feature: Delete ansible role traffic-engine helm directory.

fumingwei
2024-10-28 15:46:11 +08:00
parent 65d947d0a2
commit c1d1756911
41 changed files with 0 additions and 3698 deletions


@@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@@ -1,24 +0,0 @@
apiVersion: v2
name: traffic-engine
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"


@@ -1,55 +0,0 @@
[SYSTEM]
#1:print on screen, 0:don't
DEBUG_SWITCH = 1
RUN_LOG_PATH = "conf/zlog.conf"
[breakpad]
disable_coredump=0
enable_breakpad=0
enable_breakpad_upload=0
breakpad_minidump_dir="/run/certstore/crashreport"
breakpad_upload_tools="/opt/tsg/framework/bin/minidump_upload"
[CONFIG]
#Number of running threads
thread-nu = 4
#1 rsync, 0 sync
mode=1
#Local default root certificate is valid for 30 days by default
expire_after = 30
#Local default root certificate path
local_debug = 1
ca_path = ./cert/tsg-ca-v3-trust-ca.pem
untrusted_ca_path = ./cert/tsg-ca-v3-untrust-ca.pem
[MAAT]
#Configure the load mode,
#1: using local json
#2: using Redis reads
maat_json_switch=2
#When the loading mode is sent to the network, set the scanning configuration modification interval (s).
effective_interval=1
#Specify the location of the configuration library table file
table_info=./conf/table_info.conf
#Json file path when json schema is used
pxy_obj_keyring=./conf/pxy_obj_keyring.json
[LIBEVENT]
#Local monitor port number, default is 9991
port = 9991
[CERTSTORE_REDIS]
#The Redis server IP address and port number where the certificate is stored locally
ip = 127.0.0.1
port = 6379
[MAAT_REDIS]
#Maat monitors the Redsi server IP address and port number
ip = {{- include "traffic-engine.global.cm.server-ip" . }}
port = {{- include "traffic-engine.global.cm.server-port" . }}
dbindex = {{ .Values.vsys_id }}
[stat]
statsd_server=127.0.0.1
statsd_port=8100
statsd_set_prometheus_port=9002
statsd_set_prometheus_url_path=/metrics


@@ -1,11 +0,0 @@
[global]
default format = "%d(%c), %V, %F, %U, %m%n"
rotate lock file = /tmp/certstore_zlog.lock
file perms = 644
[levels]
DEBUG=10
INFO=20
FATAL=30
[rules]
*.fatal "./logs/error.log.%d(%F)", 500M ~ "./logs/error.log.%d(%F).#2s";
*.fatal "./logs/certstore.log.%d(%F)", 500M ~ "./logs/certstore.log.%d(%F).#2s";


@@ -1,55 +0,0 @@
[platform]
./plug/stellar_on_sapp/start_loader.inf
[protocol]
{{- if eq .Values.decoders.SOCKS .Values.define_enable_val_yes }}
./plug/protocol/deal_socks/deal_socks.inf
{{- end }}
{{- if eq .Values.decoders.SIP .Values.define_enable_val_yes }}
./plug/protocol/sip/sip.inf
{{- end }}
{{- if eq .Values.decoders.RTP .Values.define_enable_val_yes }}
./plug/protocol/rtp/rtp.inf
{{- end }}
{{- if eq .Values.decoders.SSL .Values.define_enable_val_yes }}
./plug/protocol/ssl/ssl.inf
{{- end }}
{{- if eq .Values.decoders.HTTP .Values.define_enable_val_yes }}
./plug/protocol/http/http.inf
{{- end }}
{{- if eq .Values.decoders.DNS .Values.define_enable_val_yes }}
./plug/protocol/dns/dns.inf
{{- end }}
{{- if eq .Values.decoders.MAIL .Values.define_enable_val_yes }}
./plug/protocol/mail/mail.inf
{{- end }}
{{- if eq .Values.decoders.FTP .Values.define_enable_val_yes }}
./plug/protocol/ftp/ftp.inf
{{- end }}
{{- if eq .Values.decoders.QUIC .Values.define_enable_val_yes }}
./plug/protocol/quic/quic.inf
{{- end }}
./plug/protocol/l2tp_protocol_plug/l2tp_protocol_plug.inf
{{- if eq .Values.decoders.SSH .Values.define_enable_val_yes }}
./plug/protocol/ssh/ssh.inf
{{- end }}
{{- if eq .Values.decoders.STRATUM .Values.define_enable_val_yes }}
./plug/protocol/stratum/stratum.inf
{{- end }}
{{- if eq .Values.decoders.RDP .Values.define_enable_val_yes }}
./plug/protocol/rdp/rdp.inf
{{- end }}
{{- if eq .Values.decoders.DTLS .Values.define_enable_val_yes }}
./plug/protocol/dtls/dtls.inf
{{- end }}
[business]
{{- if eq .Values.firewall.enable .Values.define_enable_val_yes }}
./plug/business/firewall/firewall.inf
{{- end }}
./plug/stellar_on_sapp/defer_loader.inf
./plug/business/http_healthcheck/http_healthcheck.inf
{{- if eq .Values.decoders.SSL .Values.define_enable_val_yes }}
./plug/protocol/ssl/ssl_defer.inf
{{- end }}


@@ -1,77 +0,0 @@
[PLUGINFO]
PLUGNAME=FIREWEALL
SO_PATH=./plug/business/firewall/firewall.so
INIT_FUNC=firewall_init
DESTROY_FUNC=firewall_destory
{{- if eq .Values.decoders.HTTP .Values.define_enable_val_yes }}
[HTTP]
FUNC_FLAG=ALL
FUNC_NAME=firewall_http_plug_entry
{{- end }}
{{- if eq .Values.decoders.SSL .Values.define_enable_val_yes }}
[SSL]
FUNC_FLAG=SSL_CLIENT_HELLO,SSL_SERVER_HELLO,SSL_APPLICATION_DATA,SSL_CERTIFICATE_DETAIL
FUNC_NAME=firewall_ssl_plug_entry
{{- end }}
{{- if eq .Values.decoders.DNS .Values.define_enable_val_yes }}
[DNS]
FUNC_FLAG=ALL
FUNC_NAME=firewall_dns_plug_entry
{{- end }}
{{- if eq .Values.decoders.MAIL .Values.define_enable_val_yes }}
[MAIL]
FUNC_FLAG=ALL
FUNC_NAME=firewall_mail_plug_entry
{{- end }}
{{- if eq .Values.decoders.RTP .Values.define_enable_val_yes }}
[RTP]
FUNC_FLAG=ALL
FUNC_NAME=firewall_rtp_plug_entry
{{- end }}
{{- if eq .Values.decoders.SIP .Values.define_enable_val_yes }}
[SIP]
FUNC_FLAG=ALL
FUNC_NAME=firewall_sip_plug_entry
{{- end }}
{{- if eq .Values.decoders.FTP .Values.define_enable_val_yes }}
[FTP]
FUNC_FLAG=ALL
FUNC_NAME=firewall_ftp_plug_entry
{{- end }}
{{- if eq .Values.decoders.QUIC .Values.define_enable_val_yes }}
[QUIC]
FUNC_FLAG=QUIC_CLIENT_HELLO,QUIC_SERVER_HELLO,QUIC_CACHED_CERT,QUIC_COMM_CERT,QUIC_CERT_CHAIN,QUIC_VERSION,QUIC_APPLICATION_DATA
FUNC_NAME=firewall_quic_plug_entry
{{- end }}
{{- if eq .Values.decoders.DTLS .Values.define_enable_val_yes }}
[DTLS]
FUNC_FLAG=ALL
FUNC_NAME=firewall_dtls_plug_entry
{{- end }}
{{- if eq .Values.decoders.STRATUM .Values.define_enable_val_yes }}
[STRATUM]
FUNC_FLAG=ALL
FUNC_NAME=firewall_stratum_plug_entry
{{- end }}
{{- if eq .Values.decoders.RDP .Values.define_enable_val_yes }}
[RDP]
FUNC_FLAG=ALL
FUNC_NAME=firewall_rdp_plug_entry
{{- end }}
{{- if eq .Values.decoders.SSH .Values.define_enable_val_yes }}
[SSH]
FUNC_FLAG=ALL
FUNC_NAME=firewall_ssh_plug_entry
{{- end }}


@@ -1,61 +0,0 @@
#TYPE1:UCHAR,2:USHORT,3:USTRING,4:ULOG,5:USTRING,6:FILE,7:UBASE64,8:PACKET
#TYPE FIELD VALUE
#STRING UNCATEGORIZED 8000
#STRING UNCATEGORIZED 8001
#STRING UNKNOWN_OTHER 8002
STRING DNS 32
STRING FTP 45
STRING FTPS 751
STRING HTTP 67
STRING HTTPS 68
STRING ICMP 70
STRING IKE 8003
STRING MAIL 8004
STRING IMAP 75
STRING IMAPS 76
STRING IPSEC 85
STRING XMPP 94
STRING L2TP 98
STRING NTP 137
STRING POP3 147
STRING POP3S 148
STRING PPTP 153
STRING QUIC 2521
STRING SIP 182
STRING SMB 185
STRING SMTP 186
STRING SMTPS 187
STRING SPDY 1469
STRING SSH 198
STRING SSL 199
STRING SOCKS 8005
STRING TELNET 209
STRING DHCP 29
STRING RADIUS 158
STRING OPENVPN 336
STRING STUN 201
STRING TEREDO 555
STRING DTLS 1291
STRING DoH 8006
STRING ISAKMP 92
STRING MDNS 3835
STRING NETBIOS 129
STRING NETFLOW 130
STRING RDP 159
STRING RTCP 174
STRING RTP 175
STRING SLP 8007
STRING SNMP 190
STRING SSDP 197
STRING TFTP 211
STRING BJNP 2481
STRING LDAP 100
STRING RTMP 337
STRING RTSP 176
STRING ESNI 8008
STRING Stratum 8169
STRING QQ 156
STRING WeChat 1296
STRING WIREGUARD 3700
STRING MMS 115
STRING RSYNC 173


@@ -1,378 +0,0 @@
{
{{- if eq .Values.firewall.logs.enable .Values.define_enable_val_yes }}
"switch": "on",
{{- else }}
"switch": "off",
{{- end }}
"channel_list": [
{{- if eq .Values.external_resources.olap.udp_collectors.enable .Values.define_enable_val_yes }}
{
"channel": "udpsock",
"collector": "{{- include "traffic-engine.config.addresses.converter" (list .Values.external_resources.olap.udp_collectors.addresses ",") }}"
},
{{- end }}
{
"channel": "kafka",
"broker_list": "{{- include "traffic-engine.config.addresses.converter" (list .Values.external_resources.olap.kafka_brokers.addresses ",") }}",
"sasl_username": "{{ .Values.external_resources.olap.kafka_brokers.sasl_username }}",
"sasl_password": "{{ .Values.external_resources.olap.kafka_brokers.sasl_password }}",
"compression": "snappy",
"refresh_interval_ms": "600000",
"send_queue_max_msg": "1000000",
"required_acks": "1"
}
],
"format_list": [
"json",
"ipfix",
"mpack"
],
"ringbuff": {
"size": {{ .Values.firewall.logs.ringbuf.size }},
"num": 2
},
"transmitter_list": [
{{- if eq .Values.external_resources.olap.udp_collectors.enable .Values.define_enable_val_yes }}
{
"switch": "on",
"async": "off",
"name": "IPFIX-TEMPLATE",
"topic": "IPFIX-TEMPLATE",
"mode": [
{
"channel": "udpsock",
"format": [
"ipfix"
]
}
]
},
{{- end }}
{
{{- if eq .Values.session_record.enable .Values.define_enable_val_yes }}
"switch": "on",
{{- else }}
"switch": "off",
{{- end }}
"async": "on",
"name": "SESSION-RECORD",
"topic": "SESSION-RECORD",
"client_id": "SESSION-RECORD",
"mode": [
{{- if eq .Values.external_resources.olap.udp_collectors.enable .Values.define_enable_val_yes }}
{
"channel": "udpsock",
"format": [
"ipfix"
]
},
{{- end }}
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
{{- if eq .Values.define_enable_val_yes .Values.transaction_record.enable_http }}
"switch": "on",
{{- else }}
"switch": "off",
{{- end }}
"async": "on",
"name": "HTTP-TRANSACTION-RECORD",
"topic": "TRANSACTION-RECORD",
"client_id": "TRANSACTION-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
{{- if eq .Values.define_enable_val_yes .Values.transaction_record.enable_mail }}
"switch": "on",
{{- else }}
"switch": "off",
{{- end }}
"async": "on",
"name": "MAIL-TRANSACTION-RECORD",
"topic": "TRANSACTION-RECORD",
"client_id": "TRANSACTION-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
{{- if eq .Values.define_enable_val_yes .Values.transaction_record.enable_dns }}
"switch": "on",
{{- else }}
"switch": "off",
{{- end }}
"async": "on",
"name": "DNS-TRANSACTION-RECORD",
"topic": "TRANSACTION-RECORD",
"client_id": "TRANSACTION-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
{{- if eq .Values.define_enable_val_yes .Values.voip_record.enable_sip }}
"switch": "on",
{{- else }}
"switch": "off",
{{- end }}
"async": "on",
"name": "SIP-VOIP-RECORD",
"topic": "VOIP-RECORD",
"client_id": "VOIP-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
{{- if eq .Values.define_enable_val_yes .Values.voip_record.enable_rtp }}
"switch": "on",
{{- else }}
"switch": "off",
{{- end }}
"async": "on",
"name": "RTP-VOIP-RECORD",
"topic": "VOIP-RECORD",
"client_id": "VOIP-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
{{- if eq .Values.file_stream_record.enable .Values.define_enable_val_yes }}
"switch": "on",
{{- else }}
"switch": "off",
{{- end }}
"async": "on",
"name": "POLICY-PACKET-TRAFFIC-FILE-STREAM-RECORD",
"topic": "TRAFFIC-POLICY-CAPTURE-FILE-STREAM-RECORD",
"client_id": "TRAFFIC-POLICY-CAPTURE-FILE-STREAM-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"mpack"
]
}
]
},
{
{{- if eq .Values.file_stream_record.enable .Values.define_enable_val_yes }}
"switch": "on",
{{- else }}
"switch": "off",
{{- end }}
"async": "on",
"name": "HTTP-REQ-BODY-TRAFFIC-FILE-STREAM-RECORD",
"topic": "TRAFFIC-HTTP-FILE-STREAM-RECORD",
"client_id": "TRAFFIC-HTTP-FILE-STREAM-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"mpack"
]
}
]
},
{
{{- if eq .Values.file_stream_record.enable .Values.define_enable_val_yes }}
"switch": "on",
{{- else }}
"switch": "off",
{{- end }}
"async": "on",
"name": "HTTP-RES-BODY-TRAFFIC-FILE-STREAM-RECORD",
"topic": "TRAFFIC-HTTP-FILE-STREAM-RECORD",
"client_id": "TRAFFIC-HTTP-FILE-STREAM-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"mpack"
]
}
]
},
{
{{- if eq .Values.file_stream_record.enable .Values.define_enable_val_yes }}
"switch": "on",
{{- else }}
"switch": "off",
{{- end }}
"async": "on",
"name": "MAIL-EML-TRAFFIC-FILE-STREAM-RECORD",
"topic": "TRAFFIC-EML-FILE-STREAM-RECORD",
"client_id": "TRAFFIC-EML-FILE-STREAM-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"mpack"
]
}
]
},
{
{{- if eq .Values.file_stream_record.enable .Values.define_enable_val_yes }}
"switch": "on",
{{- else }}
"switch": "off",
{{- end }}
"async": "on",
"name": "RTP-PACKET-TRAFFIC-FILE-STREAM-RECORD",
"topic": "TRAFFIC-RTP-FILE-STREAM-RECORD",
"client_id": "TRAFFIC-RTP-FILE-STREAM-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"mpack"
]
}
]
},
{
{{- if eq .Values.define_enable_val_yes .Values.packet_capture.enable }}
"switch": "on",
{{- else }}
"switch": "off",
{{- end }}
"async": "on",
"name": "TROUBLESHOOTING-FILE-STREAM-RECORD",
"topic": "TROUBLESHOOTING-FILE-STREAM-RECORD",
"client_id": "TROUBLESHOOTING-FILE-STREAM-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"mpack"
]
}
]
},
{
"switch": "on",
"async": "off",
"name": "DOS-SKETCH-RECORD",
"topic": "DOS-SKETCH-RECORD",
"client_id": "DOS-SKETCH-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
"switch": "on",
"async": "off",
"name": "POLICY-RULE-METRIC",
"topic": "POLICY-RULE-METRIC",
"client_id": "POLICY-RULE-METRIC",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
"switch": "on",
"async": "off",
"name": "NETWORK-TRAFFIC-METRIC",
"topic": "NETWORK-TRAFFIC-METRIC",
"client_id": "NETWORK-TRAFFIC-METRIC",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
"switch": "on",
"async": "off",
"name": "TRAFFIC-TOP-METRIC",
"topic": "TRAFFIC-TOP-METRIC",
"client_id": "TRAFFIC-TOP-METRIC",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
"switch": "on",
"async": "off",
"name": "STATISTICS-RULE-METRIC",
"topic": "STATISTICS-RULE-METRIC",
"client_id": "STATISTICS-RULE-METRIC",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
"switch": "on",
"async": "off",
"name": "OBJECT-STATISTICS-METRIC",
"topic": "OBJECT-STATISTICS-METRIC",
"client_id": "OBJECT-STATISTICS-METRIC",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
}
]
}


@@ -1,5 +0,0 @@
[Module]
pcapdevice={{ .Values.nic_raw_name }}
sendto_gdev_card={{ .Values.nic_raw_name }}
sendto_gdev_ip={{ .Values.etherfabric_settings.keepalive.ip }}
gdev_status_switch=1


@@ -1,37 +0,0 @@
[FUNCTION]
switch_no_biz=1
#0 means close stat
stat_cycle=0
#stat output screen 0: screen 1: file
stat_screen_print=0
stat_file=./log/http/http_stat.log
#ungzip
{{- if eq .Values.decoders.HTTP_GZIP .Values.define_enable_val_yes }}
ungzip_switch=1
{{- else }}
ungzip_switch=0
{{- end }}
#support proxy
proxy_switch=1
#single-way traffic need http session num, 0 means no this function
singleway_maxseq=2
#0: field callback mode(default) 1:batch callback mode
callback_mode=0
#batch field maxnum when http_all or http_other
batch_field_maxnum=32
#check HEAD when s2c one-way
s2c_head_check_switch=1
[LOG]
#FATAL:wrong info
#INFO: lostlen; special proc ;proxy info
#DEBUG: pending and close info; all url;
log_level=30
log_path=./log/http/runtime


@@ -1,41 +0,0 @@
[CM_STATIC_MAAT]
###file, json, redis
MAAT_MODE=redis
STAT_SWITCH=1
PERF_SWITCH=0
HIT_GROUP_SWITCH=1
TABLE_INFO=tsgconf/firewall_cm_maat_tableinfo.json
STAT_FILE=metrics/firewall_cm_maat_stat.json
EFFECT_INTERVAL_MS=1000
GARBAGE_COLLECT_MS=60000
RULE_UPDATE_CHECK_INTERVAL_MS=1000
REDIS_IP={{- include "traffic-engine.global.cm.server-ip" . }}
REDIS_PORT={{- include "traffic-engine.global.cm.server-port" . }}
REDIS_INDEX={{ .Values.vsys_id }}
JSON_CFG_FILE=tsgconf/firewall_cm_maat_rule.json
INC_CFG_DIR=tsgrule/inc/index/
FULL_CFG_DIR=tsgrule/full/index/
EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
LOG_PATH="log/firewall.cm.maat"
[SD_DYNAMIC_MAAT]
MAAT_MODE=redis
STAT_SWITCH=1
PERF_SWITCH=1
TABLE_INFO=tsgconf/firewall_sd_maat_tableinfo.json
STAT_FILE=metrics/firewall_sd_maat_stat.json
EFFECT_INTERVAL_MS={{ .Values.external_resources.sd.policy_effect_interval_ms }}
GARBAGE_COLLECT_MS={{ .Values.external_resources.sd.policy_garbage_collection_interval_ms }}
RULE_UPDATE_CHECK_INTERVAL_MS={{ .Values.external_resources.sd.policy_update_check_interval_ms }}
REDIS_IP={{- include "traffic-engine.global.sd.server-ip" . }}
REDIS_PORT_NUM=1
REDIS_PORT={{- include "traffic-engine.global.sd.server-port" . }}
REDIS_INDEX={{ .Values.external_resources.sd.db_index }}
JSON_CFG_FILE=tsgconf/firewall_sd_maat_rule.json
INC_CFG_DIR=tsgrule/inc/index/
FULL_CFG_DIR=tsgrule/full/index/
EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
LOG_PATH="log/firewall.sd.maat"
[MAAT]
ACCEPT_TAGS={"tags":[{{- include "traffic-engine.device-tag-list" . }}]}


@@ -1,24 +0,0 @@
[MODULE]
LOG_PATH=./log/mail
LOG_LEVEL=20
#USER_DEFINE_REGION=X-mailer,Message-ID
#IMAP BODY/BODYSTRUCTURE information
HTABLE_SIZE=65536
HTABLE_EXPIRE_TIME=1800
#whether to decode BASE64/QP, 0:OFF, 1:ON(default)
{{- if eq .Values.decoders.MAIL_BASE64 .Values.define_enable_val_yes }}
TRANS_DECODE_SWITCH=1
{{- else }}
TRANS_DECODE_SWITCH=0
{{- end }}
#0: callback biz per packet; 1: callback biz per line(default)
CALLBACK_BIZ_LINE=1
STAT_FIELD_CYCLE=10
STAT_FIELD_TRIG=0
STAT_FIELD_APPNAME=MAIL_PRO
STAT_FIELD_DST_IP=10.10.10.68
STAT_FIELD_DST_PORT=8125


@@ -1,145 +0,0 @@
[MAAT]
PROFILE="./tsgconf/maat.conf"
{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }}
DYNAMIC_MAPPING_MAAT_SWITCH=1
{{- else }}
DYNAMIC_MAPPING_MAAT_SWITCH=0
{{- end }}
DEVICE_TAG_FILE=/opt/tsg/etc/tsg_device_tag.json
ACCEPT_TAGS={"tags":[{{- include "traffic-engine.device-tag-list" . }}]}
[TSG_LOG]
IPFIX_SCHEMA_PROFILE=./tsgconf/firewall_logger_ipfix_schema.json
LOGGER_SCHEMA_PROFILE=./tsgconf/firewall_logger_transmitter_schema.json
TRAFFIC_VSYSTEM_ID={{ .Values.vsys_id }}
{{- if eq .Values.firewall.logs.contains_app_id.enable .Values.define_enable_val_yes }}
SEND_APP_ID_SWITCH=1
{{- else }}
SEND_APP_ID_SWITCH=0
{{- end }}
{{- if eq .Values.firewall.logs.contains_dns_resource_record.enable .Values.define_enable_val_yes }}
SEND_DNS_RR_SWITCH=1
{{- else }}
SEND_DNS_RR_SWITCH=0
{{- end }}
[SYSTEM]
DATACENTER_ID={{ .Values.session_id_generator.snowflake_worker_id_base }}
LOG_LEVEL=30
LOG_PATH="firewall.log"
DEVICE_SEQ_IN_DATA_CENTER={{ .Values.session_id_generator.snowflake_worker_id_offset }}
SERVICE_CHAINING_SID={{ .Values.sid.sce }}
SHAPING_SID={{ .Values.sid.shaping }}
PROXY_SID={{ .Values.sid.proxy }}
{{- if eq .Values.decoders.SSL_JA3 .Values.define_enable_val_yes }}
GENERATE_JA3_FINGERPRINT=1
{{- else }}
GENERATE_JA3_FINGERPRINT=0
{{- end }}
MAX_SCAN_TCP_PKT_COUNT=8
MAX_SCAN_UDP_PKT_COUNT=8
PERIODIC_SCAN_INTERVAL_MS=120000
OSFP_DB_JSON_PATH=tsgconf/firewall_osfp_db.json
L7_PROTOCOL_FILE=./tsgconf/firewall_l7_protocol.conf
{{ if and (eq .Values.appsketch.context_based_detector .Values.define_enable_val_yes) (eq .Values.appsketch.enable .Values.define_enable_val_yes) }}
APPSKETCH_SWITCH=1
{{- else }}
APPSKETCH_SWITCH=0
{{- end }}
[FIREWALL]
# hijack, replace
PACKET_RESPONSE_MODE=replace
HTTP_PAGE200=./tsgconf/HTTP200.html
HTTP_PAGE204=./tsgconf/HTTP204.html
HTTP_PAGE403=./tsgconf/HTTP403.html
HTTP_PAGE404=./tsgconf/HTTP404.html
[FIREWALL_LOCAL_STAT]
STAT_NAME="firewall"
STAT_INTERVAL_TIME_S=5
STAT_OUTPATH="metrics/firewall_local_file_stat.json"
[APP_SKETCH_FEEDBACK]
QOS=0
PUBLISH_TOPIC="APP_SIGNATURE_ID"
#CLIENT_ID=
#BROKER_IP=
#BROKER_PORT=
[qdpi_detector]
debug_swtich=30
intput_max_packet=20
qmdpi_engine_config=injection_mode=stream;nb_workers={{- include "traffic-engine.sapp.workerthread" . }};nb_flows=8000;basic_dpi_enable=1;classification_cache_enable=0;fm_flow_table_alloc_mode=0
[TRAFFIC_MIRROR]
{{- if eq .Values.traffic_mirror.enable_raw_traffic .Values.define_enable_val_yes }}
TRAFFIC_MIRROR_ENABLE=1
{{- else }}
TRAFFIC_MIRROR_ENABLE=0
{{- end }}
{{- if .Values.nic_mirror_name.firewall }}
NIC_NAME="{{ .Values.nic_mirror_name.firewall }}"
{{- end }}
APP_NAME="firewall-mirror-{{ .Values.app_symbol_index }}"
DEFAULT_VLAN_ID=0
[PROTO_IDENTIFY]
MAX_IDENTIFY_PACKETS=10
[SESSION_FLAGS]
#RANDOM_LOOKING_JUDGE_LIST={"random_looking_judge_list":[ "frequency", "block_frequency", "cumulative_sums", "runs", "longest_run", "rank", "non_overlapping_template_matching", "overlapping_template_matching", "universal", "random_excursions", "random_excursions_variant", "poker_detect", "runs_distribution", "self_correlation", "binary_derivative" ]}
FET_ENABLED=1
RANDOM_LOOKING_UDP_IGNORE_PKTS=-1
RANDOM_LOOKING_JUDGE_LIST={"random_looking_judge_list":[]}
TUNNELING_PCRE_LIST={"tunneling_pcre_list":["(B|C)(d){3,5}(a|b|c|d)(A|B)b(A|B|C|D)", "(B|C)(d){3,5}(a|b|c|d)Aa(A|B|C|D)", "(B|C)(d){2}(b|c)(A|B)b(A|B|C|D)", "(B|C)(d){2}(b|c)Aa(A|B|C|D)"]}
[SF_CLASSIFIER]
SYNC_MODE=1
{{ if eq .Values.stat_policy_enforcer.enable .Values.define_enable_val_yes -}}
[STAT_POLICY_ENFORCER]
CYCLE_INTERVAL_S=1
SESSION_UPDATE_MS=250
{{- end }}
{{ if eq .Values.traffic_sketch.enable .Values.define_enable_val_yes -}}
[TRAFFIC_SKETCH]
APP_AND_TRAFFIC_CYCLE_S=1
APP_AND_TRAFFIC_CYCLE_UPDATE_MS=250
TOPK_CYCLE_S=60
TOPK_UPDATE_MS=1000
DOS_CYCLE_S=60
DOS_UPDATE_MS=1000
SWITCH_TRAFFIC_SKETCH=1
{{- end }}
{{ if eq .Values.policy_sketch.enable .Values.define_enable_val_yes -}}
[POLICY_SKETCH]
OBJECT_CYCLE_S=1
OBJECT_UPDATE_MS=250
RULE_HITS_CYCLE_S=1
RULE_HITS_UPDATE_MS=250
{{- end }}
[DOS_PROTECTOR]
{{ if eq .Values.dos_protector.enable .Values.define_enable_val_yes -}}
DOS_PROTECTOR_ENABLE=1
OUTPUT_INTERVAL_MS=60000
METRICS_OUTPUT_INTERVAL_MS=60000
SWARMKV_CLUSTER_NAME="dos_protection_vsys{{ .Values.vsys_id }}"
SWARMKV_NODE_IP="0.0.0.0"
SWARMKV_NODE_PORT=8551
SWARMKV_CONSUL_IP="NODE_IP_LOCATION"
SWARMKV_CONSUL_PORT=8500
SWARMKV_CLUSTER_ANNOUNCE_IP="NODE_IP_LOCATION"
SWARMKV_CLUSTER_ANNOUNCE_PORT=CLUSTER_ANNOUNCE_PORT_LOCATION
SWARMKV_HEALTH_CHECK_PORT=8552
SWARMKV_HEALTH_CHECK_ANNOUNCE_PORT=HEALTH_CHECK_ANNOUNCE_PORT_LOCATION
{{- else }}
DOS_PROTECTOR_ENABLE=0
{{- end }}


@@ -1,22 +0,0 @@
#以下插件如果加载,初始化失败, sapp平台会退出;
#插件的路径来自配置文件 ./plug/conflist.inf, 不需要加段落标识[platform],[protocol],[business]等.
#If the following plugins fail to initialize, the sapp platform will exit.
#The name of the plugin comes from the configuration ./plug/conflist.inf, section identification is not required.
./plug/protocol/sip/sip.inf
./plug/protocol/rtp/rtp.inf
./plug/protocol/ssl/ssl.inf
./plug/protocol/ssh/ssh.inf
./plug/protocol/http/http.inf
./plug/protocol/dns/dns.inf
./plug/protocol/mail/mail.inf
./plug/protocol/ftp/ftp.inf
./plug/protocol/quic/quic.inf
./plug/protocol/rdp/rdp.inf
./plug/protocol/l2tp_protocol_plug/l2tp_protocol_plug.inf
./plug/business/kni/kni.inf
./plug/business/conn_telemetry/conn_telemetry.inf
./plug/business/http_healthcheck/http_healthcheck.inf
./plug/platform/tsg_ddos_sketch/tsg_ddos_sketch.inf 1
./plug/business/firewall/firewall.inf
./plug/stellar_on_sapp/start_loader.inf
./plug/stellar_on_sapp/defer_loader.inf


@@ -1,274 +0,0 @@
###################################################################################################
# NOTE:
# The format of this file is toml (https://github.com/cktan/tomlc99)
# to make vim editor display colorful and human readable,
# you can create a symbolic links named sapp.ini to sapp.toml, ln -sf sapp.toml sapp.ini
###################################################################################################
[SYSTEM]
instance_name = "firewall-{{ .Values.app_symbol_index }}"
[CPU]
### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as []
worker_threads={{- include "traffic-engine.sapp.workerthread" . }}
send_only_threads_max=0
bind_mask=[{{- include "traffic-engine.sapp.cpu-affinity" . }}]
[MEM]
dictator_enable=0
[PACKET_IO]
[overlay_tunnel_definition]
### note, since 2020-10-01, L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) is process and offload by mrtunnat,
### after 2020-10-01, sapp support L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) without mrtunnat.
l2_l3_tunnel_support=1
### note, optional value is [none, vxlan, nf]
overlay_mode="nf"
[packet_io.feature]
destroy_all_plug_enabled = 0
### note, used to represent inbound or outbound direction value,
### because it comes from Third party device, so it needs to be specified manually,
### if inbound_route_dir=1, then outbound_route_dir=0, vice versa,
### in other words, outbound_route_dir = 1 ^ inbound_route_dir;
inbound_route_dir=1
### note, BSD_packet_filter, if you do not want to set any filter rule, keep it empty as ""
BSD_packet_filter=""
### note, same as tcpdump -Q/-P arg, possible values are `in', `out' and `inout', default is "in"
pcap_capture_direction="in"
### note, depolyment.mode options: [sys_route, vxlan_by_inline_device, raw_ethernet_single_gateway, raw_ethernet_multi_gateway]
### sys_route: send ip(ipv6) packet by system route table, this is default mode in mirror mode;
### vxlan_by_inline_device: encapsulation inject packet with vxlan, and then send to inline device by udp socket.
### raw_ethernet_single_gateway: send layer2 ethernet packet to specific gateway in same broadcast domain.
### raw_ethernet_multi_gateway: send layer2 ethernet packet to multiple gateway in same broadcast domain.
inject_pkt_mode="default"
inject_pkt_prepend_segment_id={{ .Values.sid.inject_adapter }}
### note, this config is valid if inject_pkt_mode==vxlan_by_inline_device, means udp socket src port.
#inject_mode_inline_device_sport=54789
### note, this config is valid if inject_pkt_mode==raw_ethernet_single_gateway.
#inject_mode_single_gateway_device="eth1"
### inject_mode_single_gateway_src_mac has lower priority than get smac from inject_mode_single_gateway_device
#inject_mode_single_gateway_src_mac="00:11:22:77:88:99"
#inject_mode_single_gateway_dst_mac="00:11:22:33:44:55"
#dumpfile_sleep_time_before_exit=3
### note, depolyment.mode options: [mirror, inline, transparent]
[packet_io.deployment]
mode="inline"
### note, interface.type options: [pag,pcap,marsio]
[packet_io.internal.interface]
type="marsio"
name="{{ .Values.nic_raw_name }}"
[packet_io.external.interface]
type="pcap"
name="lo"
[packet_io.polling]
### note, polling_priority = call sapp_recv_pkt every call polling_entry times,
polling_priority=100
[packet_io.under_ddos]
### note, to reduce impact of ddos attack,set some stream bypass, all plugins will not process these streams
{{- if eq .Values.overload_protection.enable .Values.define_enable_val_yes }}
stream_bypass_enabled=1
{{- else }}
stream_bypass_enabled=0
{{- end }}
### note, cpu usage value is percent, for example, config value is 85, means 85%, valid range: [1,100]
### sapp change to bypass state immediately when realtime cpu usage > bypass_trigger_cpu_usage
bypass_trigger_cpu_usage={{ .Values.overload_protection.detect_threshold_cpu_usages }}
### note, unit of get_cpu_usage_interval is milliseconds(ms)
get_cpu_usage_interval={{ .Values.overload_protection.detect_interval_in_ms }}
### note, use the average of the last $smooth_avg_window times as current realtime value
smooth_avg_window={{ .Values.overload_protection.detect_smooth_avg_window }}
decrease_ratio="0.95"
increase_ratio="1.005"
### note, unit of bypass_observe_time is second(s)
recovery_observe_time={{ .Values.overload_protection.recovery_detect_cycle_in_sec }}
[PROTOCOL_FEATURE]
ipv6_decapsulation_enabled=1
ipv6_send_packet_enabled=1
tcp_drop_pure_ack_pkt=0
tcp_syn_option_parse_enabled=1
skip_not_ip_layer_over_eth=0
skip_gtp_seq_field_for_inject=1
[DUPLICATE_PKT]
[dup_pkt.traffic.original]
kickout_udp_stream_enabled=0
{{- if eq .Values.session_manager.tcp_duplicated_packet_filter .Values.define_enable_val_yes }}
original_ipv4_tcp_enabled=1
{{- else }}
original_ipv4_tcp_enabled=0
{{- end }}
{{- if eq .Values.session_manager.udp_duplicated_packet_filter .Values.define_enable_val_yes }}
original_ipv4_udp_enabled=1
{{- else }}
original_ipv4_udp_enabled=0
{{- end }}
### note, can't distinguish between duplicate traffic and application retransmit traffic for IPv6 packets,
### so not support IPv6 original duplicate traffic check.
[dup_pkt.traffic.inject]
{{- if eq .Values.session_manager.inject_duplicated_packet_filter .Values.define_enable_val_yes }}
inject_all_enabled=1
{{- else }}
inject_all_enabled=0
{{- end }}
[dup_pkt.parameters]
bloom_capacity=1000000
bloom_error_rate=0.00001
bloom_timeout=10
[STREAM]
### note, stream_id_base_time format is "%Y-%m-%d %H:%M:%S"
stream_id_base_time="2021-01-01 00:00:00"
[stream.tcp]
max={{ .Values.session_manager.tcp_session_max }}
timeout={{ .Values.session_manager.tcp_session_timeout_in_sec }}
syn_mandatory=1
reorder_pkt_max={{ .Values.session_manager.tcp_session_unordered_pkt_max }}
analyse_option_enabled=1
tuple4_reuse_time_interval=30
meaningful_statistics_minimum_pkt=3
meaningful_statistics_minimum_byte=5
opening_timeout={{ .Values.session_manager.tcp_session_opening_timeout_in_sec }}
closing_timeout={{ .Values.session_manager.tcp_session_closing_timeout_in_sec }}
[stream.tcp.inject]
link_mss=1460
[stream.tcp.inject.rst]
auto_remedy=0
number=3
signature_enabled=1
signature_seed1=65535
signature_seed2=13
remedy_kill_tcp_by_inline_device=0
[stream.udp]
max={{ .Values.session_manager.udp_session_max }}
timeout={{ .Values.session_manager.udp_session_timeout_in_sec }}
meaningful_statistics_minimum_pkt=3
meaningful_statistics_minimum_byte=5
[PROFILING]
[profiling.log]
sapp_log_category="sapp_log"
sapp_plugin_log_category="sapp_plugin_log"
#for profiling-related API control, e.g printaddr
[profiling.metric]
[profiling.metric.fs2]
enabled=0
prometheus_port=9273
prometheus_url_path="/metrics"
local_file="log/fs2_sysinfo.metrics"
refresh_interval_s=1
[profiling.metric.fs3]
enabled=0
prometheus_port=9273
prometheus_url_path="/metrics"
local_file="log/fs3_sysinfo.metrics"
refresh_interval_s=1
[profiling.metric.fs4]
enabled=1
local_file="./metrics/fs4_sysinfo.json"
refresh_interval_s=1
app_name="sapp4"
[profiling.process_latency]
log_category="sapp_process_latency_log"
histogram_enabled=0
local_file="fs2_process_latency.metrics"
refresh_interval_s=1
### note, threshold unit is microseconds (us), legal_scope [1,99999999], max value is 99
threshold_us=1000
### define in time.h,use CLOCK_MONOTONIC_COARSE as default
### 0 means CLOCK_REALTIME, 1 means CLOCK_MONOTONIC, 2 means CLOCK_PROCESS_CPUTIME_ID, 3 means CLOCK_THREAD_CPUTIME_ID
### 4 means CLOCK_MONOTONIC_RAW, 5 means CLOCK_REALTIME_COARSE, 6 means CLOCK_MONOTONIC_COARSE
clock_gettime_id=6
[profiling.sanity_check]
raw_pkt_broken_enabled=0
symbol_conflict_enabled=0
[TOOLS]
[tools.pkt_dump]
enabled=1
### note, mode options value:[storage, udp_socket]
mode="udp_socket"
BSD_packet_filter=""
[tools.pkt_dump.threads]
### note, if you want enable pkt dump in all thread, set dump_thread_all_enabled=1, then 'dump_thread_id' is obsoleted.
### if dump_thread_all_enabled=0, then use dump_thread_id to specify separate specified thread index.
all_threads_enabled=1
### note, dump_thread_id start from 0, max is CPU.worker_threads-1
dump_thread_id=[0,1,2,3,4]
[tools.pkt_dump.udp]
command_port=9345
pkt_dump_ratio=30
[tools.pkt_dump.storage]
### note, file path must be double quotation mark extension, for example, path="/dev/shm/pkt_dump"
path="/dev/shm/pkt_dump"
### note, file size unit: MB
file_size_max_per_thread=10000
[BREAKPAD]
disable_coredump=0
enable_breakpad=0
enable_breakpad_upload=0
breakpad_minidump_dir="/run/sapp/crashreport"
breakpad_upload_tools="/opt/tsg/framework/bin/minidump_upload"
### note:
### These configurations format is complex and difficult to describe with toml grammar,
### so, create a independent secondary config file to description specific information.
[SECONDARY_CONFIG_LINK]
cfg_file_sapp_log="etc/sapp_log.conf"
cfg_file_plug_list="plug/conflist.inf"
cfg_file_project_list="etc/project_list.conf"
cfg_file_entrylist="etc/entrylist.conf"
cfg_file_send_raw_pkt="etc/send_raw_pkt.conf"
cfg_file_vxlan_sport_map="etc/vxlan_sport_service_map.conf"
cfg_file_inline_device="etc/gdev.conf"
cfg_file_necessary_plug_list="etc/necessary_plug_list.conf"
cfg_file_stream_compare_layer="etc/stream_compare_layer.conf"
cfg_file_vlan_flipping="etc/vlan_flipping_map.conf"
cfg_file_asymmetric_addr_layer="etc/asymmetric_addr_layer.conf"
cfg_file_well_known_port="etc/well_known_port.conf"
[SECONDARY_DATA_LINK]
data_file_sysinfo_log="log/sysinfo.log"
data_file_field_stat_log="log/fs2_sysinfo.log"
data_file_inline_keepalive_log="log/gdev_keeplive_status.log"
[LIBRARY_LINK]
marsio_library_path="/opt/tsg/mrzcpd/lib/libmarsio.so"


@@ -1,18 +0,0 @@
[global]
default format = "%d(%c), %V, %U, %m%n"
rotate lock file = /tmp/sapp_zlog.lock
file perms = 644
[levels]
DEBUG=10
INFO=20
FATAL=30
STOP=40
[formats]
other = "%d(%c), %V, %F, %U, %m%n"
plugin = "%d(%c), %m%n"
[rules]
sapp_log.fatal "./log/runtimelog.%d(%F)", 500M ~ "./log/runtimelog.%d(%F).#2s"
sapp_plugin_log.fatal >stdout; plugin
sapp_plugin_log.info "./log/plugin.log.%d(%F)", 500M ~ "./log/plugin.log.%d(%F).#2s"; plugin
sapp_process_latency_log.fatal "./log/sapp_process_latency.log.%d(%F)", 500M ~ "./log/sapp_process_latency.log.%d(%F).#2s"
!.fatal "./log/%c.%d(%F)", 500M ~ "./log/%c.%d(%F).#2s"; other


@@ -1,101 +0,0 @@
[system]
nr_worker_threads={{- include "traffic-engine.sce.workerthread" . }}
cpu_affinity_mask={{- include "traffic-engine.sce.cpu-affinity" . }}
firewall_sids={{ .Values.sid.firewall }}
stateless_sids=900
enable_debug=0
enable_send_log=1
ts_update_interval_ms=1
# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
disable_coredump=0
enable_breakpad=0
enable_breakpad_upload=0
# must be /run/sce/crashreportdue to tmpfile limit
breakpad_minidump_dir=/run/sce/crashreport
breakpad_upload_tools=/opt/tsg/framework/bin/minidump_upload
[maat]
# 0:json 1:redis
input_mode=1
# LOG_LEVEL_TRACE = 0; LOG_LEVEL_DEBUG = 1; LOG_LEVEL_INFO = 2;
# LOG_LEVEL_WARN = 3; LOG_LEVEL_ERROR = 4; LOG_LEVEL_FATAL = 5;
log_level=5
stat_switch=1
perf_switch=1
scan_detail=0
deferred_load=0
effect_interval_ms=1000
stat_file=log/maat.fs2
table_info=resource/table_info.conf
accept_path=/opt/tsg/etc/tsg_device_tag.json
json_cfg_file=resource/sce.json
foreign_cont_dir=resource/foreign_files
redis_db_idx={{ .Values.vsys_id }}
redis_server={{- include "traffic-engine.global.cm.server-ip" . }}
redis_port_range={{- include "traffic-engine.global.cm.server-port" . }}
max_chaining_size=32
[packet_io]
# bypass_traffic:0 disable
# bypass_traffic:1 bypass all traffic
# bypass_traffic:2 bypass raw traffic
# bypass_traffic:3 bypass decrypted traffic
bypass_traffic=0
rx_burst_max=128
min_timeout_ms=900
app_symbol=sce-{{ .Values.app_symbol_index }}
dev_nf_name={{ .Values.sce_config.steering_nic }}
# dev_endpoint_l2 for vlan
dev_endpoint_l2_name={{ .Values.sce_config.vlan_config.endpoint_nic }}
vlan_encapsulate_replace_orig_vlan_header=0
# dev_endpoint_l3 for vxlan
dev_endpoint_l3_name={{ .Values.sce_config.vxlan_config.endpoint_nic }}
dev_endpoint_l3_ip={{ .Values.sce_config.vxlan_config.endpoint_ip }}
# dev_endpoint_l3_mac=aa:aa:aa:aa:aa:aa
[stat]
output_file=log/sce.fs2
statsd_server=127.0.0.1
statsd_port=8100
# 1 : FS_OUTPUT_STATSD
# 2 : FS_OUTPUT_INFLUX_LINE
statsd_format=2
statsd_cycle=2
prometheus_listen_port=9006
prometheus_listen_url=/metrics
[metrics]
output_fs_interval_ms=500
output_kafka_interval_ms=1000
{{- range .Values.device.tags -}}
{{- range $key,$val := . }}
{{- if eq $key "data_center" }}
data_center={{ $val }}
{{- end }}
{{- if eq $key "device_group" }}
device_group={{ $val }}
{{- end }}
{{- end }}
{{- end }}
device_id=DEVICE_ID_PLACE_HOLDER_MARK
[bfdd]
enable=1
# use default_gw_mac when enable = 0
default_gw_mac=aa:aa:aa:aa:aa:aa
path=/run/frr/bfdd.vty
device={{ .Values.sce_config.vxlan_config.endpoint_nic }}
local_address={{ .Values.sce_config.vxlan_config.endpoint_ip }}
gateway={{ .Values.sce_config.vxlan_config.endpoint_gateway }}
icmp_cycle_time_s=10
[kafka]
enable_debug=0
brokerlist={{- include "traffic-engine.config.addresses.converter" (list .Values.external_resources.olap.kafka_brokers.addresses ",") }}
sasl_username={{ .Values.external_resources.olap.kafka_brokers.sasl_username }}
sasl_passwd={{ .Values.external_resources.olap.kafka_brokers.sasl_password }}
topic_name=POLICY-RULE-METRIC


@@ -1,12 +0,0 @@
# kill -s SIGHUP "pid"
[global]
default format = "%d(%c), %V, %F, %U, %m%n"
[levels]
DEBUG=10
INFO=20
FATAL=30
[rules]
sce.fatal "./log/sce.log.%d(%F)", 500M ~ "./log/sce.log.%d(%F).#2s";


@@ -1,9 +0,0 @@
#(0:pag,1:pcap,2:dumpfile,3:pfring,4:DPDK,5:ppf,6:NPacket,7:qnf,8:N95,9:pcap-dumpfile-list,10:topsec,
##(11:ipfile, 12:marsio4, 13:agent_smith, 14:dpdk_vxlan, 15:marsio_vxlan, 16:pag_marsio
#target_id
0 pag p7p2 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 {{ .Values.nic_raw_name }} smith dpdk dpdk pag
1 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 {{ .Values.nic_raw_name }} smith dpdk dpdk pag
#2 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p1 smith dpdk dpdk pag
#3 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p2 smith dpdk dpdk pag
#4 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p2 smith dpdk dpdk pag


@@ -1,54 +0,0 @@
[SYSTEM]
WORK_THREAD_NUM={{- include "traffic-engine.shaping.workerthread" . }}
ENABLE_CPU_AFFINITY=1
CPU_AFFINITY_MASK={{- include "traffic-engine.shaping.cpu-affinity" . }}
firewall_sids={{ .Values.sid.firewall }}
[MARSIO]
DEV_INTERFACE="{{ .Values.shaping_config.shaping_nic }}"
RX_BRUST_MAX=64
APP_SYMBOL="shaping-{{ .Values.app_symbol_index }}"
[MAAT]
INPUT_MODE=1
TABLE_INFO="conf/table_info.json"
JSON_FILE="conf/shaping_maat.json"
REDIS_DB_IDX={{ .Values.vsys_id }}
REDIS_IP="{{- include "traffic-engine.global.cm.server-ip" . }}"
REDIS_PORT="{{- include "traffic-engine.global.cm.server-port" . }}"
[SWARMKV]
SWARMKV_CLUSTER_NAME="tsg-shaping-vsys{{ .Values.vsys_id }}"
SWARMKV_NODE_IP="0.0.0.0"
SWARMKV_NODE_PORT=8551
SWARMKV_CONSUL_IP="NODE_IP_LOCATION"
SWARMKV_CONSUL_PORT=8500
SWARMKV_CLUSTER_ANNOUNCE_IP="NODE_IP_LOCATION"
SWARMKV_CLUSTER_ANNOUNCE_PORT=CLUSTER_ANNOUNCE_PORT_LOCATION
SWARMKV_HEALTH_CHECK_PORT=8552
SWARMKV_HEALTH_CHECK_ANNOUNCE_PORT=HEALTH_CHECK_ANNOUNCE_PORT_LOCATION
[METRIC]
{{- range .Values.device.tags -}}
{{- range $key,$val := . }}
{{- if eq $key "data_center" }}
DATA_CENTER={{ $val }}
{{- end }}
{{- if eq $key "device_group" }}
DEVICE_GROUP={{ $val }}
{{- end }}
{{- end }}
{{- end }}
DEVICE_ID="DEVICE_ID_PLACE_HOLDER_MARK"
KAFKA_TOPIC="POLICY-RULE-METRIC"
KAFKA_BROKERS="{{- include "traffic-engine.config.addresses.converter" (list .Values.external_resources.olap.kafka_brokers.addresses ",") }}"
KAFKA_USERNAME="{{ .Values.external_resources.olap.kafka_brokers.sasl_username }}"
KAFKA_PASSWORD="{{ .Values.external_resources.olap.kafka_brokers.sasl_password }}"
[CONFIG]
#PROFILE_QUEUE_LEN_PER_PRIORITY_MAX=128
SESSION_QUEUE_LEN_MAX=32
QUEUEING_SESSIONS_PER_PRIORITY_PER_THREAD_MAX=1024
POLLING_NODE_NUM_MAX={"polling_node_num_max":[ 3, 2, 2, 2, 2, 2, 2, 2, 2, 2 ]}


@@ -1,13 +0,0 @@
[global]
default format = "%d(%c), %V, %F, %U, %m%n"
[levels]
DEBUG=10
INFO=20
FATAL=30
[rules]
log_shaping.fatal "./log/shaping.log.%d(%F)", 500M ~ "./log/shaping.log.%d(%F).#2s";
#log_shaping.fatal >stdout;
#log_shaping.info "./log/info_shaping.log.%d(%F)";
#log_shaping.debug "./log/debug_shaping.log.%d(%F)";


@@ -1,49 +0,0 @@
{{ if eq .Values.session_flags.enable .Values.define_enable_val_yes -}}
[[plugin]]
path = "./stellar_plugin/session_flags.so"
init = "session_flags_plugin_init"
exit = "session_flags_plugin_exit"
{{- end }}
[[plugin]]
path = "./stellar_plugin/glimpse_detector.so"
init = "APP_GLIMPSE_DETECTOR_LOAD"
exit = "APP_GLIMPSE_DETECTOR_UNLOAD"
[[plugin]]
path = "./plug/business/firewall/firewall.so"
init = "firewall_stellar_plugin_load"
exit = "firewall_stellar_plugin_unload"
[[plugin]]
path = "./stellar_plugin/sf_classifier.so"
init = "sf_classifier_init"
exit = "sf_classifier_exit"
{{ if and (eq .Values.appsketch.qdpi_detector .Values.define_enable_val_yes) (eq .Values.appsketch.enable .Values.define_enable_val_yes) -}}
[[plugin]]
path = "./stellar_plugin/qdpi_detector/qdpi_detector.so"
init = "QDPI_DETECTOR_LOAD"
exit = "QDPI_DETECTOR_UNLOAD"
{{- end }}
{{ if eq .Values.stat_policy_enforcer.enable .Values.define_enable_val_yes -}}
[[plugin]]
path = "./stellar_plugin/stat_policy_enforcer.so"
init = "STATISTICS_INIT"
exit = "STATISTICS_EXIT"
{{- end }}
{{ if eq .Values.traffic_sketch.enable .Values.define_enable_val_yes -}}
[[plugin]]
path = "./stellar_plugin/traffic_sketch.so"
init = "TRAFFIC_SKETCH_INIT"
exit = "TRAFFIC_SKETCH_EXIT"
{{- end }}
{{ if eq .Values.policy_sketch.enable .Values.define_enable_val_yes -}}
[[plugin]]
path = "./stellar_plugin/policy_sketch.so"
init = "POLICY_SKETCH_INIT"
exit = "POLICY_SKETCH_EXIT"
{{- end }}


@@ -1,12 +0,0 @@
[SSL]
MAX_CACHE_LEN=10240
{{- if eq .Values.decoders.SSL_CERT .Values.define_enable_val_yes }}
PARSE_CERTIFICATE_DETAIL=1
{{- else }}
PARSE_CERTIFICATE_DETAIL=0
{{- end }}
{{- if eq .Values.decoders.SSL_DETAIN_FRAG_CHELLO .Values.define_enable_val_yes }}
DETAIN_FRAG_CHELLO_NUM=6
{{- else }}
DETAIN_FRAG_CHELLO_NUM=0
{{- end }}


@@ -1,288 +0,0 @@
[system]
nr_worker_threads={{- include "traffic-engine.tfe.workerthread" . }}
# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
disable_coredump=0
enable_breakpad=0
enable_breakpad_upload=0
# must be /run/tfe/crashreport due to tmpfile limit
breakpad_minidump_dir=/run/tfe/crashreport
breakpad_upload_tools=/opt/tsg/framework/bin/minidump_upload
# ask for at least (1 + nr_worker_threads) masks
# the first mask for acceptor thread
# the others mask for worker thread
enable_cpu_affinity=1
cpu_affinity_mask={{- include "traffic-engine.tfe.cpu-affinity" . }}
# LEAST_CONN = 0; ROUND_ROBIN = 1
load_balance=1
[public]
vsys_id={{ .Values.vsys_id }}
{{- range .Values.device.tags -}}
{{- range $key,$val := . }}
{{- if eq $key "data_center" }}
data_center={{ $val }}
{{- end }}
{{- if eq $key "device_group" }}
device_group={{ $val }}
{{- end }}
{{- end }}
{{- end }}
device_id=DEVICE_ID_PLACE_HOLDER_MARK
# for enable kni v3
[nfq]
queue_id=1
queue_maxlen=655350
queue_rcvbufsiz=983025000
queue_no_enobufs=1
[kni]
# kni v1
#uxdomain=/var/run/.tfe_kni_acceptor_handler
# kni v2
#scm_socket_file=/var/run/.tfe_kmod_scm_socket
# send cmsg
send_switch=0
ip=127.0.0.1
cmsg_port=2475
# watch dog
watchdog_switch=0
watchdog_port=2476
[watchdog_tfe]
# The worker thread updates the timestamp every two seconds
# The watchdog thread checks the timestamp every second
enable=1
timeout_seconds=5
statistics_window=20
timeout_cnt_as_fail=3
timeout_debug=0
[ssl]
ssl_debug=0
# ssl version Not available, configured via TSG website
# ssl_max_version=tls13
# ssl_min_version=ssl3
ssl_compression=1
no_ssl2=1
no_ssl3=0
no_tls10=0
no_tls11=0
no_tls12=0
default_ciphers=ALL:-aNULL
no_cert_verify=0
# session ticket
no_session_ticket=0
stek_group_num=4096
stek_rotation_time=3600
# session cache
no_session_cache=0
session_cache_slots=4194304
session_cache_expire_seconds=1800
# service cache
service_cache_slots=4194304
service_cache_expire_seconds=300
service_cache_fail_as_pinning_cnt=4
service_cache_fail_as_proto_err_cnt=5
service_cache_fail_time_window=30
service_cache_succ_as_app_not_pinning_cnt=0
# cert
check_cert_crl=0
trusted_cert_load_local=1
trusted_cert_file=resource/tfe/tsg_diagnose_ca.pem
trusted_cert_dir=resource/tfe/trusted_storage
# master key
log_master_key=0
key_log_file=log/sslkeylog.log
[key_keeper]
#Mode: debug - generate cert with ca_path, normal - generate cert with cert store
#0 on cache 1 off cache
no_cache=0
mode=normal
cert_store_host=127.0.0.1
cert_store_port=9991
ca_path=resource/tfe/tango-ca-v3-trust-ca.pem
untrusted_ca_path=resource/tfe/tango-ca-v3-untrust-ca.pem
hash_slot_size=131072
hash_expire_seconds=300
cert_expire_time=24
# health_check only for "mode=normal" default 1
enable_health_check=1
[tsg_http]
enable_plugin=1
en_sendlog=1
[debug]
# 1 : enforce tcp passthrough
# 0 : Whether to passthrough depends on the tcp_options in cmsg
passthrough_all_tcp=0
[ratelimit]
read_rate=0
read_burst=0
write_rate=0
write_burst=0
[tcp]
# read rcv_buff/snd_buff options from tfe conf
sz_rcv_buffer=-1
sz_snd_buffer=-1
# 1 : use tcp_options in tfe.conf
# 0 : use tcp_options in cmsg
enable_overwrite=0
tcp_nodelay=1
so_keepalive=1
tcp_keepcnt=8
tcp_keepintvl=15
tcp_keepidle=30
tcp_user_timeout=600
tcp_ttl_upstream=75
tcp_ttl_downstream=70
[stat]
statsd_server=127.0.0.1
statsd_port=8900
statsd_cycle=5
# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
statsd_format=2
histogram_bins=0.5,0.8,0.9,0.95
statsd_set_prometheus_port=9001
statsd_set_prometheus_url_path=/metrics
[traffic_mirror]
{{- if eq .Values.traffic_mirror.enable_decrypted_traffic .Values.define_enable_val_yes }}
enable=1
{{- else }}
enable=0
{{- end }}
{{- if .Values.nic_mirror_name.proxy }}
device={{ .Values.nic_mirror_name.proxy }}
{{- end }}
app_symbol=proxy-mirror-{{ .Values.app_symbol_index }}
# 0:TRAFFIC_MIRROR_ETHDEV_AF_PACKET; 1:TRAFFIC_MIRROR_ETHDEV_MARSIO
type=1
table_info=resource/pangu/table_info_traffic_mirror.conf
stat_file=log/traffic_mirror.status
default_vlan_id=0
[kafka]
brokerlist={{- include "traffic-engine.config.addresses.converter" (list .Values.external_resources.olap.kafka_brokers.addresses ",") }}
sasl_username={{ .Values.external_resources.olap.kafka_brokers.sasl_username }}
sasl_passwd={{ .Values.external_resources.olap.kafka_brokers.sasl_password }}
rule_hits_topic=POLICY-RULE-METRIC
proxy_event_topic=PROXY-EVENT
file_stream_topic=TRAFFIC-HTTP-FILE-STREAM-RECORD
exch_cert_topic=PXY-EXCH-INTERMEDIA-CERT
[maat]
# 0:json 1:redis
maat_input_mode=1
stat_switch=1
perf_switch=1
table_info=resource/pangu/table_info.conf
accept_path=/opt/tsg/etc/tsg_device_tag.json
stat_file=log/pangu_scan.fs2
effect_interval_s=1
deferred_load_on=0
# json mode conf iterm
json_cfg_file=resource/pangu/pangu_http.json
# redis mode conf iterm
maat_redis_server={{- include "traffic-engine.global.cm.server-ip" . }}
maat_redis_port_range={{- include "traffic-engine.global.cm.server-port" . }}
maat_redis_db_index={{ .Values.vsys_id }}
[proxy_hits]
app_name="proxy_rule_hits"
output_fs_interval_ms=500
output_kafka_interval_ms=1000
# for enable kni v4
[packet_io]
dup_packet_filter_enable=1
dup_packet_filter_capacity=1000000
dup_packet_filter_timeout=10
# MESA_load_profile not support double
#dup_packet_filter_error_rate=0.00001
packet_io_debug=0
packet_io_threads={{- include "traffic-engine.pktio.workerthread" . }}
packet_io_cpu_affinity_mask={{- include "traffic-engine.pktio.cpu-affinity" . }}
firewall_sids={{ .Values.sid.firewall }}
proxy_sids={{ .Values.sid.proxy }}
service_chaining_sids={{ .Values.sid.sce }}
# bypass_all_traffic:1 NF2NF and SF2SF
bypass_all_traffic=0
rx_burst_max=128
app_symbol=proxy-{{ .Values.app_symbol_index }}
dev_nf_interface={{ .Values.proxy_config.proxy_nic }}
src_mac_addr = 00:0e:c6:d6:72:c1
# tap config
tap_name=tap0
# 1.tap_allow_mutilthread=1 load bpf rss obj
# 2.tap_allow_mutilthread=0 not load bpf rss obj
tap_allow_mutilthread=1
bpf_obj=/opt/tsg/tfe/resource/bpf/bpf_tun_rss_steering.o
# tap_bpf_debug_log: cat /sys/kernel/debug/tracing/trace_pipe
bpf_debug_log=0
# 2: BPF 使用二元组分流
# 4: BPF 使用四元组分流
bpf_hash_mode={{ .Values.distmode }}
# 配置 tap 网卡的 RPS
tap_rps_enable=1
tap_rps_mask={{ .Values.tfe_rps_mask }}
# iouring config
enable_iouring=1
enable_debuglog=0
ring_size=1024
buff_size=2048
# io_uring_setup() flags
# IORING_SETUP_IOPOLL (1U << 0) /* io_context is polled */
# IORING_SETUP_SQPOLL (1U << 1) /* SQ poll thread */
# IORING_SETUP_SQ_AFF (1U << 2) /* sq_thread_cpu is valid */
# IORING_SETUP_CQSIZE (1U << 3) /* app defines CQ size */
# IORING_SETUP_CLAMP (1U << 4) /* clamp SQ/CQ ring sizes */
# IORING_SETUP_ATTACH_WQ (1U << 5) /* attach to existing wq */
# IORING_SETUP_R_DISABLED (1U << 6) /* start with ring disabled */
# IORING_SETUP_SUBMIT_ALL (1U << 7) /* continue submit on error */
flags=0
sq_thread_idle=0
[traffic_steering]
enable_steering_http=0
enable_steering_ssl=0
# 17: 0x11
so_mask_client=17
# 34: 0x22
so_mask_server=34
device_client=tap_c
device_server=tap_s
http_keepalive_enable=0
http_keepalive_path="/metrics"
http_keepalive_addr=192.168.41.60
http_keepalive_port=9273


@@ -1,24 +0,0 @@
# kill -s SIGHUP "pid"
[global]
default format = "%d(%c), %t, %V, %F, %U, %m%n"
rotate lock file = /tmp/tfe_zlog.lock
file perms = 644
[levels]
DEBUG=10
INFO=20
FATAL=30
#DISABLE=40
[rules]
*.fatal "./log/error.log.%d(%F)", 500M ~ "./log/error.log.%d(%F).#2s";
tfe.fatal "./log/tfe.log.%d(%F)", 500M ~ "./log/tfe.log.%d(%F).#2s";
http.fatal "./log/http.log.%d(%F)", 500M ~ "./log/http.log.%d(%F).#2s";
http2.fatal "./log/http2.log.%d(%F)", 500M ~ "./log/http2.log.%d(%F).#2s";
doh.fatal "./log/doh_pxy.log.%d(%F)", 500M ~ "./log/doh_pxy.log.%d(%F).#2s";
tsg_http.fatal "./log/tsg_http_pxy.log.%d(%F)", 500M ~ "./log/tsg_http_pxy.log.%d(%F).#2s";
packet_io.fatal "./log/packet_io.log.%d(%F)", 500M ~ "./log/packet_io.log.%d(%F).#2s";


@@ -1,2 +0,0 @@
[MAAT]
ACCEPT_TAGS={"tags":[{{- include "traffic-engine.device-tag-list" . }}]}


@@ -1,104 +0,0 @@
#for inline a device vlan flipping
#数据包来自C路由器端, 即C2I(I2E)方向,
#数据包来自I路由器端, 即I2C(E2I)方向,
#平台会根据vlan_id,设置当前包route_dir的值, 以便上层业务插件做两个方向的流量统计,
#如果一对vlan_id写反了, 网络是通的, 但是I2E,E2I的流量统计就颠倒了.
#配置文件格式, pattern:
#来自C路由器vlan_id 来自I路由器vlan_id 是否开启mac地址翻转
#C_rout r_vlan_id I_router_vlan_id mac_flipping_enable
1000 1001 0
1002 1003 0
1004 1005 0
1006 1007 0
1008 1009 0
1010 1011 0
1012 1013 0
1014 1015 0
1016 1017 0
1018 1019 0
1020 1021 0
1022 1023 0
1024 1025 0
1026 1027 0
1028 1029 0
1030 1031 0
1032 1033 0
1034 1035 0
1036 1037 0
1038 1039 0
1040 1041 0
1042 1043 0
1044 1045 0
1046 1047 0
1048 1049 0
1050 1051 0
1052 1053 0
1054 1055 0
1056 1057 0
1058 1059 0
1060 1061 0
1062 1063 0
1064 1065 0
1066 1067 0
1068 1069 0
1070 1071 0
1072 1073 0
1074 1075 0
1076 1077 0
1078 1079 0
1080 1081 0
1082 1083 0
1084 1085 0
1086 1087 0
1088 1089 0
1090 1091 0
1092 1093 0
1094 1095 0
1096 1097 0
1098 1099 0
1100 1101 0
1102 1103 0
1104 1105 0
1106 1107 0
1108 1109 0
1110 1111 0
1112 1113 0
1114 1115 0
1116 1117 0
1118 1119 0
1120 1121 0
1122 1123 0
1124 1125 0
1126 1127 0
4000 4001 0
4002 4003 0
4004 4005 0
4006 4007 0
4008 4009 0
4010 4011 0
4012 4013 0
4014 4015 0
4016 4017 0
4018 4019 0
4020 4021 0
4022 4023 0
4024 4025 0
4026 4027 0
4028 4029 0
4030 4031 0
4032 4033 0
4034 4035 0
4036 4037 0
4038 4039 0
4040 4041 0
4042 4043 0
4044 4045 0
4046 4047 0
4048 4049 0
4050 4051 0
4052 4053 0
4054 4055 0
4056 4057 0
4058 4059 0
4060 4061 0
4062 4063 0


@@ -1,246 +0,0 @@
{{- define "traffic-engine.config.addresses.converter" -}}
{{- $addresses := list -}}
{{- $source := index . 0 -}}
{{- $separator := index . 1 -}}
{{- if $source }}
{{- range $source -}}
{{- $address := ( print .address ":" .port ) -}}
{{- $addresses = append $addresses $address -}}
{{- end -}}
{{- join $separator $addresses }}
{{- end }}
{{- end -}}
{{- define "traffic-engine.tfe.workerthread" -}}
{{- if eq (len .Values.tfe_affinity) 1 }}
{{- 1 }}
{{- else }}
{{- sub (len .Values.tfe_affinity) 1 }}
{{- end }}
{{- end -}}
{{- define "traffic-engine.sce.workerthread" -}}
{{- len .Values.sce_affinity }}
{{- end -}}
{{- define "traffic-engine.shaping.workerthread" -}}
{{- len .Values.shaping_affinity }}
{{- end -}}
{{- define "traffic-engine.inject_adapter.workerthread" -}}
{{- len .Values.inject_adapter_affinity }}
{{- end -}}
{{- define "traffic-engine.pktio.workerthread" -}}
{{- len .Values.pktio_affinity }}
{{- end -}}
{{- define "traffic-engine.tfe.cpu-affinity" -}}
{{- if eq (len .Values.tfe_affinity) 1 }}
{{- print (index .Values.tfe_affinity 0) "," (index .Values.tfe_affinity 0) }}
{{- else }}
{{- join "," .Values.tfe_affinity }}
{{- end }}
{{- end -}}
{{- define "traffic-engine.sce.cpu-affinity" -}}
{{- join "," .Values.sce_affinity }}
{{- end -}}
{{- define "traffic-engine.shaping.cpu-affinity" -}}
{{- join "," .Values.shaping_affinity }}
{{- end -}}
{{- define "traffic-engine.inject_adapter.cpu-affinity" -}}
{{- join "," .Values.inject_adapter_affinity }}
{{- end -}}
{{- define "traffic-engine.pktio.cpu-affinity" -}}
{{- join "," .Values.pktio_affinity }}
{{- end -}}
{{- define "traffic-engine.device-tag-list" -}}
{{- $tags_list := list -}}
{{- if .Values.device.tags }}
{{- range .Values.device.tags -}}
{{- range $key,$val := . }}
{{- $tag_json := ( print "{\"tag\":\"" $key "\",\"value\":\"" $val "\"}") -}}
{{- $tags_list = append $tags_list $tag_json -}}
{{- end }}
{{- end }}
{{- end }}
{{- join "," $tags_list }}
{{- end -}}
{{- define "traffic-engine.sapp.workerthread" -}}
{{ len .Values.sapp_affinity }}
{{- end -}}
{{- define "traffic-engine.sapp.cpu-affinity" -}}
{{ join "," .Values.sapp_affinity }}
{{- end -}}
{{- define "traffic-engine.config.identify-proto-name" -}}
{{- $proto_name := "" -}}
{{- $val_yes := .Values.define_enable_val_yes }}
{{- range $key, $val := .Values.decoders }}
{{- if eq $val $val_yes }}
{{- $proto_name = print $proto_name $key ";" }}
{{- end }}
{{- end }}
{{- $proto_name }}
{{- end -}}
{{- define "traffic-engine.merge-exporter.merge-urls" -}}
{{- if and (eq .Values.proxy.enable .Values.define_enable_val_yes) (ge (len .Values.tfe_affinity) 1) }}
{{- print "value: http://localhost:9273/metrics http://localhost:9001/metrics http://localhost:9002/metrics http://localhost:9006/metrics" }}
{{- else }}
{{- print "value: http://localhost:9273/metrics http://localhost:9002/metrics http://localhost:9006/metrics" }}
{{- end }}
{{- end -}}
{{/*
Set up the environment to enable API access.
The template should be invoked in command line.
*/}}
{{- define "public.prepare-access-API" -}}
export APISERVER=https://kubernetes.default.svc
export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
export TOKEN=$(cat ${SERVICEACCOUNT}/token)
export CACERT=${SERVICEACCOUNT}/ca.crt
{{- end -}}
{{/*
Read the node annotations information and serialize it into a file.
The template should be invoked from the command line.
The template requires "public.prepare-access-API".
*/}}
{{- define "public.serialize-node-annotations" -}}
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/nodes/${NODE_NAME} -o /tmp/node-${NODE_NAME}.json
export DEVICE_SN=$(cat /tmp/node-${NODE_NAME}.json | jq -r '.metadata.annotations."tsg-os/device-sn"')
echo "{\"sn\": \"$DEVICE_SN\"}" > /opt/tsg/shared-configs/tsg_sn.json
echo "export device_id=${DEVICE_SN}" > /opt/tsg/shared-configs/device_id.sh
{{- end -}}
{{/*
The volumes related to "mrzcpd".
The volumes will be mounted by "traffic-engine.mount.mrzcpd".
*/}}
{{- define "traffic-engine.volume.mrzcpd" -}}
- name: opt-tsg-mrzcpd
hostPath:
path: /opt/tsg/mrzcpd
- name: var-run-mrzcpd
hostPath:
path: /var/run/mrzcpd
- name: var-run-dpdk
hostPath:
path: /var/run/dpdk
- name: profile-mrzcpd
hostPath:
path: /etc/profile.d/mrzcpd.sh
type: File
- name: ldconfig-mrzcpd
hostPath:
path: /etc/ld.so.conf.d/mrzcpd.conf
type: File
{{- end -}}
{{/*
The volumeMounts related to "mrzcpd".
Requires "traffic-engine.volume.mrzcpd"
*/}}
{{- define "traffic-engine.mount.mrzcpd" -}}
- name: opt-tsg-mrzcpd
mountPath: /opt/tsg/mrzcpd
mountPropagation: HostToContainer
readOnly: false
- name: var-run-mrzcpd
mountPath: /var/run/mrzcpd
readOnly: false
- name: var-run-dpdk
mountPath: /var/run/dpdk
readOnly: false
- name: profile-mrzcpd
mountPath: /etc/profile.d/mrzcpd.sh
readOnly: true
- name: ldconfig-mrzcpd
mountPath: /etc/ld.so.conf.d/mrzcpd.conf
readOnly: true
{{- end -}}
{{- define "traffic-engine.global.cm.server-ip" -}}
{{- if eq .Values.external_resources.cm.connectivity "direct" }}
{{- print .Values.external_resources.cm.direct.address }}
{{- else if eq .Values.external_resources.cm.connectivity "builtin" }}
{{- print "tsg-cm.tsg-os-system.svc" }}
{{- else }}
{{- print .Values.external_resources.cm.local_cache.cache_name "-redis-master.tsg-os-system.svc" }}
{{- end }}
{{- end -}}
{{- define "traffic-engine.global.cm.server-port" -}}
{{- if eq .Values.external_resources.cm.connectivity "direct" }}
{{- print .Values.external_resources.cm.direct.port }}
{{- else if eq .Values.external_resources.cm.connectivity "builtin" }}
{{- print "7002" }}
{{- else }}
{{- print "6379" }}
{{- end }}
{{- end -}}
{{- define "traffic-engine.global.sd.server-ip" -}}
{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }}
{{- if eq .Values.external_resources.sd.connectivity "direct" }}
{{- print .Values.external_resources.sd.direct.address }}
{{- else }}
{{- print .Values.external_resources.sd.local_cache.cache_name "-redis-master.tsg-os-system.svc" }}
{{- end }}
{{- end }}
{{- end -}}
{{- define "traffic-engine.global.sd.server-port" -}}
{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }}
{{- if eq .Values.external_resources.sd.connectivity "direct" }}
{{- print .Values.external_resources.sd.direct.port }}
{{- else }}
{{- print "6379" }}
{{- end }}
{{- end }}
{{- end -}}
{{- define "public.sync-host-timezone.volume" -}}
- name: localtime-volume
hostPath:
path: /etc/localtime
{{- end -}}
{{- define "public.sync-host-timezone.volume-mount" -}}
- name: localtime-volume
mountPath: /etc/localtime
readOnly: true
{{- end -}}
{{- define "public.license-support.dev-shm-volume" -}}
- name: dev-shm-volume
hostPath:
path: /dev/shm
{{- end -}}
{{- define "public.license-support.dev-shm-volume-mount" -}}
- name: dev-shm-volume
mountPath: /dev/shm
{{- end -}}
{{- define "public.license-support.dev-bus-usb-volume" -}}
- name: dev-bus-usb-node
hostPath:
path: /dev/bus/usb
{{- end -}}
{{- define "public.license-support.dev-bus-usb-volume-mount" -}}
- name: dev-bus-usb-node
mountPath: /dev/bus/usb
readOnly: true
{{- end -}}


@@ -1,11 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
vsysId: "{{ .Values.vsys_id }}"
serviceFunction: {{ .Release.Name }}
name: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources: ["services", "nodes"]
verbs: ["get", "list", "watch"]


@@ -1,15 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
vsysId: "{{ .Values.vsys_id }}"
serviceFunction: {{ .Release.Name }}
name: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}


@@ -1,23 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: firewall-{{ .Release.Name }}
namespace: default
data:
conflist.inf: {{ tpl (.Files.Get "conf/conflist.inf") . | quote }}
gdev.conf: {{ tpl (.Files.Get "conf/gdev.conf") . | quote }}
main.conf: {{ tpl (.Files.Get "conf/main.conf") . | quote }}
maat.conf: {{ tpl (.Files.Get "conf/maat.conf") . | quote }}
sapp.toml: {{ tpl (.Files.Get "conf/sapp.toml") . | quote }}
send_raw_pkt.conf: {{ tpl (.Files.Get "conf/send_raw_pkt.conf") . | quote }}
vlan_flipping_map.conf: {{ tpl (.Files.Get "conf/vlan_flipping_map.conf") . | quote }}
tsg_device_tag.json: {{ tpl (.Files.Get "conf/tsg_device_tag.json") . | quote }}
firewall.inf: {{ tpl (.Files.Get "conf/firewall.inf") . | quote }}
necessary_plug_list.conf: {{ tpl (.Files.Get "conf/necessary_plug_list.conf") . | quote }}
http_main.conf: {{ tpl (.Files.Get "conf/http_main.conf") . | quote }}
mail.conf: {{ tpl (.Files.Get "conf/mail.conf") . | quote }}
ssl_main.conf: {{ tpl (.Files.Get "conf/ssl_main.conf") . | quote }}
spec.toml: {{ tpl (.Files.Get "conf/spec.toml") . | quote }}
firewall_l7_protocol.conf: {{ tpl (.Files.Get "conf/firewall_l7_protocol.conf") . | quote }}
firewall_logger_transmitter_schema.json: {{ tpl (.Files.Get "conf/firewall_logger_transmitter_schema.json") . | quote }}
sapp_log.conf: {{ tpl (.Files.Get "conf/sapp_log.conf") . | quote }}


@@ -1,13 +0,0 @@
{{- if and (eq .Values.proxy.enable .Values.define_enable_val_yes) (ge (len .Values.tfe_affinity) 1) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: proxy-{{ .Release.Name }}
namespace: default
data:
tfe.conf: {{ tpl (.Files.Get "conf/tfe.conf") . | quote }}
cert_store.ini: {{ tpl (.Files.Get "conf/cert_store.ini") . | quote }}
tsg_device_tag.json: {{ tpl (.Files.Get "conf/tsg_device_tag.json") . | quote }}
certstore_log.conf: {{ tpl (.Files.Get "conf/certstore_log.conf") . | quote }}
tfe_log.conf: {{ tpl (.Files.Get "conf/tfe_log.conf") . | quote }}
{{- end }}


@@ -1,11 +0,0 @@
{{- if eq .Values.service_chaining.enable .Values.define_enable_val_yes }}
apiVersion: v1
kind: ConfigMap
metadata:
name: sce-{{ .Release.Name }}
namespace: default
data:
sce.conf: {{ tpl (.Files.Get "conf/sce.conf") . | quote }}
tsg_device_tag.json: {{ tpl (.Files.Get "conf/tsg_device_tag.json") . | quote }}
sce_log.conf: {{ tpl (.Files.Get "conf/sce_log.conf") . | quote }}
{{- end }}


@@ -1,11 +0,0 @@
{{- if eq .Values.shaping.enable .Values.define_enable_val_yes }}
apiVersion: v1
kind: ConfigMap
metadata:
name: shaping-{{ .Release.Name }}
namespace: default
data:
shaping.conf: {{ tpl (.Files.Get "conf/shaping.conf") . | quote }}
tsg_device_tag.json: {{ tpl (.Files.Get "conf/tsg_device_tag.json") . | quote }}
shaping_log.conf: {{ tpl (.Files.Get "conf/shaping_log.conf") . | quote }}
{{- end }}


@@ -1,309 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-firewall
labels:
app: {{ .Release.Name }}
component: firewall
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Release.Name }}-firewall
strategy:
type: Recreate
template:
metadata:
labels:
app: {{ .Release.Name }}-firewall
vsysId: "{{ .Values.vsys_id }}"
serviceFunction: {{ .Release.Name }}
component: firewall
{{- if eq .Values.dos_protector.enable .Values.define_enable_val_yes }}
dynamic-hostports: '8551.8552'
{{- end }}
annotations:
prometheus.io/port: "9010"
prometheus.io/scrape: "true"
spec:
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
serviceAccountName: {{ .Release.Name }}
containers:
- name: firewall
image: "registry.gdnt-cloud.website/tsg-firewall:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
workingDir: /opt/tsg/sapp
command:
- "bash"
- "-ec"
- |
ldconfig
{{- if eq .Values.dos_protector.enable .Values.define_enable_val_yes }}
{{- include "public.prepare-access-API" . | nindent 12 }}
until nslookup ${HOSTNAME}-8551.default.svc; do echo waiting for kubernetes service; sleep 2; done
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/${HOSTNAME}-8551 -o /tmp/service.txt
export CLUSTER_ANNOUNCE_PORT=$(cat /tmp/service.txt | jq '.spec.ports[] | .nodePort')
until nslookup ${HOSTNAME}-8552.default.svc; do echo waiting for kubernetes service; sleep 2; done
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/${HOSTNAME}-8552 -o /tmp/service.txt
export HEALTH_CHECK_ANNOUNCE_PORT=$(cat /tmp/service.txt | jq '.spec.ports[] | .nodePort')
echo "export CLUSTER_ANNOUNCE_PORT=${CLUSTER_ANNOUNCE_PORT}" > /etc/profile.d/announceinfo.sh
echo "export HEALTH_CHECK_ANNOUNCE_PORT=${HEALTH_CHECK_ANNOUNCE_PORT}" >> /etc/profile.d/announceinfo.sh
chmod 0755 /etc/profile.d/announceinfo.sh
sed -Ei -c "s|NODE_IP_LOCATION|${NODE_IP?}|g" /opt/tsg/sapp/tsgconf/main.conf
sed -Ei -c "s|CLUSTER_ANNOUNCE_PORT_LOCATION|${CLUSTER_ANNOUNCE_PORT?}|g" /opt/tsg/sapp/tsgconf/main.conf
sed -Ei -c "s|HEALTH_CHECK_ANNOUNCE_PORT_LOCATION|${HEALTH_CHECK_ANNOUNCE_PORT?}|g" /opt/tsg/sapp/tsgconf/main.conf
{{- end }}
{{- if eq .Values.debug.firewall.enable_prestart_script .Values.define_enable_val_yes }}
echo WARNING: PRESTART.sh is enable, the commands in PRESTART.sh is:
cat /opt/tsg/scripts/prestart.sh
chmod 0755 /opt/tsg/scripts/prestart.sh
source /opt/tsg/scripts/prestart.sh
echo PRESTART.sh has been exec......
{{- end }}
{{- if eq .Values.debug.firewall.enable_interactive_startup .Values.define_enable_val_yes }}
while true; do sleep 10;done
{{- else }}
exec /opt/tsg/sapp/sapp
{{- end }}
ports:
- containerPort: 51218
{{- if eq .Values.dos_protector.enable .Values.define_enable_val_yes }}
- containerPort: 8551
- containerPort: 8552
{{- end }}
env:
- name: DEPLOYMENT_NAME
value: {{ .Release.Name }}-firewall
- name: MRZCPD_CTRLMSG_LISTEN_ADDR
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: OVERRIDE_SLED_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
securityContext:
privileged: true
{{- if eq .Values.debug.firewall.enable_liveness_probe .Values.define_enable_val_yes }}
livenessProbe:
tcpSocket:
port: 51218
failureThreshold: 1
timeoutSeconds: 10
startupProbe:
tcpSocket:
port: 51218
failureThreshold: 90
periodSeconds: 10
{{- end }}
volumeMounts:
- name: journal-volume
mountPath: /run/systemd/journal
- name: shared-configs-volume
mountPath: "/opt/tsg/etc/tsg_sn.json"
subPath: "tsg_sn.json"
- name: shared-configs-volume
mountPath: "/opt/tsg/sapp/plug/conflist.inf"
subPath: "sapp/conflist.inf"
- name: shared-configs-volume
mountPath: "/opt/tsg/sapp/etc/gdev.conf"
subPath: "sapp/gdev.conf"
- name: shared-configs-volume
mountPath: "/opt/tsg/sapp/tsgconf/main.conf"
subPath: "sapp/main.conf"
- name: shared-configs-volume
mountPath: "/opt/tsg/sapp/tsgconf/maat.conf"
subPath: "sapp/maat.conf"
- name: shared-configs-volume
mountPath: "/opt/tsg/sapp/etc/sapp.toml"
subPath: "sapp/sapp.toml"
- name: shared-configs-volume
mountPath: "/opt/tsg/sapp/etc/send_raw_pkt.conf"
subPath: "sapp/send_raw_pkt.conf"
- name: shared-configs-volume
mountPath: "/opt/tsg/etc/tsg_device_tag.json"
subPath: "sapp/tsg_device_tag.json"
- name: shared-configs-volume
mountPath: "/opt/tsg/sapp/etc/vlan_flipping_map.conf"
subPath: "sapp/vlan_flipping_map.conf"
- name: shared-configs-volume
mountPath: "/opt/tsg/sapp/plug/business/firewall/firewall.inf"
subPath: "sapp/firewall.inf"
- name: shared-configs-volume
mountPath: "/opt/tsg/sapp/etc/necessary_plug_list.conf"
subPath: "sapp/necessary_plug_list.conf"
- name: shared-configs-volume
mountPath: "/opt/tsg/sapp/conf/http/http_main.conf"
subPath: "sapp/http_main.conf"
- name: shared-configs-volume
mountPath: "/opt/tsg/sapp/conf/mail/mail.conf"
subPath: "sapp/mail.conf"
- name: shared-configs-volume
mountPath: "/opt/tsg/sapp/conf/ssl/ssl_main.conf"
subPath: "sapp/ssl_main.conf"
- name: shared-configs-volume
mountPath: "/opt/tsg/sapp/stellar_plugin/spec.toml"
subPath: "sapp/spec.toml"
- name: shared-configs-volume
mountPath: "/opt/tsg/sapp/tsgconf/firewall_l7_protocol.conf"
subPath: "sapp/firewall_l7_protocol.conf"
- name: shared-configs-volume
mountPath: "/opt/tsg/sapp/tsgconf/firewall_logger_transmitter_schema.json"
subPath: "sapp/firewall_logger_transmitter_schema.json"
- name: shared-configs-volume
mountPath: "/opt/tsg/sapp/etc/sapp_log.conf"
subPath: "sapp/sapp_log.conf"
- name: firewall-log
mountPath: /opt/tsg/sapp/log
- name: metrics-json-dir
mountPath: "/opt/tsg/sapp/metrics"
{{- if eq .Values.debug.firewall.enable_prestart_script .Values.define_enable_val_yes }}
- name: prestart-dir
mountPath: /tmp/prestart
- name: firewall-prestart
mountPath: /opt/tsg/scripts/prestart.sh
{{- end }}
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
{{- if eq .Values.debug.firewall.enable_mount_host_filesystem .Values.define_enable_val_yes }}
- name: host-root
mountPath: /host
{{- end }}
{{- include "traffic-engine.mount.mrzcpd" . | nindent 8 }}
{{- include "public.license-support.dev-bus-usb-volume-mount" . | nindent 8 }}
{{- include "public.license-support.dev-shm-volume-mount" . | nindent 8 }}
- name: fieldstat-exporter
image: "registry.gdnt-cloud.website/tsg-firewall:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
ldconfig
python3 /opt/tsg/framework/bin/fieldstat_exporter.py prometheus -p 9010 -d /opt/tsg/sapp/metrics
ports:
- containerPort: 9010
securityContext:
privileged: true
livenessProbe:
tcpSocket:
port: 9010
failureThreshold: 1
timeoutSeconds: 10
startupProbe:
tcpSocket:
port: 9010
failureThreshold: 5
periodSeconds: 10
volumeMounts:
- name: metrics-json-dir
mountPath: "/opt/tsg/sapp/metrics"
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
initContainers:
- name: init-default-svc
image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
until nslookup kubernetes.default.svc; do echo waiting for kubernetes service; sleep 2; done
- name: init-packet-io-engine-ready
image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
until [ $(curl -s -o /dev/null -w "%{http_code}" http://${NODE_IP}:9086/probe) -eq 200 ]; do echo waiting for packet-io-engine ready; sleep 2; done
env:
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: firewall-init
image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
cp -r /opt/tsg/configs/* /opt/tsg/shared-configs/
{{- include "public.prepare-access-API" . | nindent 12 }}
{{- include "public.serialize-node-annotations" . | nindent 12 }}
securityContext:
privileged: true
env:
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- name: shared-configs-volume
mountPath: /opt/tsg/shared-configs
- name: firewall-configs-volume
mountPath: /opt/tsg/configs/sapp
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
volumes:
- name: journal-volume
hostPath:
path: /run/systemd/journal
type: Directory
- name: firewall-configs-volume
configMap:
name: firewall-{{ .Release.Name }}
- name: shared-configs-volume
emptyDir: {}
- name: metrics-json-dir
emptyDir: {}
- name: firewall-log
hostPath:
path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/sapp/
{{- if eq .Values.debug.firewall.enable_prestart_script .Values.define_enable_val_yes }}
- name: prestart-dir
hostPath:
path: /etc/tsg-os/{{ .Release.Name }}/
type: DirectoryOrCreate
- name: firewall-prestart
hostPath:
{{- if .Values.debug.firewall.prestart_script }}
path: {{ .Values.debug.firewall.prestart_script }}
{{- else }}
path: /etc/tsg-os/{{ .Release.Name }}/firewall_prestart_script.sh
{{- end }}
type: FileOrCreate
{{- end }}
{{- include "traffic-engine.volume.mrzcpd" . | nindent 6 }}
{{- include "public.sync-host-timezone.volume" . | nindent 6 }}
{{- if eq .Values.debug.firewall.enable_mount_host_filesystem .Values.define_enable_val_yes }}
- name: host-root
hostPath:
path: /
{{- end }}
{{- include "public.license-support.dev-bus-usb-volume" . | nindent 6 }}
{{- include "public.license-support.dev-shm-volume" . | nindent 6 }}


@@ -1,358 +0,0 @@
{{- if and (eq .Values.proxy.enable .Values.define_enable_val_yes) (ge (len .Values.tfe_affinity) 1) }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-proxy
labels:
app: {{ .Release.Name }}
component: proxy
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Release.Name }}-proxy
strategy:
type: Recreate
template:
metadata:
labels:
app: {{ .Release.Name }}-proxy
vsysId: "{{ .Values.vsys_id }}"
serviceFunction: {{ .Release.Name }}
component: proxy
annotations:
prometheus.io/port: "9003"
prometheus.io/scrape: "true"
spec:
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
serviceAccountName: {{ .Release.Name }}
containers:
- name: proxy
image: "registry.gdnt-cloud.website/tsg-proxy:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
workingDir: /opt/tsg/tfe
command:
- "bash"
- "-ec"
- |
ldconfig
{{- if eq .Values.debug.proxy.enable_prestart_script .Values.define_enable_val_yes }}
echo WARNING: PRESTART.sh is enable, the commands in PRESTART.sh is:
cat /opt/tsg/scripts/prestart.sh
chmod 0755 /opt/tsg/scripts/prestart.sh
source /opt/tsg/scripts/prestart.sh
echo PRESTART.sh has been exec......
{{- end }}
{{- if eq .Values.debug.proxy.enable_interactive_startup .Values.define_enable_val_yes }}
while true; do sleep 10;done
{{- else }}
exec /opt/tsg/tfe/bin/tfe
{{- end }}
ports:
- containerPort: 9001
env:
- name: DEPLOYMENT_NAME
value: {{ .Release.Name }}-proxy
- name: MRZCPD_CTRLMSG_LISTEN_ADDR
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: OVERRIDE_SLED_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
securityContext:
privileged: true
{{- if eq .Values.debug.proxy.enable_liveness_probe .Values.define_enable_val_yes }}
livenessProbe:
tcpSocket:
port: 9001
failureThreshold: 1
timeoutSeconds: 10
startupProbe:
tcpSocket:
port: 9001
failureThreshold: 30
periodSeconds: 10
{{- end }}
volumeMounts:
- name: journal-volume
mountPath: /run/systemd/journal
- name: shared-configs-volume
mountPath: "/opt/tsg/etc/tsg_sn.json"
subPath: "tsg_sn.json"
- name: shared-configs-volume
mountPath: "/opt/tsg/tfe/conf/tfe/tfe.conf"
subPath: "proxy/tfe.conf"
- name: shared-configs-volume
mountPath: "/opt/tsg/etc/tsg_device_tag.json"
subPath: "proxy/tsg_device_tag.json"
- name: shared-configs-volume
mountPath: "/opt/tsg/tfe/conf/tfe/zlog.conf"
subPath: "proxy/tfe_log.conf"
- name: proxy-log
mountPath: /opt/tsg/tfe/log
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
{{- if eq .Values.debug.proxy.enable_prestart_script .Values.define_enable_val_yes }}
- name: prestart-dir
mountPath: /tmp/prestart
- name: proxy-prestart
mountPath: /opt/tsg/scripts/prestart.sh
{{- end }}
{{- if eq .Values.debug.proxy.enable_mount_host_filesystem .Values.define_enable_val_yes }}
- name: host-root
mountPath: /host
{{- end }}
{{- include "traffic-engine.mount.mrzcpd" . | nindent 8 }}
{{- include "public.license-support.dev-bus-usb-volume-mount" . | nindent 8 }}
- name: certstore
image: "registry.gdnt-cloud.website/tsg-certstore:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
workingDir: /opt/tsg/certstore
command:
- "bash"
- "-ec"
- |
exec /opt/tsg/certstore/bin/certstore
securityContext:
privileged: true
ports:
- containerPort: 9002
env:
- name: OVERRIDE_SLED_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
volumeMounts:
- name: shared-configs-volume
mountPath: "/opt/tsg/etc/tsg_sn.json"
subPath: "tsg_sn.json"
- name: shared-configs-volume
mountPath: "/opt/tsg/certstore/conf/cert_store.ini"
subPath: "proxy/cert_store.ini"
- name: shared-configs-volume
mountPath: "/opt/tsg/etc/tsg_device_tag.json"
subPath: "proxy/tsg_device_tag.json"
- name: shared-configs-volume
mountPath: "/opt/tsg/certstore/conf/zlog.conf"
subPath: "proxy/certstore_log.conf"
- name: certstore-log
mountPath: /opt/tsg/certstore/logs
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
- name: cert-redis
image: "registry.gdnt-cloud.website/tsg-certstore:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command: ["/usr/bin/redis-server", "/etc/cert-redis.conf"]
securityContext:
privileged: true
volumeMounts:
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
- name: merged-exporter
image: "quay.io/rebuy/exporter-merger:v0.2.0"
imagePullPolicy: Never
env:
- name: MERGER_URLS
value: http://127.0.0.1:9001/metrics http://127.0.0.1:9002/metrics
- name: MERGER_PORT
value: "9003"
ports:
- containerPort: 9003
initContainers:
- name: init-default-svc
image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
until nslookup kubernetes.default.svc; do echo waiting for kubernetes service; sleep 2; done
- name: init-packet-io-engine-ready
image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
until [ $(curl -s -o /dev/null -w "%{http_code}" http://${NODE_IP}:9086/probe) -eq 200 ]; do echo waiting for packet-io-engine ready; sleep 2; done
env:
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: proxy-init
image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ecx"
- |
mount -o remount,rw /sys
# disable rpfilter
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.default.rp_filter=0
# fs
sysctl -w fs.file-max=1048576
sysctl -w net.core.somaxconn=131072
# tcp options about TIME_WAIT
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_tw_reuse=1
sysctl -w net.ipv4.tcp_max_tw_buckets=4096
sysctl -w net.ipv4.tcp_max_syn_backlog=131072
# bbr
sysctl -w net.ipv4.tcp_congestion_control=bbr
# tcp feature
sysctl -w net.ipv4.tcp_ecn=0
sysctl -w net.ipv4.tcp_sack=1
sysctl -w net.ipv4.tcp_timestamps=1
# disable tcp windows scaling for kernel bugs
sysctl -w net.ipv4.tcp_window_scaling=0
ip tuntap add dev tap0 mode tap multi_queue
/usr/sbin/ip link set tap0 address fe:65:b7:03:50:bd
/usr/sbin/ip link set tap0 up
/usr/sbin/ip addr flush dev tap0
/usr/sbin/ip addr add 172.16.241.2/30 dev tap0
/usr/sbin/ip neigh flush dev tap0
/usr/sbin/ip neigh add 172.16.241.1 lladdr 00:0e:c6:d6:72:c1 dev tap0 nud permanent
/usr/sbin/ip6tables -A INPUT -i tap0 -m bpf --bytecode '17,48 0 0 0,84 0 0 240,21 0 13 96,48 0 0 6,21 0 11 6,40 0 0 4,37 0 9 24,48 0 0 52,84 0 0 240,116 0 0 2,53 0 5 24,48 0 0 60,21 0 3 88,48 0 0 61,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
/usr/sbin/iptables -A INPUT -i tap0 -m bpf --bytecode '18,48 0 0 0,84 0 0 240,21 0 14 64,48 0 0 9,21 0 12 6,40 0 0 6,69 10 0 8191,177 0 0 0,80 0 0 12,84 0 0 240,116 0 0 2,53 0 5 24,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
/usr/sbin/ip rule add iif tap0 tab 100
/usr/sbin/ip route add local default dev lo table 100
/usr/sbin/ip rule add fwmark 0x65 lookup 101
/usr/sbin/ip route add default dev tap0 via 172.16.241.1 table 101
/usr/sbin/ip addr add fd00::02/64 dev tap0
/usr/sbin/ip -6 route add default via fd00::01
/usr/sbin/ip -6 rule add iif tap0 tab 102
/usr/sbin/ip -6 route add local default dev lo table 102
/usr/sbin/ip -6 neigh add fd00::01 lladdr 00:0e:c6:d6:72:c1 dev tap0 nud permanent
#decrypted traffic steering
/usr/sbin/ip tuntap add dev tap_c mode tap multi_queue
/usr/sbin/ip tuntap add dev tap_s mode tap multi_queue
/usr/sbin/ip link set tap_c address 80:61:5f:0f:97:e5
/usr/sbin/ip link set tap_s address 80:61:5f:0f:97:e6
/usr/sbin/ip link set tap_c up
/usr/sbin/ip link set tap_s up
/usr/sbin/ethtool --offload tap_c rx off tx off
/usr/sbin/ethtool --offload tap_s rx off tx off
/usr/sbin/ip link set tap_c up
/usr/sbin/ip link set tap_s up
/usr/sbin/ip addr flush dev tap_c
/usr/sbin/ip addr flush dev tap_s
/usr/sbin/ip addr add 2.2.2.2/24 dev tap_c
/usr/sbin/ip addr add 3.3.3.3/24 dev tap_s
/usr/sbin/ip -4 neigh flush dev tap_c
/usr/sbin/ip -4 neigh flush dev tap_s
/usr/sbin/ip -4 neigh add 2.2.2.1 lladdr 80:61:5f:0f:97:e6 dev tap_c nud permanent
/usr/sbin/ip -4 neigh add 3.3.3.1 lladdr 80:61:5f:0f:97:e5 dev tap_s nud permanent
/usr/sbin/ip -4 rule add fwmark 0x11 lookup 111
/usr/sbin/ip -4 rule add fwmark 0x22 lookup 222
/usr/sbin/ip -4 route add default dev tap_c via 2.2.2.1 table 111
/usr/sbin/ip -4 route add default dev tap_s via 3.3.3.1 table 222
/usr/sbin/ip -4 rule add iif tap_c tab 100
/usr/sbin/ip -4 rule add iif tap_s tab 100
/usr/sbin/ip addr add fd02::02/64 dev tap_c
/usr/sbin/ip addr add fd03::03/64 dev tap_s
/usr/sbin/ip -6 neigh flush dev tap_c
/usr/sbin/ip -6 neigh flush dev tap_s
/usr/sbin/ip -6 neigh add fd02::01 lladdr 80:61:5f:0f:97:e6 dev tap_c nud permanent
/usr/sbin/ip -6 neigh add fd03::01 lladdr 80:61:5f:0f:97:e5 dev tap_s nud permanent
/usr/sbin/ip -6 rule add fwmark 0x11 lookup 333
/usr/sbin/ip -6 rule add fwmark 0x22 lookup 444
/usr/sbin/ip -6 route add default dev tap_c via fd02::01 table 333
/usr/sbin/ip -6 route add default dev tap_s via fd03::01 table 444
/usr/sbin/ip -6 rule add iif tap_c tab 102
/usr/sbin/ip -6 rule add iif tap_s tab 102
cp -r /opt/tsg/configs/* /opt/tsg/shared-configs/
{{ include "public.prepare-access-API" . | nindent 12 }}
{{- include "public.serialize-node-annotations" . | nindent 12 }}
sed -Ei -c "s|DEVICE_ID_PLACE_HOLDER_MARK|${DEVICE_SN?}|g" /opt/tsg/shared-configs/proxy/tfe.conf
securityContext:
privileged: true
env:
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- name: shared-configs-volume
mountPath: /opt/tsg/shared-configs
- name: proxy-configs-volume
mountPath: /opt/tsg/configs/proxy
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
volumes:
- name: journal-volume
hostPath:
path: /run/systemd/journal
type: Directory
- name: proxy-configs-volume
configMap:
name: proxy-{{ .Release.Name }}
- name: shared-configs-volume
emptyDir: {}
- name: proxy-log
hostPath:
path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/tfe/
- name: certstore-log
hostPath:
path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/certstore/
{{- include "traffic-engine.volume.mrzcpd" . | nindent 6 }}
{{- include "public.sync-host-timezone.volume" . | nindent 6 }}
{{- if eq .Values.debug.proxy.enable_prestart_script .Values.define_enable_val_yes }}
- name: prestart-dir
hostPath:
path: /etc/tsg-os/{{ .Release.Name }}/
type: DirectoryOrCreate
- name: proxy-prestart
hostPath:
{{- if .Values.debug.proxy.prestart_script }}
path: {{ .Values.debug.proxy.prestart_script }}
{{- else }}
path: /etc/tsg-os/{{ .Release.Name }}/proxy_prestart_script.sh
{{- end }}
type: FileOrCreate
{{- end }}
{{- if eq .Values.debug.proxy.enable_mount_host_filesystem .Values.define_enable_val_yes }}
- name: host-root
hostPath:
path: /
{{- end }}
{{- include "public.license-support.dev-bus-usb-volume" . | nindent 6 }}
{{- end }}


@@ -1,255 +0,0 @@
{{- if eq .Values.service_chaining.enable .Values.define_enable_val_yes }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-sce
labels:
app: {{ .Release.Name }}
component: service-chaining
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Release.Name }}-service-chaining
strategy:
type: Recreate
template:
metadata:
labels:
app: {{ .Release.Name }}-service-chaining
vsysId: "{{ .Values.vsys_id }}"
serviceFunction: {{ .Release.Name }}
component: service-chaining
annotations:
prometheus.io/port: "9006"
prometheus.io/scrape: "true"
spec:
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
serviceAccountName: {{ .Release.Name }}
containers:
- name: sce
image: "registry.gdnt-cloud.website/tsg-sce:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
workingDir: /opt/tsg/sce
command:
- "bash"
- "-ec"
- |
ldconfig
{{- if eq .Values.debug.service_chaining.enable_prestart_script .Values.define_enable_val_yes }}
echo WARNING: PRESTART.sh is enable, the commands in PRESTART.sh is:
cat /opt/tsg/scripts/prestart.sh
chmod 0755 /opt/tsg/scripts/prestart.sh
source /opt/tsg/scripts/prestart.sh
echo PRESTART.sh has been exec......
{{- end }}
{{- if eq .Values.debug.service_chaining.enable_interactive_startup .Values.define_enable_val_yes }}
while true; do sleep 10;done
{{- else }}
exec /opt/tsg/sce/bin/sce
{{- end }}
ports:
- containerPort: 9006
env:
- name: DEPLOYMENT_NAME
value: {{ .Release.Name }}-service-chaining
- name: MRZCPD_CTRLMSG_LISTEN_ADDR
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: OVERRIDE_SLED_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
securityContext:
privileged: true
{{- if eq .Values.debug.service_chaining.enable_liveness_probe .Values.define_enable_val_yes }}
livenessProbe:
tcpSocket:
port: 9006
failureThreshold: 1
timeoutSeconds: 10
startupProbe:
tcpSocket:
port: 9006
failureThreshold: 30
periodSeconds: 10
{{- end }}
volumeMounts:
- name: journal-volume
mountPath: /run/systemd/journal
- name: shared-configs-volume
mountPath: "/opt/tsg/etc/tsg_sn.json"
subPath: "tsg_sn.json"
- name: shared-configs-volume
mountPath: "/opt/tsg/sce/conf/sce.conf"
subPath: "sce/sce.conf"
- name: shared-configs-volume
mountPath: "/opt/tsg/etc/tsg_device_tag.json"
subPath: "sce/tsg_device_tag.json"
- name: shared-configs-volume
mountPath: "/opt/tsg/sce/conf/zlog.conf"
subPath: "sce/sce_log.conf"
- name: sce-log
mountPath: /opt/tsg/sce/log
- name: bfdd-unix-socket
mountPath: /run/frr
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
{{- if eq .Values.debug.service_chaining.enable_prestart_script .Values.define_enable_val_yes }}
- name: prestart-dir
mountPath: /tmp/prestart
- name: service-chaining-prestart
mountPath: /opt/tsg/scripts/prestart.sh
{{- end }}
{{- if eq .Values.debug.service_chaining.enable_mount_host_filesystem .Values.define_enable_val_yes }}
- name: host-root
mountPath: /host
{{- end }}
{{- include "traffic-engine.mount.mrzcpd" . | nindent 8 }}
- name: bfdd
image: "registry.gdnt-cloud.website/tsg-bfdd:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
workingDir: /opt/tsg/bfdd
command:
- "bash"
- "-ec"
- |
exec /opt/tsg/bfdd/bin/bfdd -u root -g root
env:
- name: MRZCPD_CTRLMSG_LISTEN_ADDR
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: OVERRIDE_SLED_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
securityContext:
privileged: true
volumeMounts:
- name: shared-configs-volume
mountPath: "/opt/tsg/etc/tsg_sn.json"
subPath: "tsg_sn.json"
- name: bfdd-log
mountPath: /opt/tsg/bfdd/log
- name: bfdd-unix-socket
mountPath: /run/frr
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
initContainers:
- name: init-default-svc
image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
until nslookup kubernetes.default.svc; do echo waiting for kubernetes service; sleep 2; done
- name: init-packet-io-engine-ready
image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
until [ $(curl -s -o /dev/null -w "%{http_code}" http://${NODE_IP}:9086/probe) -eq 200 ]; do echo waiting for packet-io-engine ready; sleep 2; done
env:
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: service-chaining-init
image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ecx"
- |
cp -r /opt/tsg/configs/* /opt/tsg/shared-configs/
{{- include "public.prepare-access-API" . | nindent 12 }}
{{- include "public.serialize-node-annotations" . | nindent 12 }}
sed -Ei -c "s|DEVICE_ID_PLACE_HOLDER_MARK|${DEVICE_SN?}|g" /opt/tsg/shared-configs/sce/sce.conf
{{- if .Values.sce_config.vxlan_config.endpoint_nic }}
ip tuntap add dev {{ .Values.sce_config.vxlan_config.endpoint_nic }} mode tap
ip link set dev {{ .Values.sce_config.vxlan_config.endpoint_nic }} up
ip route add {{ .Values.sce_config.vxlan_config.endpoint_netip }}/{{ .Values.sce_config.vxlan_config.endpoint_mask }} dev {{ .Values.sce_config.vxlan_config.endpoint_nic }} table 10
{{- if .Values.sce_config.vxlan_config.endpoint_gateway }}
ip route add default via {{ .Values.sce_config.vxlan_config.endpoint_gateway }} table 10
{{- end }}
ip a a {{ .Values.sce_config.vxlan_config.endpoint_ip }}/{{ .Values.sce_config.vxlan_config.endpoint_mask }} dev {{ .Values.sce_config.vxlan_config.endpoint_nic }} noprefixroute
ip rule add dport 3784 table 10
iptables -t mangle -A PREROUTING -p udp --dport 3784 -j TTL --ttl-set 255
{{- end }}
securityContext:
privileged: true
env:
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- name: shared-configs-volume
mountPath: /opt/tsg/shared-configs
- name: sce-configs-volume
mountPath: /opt/tsg/configs/sce
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
volumes:
- name: journal-volume
hostPath:
path: /run/systemd/journal
type: Directory
- name: sce-configs-volume
configMap:
name: sce-{{ .Release.Name }}
- name: shared-configs-volume
emptyDir: {}
- name: sce-log
hostPath:
path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/sce/
- name: bfdd-log
hostPath:
path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/bfdd/
- name: bfdd-unix-socket
emptyDir: {}
{{- include "traffic-engine.volume.mrzcpd" . | nindent 6 }}
{{- include "public.sync-host-timezone.volume" . | nindent 6 }}
{{- if eq .Values.debug.service_chaining.enable_prestart_script .Values.define_enable_val_yes }}
- name: prestart-dir
hostPath:
path: /etc/tsg-os/{{ .Release.Name }}/
type: DirectoryOrCreate
- name: service-chaining-prestart
hostPath:
{{- if .Values.debug.service_chaining.prestart_script }}
path: {{ .Values.debug.service_chaining.prestart_script }}
{{- else }}
path: /etc/tsg-os/{{ .Release.Name }}/service_chaining_prestart_script.sh
{{- end }}
type: FileOrCreate
{{- end }}
{{- if eq .Values.debug.service_chaining.enable_mount_host_filesystem .Values.define_enable_val_yes }}
- name: host-root
hostPath:
path: /
{{- end }}
{{- end }}


@@ -1,264 +0,0 @@
{{- if eq .Values.shaping.enable .Values.define_enable_val_yes }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-shaping
labels:
app: {{ .Release.Name }}
component: shaping
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Release.Name }}-shaping
strategy:
type: Recreate
template:
metadata:
labels:
app: {{ .Release.Name }}-shaping
vsysId: "{{ .Values.vsys_id }}"
serviceFunction: {{ .Release.Name }}
component: shaping
dynamic-hostports: '8551.8552'
annotations:
prometheus.io/port: "9007"
prometheus.io/scrape: "true"
spec:
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
serviceAccountName: {{ .Release.Name }}
containers:
- name: shaping
image: "registry.gdnt-cloud.website/tsg-shaping:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
workingDir: /opt/tsg/shaping_engine
command:
- "bash"
- "-ec"
- |
ldconfig
{{- include "public.prepare-access-API" . | nindent 12 }}
until nslookup ${MY_POD_NAME}-8551.default.svc; do echo waiting for kubernetes service; sleep 2; done
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/${MY_POD_NAME}-8551 -o /tmp/service.txt
export CLUSTER_ANNOUNCE_PORT=$(cat /tmp/service.txt | jq '.spec.ports[] | .nodePort')
until nslookup ${MY_POD_NAME}-8552.default.svc; do echo waiting for kubernetes service; sleep 2; done
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/${MY_POD_NAME}-8552 -o /tmp/service.txt
export HEALTH_CHECK_ANNOUNCE_PORT=$(cat /tmp/service.txt | jq '.spec.ports[] | .nodePort')
echo "export CLUSTER_ANNOUNCE_PORT=${CLUSTER_ANNOUNCE_PORT}" > /etc/profile.d/announceinfo.sh
echo "export HEALTH_CHECK_ANNOUNCE_PORT=${HEALTH_CHECK_ANNOUNCE_PORT}" >> /etc/profile.d/announceinfo.sh
chmod 0755 /etc/profile.d/announceinfo.sh
sed -Ei -c "s|NODE_IP_LOCATION|${NODE_IP?}|g" /opt/tsg/shaping_engine/conf/shaping.conf
sed -Ei -c "s|CLUSTER_ANNOUNCE_PORT_LOCATION|${CLUSTER_ANNOUNCE_PORT?}|g" /opt/tsg/shaping_engine/conf/shaping.conf
sed -Ei -c "s|HEALTH_CHECK_ANNOUNCE_PORT_LOCATION|${HEALTH_CHECK_ANNOUNCE_PORT?}|g" /opt/tsg/shaping_engine/conf/shaping.conf
{{- if eq .Values.debug.shaping.enable_prestart_script .Values.define_enable_val_yes }}
echo WARNING: PRESTART.sh is enable, the commands in PRESTART.sh is:
cat /opt/tsg/scripts/prestart.sh
chmod 0755 /opt/tsg/scripts/prestart.sh
source /opt/tsg/scripts/prestart.sh
echo PRESTART.sh has been exec......
{{- end }}
{{- if eq .Values.debug.shaping.enable_interactive_startup .Values.define_enable_val_yes }}
while true; do sleep 10;done
{{- else }}
exec /opt/tsg/shaping_engine/bin/shaping_engine
{{- end }}
ports:
- containerPort: 8551
- containerPort: 8552
env:
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: DEPLOYMENT_NAME
value: {{ .Release.Name }}-shaping
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: MRZCPD_CTRLMSG_LISTEN_ADDR
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: OVERRIDE_SLED_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{- if eq .Values.debug.shaping.enable_liveness_probe .Values.define_enable_val_yes }}
livenessProbe:
tcpSocket:
port: 8552
failureThreshold: 1
timeoutSeconds: 10
startupProbe:
tcpSocket:
port: 8552
failureThreshold: 30
periodSeconds: 10
{{- end }}
securityContext:
privileged: true
volumeMounts:
- name: journal-volume
mountPath: /run/systemd/journal
- name: shared-configs-volume
mountPath: "/opt/tsg/etc/tsg_sn.json"
subPath: "tsg_sn.json"
- name: shared-configs-volume
mountPath: "/opt/tsg/shaping_engine/conf/shaping.conf"
subPath: "shaping/shaping.conf"
- name: shared-configs-volume
mountPath: "/opt/tsg/etc/tsg_device_tag.json"
subPath: "shaping/tsg_device_tag.json"
- name: shared-configs-volume
mountPath: "/opt/tsg/shaping_engine/conf/zlog.conf"
subPath: "shaping/shaping_log.conf"
- name: shaping-log
mountPath: /opt/tsg/shaping_engine/log
- name: metrics-json-dir
mountPath: "/opt/tsg/shaping_engine/metric"
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
{{- if eq .Values.debug.shaping.enable_prestart_script .Values.define_enable_val_yes }}
- name: prestart-dir
mountPath: /tmp/prestart
- name: shaping-prestart
mountPath: /opt/tsg/scripts/prestart.sh
{{- end }}
{{- if eq .Values.debug.shaping.enable_mount_host_filesystem .Values.define_enable_val_yes }}
- name: host-root
mountPath: /host
{{- end }}
{{- include "traffic-engine.mount.mrzcpd" . | nindent 8 }}
- name: fieldstat-exporter
image: "registry.gdnt-cloud.website/tsg-shaping:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
ldconfig
python3 /opt/tsg/framework/bin/fieldstat_exporter.py prometheus -p 9007 -d /opt/tsg/shaping_engine/metric
ports:
- containerPort: 9007
securityContext:
privileged: true
livenessProbe:
tcpSocket:
port: 9007
failureThreshold: 1
timeoutSeconds: 10
startupProbe:
tcpSocket:
port: 9007
failureThreshold: 5
periodSeconds: 10
volumeMounts:
- name: metrics-json-dir
mountPath: "/opt/tsg/shaping_engine/metric"
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
initContainers:
- name: init-default-svc
image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
until nslookup kubernetes.default.svc; do echo waiting for kubernetes service; sleep 2; done
- name: init-packet-io-engine-ready
image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
until [ $(curl -s -o /dev/null -w "%{http_code}" http://${NODE_IP}:9086/probe) -eq 200 ]; do echo waiting for packet-io-engine ready; sleep 2; done
env:
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: shaping-init
image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ecx"
- |
cp -r /opt/tsg/configs/* /opt/tsg/shared-configs/
{{- include "public.prepare-access-API" . | nindent 12 }}
{{- include "public.serialize-node-annotations" . | nindent 12 }}
sed -Ei -c "s|DEVICE_ID_PLACE_HOLDER_MARK|${DEVICE_SN?}|g" /opt/tsg/shared-configs/shaping/shaping.conf
securityContext:
privileged: true
env:
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- name: shared-configs-volume
mountPath: /opt/tsg/shared-configs
- name: shaping-configs-volume
mountPath: /opt/tsg/configs/shaping
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
volumes:
- name: journal-volume
hostPath:
path: /run/systemd/journal
type: Directory
- name: shaping-configs-volume
configMap:
name: shaping-{{ .Release.Name }}
- name: shared-configs-volume
emptyDir: {}
- name: metrics-json-dir
emptyDir: {}
- name: shaping-log
hostPath:
path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/shaping_engine/
{{- include "traffic-engine.volume.mrzcpd" . | nindent 6 }}
{{- include "public.sync-host-timezone.volume" . | nindent 6 }}
{{- if eq .Values.debug.shaping.enable_prestart_script .Values.define_enable_val_yes }}
- name: prestart-dir
hostPath:
path: /etc/tsg-os/{{ .Release.Name }}/
type: DirectoryOrCreate
- name: shaping-prestart
hostPath:
{{- if .Values.debug.shaping.prestart_script }}
path: {{ .Values.debug.shaping.prestart_script }}
{{- else }}
path: /etc/tsg-os/{{ .Release.Name }}/shaping_prestart_script.sh
{{- end }}
type: FileOrCreate
{{- end }}
{{- if eq .Values.debug.shaping.enable_mount_host_filesystem .Values.define_enable_val_yes }}
- name: host-root
hostPath:
path: /
{{- end }}
{{- end }}


@@ -1,8 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
vsysId: "{{ .Values.vsys_id }}"
serviceFunction: {{ .Release.Name }}
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}


@@ -1,256 +0,0 @@
external_resources:
cm:
## @param external_resources.cm.connection value in [direct, local_cache], default: direct
##
connectivity: direct
direct:
address: 10.X.X.X
port: 7002
local_cache:
cache_name: tsg_traffic_cm_local_cache_1
port_num: 1
sd:
## @param external_resources.cm.connection value in [direct, local_cache], default: local_cache
##
enable: no
connectivity: direct
db_index: 0
policy_effect_interval_ms: 100
policy_garbage_collection_interval_ms: 30000
policy_update_check_interval_ms: 100
direct:
address: 10.1.1.1
port: 7002
local_cache:
cache_name: tsg_traffic_sd_local_cache_1
olap:
kafka_brokers:
sasl_username:
sasl_password:
addresses:
- address:
port:
udp_collectors:
enable: no
addresses:
- address:
port:
device:
tags:
- key1: value1
- key2: value2
session_id_generator:
snowflake_worker_id_base: 1
snowflake_worker_id_offset: 1
firewall:
enable: yes
enable_smartoffload: no
logs:
enable: yes
contains_app_id:
enable: yes
contains_dns_resource_record:
enable: yes
ringbuf:
size: 100000
appsketch:
enable: yes
qdpi_detector: yes
context_based_detector: yes
transaction_record:
enable_http: yes
enable_dns: yes
enable_mail: yes
session_record:
enable: yes
file_stream_record:
enable: yes
session_manager:
tcp_session_max: 20021
tcp_session_unordered_pkt_max: 128
tcp_session_timeout_in_sec: 30
udp_session_timeout_in_sec: 60
tcp_session_opening_timeout_in_sec: 60
tcp_session_closing_timeout_in_sec: 30
udp_session_max: 5021
tcp_duplicated_packet_filter: yes
udp_duplicated_packet_filter: yes
inject_duplicated_packet_filter: yes
traffic_mirror:
enable_raw_traffic: yes
enable_decrypted_traffic: yes
packet_capture:
enable: yes
proxy:
enable: yes
voip_record:
enable_sip: yes
enable_rtp: yes
overload_protection:
enable: yes
detect_interval_in_ms: 500
detect_smooth_avg_window: 2
detect_threshold_cpu_usages: 90
recovery_detect_cycle_in_sec: 30
vsys_id: 1
etherfabric_settings:
keepalive:
ip: 10.254.19.1
mask: 255.255.255.0
sapp_affinity: [5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76]
tfe_affinity: [77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92]
sce_affinity: [92]
shaping_affinity: [93]
pktio_affinity: [94]
inject_adapter_affinity: [95]
tfe_rps_mask: "00000000"
nic_policy_log_name: eth0
nic_raw_name: eth0
nic_mirror_name:
firewall: eth0
proxy: eth0
define_enable_val_yes: yes
define_enable_val_no: no
coredump:
format: "minidump"
collect: "local"
sentry_url: "www.testing.com"
session_id_generator:
snowflake_worker_id_base: 1
snowflake_worker_id_offset: 1
decoders:
DNS: yes
QUIC: yes
HTTP: yes
HTTP_GZIP: yes
MAIL: yes
MAIL_BASE64: yes
FTP: yes
SSL: yes
SSL_CERT: yes
SSL_JA3: yes
RTP: yes
SIP: yes
SSH: yes
SOCKS: yes
STRATUM: yes
RDP: yes
DTLS: yes
SSL_DETAIN_FRAG_CHELLO: no
configHash: "defaulthash"
shaping:
enable: no
inject_adapter:
enable: yes
service_chaining:
enable: yes
sce_config:
steering_nic: nf_0_sce
vxlan_config:
endpoint_nic: ep_0_sce_l3
endpoint_ip: 127.0.0.1
endpoint_gateway: 127.0.0.1
endpoint_netip: 127.0.0.1
endpoint_mask: 24
vlan_config:
endpoint_nic: ep_0_sce_l2
proxy_config:
proxy_nic: nf_1_proxy
sid:
firewall: 1000
proxy: 1001
sce: 1002
shaping: 1003
inject_adapter: 1064
shaping_config:
shaping_nic: nf_1_shaping_engine
inject_adapter_config:
inject_adapter_nic: nf_1_shaping_engine
app_symbol_index: 1
distmode: 2
debug:
firewall:
enable_liveness_probe: yes
enable_interactive_startup: no
enable_prestart_script: no
enable_mount_host_filesystem: no
#default: /etc/tsg-os/${service_function_name}/firewall_prestart_script.sh
prestart_script: ""
proxy:
enable_liveness_probe: yes
enable_interactive_startup: no
enable_prestart_script: no
enable_mount_host_filesystem: no
#default: /etc/tsg-os/${service_function_name}/proxy_prestart_script.sh
prestart_script: ""
service_chaining:
enable_liveness_probe: yes
enable_interactive_startup: no
enable_prestart_script: no
enable_mount_host_filesystem: no
#default: /etc/tsg-os/${service_function_name}/service_chaining_prestart_script.sh
prestart_script: ""
shaping:
enable_liveness_probe: yes
enable_interactive_startup: no
enable_prestart_script: no
enable_mount_host_filesystem: no
#default: /etc/tsg-os/${service_function_name}/shaping_prestart_script.sh
prestart_script: ""
inject_adapter:
enable_liveness_probe: yes
enable_interactive_startup: no
enable_prestart_script: no
enable_mount_host_filesystem: no
#default: /etc/tsg-os/${service_function_name}/shaping_prestart_script.sh
prestart_script: ""
session_flags:
enable: yes
dos_protector:
enable: no
stat_policy_enforcer:
enable: yes
traffic_sketch:
enable: yes
policy_sketch:
enable: yes