networkservicemesh · MarinaShustowa · Jun 23, 2022 · Jun 24, 2022 · Jun 24, 2022 · Jun 24, 2022
diff --git a/examples/nsm_consul/.gitignore b/examples/nsm_consul/.gitignore
@@ -0,0 +1,2 @@
+!**/kustomization.yaml
+!**/patch-*.yaml
diff --git a/examples/nsm_consul/README.md b/examples/nsm_consul/README.md
@@ -0,0 +1,70 @@
+# NSM + Consul interdomain example over kind clusters
+
+This example show how Consul can be used over nsm 
+
+
+## Requires
+
+- [Load balancer](../nsm_istio/loadbalancer)
+- [Interdomain DNS](../nsm_istio/dns)
+- [Interdomain spire](../nsm_istio/spire)
+- [Interdomain nsm](../nsm_istio/nsm)
+
+
+## Run
+
+Install Consul for the second cluster:
+```bash
+brew tap hashicorp/tap
+brew install hashicorp/tap/consul-k8s
+consul-k8s install -config-file=helm-consul-values.yaml -set global.image=hashicorp/consul:1.12.0 --kubeconfig=$KUBECONFIG2
+```
+
+### Verify NSM+CONSUL
+
+Install networkservice for the second cluster::
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 apply -f networkservice.yaml
+```
+
+Start `alpine` networkservicemesh client for the first cluster:
+
+```bash
+kubectl --kubeconfig=$KUBECONFIG1 apply -f client/client.yaml
+```
+
+Create kubernetes service for the networkservicemesh endpoint:
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 apply -f service.yaml 
+```
+
+Start `auto-scale` networkservicemesh endpoint:
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 apply -k nse-auto-scale 
+```
+
+Install `static-server` Consul workload on the second cluster:
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 apply -f server/static-server.yaml 
+```
+
+Verify connection from networkservicemesh client to consul server:
+```bash
+kubectl --kubeconfig=$KUBECONFIG1 exec -it alpine-nsc -- apk add curl
+kubectl --kubeconfig=$KUBECONFIG1 exec -it alpine-nsc -- curl 172.16.1.2:8080
+```
+
+You should see "hello world" answer.
+
+## Cleanup
+
+
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 delete deployment static-server
+kubectl --kubeconfig=$KUBECONFIG2 delete -k nse-auto-scale 
+kubectl --kubeconfig=$KUBECONFIG1 delete -f client/client.yaml
+kubectl --kubeconfig=$KUBECONFIG2 delete -f networkservice.yaml
+consul-k8s uninstall --kubeconfig=$KUBECONFIG2 -auto-approve=true -wipe-data=true
+kubectl --kubeconfig=$KUBECONFIG2 delete pods --all
+kind delete clusters cluster-1 cluster-2
+```
diff --git a/examples/nsm_consul/client/client.yaml b/examples/nsm_consul/client/client.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: alpine-nsc
+  labels:
+    app: alpine-nsc
+  annotations:
+    networkservicemesh.io: kernel://[email protected]/nsm-1?app=alpine-nsc
+spec:
+  containers:
+  - name: alpine-nsc
+    image: alpine:3.15.0
+    imagePullPolicy: IfNotPresent
+    stdin: true
+    tty: true
diff --git a/examples/nsm_consul/helm-consul-values.yaml b/examples/nsm_consul/helm-consul-values.yaml
@@ -0,0 +1,10 @@
+---
+global:
+  name: consul
+  datacenter: dc1
+server:
+  replicas: 1
+connectInject:
+  enabled: true
+  transparentProxy:
+    defaultEnabled: false
diff --git a/examples/nsm_consul/kind-cluster-config.yaml b/examples/nsm_consul/kind-cluster-config.yaml
@@ -0,0 +1,6 @@
+---
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+  - role: control-plane
+  - role: worker
diff --git a/examples/nsm_consul/networkservice.yaml b/examples/nsm_consul/networkservice.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: networkservicemesh.io/v1
+kind: NetworkService
+metadata:
+  name: autoscale-consul-proxy
+  namespace: nsm-system
+spec:
+  payload: IP
+  matches:
+    - source_selector:
+      fallthrough: true
+      routes:
+        - destination_selector:
+            podName: "{{ .podName }}"
+    - source_selector:
+      routes:
+        - destination_selector:
+            any: "true"
diff --git a/examples/nsm_consul/nse-auto-scale/iptables-map b/examples/nsm_consul/nse-auto-scale/iptables-map
@@ -0,0 +1 @@
+-I PREROUTING 1 -p tcp -i {{ .NsmInterfaceName }} -j DNAT --to-destination 127.0.0.1
diff --git a/examples/nsm_consul/nse-auto-scale/kustomization.yaml b/examples/nsm_consul/nse-auto-scale/kustomization.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+- https://github.com/networkservicemesh/deployments-k8s/apps/nse-supplier-k8s?ref=b4bddacfa45fafb7c15a769a1fc0f319e63d6a8d
+
+patchesStrategicMerge:
+- patch-supplier.yaml
+
+configMapGenerator:
+  - name: supplier-pod-template-configmap
+    files:
+      - pod-template.yaml
+  - name: iptables-map
+    files:
+      - iptables-map
+
+generatorOptions:
+  disableNameSuffixHash: true
diff --git a/examples/nsm_consul/nse-auto-scale/patch-supplier.yaml b/examples/nsm_consul/nse-auto-scale/patch-supplier.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nse-supplier-k8s
+spec:
+  template:
+    metadata:
+      annotations:
+        'consul.hashicorp.com/connect-inject': 'false'
+    spec:
+      containers:
+        - name: nse-supplier
+          env:
+            - name: NSM_SERVICE_NAME
+              value: autoscale-consul-proxy
+            - name: NSM_LABELS
+              value: any:true
+            - name: NSM_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: NSM_POD_DESCRIPTION_FILE
+              value: /run/supplier/pod-template.yaml
+          volumeMounts:
+            - name: pod-file
+              mountPath: /run/supplier
+              readOnly: true
+      volumes:
+        - name: pod-file
+          configMap:
+            name: supplier-pod-template-configmap
diff --git a/examples/nsm_consul/nse-auto-scale/pod-template.yaml b/examples/nsm_consul/nse-auto-scale/pod-template.yaml
@@ -0,0 +1,76 @@
+---
+apiVersion: apps/v1
+kind: Pod
+metadata:
+  name: proxy-{{ index .Labels "podName" }}
+  labels:
+    app: proxy-{{ index .Labels "podName" }}
+    "spiffe.io/spiffe-id": "true"
+  annotations:
+    'consul.hashicorp.com/connect-inject': 'true'
+    'consul.hashicorp.com/connect-service-upstreams': 'static-server:8080'
+spec:
+  restartPolicy: Never
+  containers:
+    - name: nse
+      image: ghcr.io/networkservicemesh/ci/cmd-nse-l7-proxy:32fbf26
+      imagePullPolicy: IfNotPresent
+      securityContext:
+        privileged: true
+      env:
+        - name: SPIFFE_ENDPOINT_SOCKET
+          value: unix:///run/spire/sockets/agent.sock
+        - name: NSM_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAME
+          value: {{ index .Labels "podName" }}
+        - name: NSM_CONNECT_TO
+          value: unix:///var/lib/networkservicemesh/nsm.io.sock
+        - name: NSM_CIDR_PREFIX
+          value: 172.16.1.2/31
+        - name: NSM_SERVICE_NAMES
+          value: autoscale-consul-proxy
+        - name: NSM_LABELS
+          value: app:{{ index .Labels "app" }}
+        - name: NSM_IDLE_TIMEOUT
+          value: 240s
+        - name: NSM_LOG_LEVEL
+          value: TRACE
+        - name: NSM_RULES_CONFIG
+          value: iptables-map
+      volumeMounts:
+        - name: spire-agent-socket
+          mountPath: /run/spire/sockets
+          readOnly: true
+        - name: nsm-socket
+          mountPath: /var/lib/networkservicemesh
+          readOnly: true
+        - name: iptables-config-map
+          mountPath: /iptables-map
+      resources:
+        limits:
+          memory: 40Mi
+          cpu: 150m
+    - name: proxy-alpine-nsc
+      image: hashicorp/http-echo:latest
+      args:
+        - -text="hello world from nse"
+        - -listen=:9090
+      ports:
+        - containerPort: 9090
+          name: http
+  serviceAccountName: proxy-alpine-nsc
+  volumes:
+    - name: spire-agent-socket
+      hostPath:
+        path: /run/spire/sockets
+        type: Directory
+    - name: nsm-socket
+      hostPath:
+        path: /var/lib/networkservicemesh
+        type: DirectoryOrCreate
+    - name: iptables-config-map
+      configMap:
+        name: iptables-map
diff --git a/examples/nsm_consul/server/static-server.yaml b/examples/nsm_consul/server/static-server.yaml
@@ -0,0 +1,48 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  # This name will be the service name in Consul.
+  name: static-server
+spec:
+  selector:
+    app: static-server
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 8080
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: static-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: static-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: static-server
+  template:
+    metadata:
+      name: static-server
+      labels:
+        app: static-server
+      annotations:
+        'consul.hashicorp.com/connect-inject': 'true'
+        'consul.hashicorp.com/connect-service-upstreams': 'proxy-alpine-nsc:9090'
+    spec:
+      containers:
+        - name: static-server
+          image: hashicorp/http-echo:latest
+          args:
+            - -text="hello world"
+            - -listen=:8080
+          ports:
+            - containerPort: 8080
+              name: http
+      # If ACLs are enabled, the serviceAccountName must match the Consul service name.
+      serviceAccountName: static-server
diff --git a/examples/nsm_consul/service.yaml b/examples/nsm_consul/service.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: proxy-alpine-nsc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: proxy-alpine-nsc
+spec:
+  selector:
+    app: proxy-alpine-nsc
+  ports:
+    - protocol: TCP
+      port: 9090
+      targetPort: 9090
diff --git a/examples/nsm_istio/nse-auto-scale/iptables-map b/examples/nsm_istio/nse-auto-scale/iptables-map
@@ -0,0 +1,9 @@
+-N NSM_PREROUTE,
+-A NSM_PREROUTE -j ISTIO_REDIRECT,
+-I PREROUTING 1 -p tcp -i {{ .NsmInterfaceName }} -j NSM_PREROUTE,
+-N NSM_OUTPUT,
+-A NSM_OUTPUT -j DNAT --to-destination {{ index .NsmSrcIPs 0 }},
+-A OUTPUT -p tcp -s 127.0.0.6 -j NSM_OUTPUT,
+-N NSM_POSTROUTING,
+-A NSM_POSTROUTING -j SNAT --to-source {{ index .NsmDstIPs 0 }},
+-A POSTROUTING -p tcp -o {{ .NsmInterfaceName }} -j NSM_POSTROUTING
diff --git a/examples/nsm_istio/nse-auto-scale/kustomization.yaml b/examples/nsm_istio/nse-auto-scale/kustomization.yaml
@@ -12,6 +12,9 @@ configMapGenerator:
   - name: supplier-pod-template-configmap
     files:
       - pod-template.yaml
+  - name: iptables-map
+    files:
+      - iptables-map
 
 generatorOptions:
   disableNameSuffixHash: true
diff --git a/examples/nsm_istio/nse-auto-scale/pod-template.yaml b/examples/nsm_istio/nse-auto-scale/pod-template.yaml
@@ -11,7 +11,7 @@ spec:
   restartPolicy: Never
   containers:
     - name: nse
-      image: ghcr.io/networkservicemesh/ci/cmd-nse-istio-proxy:c26db55
+      image: ghcr.io/networkservicemesh/ci/cmd-nse-l7-proxy:32fbf26
       imagePullPolicy: IfNotPresent
       env:
         - name: SPIFFE_ENDPOINT_SOCKET
@@ -34,13 +34,17 @@ spec:
           value: 240s
         - name: NSM_LOG_LEVEL
           value: TRACE
+        - name: NSM_RULES_CONFIG
+          value: iptables-map
       volumeMounts:
         - name: spire-agent-socket
           mountPath: /run/spire/sockets
           readOnly: true
         - name: nsm-socket
           mountPath: /var/lib/networkservicemesh
           readOnly: true
+        - name: iptables-config-map
+          mountPath: /iptables-map
       resources:
         limits:
           memory: 40Mi
@@ -54,3 +58,6 @@ spec:
       hostPath:
         path: /var/lib/networkservicemesh
         type: DirectoryOrCreate
+    - name: iptables-config-map
+      configMap:
+        name: iptables-map
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		-I PREROUTING 1 -p tcp -i {{ .NsmInterfaceName }} -j DNAT --to-destination 127.0.0.1