){
export APISERVER=https://kubernetes.default.svc
export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
export TOKEN=$(cat ${SERVICEACCOUNT}/token)
export CACERT=${SERVICEACCOUNT}/ca.crt
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/${SERVICENAME} -o /tmp/service.txt
export CLUSTERANNOUNCEPORT=$(cat /tmp/service.txt | jq '.spec.ports[] | select(.name=="cluster-announce-port") | .nodePort')
export HEALTHCHECKANNOUNCEPORT=$(cat /tmp/service.txt | jq '.spec.ports[] | select(.name=="healthcheck-announce-port") | .nodePort')
echo "export CLUSTERANNOUNCEPORT=${CLUSTERANNOUNCEPORT}" > /etc/profile.d/announceinfo.sh
echo "export HEALTHCHECKANNOUNCEPORT=${HEALTHCHECKANNOUNCEPORT}" >> /etc/profile.d/announceinfo.sh
chmod 0755 /etc/profile.d/announceinfo.sh
}
copyConfigmap2Dest
getServiceNodeport
prestart
start
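Review bot: `getServiceNodeport` exports the service-account `TOKEN` (and the other lookups) into the process environment, and because `prestart` and `start` run afterwards, `/opt/tsg/sapp/sapp` inherits the bearer token in its environ — readable by anything that can inspect the process and carried into any crash dump or `env` print. Keep the token in a local variable and unset it, and make the `curl` fail on non-2xx (`--fail -sS`) so a 401/403 from the API server is not silently parsed by `jq` into `null` ports written to `/etc/profile.d/announceinfo.sh`. The `-o /tmp/service.txt` scratch file can be dropped by piping the response straight into `jq`. `start()` begins above the hunk.

```shell
getServiceNodeport(){
  local apiserver=https://kubernetes.default.svc
  local sa=/var/run/secrets/kubernetes.io/serviceaccount
  local ns token svc
  ns=$(cat "${sa}/namespace")
  token=$(cat "${sa}/token")
  svc=$(curl --fail -sS --cacert "${sa}/ca.crt" \
      --header "Authorization: Bearer ${token}" \
      "${apiserver}/api/v1/namespaces/${ns}/services/${SERVICENAME}") \
    || { echo "failed to read service ${SERVICENAME}" >&2; return 1; }
  unset token
  export CLUSTERANNOUNCEPORT=$(echo "${svc}" | jq '.spec.ports[] | select(.name=="cluster-announce-port") | .nodePort')
  export HEALTHCHECKANNOUNCEPORT=$(echo "${svc}" | jq '.spec.ports[] | select(.name=="healthcheck-announce-port") | .nodePort')
  # … unchanged: write /etc/profile.d/announceinfo.sh and chmod …
}
```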


@@ -0,0 +1,31 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: traffic-engine-announce-vsys-{{ .Values.vsys_id }}
name: traffic-engine-announce-vsys-{{ .Values.vsys_id }}
{{- with .Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: cluster-announce-port
{{- if .Values.service.type }}{{ if (and (eq .Values.service.type "NodePort") .Values.service.nodePort.clusterAnnounce) }}
nodePort: {{ .Values.service.nodePort.clusterAnnounce }}
{{- end }}{{ end }}
port: {{ .Values.service.port.clusterAnnounce }}
targetPort: cluster
- name: healthcheck-announce-port
{{- if .Values.service.type }}{{ if (and (eq .Values.service.type "NodePort") .Values.service.nodePort.healthcheckAnnounce) }}
nodePort: {{ .Values.service.nodePort.healthcheckAnnounce }}
{{- end }}{{ end }}
port: {{ .Values.service.port.healthcheckAnnounce }}
targetPort: healthcheck
selector:
app: traffic-engine-vsys-{{ .Values.vsys_id }}
{{- if .Values.service.type }}
type: {{ .Values.service.type }}
{{- end }}
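Review bot: With `service.type` defaulting to `"NodePort"` in values.yaml, both announce ports of a `privileged: true` pod are published on every node interface — including whatever management or inter-node NICs the node carries — with no source restriction, and `nodePort: null` makes the port random per install, which also complicates any host firewall rule. Document in a comment above `ports:` which external peers must reach `cluster-announce-port`/`healthcheck-announce-port`, and consider defaulting `service.type` to ClusterIP with NodePort as an explicit opt-in. The two nested `{{- if .Values.service.type }}{{ if (and ...) }}` guards can collapse to a single `{{- if and (eq (default "" .Values.service.type) "NodePort") .Values.service.nodePort.clusterAnnounce }}`, which also avoids the stray whitespace the un-trimmed inner tag leaves behind.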


@@ -9,13 +9,13 @@ spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: traffic-engine
app: traffic-engine-vsys-{{ .Values.vsys_id }}
strategy:
type: Recreate
template:
metadata:
labels:
app: traffic-engine
app: traffic-engine-vsys-{{ .Values.vsys_id }}
vsysId: vsys-{{ .Values.vsys_id }}
serviceFunction: {{ .Values.nic_raw_name }}
annotations:
@@ -40,6 +40,10 @@ spec:
command: ["/opt/tsg/scripts/start.sh"]
ports:
- containerPort: 9273
- name: cluster
containerPort: 8551
- name: healthcheck
containerPort: 8552
env:
- name: MRZCPD_CTRLMSG_LISTEN_ADDR
valueFrom:
@@ -49,6 +53,8 @@ spec:
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: SERVICENAME
value: traffic-engine-announce-vsys-{{ .Values.vsys_id }}
securityContext:
privileged: true
livenessProbe:
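Review bot: `spec.selector.matchLabels` is immutable on a Deployment, so changing `app: traffic-engine` to `app: traffic-engine-vsys-{{ .Values.vsys_id }}` makes `helm upgrade` of an existing release fail with "field is immutable" unless the Deployment is deleted first; either document this as a breaking change requiring `kubectl delete deployment` (or `helm uninstall`) before upgrade, or rename the Deployment so a new object is created alongside the old one. The new `cluster`/`healthcheck` container ports sit on a `privileged: true` container that the new `SERVICENAME` wiring also exposes through a NodePort Service, so the unchanged `securityContext` deserves a comment stating why privilege is still required. The Deployment spec continues outside the hunk.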


@@ -201,6 +201,12 @@ deployment:
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9004"
service:
type: "NodePort"
port:
clusterAnnounce: 8551
healthcheckAnnounce: 8552
nodePort:
clusterAnnounce: null
healthcheckAnnounce: null


@@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
namespace: default
name: service-reader
rules:
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: service-reader-pod
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: service-reader
subjects:
- kind: ServiceAccount
name: default
namespace: default
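Review bot: Binding a ClusterRole to the `default` ServiceAccount of the `default` namespace lets every pod in that namespace that does not set `serviceAccountName` — not just the traffic-engine pod — list and watch all Services cluster-wide, and `metadata.namespace` on a ClusterRole is meaningless and will be dropped (or rejected) by the API server. The start script only GETs its own Service in its own namespace, so a namespaced Role with `get` on `services`, bound to a dedicated ServiceAccount that the traffic-engine Deployment sets (the visible Deployment spec sets none), is sufficient; conversely, if the chart is installed in any namespace other than `default`, the current binding grants the pod nothing. A header comment naming the consuming workload would also help the next person auditing RBAC under the k3s manifests directory.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: service-reader
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: service-reader-pod
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: service-reader
subjects:
  - kind: ServiceAccount
    name: traffic-engine   # set serviceAccountName: traffic-engine in the Deployment
    namespace: default
```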


@@ -65,3 +65,10 @@
- /etc/traffic-engine/hotfix/firewall/scripts/
- /etc/traffic-engine/hotfix/proxy/scripts/
- /etc/traffic-engine/hotfix/certstore/scripts/
- name: "copy clusterrole file to dest"
copy:
src: "{{ role_path }}/files/service-read-role.yaml"
dest: /var/lib/rancher/k3s/server/manifests/
when: runtime_env == 'TSG-X-P0906'


@@ -81,4 +81,10 @@ olap:
hos_server:
token: "c21f969b5f03d33d43e04f8f136e7682"
vsys_id: 1
vsys_id: 1
consul_agent:
mode: "server"
encrypt: "XN0I7fHIY1+yLWm2PjegZ7U93nI/tmzNvtmBtZLuIfo="
datacenter: "dc1"
node_name: ""
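Review bot: `vsys_id: 1` now appears twice in this mapping (the added line directly above `consul_agent:` duplicates the existing one), which yamllint rejects and most loaders silently resolve last-wins — remove the added copy. The `encrypt:` value is the same literal gossip key that appears in the Helm manifest and every other environment file in this commit, so it is a shared secret committed to source control; generate it per environment with `consul keygen`, supply it from an `ansible-vault`/vault-backed variable, and rotate the key shown here since it must be considered disclosed.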


@@ -80,4 +80,10 @@ olap:
hos_server:
token: "c21f969b5f03d33d43e04f8f136e7682"
vsys_id: 1
vsys_id: 1
consul_agent:
mode: "server"
encrypt: "XN0I7fHIY1+yLWm2PjegZ7U93nI/tmzNvtmBtZLuIfo="
datacenter: "dc1"
node_name: ""
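Review bot: `vsys_id: 1` is duplicated here too (the added line above `consul_agent:` repeats the existing key), so remove the added copy before yamllint or a strict loader trips on it. The hard-coded `encrypt:` gossip key is the same value repeated across all environments in this commit; move it to a vaulted per-environment variable (`encrypt: "{{ vault_consul_encrypt }}"`) and rotate the committed value.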


@@ -77,3 +77,9 @@ session_distribution_policy:
hash_key: inner-most-sip-dip
vsys_id: 1
consul_agent:
mode: "server"
encrypt: "XN0I7fHIY1+yLWm2PjegZ7U93nI/tmzNvtmBtZLuIfo="
datacenter: "dc1"
node_name: ""
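Review bot: The `encrypt:` line commits the cluster's gossip key in plaintext, and it is the identical key used by every other environment file in this commit, so compromise of one environment's repository copy breaks gossip confidentiality everywhere. Replace it with a vaulted, per-environment value (`encrypt: "{{ vault_consul_encrypt }}"`) generated by `consul keygen`, and rotate the key shown here.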


@@ -90,3 +90,9 @@ olap:
token: "c21f969b5f03d33d43e04f8f136e7682"
vsys_id: 1
consul_agent:
mode: "server"
encrypt: "XN0I7fHIY1+yLWm2PjegZ7U93nI/tmzNvtmBtZLuIfo="
datacenter: "dc1"
node_name: ""
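Review bot: As in the sibling environment files, `encrypt:` carries the shared gossip key in plaintext; source it from a vaulted per-environment variable (`encrypt: "{{ vault_consul_encrypt }}"`) rather than a literal, and rotate the committed value.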


@@ -89,3 +89,9 @@ olap:
token: "c21f969b5f03d33d43e04f8f136e7682"
vsys_id: 1
consul_agent:
mode: "server"
encrypt: "XN0I7fHIY1+yLWm2PjegZ7U93nI/tmzNvtmBtZLuIfo="
datacenter: "dc1"
node_name: ""
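Review bot: `encrypt:` here is the same plaintext gossip key committed in every other environment file of this commit; replace the literal with a vaulted per-environment variable (`encrypt: "{{ vault_consul_encrypt }}"`) and rotate the key, since a value that has been in version control cannot be considered secret.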


@@ -103,3 +103,15 @@ coredump:
sentry_url: http://127.0.0.1:9000/api/2/minidump/?sentry_key=3203b43fd5384a7dbe6a48ecb1f3c595
vsys_id: 1
consul_agent:
mode: client/server
#encrypt: ""
bootstrapExpect: 1
#node_name: ""
#datacenter: "dc1"
join:
- address: 111.111.111.111
port: 8301
- address: 222.222.222.222
port: 8301
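Review bot: `mode: client/server` is not a value the template tests for (`consul_agent.mode == 'server'` / `== 'client'`), so a host that inherits these defaults renders neither `server = true` nor `server = false` and silently comes up as a client, while `join:` points at `111.111.111.111`/`222.222.222.222` — publicly routable addresses, not placeholders — so such a host will repeatedly attempt Serf joins to the Internet. Set `mode: "client"` explicitly (or leave it unset and let the template fail with `{{ consul_agent.mode | mandatory }}`), use the RFC 5737 documentation range (`192.0.2.1`, `192.0.2.2`) or an empty `join: []` for the sample, and add `# must be overridden per environment` above the block.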


@@ -67,3 +67,15 @@ coredump:
sentry_url: http://127.0.0.1:9000/api/2/minidump/?sentry_key=3203b43fd5384a7dbe6a48ecb1f3c595
vsys_id: 1
consul_agent:
mode: client/server
#encrypt: ""
bootstrapExpect: 1
#node_name: ""
#datacenter: "dc1"
join:
- address: 111.111.111.111
port: 8301
- address: 222.222.222.222
port: 8301
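Review bot: `mode: client/server` matches neither branch of the template's `== 'server'` / `== 'client'` checks, so a host left on these defaults renders no `server` line and quietly runs as a client, and the sample `join:` addresses `111.111.111.111`/`222.222.222.222` are real routable IPs that the agent will keep trying to gossip with. Use `mode: "client"` (or `{{ consul_agent.mode | mandatory }}` in the template), RFC 5737 addresses such as `192.0.2.1` for the example, and a comment saying the block must be overridden per environment.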


@@ -73,3 +73,15 @@ coredump:
sentry_url: http://127.0.0.1:9000/api/2/minidump/?sentry_key=3203b43fd5384a7dbe6a48ecb1f3c595
vsys_id: 1
consul_agent:
mode: client/server
#encrypt: ""
bootstrapExpect: 1
#node_name: ""
#datacenter: "dc1"
join:
- address: 111.111.111.111
port: 8301
- address: 222.222.222.222
port: 8301
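Review bot: Same problem as the sibling defaults files: `mode: client/server` is a placeholder that satisfies neither `== 'server'` nor `== 'client'` in the template, so a host that keeps it silently becomes a client, and `111.111.111.111`/`222.222.222.222` are publicly routable, so `retry_join` against them sends gossip toward the Internet. Use `mode: "client"` or a `mandatory` filter, `192.0.2.x` documentation addresses, and a `# override per environment` comment.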


@@ -82,3 +82,15 @@ coredump:
sentry_url: http://127.0.0.1:9000/api/2/minidump/?sentry_key=3203b43fd5384a7dbe6a48ecb1f3c595
vsys_id: 1
consul_agent:
mode: client/server
#encrypt: ""
bootstrapExpect: 1
#node_name: ""
#datacenter: "dc1"
join:
- address: 111.111.111.111
port: 8301
- address: 222.222.222.222
port: 8301
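Review bot: `mode: client/server` is not a valid value for the template's `== 'server'` / `== 'client'` tests and silently yields a client agent, and the `111.111.111.111`/`222.222.222.222` sample peers are routable Internet addresses rather than placeholders. Set `mode: "client"` (or enforce it with `{{ consul_agent.mode | mandatory }}`), use RFC 5737 `192.0.2.x` addresses or `join: []`, and mark the block as per-environment in a comment.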


@@ -73,3 +73,15 @@ coredump:
sentry_url: http://127.0.0.1:9000/api/2/minidump/?sentry_key=3203b43fd5384a7dbe6a48ecb1f3c595
vsys_id: 1
consul_agent:
mode: client/server
#encrypt: ""
bootstrapExpect: 1
#node_name: ""
#datacenter: "dc1"
join:
- address: 111.111.111.111
port: 8301
- address: 222.222.222.222
port: 8301
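Review bot: As in the other defaults files, `mode: client/server` matches no branch of the template and silently produces a client agent, and the `111.111.111.111`/`222.222.222.222` sample peers are real routable addresses the agent will try to join. Use `mode: "client"` or a `mandatory` guard, `192.0.2.x` documentation addresses or `join: []`, and a `# override per environment` comment above `consul_agent:`.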


@@ -183,6 +183,12 @@
dest: /opt/tsg/sapp/etc/wire_graft/wire_graft.conf
tags: wire_graft
- name: "tsg-os-provision: template consul"
template:
src: "../templates/consul.hcl.j2"
dest: /etc/consul.d/consul.hcl
tags: consul
- name: "mkdir /opt/tsg/etc/"
file:
path: /opt/tsg/etc
@@ -251,6 +257,12 @@
- feature.enable_policy_local_cache == 1
- enable_config_apply == '1'
- name: "tsg-os-provision: restart consul"
systemd:
name: consul
state: restarted
when: enable_config_apply == '1'
- name: "tsg-os-provision: restart mrenv"
systemd:
name: mrenv
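Review bot: The `template consul` task writes `/etc/consul.d/consul.hcl` — which embeds the gossip `encrypt` key — with no `owner`/`group`/`mode`, so it lands root-owned and typically world-readable, and any local account can read the key; add `owner: consul`, `group: consul`, `mode: "0640"`. Because `consul.service` runs `set_advertise.sh` as `User=consul` and that script does `sed -i` on this file, `/etc/consul.d/` itself must also be writable by `consul` for the in-place edit to succeed, which is worth stating in a comment on the task (or removing by letting Consul compute `advertise_addr` with a `GetInterfaceIP` template). The `restart consul` task in the second hunk restarts the agent on every config apply; a `notify` on the template task with a handler would restart only when the rendered file changed and avoid a needless leadership election each run.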


@@ -133,6 +133,12 @@
dest: /opt/tsg/tfe/conf/pangu/pangu_pxy.conf
tags: tfe
- name: "tsg-os-provision: template consul"
template:
src: "../templates/consul.hcl.j2"
dest: /etc/consul.d/consul.hcl
tags: consul
- name: "mkdir /opt/tsg/etc/"
file:
path: /opt/tsg/etc
@@ -222,6 +228,12 @@
path: /data/tsg-os-provision/.provision_succeeded
state: touch
- name: "tsg-os-provision: restart consul"
systemd:
name: consul
state: restarted
when: enable_config_apply == '1'
- name: "tsg-os-provision: start mrenv"
systemd:
name: mrenv
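Review bot: The `template consul` task renders the gossip key into `/etc/consul.d/consul.hcl` without `owner`/`group`/`mode`, leaving it root-owned and typically world-readable; set `owner: consul`, `group: consul`, `mode: "0640"`. The same file is edited in place by the unit's `ExecStartPre` script running as `consul`, so either the directory must be made service-writable (document that on the task) or the pre-start edit should be replaced by Consul's own `GetInterfaceIP` template for `advertise_addr`. Prefer a `notify`/handler over the unconditional `restart consul` in the second hunk so the agent only bounces when the config actually changed.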


@@ -207,6 +207,12 @@
dest: /opt/tsg/tfe/conf/pangu/pangu_pxy.conf
tags: tfe
- name: "tsg-os-provision: template consul"
template:
src: "../templates/consul.hcl.j2"
dest: /etc/consul.d/consul.hcl
tags: consul
- name: "mkdir /opt/tsg/etc/"
file:
path: /opt/tsg/etc
@@ -292,6 +298,12 @@
path: /data/tsg-os-provision/.provision_succeeded
state: touch
- name: "tsg-os-provision: restart consul"
systemd:
name: consul
state: restarted
when: enable_config_apply == '1'
- name: "tsg-os-provision: restart mrenv"
systemd:
name: mrenv
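Review bot: As in the sibling provisioning task files, `template consul` writes the key-bearing `/etc/consul.d/consul.hcl` without an explicit `owner`/`group`/`mode`; add `owner: consul`, `group: consul`, `mode: "0640"` so the gossip key is not world-readable. The file is also rewritten by the unit's pre-start `sed -i` under `User=consul`, which requires a writable `/etc/consul.d/` — state that on the task or eliminate the edit with a `GetInterfaceIP` template for `advertise_addr`. The `restart consul` in the second hunk would be better expressed as a handler notified by the template task.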


@@ -96,6 +96,12 @@
dest: /etc/telegraf/telegraf_statistic.conf
tags: telegraf_statistic
- name: "tsg-os-provision: template consul"
template:
src: "../templates/consul.hcl.j2"
dest: /etc/consul.d/consul.hcl
tags: consul
- name: "mkdir /opt/tsg/etc/"
file:
path: /opt/tsg/etc
@@ -143,6 +149,12 @@
path: /data/tsg-os-provision/.provision_succeeded
state: touch
- name: "tsg-os-provision: restart consul"
systemd:
name: consul
state: restarted
when: enable_config_apply == '1'
- name: "tsg-os-provision: restart mrenv"
systemd:
name: mrenv
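Review bot: `template consul` renders the gossip key into `/etc/consul.d/consul.hcl` with no `owner`/`group`/`mode`, so the secret is typically readable by every local account; add `owner: consul`, `group: consul`, `mode: "0640"`. Because the unit's `ExecStartPre` script edits this file in place as `consul`, the directory must be writable by that account for the edit to succeed — document that on the task, or drop the edit in favour of a `GetInterfaceIP` template for `advertise_addr`. Consider replacing the unconditional `restart consul` in the second hunk with a handler notified by the template task.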