Kuralamudhan Ramakrishnan [Thu, 3 Dec 2020 04:27:51 +0000 (20:27 -0800)]
adding validation and end2end test results
Signed-off-by: Kuralamudhan R <kuralamudhan.ramakrishnan@intel.com>
Change-Id: I43bacb5a9769d6c45689f042371eee3e92dce6d5
Kuralamudhan Ramakrishnan [Thu, 3 Dec 2020 03:59:42 +0000 (19:59 -0800)]
adding markdown fixes
Signed-off-by: Kuralamudhan R <kuralamudhan.ramakrishnan@intel.com>
Change-Id: I20ceb6ae8961344585be165602da2111907c65dc
Kuralamudhan Ramakrishnan [Thu, 3 Dec 2020 03:51:00 +0000 (19:51 -0800)]
update readme
Signed-off-by: Kuralamudhan R <kuralamudhan.ramakrishnan@intel.com>
Change-Id: I9b7e25ba79a6d340c328aed4607bd7acbea84499
Kuralamudhan Ramakrishnan [Thu, 3 Dec 2020 02:47:00 +0000 (18:47 -0800)]
adding contributing documents
Signed-off-by: Kuralamudhan R <kuralamudhan.ramakrishnan@intel.com>
Change-Id: I556ec1a67f3051cbfee2fbf39320a66a59c485ca
Huifeng Le [Tue, 1 Dec 2020 02:45:10 +0000 (02:45 +0000)]
Merge "Add api-server SNAT rule and enable forward"
Le Yao [Fri, 27 Nov 2020 05:54:11 +0000 (05:54 +0000)]
Fix helm issue from v2 to v3
Update the scripts to use helm v3
Signed-off-by: Le Yao <le.yao@intel.com>
Change-Id: I79496e1a92e00a9ce60ceac789e81f007dd208c0
Le Yao [Wed, 18 Nov 2020 06:28:22 +0000 (06:28 +0000)]
Add api-server SNAT rule and enable forward
Add the SNAT rule for api-server
Enable net.ipv4.ip_forward in CNF
Signed-off-by: Le Yao <le.yao@intel.com>
Change-Id: If31a6d8070d922a1f3e70bb94f85f349b3682379
Huifeng Le [Fri, 30 Oct 2020 08:19:07 +0000 (08:19 +0000)]
Merge "Add OpenAPI definition for Central Controller"
Huifeng Le [Thu, 29 Oct 2020 06:41:34 +0000 (06:41 +0000)]
Merge "Update the firewall restart script"
Huifeng Le [Thu, 29 Oct 2020 06:37:19 +0000 (06:37 +0000)]
Merge "Service CR implementation"
Huifeng Le [Thu, 29 Oct 2020 06:29:22 +0000 (14:29 +0800)]
Add OpenAPI definition for Central Controller
Signed-off-by: Huifeng Le <huifeng.le@intel.com>
Change-Id: Id4cd1ff4e53b2435aa30a116495f88931983a053
Huifeng Le [Tue, 13 Oct 2020 02:18:11 +0000 (02:18 +0000)]
Merge "Implement Service RESTful API for hub"
Yao Le [Thu, 17 Sep 2020 04:25:47 +0000 (04:25 +0000)]
Implement Service RESTful API for hub
The API handles service POST, GET and DELETE call
Signed-off-by: Yao Le <le.yao@intel.com>
Change-Id: I2e75f1ae0d7a33b58c620f5637b36994fecc7381
Yao Le [Sun, 27 Sep 2020 08:29:44 +0000 (08:29 +0000)]
Service CR implementation
When applying a Service CR, the controller will call service RESTful API
to configure iptables in CNF.
Signed-off-by: Yao Le <le.yao@intel.com>
Change-Id: Ifb645c7d0712b9719a72c09623cba9f7fe778459
Yao Le [Mon, 21 Sep 2020 03:08:44 +0000 (03:08 +0000)]
Update the firewall restart script
Get the service IP and configuration
Config the service iptables NAT rules
Signed-off-by: Yao Le <le.yao@intel.com>
Change-Id: I74bd5236f4e56ea9d20e7eee6d4210e1ab04e0c0
Huifeng Le [Wed, 23 Sep 2020 08:31:57 +0000 (16:31 +0800)]
Add license header
Change-Id: I10c93df1a3be146a1c0e3c1eb717bdfa368d3e09
Signed-off-by: Huifeng Le <huifeng.le@intel.com>
Ruoyu [Wed, 5 Aug 2020 07:26:43 +0000 (15:26 +0800)]
Minor updates for cnf
* Update the configmap for cnf
* Change default values set for dpd
* Add length check for zone name
Change-Id: Ic0d8fcca36aca2f712354ed3c03ae0e7ae961b43
Signed-off-by: Ruoyu <ruoyu.ying@intel.com>
Yao Le [Tue, 4 Aug 2020 03:16:11 +0000 (03:16 +0000)]
A service controller integrated with the watch
A watch to monitor the changes of the service cluster IP and restart the
firewall in CNF.
A controller to hold the watch function and monitor the potential CRs.
Signed-off-by: Yao Le <le.yao@intel.com>
Change-Id: I46e08e0403debd03e7f6bf7bf16507a0760382b7
Ruoyu [Thu, 23 Jul 2020 01:48:01 +0000 (09:48 +0800)]
Minor changes for Istio configuration
* Apply minor changes for remote access to Istio ingress
Change-Id: I650e57041c317fcf91c674b4ed4fd93ef3cb30df
Huifeng Le [Mon, 20 Jul 2020 06:45:27 +0000 (06:45 +0000)]
Merge "Support e2e test thru CRs"
Ruoyu [Sun, 28 Jun 2020 05:22:40 +0000 (13:22 +0800)]
Support e2e test thru CRs
* Installing the CNF and the controller with helm charts
* Applying the firewall and IPsec configs thru CRs
* Adding default policies to enable remote access to api server and Istio ingress
Issue-ID: ICN-390
Change-Id: I7c5ca03829ad1a7c3c90bc4edb5921ec60d4e530
Signed-off-by: Ruoyu <ruoyu.ying@intel.com>
chengli3 [Wed, 1 Jul 2020 00:22:18 +0000 (00:22 +0000)]
Update sdewan readme file
Marking the cnf watching task as finished
Signed-off-by: chengli3 <cheng1.li@intel.com>
Change-Id: I81451b4a5aea38d27f1969d9852fb96775eb5516
Yao Le [Wed, 17 Jun 2020 08:40:10 +0000 (08:40 +0000)]
Apply the watch function to all controllers
Add the necessary watch for all CRs and the associated CNFs
Signed-off-by: Yao Le <le.yao@intel.com>
Change-Id: I52e53afbdcc4034820a6db90c6dd2502b8e31692
Cheng Li [Wed, 17 Jun 2020 05:43:48 +0000 (05:43 +0000)]
Merge "Add watch for CR and CNF"
Cheng Li [Wed, 17 Jun 2020 02:53:22 +0000 (02:53 +0000)]
Merge "Add CRD for IpsecSite"
root [Tue, 16 Jun 2020 09:09:49 +0000 (09:09 +0000)]
Add CRD for IpsecSite
* Add changes for another IPSec crd: IpsecSite
Issue-ID: ICN-289
Change-Id: I9c76c28ec22640b0089e0bc097a316af68b6fd19
Signed-off-by: Ruoyu <ruoyu.ying@intel.com>
Ruoyu [Thu, 4 Jun 2020 13:23:02 +0000 (21:23 +0800)]
Upgrade k8s version in e2e script
Issue-ID: ICN-314
Signed-off-by: Ruoyu<ruoyu.ying@intel.com>
Change-Id: I0878e5451a05ce0ffad2a99bd53247c1c670a93a
Yao Le [Thu, 4 Jun 2020 16:13:27 +0000 (00:13 +0800)]
Add watch for CR and CNF
Watch the CNF status and push the related CR requests to queue.
Signed-off-by: Yao Le <le.yao@intel.com>
Change-Id: Id3adaf68b860efefdb00ffe5620aef11b9aa787f
chengli3 [Fri, 12 Jun 2020 08:33:30 +0000 (08:33 +0000)]
Prevent updating CNF and CR sdewanpurpose label
In sdewan, we use label 'sdewanpurpose' to identify a cnf and to match
with CRs. Updating the cnf sdewanpurpose label value means deleting the old
cnf and creating a new cnf. But K8s can only receive an "UPDATE" event,
reconcile can only get the current info of the CNF, no previous label
value. So it can't remove the old rules.
This patch is to prevent updating CNF and CR sdewanpurpose label for
simplicity.
Signed-off-by: chengli3 <cheng1.li@intel.com>
Change-Id: I75b7d400981f3103b02c9d73f68d8b62db7da899
Cheng Li [Mon, 15 Jun 2020 07:24:15 +0000 (07:24 +0000)]
Merge "Add CRD for IpsecHost"
Ruoyu [Tue, 9 Jun 2020 00:37:18 +0000 (08:37 +0800)]
Add CRD for IpsecHost
* Contains changes on IpsecHost
- Add CR for IpsecHost
- Add support for 'mark' in /etc/init.d/ipsec
- Change the 'Site' to 'Remote' in rest api calls
Issue-ID: ICN-289
Change-Id: I1f07f1f8f5fdf62f082829fdedf09a7504414611
Signed-off-by: Ruoyu <ruoyu.ying@intel.com>
Cheng Li [Fri, 12 Jun 2020 02:23:45 +0000 (02:23 +0000)]
Merge "Lookup pod by owner instead of label"
Cheng Li [Tue, 9 Jun 2020 07:47:34 +0000 (07:47 +0000)]
Merge "Add CRD for IPSec Proposal"
Yao Le [Fri, 29 May 2020 07:01:37 +0000 (07:01 +0000)]
Add missing error messages
Report the 'Pod no IP' issues
Signed-off-by: Yao Le <le.yao@intel.com>
Change-Id: Ieaf2997ca0ed1bd1f167d9d5f8c77cb43ab3fb45
chengli3 [Mon, 8 Jun 2020 03:10:21 +0000 (03:10 +0000)]
Lookup pod by owner instead of label
Currently, CNF is represented by deployment. It means that one CNF is
one deployment with special label name `SdewanPurpose`. We use
"Deployment" + "label" to identify a CNF.
To apply rules for CNF, we first need to find out the pods and then
extract their IP addresses. It makes more sense to find pod by its owner
deployment/replicaset, than using the label match. Because the pod label
may not be the same as the deployment's.
Signed-off-by: chengli3 <cheng1.li@intel.com>
Change-Id: I4174e502c7d50d48f47d61622380e57922b5cf32
Ruoyu [Tue, 2 Jun 2020 01:03:22 +0000 (09:03 +0800)]
Add CRD for IPSec Proposal
* Contains changes for IPSec Proposal
Issue-ID: ICN-289
Change-Id: I31e9effe6d132b9fa82f9ed9bd478255579cc476
Signed-off-by: Ruoyu <ruoyu.ying@intel.com>
Cheng Li [Thu, 4 Jun 2020 07:28:43 +0000 (07:28 +0000)]
Merge "Implement the firewall group CRDs and Controllers"
Ruoyu [Wed, 6 May 2020 23:51:54 +0000 (07:51 +0800)]
Add ipsec dependencies for sdewan cnf
Issue-ID: ICN-355
Change-Id: I742318febe768f988edcf237b3d8171e3b607a7b
Signed-off-by: Ruoyu <ruoyu.ying@intel.com>
Cheng Li [Thu, 28 May 2020 05:51:09 +0000 (05:51 +0000)]
Merge "webhook: add bucket permission system"
chengli3 [Thu, 28 May 2020 03:01:51 +0000 (03:01 +0000)]
Implement the firewall group CRDs and Controllers
This patch implements the firewall groups CRDs/Controllers:
- firewallzones
- firewallrules
- firewallforwardings
- firewallsnat
- firewalldnat
After these firewall* CRDs, we will implement ipsec group CRDs
Signed-off-by: chengli3 <cheng1.li@intel.com>
Change-Id: I4a792b97771e82776aaa455ad550546eb7a09f92
chengli3 [Wed, 6 May 2020 10:37:09 +0000 (10:37 +0000)]
webhook: add bucket permission system
K8s supports permission control on namespace level. For example, user1 may
be able to create/update/delete one kind of resource(e.g. pod) in
namespace ns1, but not namespace ns2. For Sdewan, this can't fit our
requirement. We want label level control of Sdewan rule CRs. For
example, user_onap can create/update/delete Mwan3Rule CR of label
sdewan-bucket-type=app-intent, but not label sdewan-bucket-type=basic.
To enable label based permission validation for sdewan CRs, this patch
parses Annotations["sdewan-bucket-type-permission"] in role and clusterrole.
In the meantime, sdewan CR Labels.sdewan-bucket-type is also parsed.
We compare role/clusterrole Annotations["sdewan-bucket-type-permission"]
and sdewan CR Labels.sdewan-bucket-type to decide if the
user/serviceaccount has the permission to create/update/delete the CR.
- We grant group "system:master" all the permissions
- We support wildcard match of the permissions
Change-Id: I644f4d3c4efc18fba4cb45cb808301a6895c70e9
Signed-off-by: chengli3 <cheng1.li@intel.com>
Kuralamudhan Ramakrishnan [Wed, 27 May 2020 00:07:10 +0000 (00:07 +0000)]
Merge "Add e2e test scripts for sdewan"
Ruoyu [Mon, 18 May 2020 12:37:52 +0000 (20:37 +0800)]
Add e2e test scripts for sdewan
* Add three vagrant vms to setup env
Three vms are created for edge-a, edge-b and sdewan-hub.
Each with a separate cluster.
* Add test scripts for the e2e IPSec scenario
Establish tunnels between edge and sdewan-hub and test the connections
between two applications reside in edge-a and edge-b.
Issue-ID: ICN-314
Change-Id: I0cb8d9d251f0f1cd8ad4c5d58b60e99809c02d0b
Signed-off-by: Ruoyu <ruoyu.ying@intel.com>
chengli3 [Tue, 26 May 2020 05:29:01 +0000 (05:29 +0000)]
Add jq and bash pkg for openwrt image
jq and bash pkgs are used by openwrt entrypoint script. So we need to
install these packages when building image.
Signed-off-by: chengli3 <cheng1.li@intel.com>
Change-Id: I737d88b28189e000aae517276d42a506292dc316
chengli3 [Thu, 14 May 2020 03:18:36 +0000 (03:18 +0000)]
Extract common functions and implement mwan3rule
As we will have several crd/controllers, they have almost the same
reconcile logic. So we extract the common logic and make them as
functions. Controllers call these functions instead of code duplication.
This patch extracts common functions and implements the mwan3rule
crd/controller.
Signed-off-by: chengli3 <cheng1.li@intel.com>
Change-Id: Ie9fe7ddcac6700605dbcb48ed9d88f96981b898a
chengli3 [Wed, 22 Apr 2020 02:50:41 +0000 (02:50 +0000)]
Runnable framework with Mwan3Policy implemented
We are going to implement many rule CRDs/controllers. They are
mwan3policy, mwan3rule, firewallzone, firewallrule, etc.
This patch is the first one which constructs the sdewan controller
framework with Mwan3Policy implemented.
The design is located on the wiki page[1]. The development framework is
described in the README.md under platform/crd-ctrlr.
[1] https://wiki.akraino.org/display/AK/Sdewan+config+Agent
Signed-off-by: chengli3 <cheng1.li@intel.com>
Change-Id: I7cf3b34ece8756c80969c99d9ab8c7383c43ea53
chengli3 [Wed, 22 Apr 2020 02:37:53 +0000 (02:37 +0000)]
Remove old sdewan controller code
As we re-design/re-implement the sdewan controller, new controller code
will be checked in soon. I would like to remove the old controller code,
so that the reviewers can focus on the new implementation regardless of
the old version.
Signed-off-by: chengli3 <cheng1.li@intel.com>
Change-Id: If4915a57e568d6dd9c5fcf4b82a7c9867ae9c32e
Huifeng Le [Tue, 21 Apr 2020 02:26:08 +0000 (10:26 +0800)]
SDEWAN folder restructure
Restructure sdewan solution folders.
Signed-off-by: Huifeng Le <huifeng.le@intel.com>
Change-Id: I6ac8e1bfc8e92e1bdd36d523ffd048c6c77d4e89
Huifeng Le [Tue, 17 Mar 2020 06:21:46 +0000 (14:21 +0800)]
SDEWAN API update
update SDEWAN Rest API with plural format
Signed-off-by: Huifeng Le <huifeng.le@intel.com>
Change-Id: I83eb6ff24e4bb571162eb0a42df798da01ced7da
Huifeng Le [Tue, 10 Mar 2020 03:34:36 +0000 (03:34 +0000)]
Merge "SDEWAN CNF Rest API support"
Cheng Li [Fri, 6 Mar 2020 08:47:45 +0000 (08:47 +0000)]
Merge "Fix sdewan reconcile trigger"
chengli3 [Fri, 6 Mar 2020 08:38:06 +0000 (08:38 +0000)]
Fix sdewan reconcile trigger
When mwan3Conf changes, the mwan3Conf controller updates the sdewan
instance status to trigger the sdewan reconcile. Before this patch, we
update only the status field `IsApplied=false`. It could happen that the
field `IsApplied` was already false, if this is the case sdewan
reconcile will not be triggered. Because the sdewan CR is not changed.
This patch is to add another field in sdewan status, to make sure sdewan
reconcile is triggered once the mwan3Conf changes.
Signed-off-by: chengli3 <cheng1.li@intel.com>
Change-Id: I8f01733c373326b9167342118fd166834a7a8c45
chengli3 [Fri, 6 Mar 2020 03:38:09 +0000 (11:38 +0800)]
Visit openwrt api with namespace suffix
openwrt api requests are sent from the sdewan controller pod. As
the controller namespace may be different from the openwrt pod.
We add the namespace suffix so that the controller can always resolve
the openwrt svc.
Signed-off-by: chengli3 <cheng1.li@intel.com>
Change-Id: I49c62ecda5d2a22e1feaaf717cfa411d4ba01b05
chengli3 [Tue, 3 Mar 2020 07:18:46 +0000 (15:18 +0800)]
Remove deploy directory
Deploy directory was added by mistake. This patch is to delete the
deploy directory.
Signed-off-by: chengli3 <cheng1.li@intel.com>
Change-Id: I1e5fddde37821eadb43f46f325a79346a5c11cd9
Huifeng Le [Thu, 27 Feb 2020 13:44:44 +0000 (21:44 +0800)]
SDEWAN CNF Rest API support
Add SDEWAN Rest API implementation for Service, Mwan3, Firewall and IPSec,
API design can be found at:
IPSec: https://wiki.akraino.org/display/AK/IPSec+Design#IPSecDesign
Service/Mwan3/Firewall: https://wiki.akraino.org/display/AK/SDEWAN+CNF
Signed-off-by: Huifeng Le <huifeng.le@intel.com>
Change-Id: I649305d27ab6f0de9f57ff4411a9f4b1267cf504
chengli3 [Wed, 19 Feb 2020 14:30:06 +0000 (22:30 +0800)]
Add Sdewan Mwan3Conf CRD and controller
The sdewan operator is developed under kubebuilder framework
We define two CRDs in this patch: Sdewan and Mwan3Conf
Sdewan defines the CNF base info, which node we should deploy the CNF
on, which network should the CNF use with multus CNI, etc.
The Mwan3Conf defines the mwan3 rules. In the next step, we are going to
develop the firewall and the ipsec functions. Mwan3Conf is validated by
k8s api admission webhook.
For each created Sdewan instance, the controller creates a pod, a
configmap and a service for the instance. The pod runs openwrt which
provides network services, i.e. sdwan, firewall, ipsec etc.
The configmap stores the network interface information and the
entrypoint.sh.
The network interface information has the following format:
```
[
  {
    "name": "ovn-priv-net",
    "isProvider": false,
    "interface": "net0",
    "defaultGateway": false
  }
]
```
The service created by the controller is used for openwrt api access.
We call this svc to apply rules, get openwrt info, restart openwrt
service.
After the openwrt pod is ready, the Sdewan controller applies the configured
mwan3 rules.
mwan3 rule details are configured in Mwan3Conf CR, which is referenced
by Sdewan.Spec.Mwan3Conf
Every time the Mwan3Conf instance changes, the controller re-applies the
new rules by calling openwrt api. We can also change the rule reference at
the runtime.
Signed-off-by: chengli3 <cheng1.li@intel.com>
Change-Id: Ic6fa4e8c61da5a560d69f749cd40d8f3b9320e81
chengli3 [Tue, 11 Feb 2020 11:13:01 +0000 (19:13 +0800)]
Add .gitreview
Add .gitreview so that the developers can setup with `git review -s`
Change-Id: I9a9e44faecf5190518c5796b8b96e27c31ad6aa5