From 826cc23bbb299c1336eeb5f0cdf818acf11092bc Mon Sep 17 00:00:00 2001
From: fumingwei
Date: Mon, 1 Apr 2024 10:55:44 +0800
Subject: [PATCH] feature:TSG-20221:Support Dos Protector in firewall helm chart.
---
 .../traffic-engine/files/helm/conf/main.conf | 13 +++++++++
 .../traffic-engine/files/helm/conf/spec.toml | 15 +++++++----
 .../helm/templates/deployment-firewall.yaml | 27 ++++++++++++++++++-
 .../traffic-engine/files/helm/values.yaml | 3 +++
 4 files changed, 52 insertions(+), 6 deletions(-)
diff --git a/ansible/roles/traffic-engine/files/helm/conf/main.conf b/ansible/roles/traffic-engine/files/helm/conf/main.conf
index 4e29bbc4..e78b0c43 100644
--- a/ansible/roles/traffic-engine/files/helm/conf/main.conf
+++ b/ansible/roles/traffic-engine/files/helm/conf/main.conf
@@ -180,3 +180,16 @@ SYNC_MODE=1
 [STAT_POLICY_ENFORCER]
 POLICY_CYCLE_INTERVAL_S=1
 POLICY_CYCLE_NUM_SUBMIT=4
+
+{{ if eq .Values.dos_protector.enable .Values.define_enable_val_yes -}}
+[DOS_PROTECTOR]
+SWARMKV_CLUSTER_NAME="tsg-dos-protector"
+SWARMKV_NODE_IP="0.0.0.0"
+SWARMKV_NODE_PORT=8551
+SWARMKV_CONSUL_IP="NODE_IP_LOCATION"
+SWARMKV_CONSUL_PORT=8500
+SWARMKV_CLUSTER_ANNOUNCE_IP="NODE_IP_LOCATION"
+SWARMKV_CLUSTER_ANNOUNCE_PORT=CLUSTER_ANNOUNCE_PORT_LOCATION
+SWARMKV_HEALTH_CHECK_PORT=8552
+SWARMKV_HEALTH_CHECK_ANNOUNCE_PORT=HEALTH_CHECK_ANNOUNCE_PORT_LOCATION
+{{- end }}
diff --git a/ansible/roles/traffic-engine/files/helm/conf/spec.toml b/ansible/roles/traffic-engine/files/helm/conf/spec.toml
index acfcd963..137a061d 100644
--- a/ansible/roles/traffic-engine/files/helm/conf/spec.toml
+++ b/ansible/roles/traffic-engine/files/helm/conf/spec.toml
@@ -1,4 +1,4 @@
-{{- if eq .Values.session_flags.enable .Values.define_enable_val_yes }}
+{{ if eq .Values.session_flags.enable .Values.define_enable_val_yes -}}
 [[plugin]]
 path = "./stellar_plugin/session_flags.so"
 init = "session_flags_plugin_init"
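Review bot: `SWARMKV_NODE_IP="0.0.0.0"` binds the swarmkv listener on every interface, and since the announce ports are later resolved to NodePorts in deployment-firewall.yaml, the cluster port 8551 and the health-check port 8552 become reachable from outside the node rather than only from peer replicas. Nothing in the chart shows what authentication swarmkv applies on those ports, so the expected network boundary should be stated, for example `# 8551/8552 are exposed via NodePort; restrict with a NetworkPolicy to firewall replicas` above the section, or enforced with such a policy alongside this change. `NODE_IP_LOCATION`, `CLUSTER_ANNOUNCE_PORT_LOCATION` and `HEALTH_CHECK_ANNOUNCE_PORT_LOCATION` are rewritten by sed in the container's start script, so the section is not a valid config until that runs; `# *_LOCATION placeholders are substituted by the firewall container start script` would spare the next reader the search.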
@@ -25,18 +25,23 @@ path = "./stellar_plugin/sf_classifier.so"
 init = "sf_classifier_init"
 exit = "sf_classifier_exit"
-
-{{- if and (eq .Values.appsketch.qdpi_detector .Values.define_enable_val_yes) (eq .Values.appsketch.enable .Values.define_enable_val_yes) }}
+{{ if and (eq .Values.appsketch.qdpi_detector .Values.define_enable_val_yes) (eq .Values.appsketch.enable .Values.define_enable_val_yes) -}}
 [[plugin]]
 path = "./stellar_plugin/qdpi_detector/qdpi_detector.so"
 init = "qdpi_detector_init"
 exit = "qdpi_detector_destroy"
 {{- end }}
-
-{{- if and (eq .Values.appsketch.context_based_detector .Values.define_enable_val_yes) (eq .Values.appsketch.enable .Values.define_enable_val_yes) }}
+{{ if and (eq .Values.appsketch.context_based_detector .Values.define_enable_val_yes) (eq .Values.appsketch.enable .Values.define_enable_val_yes) -}}
 [[plugin]]
 path = "./stellar_plugin/context_based_detector.so"
 init = "context_based_detector_init"
 exit = "context_based_detector_destroy"
+{{- end }}
+
+{{ if eq .Values.dos_protector.enable .Values.define_enable_val_yes -}}
+[[plugin]]
+path = "./stellar_plugin/dos_protector.so"
+init = "dos_protector_init"
+exit = "dos_protector_deinit"
 {{- end }}
\ No newline at end of file
diff --git a/ansible/roles/traffic-engine/files/helm/templates/deployment-firewall.yaml b/ansible/roles/traffic-engine/files/helm/templates/deployment-firewall.yaml
index 21ca95dd..498725bb 100644
--- a/ansible/roles/traffic-engine/files/helm/templates/deployment-firewall.yaml
+++ b/ansible/roles/traffic-engine/files/helm/templates/deployment-firewall.yaml
@@ -22,6 +22,9 @@ spec:
 vsysId: "{{ .Values.vsys_id }}"
 serviceFunction: {{ .Release.Name }}
 component: firewall
+ {{- if eq .Values.dos_protector.enable .Values.define_enable_val_yes }}
+ dynamic-hostports: '8551.8552'
+ {{- end }}
 annotations:
 prometheus.io/port: "9010"
 prometheus.io/scrape: "true"
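Review bot: The `dynamic-hostports: '8551.8552'` label repeats port numbers that are also fixed in conf/main.conf (`SWARMKV_NODE_PORT=8551`, `SWARMKV_HEALTH_CHECK_PORT=8552`), in the start script's `${HOSTNAME}-8551`/`${HOSTNAME}-8552` service names and in the new containerPort entries, so editing one of them will drift silently; at minimum the coupling should be named, `# must match SWARMKV_NODE_PORT / SWARMKV_HEALTH_CHECK_PORT in conf/main.conf and the 855x service lookups in the start script`. How the label is consumed is not visible in the chart — presumably an out-of-chart controller creates the per-pod `${HOSTNAME}-<port>` NodePort services the start script waits for — and that external dependency deserves a sentence in the chart's documentation. The enclosing pod-template metadata begins outside this hunk.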
@@ -44,7 +47,10 @@ spec: - "-ec" - | ldconfig - {{- if or (eq .Values.external_resources.cm.connectivity "local_cache") (and (eq .Values.external_resources.sd.enable .Values.define_enable_val_yes) (eq .Values.external_resources.sd.connectivity "local_cache")) }} + {{- if or + (eq .Values.external_resources.cm.connectivity "local_cache") + (and (eq .Values.external_resources.sd.enable .Values.define_enable_val_yes) (eq .Values.external_resources.sd.connectivity "local_cache")) + (eq .Values.dos_protector.enable .Values.define_enable_val_yes) }} {{- include "public.prepare-access-API" . | nindent 12 }} {{- end }} {{- if eq .Values.external_resources.cm.connectivity "local_cache" }} 
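Review bot: Adding the dos_protector clause to this `if or` makes `public.prepare-access-API` run for that feature, and the next hunk then GETs `/api/v1/namespaces/${NAMESPACE}/services/${HOSTNAME}-8551` with the pod's bearer token, so the firewall service account must be allowed `get` on `services`; the diffstat lists no Role or RoleBinding change, so the commit relies on a grant that presumably already exists for the `local_cache` paths. Worth confirming that grant covers the verb and stays namespace-scoped rather than being widened to satisfy the new lookup. A comment on the third clause, `{{/* dos_protector reads its per-pod NodePort services via the API server */}}`, records why it is here. The enclosing container command block starts and ends outside this hunk.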
@@ -57,6 +63,21 @@ spec: sed -Ei -c "s|SD_POLICY_LOCAL_CACHE_IP_LOCATION|${SD_POLICY_LOCAL_CACHE_IP?}|g" /opt/tsg/sapp/tsgconf/maat.conf {{- end }} {{- end }} + {{- if eq .Values.dos_protector.enable .Values.define_enable_val_yes }} + until nslookup ${HOSTNAME}-8551.default.svc; do echo waiting for kubernetes service; sleep 2; done + curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/${HOSTNAME}-8551 -o /tmp/service.txt + export CLUSTER_ANNOUNCE_PORT=$(cat /tmp/service.txt | jq '.spec.ports[] | .nodePort') + until nslookup ${HOSTNAME}-8552.default.svc; do echo waiting for kubernetes service; sleep 2; done + curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/${HOSTNAME}-8552 -o /tmp/service.txt + export HEALTH_CHECK_ANNOUNCE_PORT=$(cat /tmp/service.txt | jq '.spec.ports[] | .nodePort') + echo "export CLUSTER_ANNOUNCE_PORT=${CLUSTER_ANNOUNCE_PORT}" > /etc/profile.d/announceinfo.sh + echo "export HEALTH_CHECK_ANNOUNCE_PORT=${HEALTH_CHECK_ANNOUNCE_PORT}" >> /etc/profile.d/announceinfo.sh + chmod 0755 /etc/profile.d/announceinfo.sh + + sed -Ei -c "s|NODE_IP_LOCATION|${NODE_IP?}|g" /opt/tsg/sapp/tsgconf/main.conf + sed -Ei -c "s|CLUSTER_ANNOUNCE_PORT_LOCATION|${CLUSTER_ANNOUNCE_PORT?}|g" /opt/tsg/sapp/tsgconf/main.conf + sed -Ei -c "s|HEALTH_CHECK_ANNOUNCE_PORT_LOCATION|${HEALTH_CHECK_ANNOUNCE_PORT?}|g" /opt/tsg/sapp/tsgconf/main.conf + {{- end }} {{- if eq .Values.debug.firewall.enable_prestart_script .Values.define_enable_val_yes }} echo WARNING: PRESTART.sh is enable, the commands in PRESTART.sh is: cat /opt/tsg/scripts/prestart.sh @@ -73,6 +94,10 @@ spec: {{- end }} ports: - containerPort: 9273 + {{- if eq .Values.dos_protector.enable .Values.define_enable_val_yes }} + - containerPort: 8551 + - containerPort: 8552 + {{- end }} env: - name: DEPLOYMENT_NAME value: {{ .Release.Name }}-firewall 
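Review bot: Both `until nslookup ${HOSTNAME}-8551.default.svc` loops hardcode the `default` namespace while the curl on the following line uses `${NAMESPACE}`, so a release installed in any other namespace never resolves the name and the container blocks at startup indefinitely. Separately, `export VAR=$(...)` masks the exit status of the `cat | jq` pipeline under the `sh -ec` this block runs in, and `${CLUSTER_ANNOUNCE_PORT?}` only rejects an unset variable, not the empty string left behind when the API call returns a non-JSON error body, so a failed lookup would silently substitute an empty announce port into main.conf; `curl -f`, a plain assignment with `jq -e`, and `${VAR:?}` close that gap, and `.spec.ports[0].nodePort` avoids a newline-joined value should the service ever carry more than one port. The same `${VAR?}` pattern exists on the `SD_POLICY_LOCAL_CACHE_IP` line in the context above. The enclosing command block starts and ends outside this hunk.
```shell
{{- if eq .Values.dos_protector.enable .Values.define_enable_val_yes }}
for port in 8551 8552; do
  until nslookup ${HOSTNAME}-${port}.${NAMESPACE}.svc; do echo waiting for kubernetes service; sleep 2; done
  curl -fsS --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/${HOSTNAME}-${port} -o /tmp/service-${port}.txt
done
CLUSTER_ANNOUNCE_PORT=$(jq -e '.spec.ports[0].nodePort' /tmp/service-8551.txt)
HEALTH_CHECK_ANNOUNCE_PORT=$(jq -e '.spec.ports[0].nodePort' /tmp/service-8552.txt)
export CLUSTER_ANNOUNCE_PORT HEALTH_CHECK_ANNOUNCE_PORT
# … unchanged: /etc/profile.d/announceinfo.sh export lines and chmod …
sed -Ei -c "s|NODE_IP_LOCATION|${NODE_IP:?}|g" /opt/tsg/sapp/tsgconf/main.conf
sed -Ei -c "s|CLUSTER_ANNOUNCE_PORT_LOCATION|${CLUSTER_ANNOUNCE_PORT:?}|g" /opt/tsg/sapp/tsgconf/main.conf
sed -Ei -c "s|HEALTH_CHECK_ANNOUNCE_PORT_LOCATION|${HEALTH_CHECK_ANNOUNCE_PORT:?}|g" /opt/tsg/sapp/tsgconf/main.conf
{{- end }}
```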
diff --git a/ansible/roles/traffic-engine/files/helm/values.yaml b/ansible/roles/traffic-engine/files/helm/values.yaml
index 7425981a..dc50123b 100644
--- a/ansible/roles/traffic-engine/files/helm/values.yaml
+++ b/ansible/roles/traffic-engine/files/helm/values.yaml
@@ -234,3 +234,6 @@ debug:
 session_flags:
 enable: yes
+
+dos_protector:
+ enable: no
\ No newline at end of file
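Review bot: `enable: no` is read by Helm's YAML 1.1 loader as the boolean false, and the templates test it with `eq .Values.dos_protector.enable .Values.define_enable_val_yes`, so the toggle works only because both sides are coerced to booleans the same way. That mirrors the existing `session_flags.enable: yes` key, so the convention is consistent, but a value arriving as a string (for example via `--set`) would presumably fail the `eq` and leave the protector silently disabled. A comment above the key documenting the accepted values, `# yes / no, compared against define_enable_val_yes`, would make the contract explicit without changing the existing convention.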