feature:TSG-20221:Support Dos Protector in firewall helm chart.
@@ -180,3 +180,16 @@ SYNC_MODE=1
|
||||
[STAT_POLICY_ENFORCER]
|
||||
POLICY_CYCLE_INTERVAL_S=1
|
||||
POLICY_CYCLE_NUM_SUBMIT=4
|
||||
|
||||
{{ if eq .Values.dos_protector.enable .Values.define_enable_val_yes -}}
|
||||
[DOS_PROTECTOR]
|
||||
SWARMKV_CLUSTER_NAME="tsg-dos-protector"
|
||||
SWARMKV_NODE_IP="0.0.0.0"
|
||||
SWARMKV_NODE_PORT=8551
|
||||
SWARMKV_CONSUL_IP="NODE_IP_LOCATION"
|
||||
SWARMKV_CONSUL_PORT=8500
|
||||
SWARMKV_CLUSTER_ANNOUNCE_IP="NODE_IP_LOCATION"
|
||||
SWARMKV_CLUSTER_ANNOUNCE_PORT=CLUSTER_ANNOUNCE_PORT_LOCATION
|
||||
SWARMKV_HEALTH_CHECK_PORT=8552
|
||||
SWARMKV_HEALTH_CHECK_ANNOUNCE_PORT=HEALTH_CHECK_ANNOUNCE_PORT_LOCATION
|
||||
{{- end }}
|
||||
|
||||
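Review bot: `SWARMKV_NODE_IP="0.0.0.0"` makes the swarmkv node listen on every interface of the pod, and no authentication or peer allow-list key appears in the added `[DOS_PROTECTOR]` section. The deployment hunks of this commit appear to publish 8551 and 8552 outside the pod (the `dynamic-hostports` label and the nodePort lookups), so if swarmkv offers no such setting, the section should state that these ports must be limited to the other firewall nodes and Consul by network policy or host firewall. The `*_LOCATION` tokens also deserve a comment, because `SWARMKV_CLUSTER_ANNOUNCE_PORT=CLUSTER_ANNOUNCE_PORT_LOCATION` is not a usable value until the container start script substitutes it. A template comment above the section would cover both, for example `{{/* *_LOCATION tokens are replaced by sed at container start; 8551/8552 must only be reachable from cluster peers */}}`.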
@@ -1,4 +1,4 @@
|
||||
{{- if eq .Values.session_flags.enable .Values.define_enable_val_yes }}
|
||||
{{ if eq .Values.session_flags.enable .Values.define_enable_val_yes -}}
|
||||
[[plugin]]
|
||||
path = "./stellar_plugin/session_flags.so"
|
||||
init = "session_flags_plugin_init"
|
||||
@@ -25,18 +25,23 @@ path = "./stellar_plugin/sf_classifier.so"
|
||||
init = "sf_classifier_init"
|
||||
exit = "sf_classifier_exit"
|
||||
|
||||
|
||||
{{- if and (eq .Values.appsketch.qdpi_detector .Values.define_enable_val_yes) (eq .Values.appsketch.enable .Values.define_enable_val_yes) }}
|
||||
{{ if and (eq .Values.appsketch.qdpi_detector .Values.define_enable_val_yes) (eq .Values.appsketch.enable .Values.define_enable_val_yes) -}}
|
||||
[[plugin]]
|
||||
path = "./stellar_plugin/qdpi_detector/qdpi_detector.so"
|
||||
init = "qdpi_detector_init"
|
||||
exit = "qdpi_detector_destroy"
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- if and (eq .Values.appsketch.context_based_detector .Values.define_enable_val_yes) (eq .Values.appsketch.enable .Values.define_enable_val_yes) }}
|
||||
{{ if and (eq .Values.appsketch.context_based_detector .Values.define_enable_val_yes) (eq .Values.appsketch.enable .Values.define_enable_val_yes) -}}
|
||||
[[plugin]]
|
||||
path = "./stellar_plugin/context_based_detector.so"
|
||||
init = "context_based_detector_init"
|
||||
exit = "context_based_detector_destroy"
|
||||
{{- end }}
|
||||
|
||||
{{ if eq .Values.dos_protector.enable .Values.define_enable_val_yes -}}
|
||||
[[plugin]]
|
||||
path = "./stellar_plugin/dos_protector.so"
|
||||
init = "dos_protector_init"
|
||||
exit = "dos_protector_deinit"
|
||||
{{- end }}
|
||||
@@ -22,6 +22,9 @@ spec:
|
||||
vsysId: "{{ .Values.vsys_id }}"
|
||||
serviceFunction: {{ .Release.Name }}
|
||||
component: firewall
|
||||
{{- if eq .Values.dos_protector.enable .Values.define_enable_val_yes }}
|
||||
dynamic-hostports: '8551.8552'
|
||||
{{- end }}
|
||||
annotations:
|
||||
prometheus.io/port: "9010"
|
||||
prometheus.io/scrape: "true"
|
||||
@@ -44,7 +47,10 @@ spec:
|
||||
- "-ec"
|
||||
- |
|
||||
ldconfig
|
||||
{{- if or (eq .Values.external_resources.cm.connectivity "local_cache") (and (eq .Values.external_resources.sd.enable .Values.define_enable_val_yes) (eq .Values.external_resources.sd.connectivity "local_cache")) }}
|
||||
{{- if or
|
||||
(eq .Values.external_resources.cm.connectivity "local_cache")
|
||||
(and (eq .Values.external_resources.sd.enable .Values.define_enable_val_yes) (eq .Values.external_resources.sd.connectivity "local_cache"))
|
||||
(eq .Values.dos_protector.enable .Values.define_enable_val_yes) }}
|
||||
{{- include "public.prepare-access-API" . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.external_resources.cm.connectivity "local_cache" }}
|
||||
@@ -57,6 +63,21 @@ spec:
|
||||
sed -Ei -c "s|SD_POLICY_LOCAL_CACHE_IP_LOCATION|${SD_POLICY_LOCAL_CACHE_IP?}|g" /opt/tsg/sapp/tsgconf/maat.conf
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.dos_protector.enable .Values.define_enable_val_yes }}
|
||||
until nslookup ${HOSTNAME}-8551.default.svc; do echo waiting for kubernetes service; sleep 2; done
|
||||
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/${HOSTNAME}-8551 -o /tmp/service.txt
|
||||
export CLUSTER_ANNOUNCE_PORT=$(cat /tmp/service.txt | jq '.spec.ports[] | .nodePort')
|
||||
until nslookup ${HOSTNAME}-8552.default.svc; do echo waiting for kubernetes service; sleep 2; done
|
||||
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/${HOSTNAME}-8552 -o /tmp/service.txt
|
||||
export HEALTH_CHECK_ANNOUNCE_PORT=$(cat /tmp/service.txt | jq '.spec.ports[] | .nodePort')
|
||||
echo "export CLUSTER_ANNOUNCE_PORT=${CLUSTER_ANNOUNCE_PORT}" > /etc/profile.d/announceinfo.sh
|
||||
echo "export HEALTH_CHECK_ANNOUNCE_PORT=${HEALTH_CHECK_ANNOUNCE_PORT}" >> /etc/profile.d/announceinfo.sh
|
||||
chmod 0755 /etc/profile.d/announceinfo.sh
|
||||
|
||||
sed -Ei -c "s|NODE_IP_LOCATION|${NODE_IP?}|g" /opt/tsg/sapp/tsgconf/main.conf
|
||||
sed -Ei -c "s|CLUSTER_ANNOUNCE_PORT_LOCATION|${CLUSTER_ANNOUNCE_PORT?}|g" /opt/tsg/sapp/tsgconf/main.conf
|
||||
sed -Ei -c "s|HEALTH_CHECK_ANNOUNCE_PORT_LOCATION|${HEALTH_CHECK_ANNOUNCE_PORT?}|g" /opt/tsg/sapp/tsgconf/main.conf
|
||||
{{- end }}
|
||||
{{- if eq .Values.debug.firewall.enable_prestart_script .Values.define_enable_val_yes }}
|
||||
echo WARNING: PRESTART.sh is enable, the commands in PRESTART.sh is:
|
||||
cat /opt/tsg/scripts/prestart.sh
|
||||
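Review bot: A failed service lookup goes undetected in the added dos_protector block: `export CLUSTER_ANNOUNCE_PORT=$(... | jq ...)` hides the pipeline's exit status from `-e`, curl runs without `--fail`, and `${CLUSTER_ANNOUNCE_PORT?}` aborts only when the variable is unset, so an API error body would put an empty port into main.conf and the pod would start with it. The same holds for `HEALTH_CHECK_ANNOUNCE_PORT`. The two `nslookup` loops hard-code `.default.svc` while the curl uses `${NAMESPACE}`, so in any other namespace they would presumably wait forever, and they have no timeout. The bearer token is passed on the curl command line, where it is readable from the process list; that pattern may come from the `public.prepare-access-API` helper, which is outside this hunk. The script block starts and ends outside the hunk.

```yaml
# … unchanged: until-nslookup loop for the -8551 service (namespace should be ${NAMESPACE}) …
curl --fail --silent --show-error --cacert "${CACERT}" --header "Authorization: Bearer ${TOKEN}" -X GET "${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/${HOSTNAME}-8551" -o /tmp/service.txt
CLUSTER_ANNOUNCE_PORT=$(jq -e '.spec.ports[] | .nodePort' /tmp/service.txt)
export CLUSTER_ANNOUNCE_PORT
# … same three lines for the -8552 service and HEALTH_CHECK_ANNOUNCE_PORT …
# … unchanged: announceinfo.sh lines, NODE_IP sed …
sed -Ei -c "s|CLUSTER_ANNOUNCE_PORT_LOCATION|${CLUSTER_ANNOUNCE_PORT:?}|g" /opt/tsg/sapp/tsgconf/main.conf
sed -Ei -c "s|HEALTH_CHECK_ANNOUNCE_PORT_LOCATION|${HEALTH_CHECK_ANNOUNCE_PORT:?}|g" /opt/tsg/sapp/tsgconf/main.conf
```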
@@ -73,6 +94,10 @@ spec:
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 9273
|
||||
{{- if eq .Values.dos_protector.enable .Values.define_enable_val_yes }}
|
||||
- containerPort: 8551
|
||||
- containerPort: 8552
|
||||
{{- end }}
|
||||
env:
|
||||
- name: DEPLOYMENT_NAME
|
||||
value: {{ .Release.Name }}-firewall
|
||||
|
||||
@@ -234,3 +234,6 @@ debug:
|
||||
|
||||
session_flags:
|
||||
enable: yes
|
||||
|
||||
dos_protector:
|
||||
enable: no
|
||||