diff --git a/examples/basic_interdomain/README.md b/examples/basic_interdomain/README.md
new file mode 100644
index 000000000000..e5bdae99944b
--- /dev/null
+++ b/examples/basic_interdomain/README.md
@@ -0,0 +1,16 @@
+# Basic examples
+
+Contain basic setup for NSM that includes `nsmgr`, `forwarder-vpp`, `registry-k8s`. This setup can be used to check mechanisms combination or some kind of NSM [features](../features).
+
+## Requires
+
+- [Load balancer](./loadbalancer)
+- [Interdomain DNS](./dns)
+- [Interdomain spire](./spire)
+- [Interdomain nsm](./nsm)
+
+
+## Includes
+
+- [NSM Istio](../nsm_istio)
+- [Kernel to Kernel Connection](../nsm_consul)
diff --git a/examples/nsm_istio/dns/README.md b/examples/basic_interdomain/dns/README.md
similarity index 100%
rename from examples/nsm_istio/dns/README.md
rename to examples/basic_interdomain/dns/README.md
diff --git a/examples/nsm_istio/loadbalancer/README.md b/examples/basic_interdomain/loadbalancer/README.md
similarity index 100%
rename from examples/nsm_istio/loadbalancer/README.md
rename to examples/basic_interdomain/loadbalancer/README.md
diff --git a/examples/nsm_istio/nsm/README.md b/examples/basic_interdomain/nsm/README.md
similarity index 100%
rename from examples/nsm_istio/nsm/README.md
rename to examples/basic_interdomain/nsm/README.md
diff --git a/examples/nsm_istio/nsm/cluster1/kustomization.yaml b/examples/basic_interdomain/nsm/cluster1/kustomization.yaml
similarity index 100%
rename from examples/nsm_istio/nsm/cluster1/kustomization.yaml
rename to examples/basic_interdomain/nsm/cluster1/kustomization.yaml
diff --git a/examples/nsm_istio/nsm/cluster1/namespace.yaml b/examples/basic_interdomain/nsm/cluster1/namespace.yaml
similarity index 100%
rename from examples/nsm_istio/nsm/cluster1/namespace.yaml
rename to examples/basic_interdomain/nsm/cluster1/namespace.yaml
diff --git a/examples/nsm_istio/nsm/cluster1/patch-nsmgr-proxy.yaml b/examples/basic_interdomain/nsm/cluster1/patch-nsmgr-proxy.yaml
similarity index 100%
rename from examples/nsm_istio/nsm/cluster1/patch-nsmgr-proxy.yaml
rename to examples/basic_interdomain/nsm/cluster1/patch-nsmgr-proxy.yaml
diff --git a/examples/nsm_istio/nsm/cluster1/patch-registry-proxy-dns.yaml b/examples/basic_interdomain/nsm/cluster1/patch-registry-proxy-dns.yaml
similarity index 100%
rename from examples/nsm_istio/nsm/cluster1/patch-registry-proxy-dns.yaml
rename to examples/basic_interdomain/nsm/cluster1/patch-registry-proxy-dns.yaml
diff --git a/examples/nsm_istio/nsm/cluster1/patch-registry.yaml b/examples/basic_interdomain/nsm/cluster1/patch-registry.yaml
similarity index 100%
rename from examples/nsm_istio/nsm/cluster1/patch-registry.yaml
rename to examples/basic_interdomain/nsm/cluster1/patch-registry.yaml
diff --git a/examples/nsm_istio/nsm/cluster2/kustomization.yaml b/examples/basic_interdomain/nsm/cluster2/kustomization.yaml
similarity index 100%
rename from examples/nsm_istio/nsm/cluster2/kustomization.yaml
rename to examples/basic_interdomain/nsm/cluster2/kustomization.yaml
diff --git a/examples/nsm_istio/nsm/cluster2/namespace.yaml b/examples/basic_interdomain/nsm/cluster2/namespace.yaml
similarity index 100%
rename from examples/nsm_istio/nsm/cluster2/namespace.yaml
rename to examples/basic_interdomain/nsm/cluster2/namespace.yaml
diff --git a/examples/nsm_istio/nsm/cluster2/patch-nsmgr-proxy.yaml b/examples/basic_interdomain/nsm/cluster2/patch-nsmgr-proxy.yaml
similarity index 100%
rename from examples/nsm_istio/nsm/cluster2/patch-nsmgr-proxy.yaml
rename to examples/basic_interdomain/nsm/cluster2/patch-nsmgr-proxy.yaml
diff --git a/examples/nsm_istio/nsm/cluster2/patch-registry-proxy-dns.yaml b/examples/basic_interdomain/nsm/cluster2/patch-registry-proxy-dns.yaml similarity index 100% rename from examples/nsm_istio/nsm/cluster2/patch-registry-proxy-dns.yaml rename to examples/basic_interdomain/nsm/cluster2/patch-registry-proxy-dns.yaml diff --git a/examples/nsm_istio/nsm/cluster2/patch-registry.yaml b/examples/basic_interdomain/nsm/cluster2/patch-registry.yaml similarity index 100% rename from examples/nsm_istio/nsm/cluster2/patch-registry.yaml rename to examples/basic_interdomain/nsm/cluster2/patch-registry.yaml diff --git a/examples/nsm_istio/spire/README.md b/examples/basic_interdomain/spire/README.md similarity index 99% rename from examples/nsm_istio/spire/README.md rename to examples/basic_interdomain/spire/README.md index ddee788ed03f..0cc79457336c 100644 --- a/examples/nsm_istio/spire/README.md +++ b/examples/basic_interdomain/spire/README.md @@ -23,9 +23,8 @@ bundle2=$(kubectl --kubeconfig=$KUBECONFIG2 exec spire-server-0 -n spire -- bin/ ``` Setup bundle federation for each cluster -``` +```bash echo $bundle2 | kubectl --kubeconfig=$KUBECONFIG1 exec -i spire-server-0 -n spire -- bin/spire-server bundle set -format spiffe -id "spiffe://nsm.cluster2" - echo $bundle1 | kubectl --kubeconfig=$KUBECONFIG2 exec -i spire-server-0 -n spire -- bin/spire-server bundle set -format spiffe -id "spiffe://nsm.cluster1" ``` diff --git a/examples/nsm_istio/spire/cluster1/agent.conf b/examples/basic_interdomain/spire/cluster1/agent.conf similarity index 100% rename from examples/nsm_istio/spire/cluster1/agent.conf rename to examples/basic_interdomain/spire/cluster1/agent.conf 
diff --git a/examples/nsm_istio/spire/cluster1/k8s-workload-registrar.conf b/examples/basic_interdomain/spire/cluster1/k8s-workload-registrar.conf
similarity index 100%
rename from examples/nsm_istio/spire/cluster1/k8s-workload-registrar.conf
rename to examples/basic_interdomain/spire/cluster1/k8s-workload-registrar.conf
diff --git a/examples/nsm_istio/spire/cluster1/kustomization.yaml b/examples/basic_interdomain/spire/cluster1/kustomization.yaml
similarity index 100%
rename from examples/nsm_istio/spire/cluster1/kustomization.yaml
rename to examples/basic_interdomain/spire/cluster1/kustomization.yaml
diff --git a/examples/nsm_istio/spire/cluster1/server.conf b/examples/basic_interdomain/spire/cluster1/server.conf
similarity index 100%
rename from examples/nsm_istio/spire/cluster1/server.conf
rename to examples/basic_interdomain/spire/cluster1/server.conf
diff --git a/examples/nsm_istio/spire/cluster2/agent.conf b/examples/basic_interdomain/spire/cluster2/agent.conf
similarity index 100%
rename from examples/nsm_istio/spire/cluster2/agent.conf
rename to examples/basic_interdomain/spire/cluster2/agent.conf
diff --git a/examples/nsm_istio/spire/cluster2/k8s-workload-registrar.conf b/examples/basic_interdomain/spire/cluster2/k8s-workload-registrar.conf
similarity index 100%
rename from examples/nsm_istio/spire/cluster2/k8s-workload-registrar.conf
rename to examples/basic_interdomain/spire/cluster2/k8s-workload-registrar.conf
diff --git a/examples/nsm_istio/spire/cluster2/kustomization.yaml b/examples/basic_interdomain/spire/cluster2/kustomization.yaml
similarity index 100%
rename from examples/nsm_istio/spire/cluster2/kustomization.yaml
rename to examples/basic_interdomain/spire/cluster2/kustomization.yaml
diff --git a/examples/nsm_istio/spire/cluster2/server.conf b/examples/basic_interdomain/spire/cluster2/server.conf
similarity index 100%
rename from examples/nsm_istio/spire/cluster2/server.conf
rename to examples/basic_interdomain/spire/cluster2/server.conf
diff --git a/examples/nsm_consul/.gitignore b/examples/nsm_consul/.gitignore
new file mode 100644
index 000000000000..bc946ca4e91d
--- /dev/null
+++ b/examples/nsm_consul/.gitignore
@@ -0,0 +1,2 @@
+!**/kustomization.yaml
+!**/patch-*.yaml
\ No newline at end of file
diff --git a/examples/nsm_consul/README.md b/examples/nsm_consul/README.md
new file mode 100644
index 000000000000..25454026543f
--- /dev/null
+++ b/examples/nsm_consul/README.md
@@ -0,0 +1,106 @@
+# NSM + Consul interdomain example over kind clusters
+
+This example show how Consul can be used over nsm
+
+
+## Requires
+
+- [Load balancer](../basic_interdomain/loadbalancer)
+- [Interdomain DNS](../basic_interdomain/dns)
+- [Interdomain spire](../basic_interdomain/spire)
+- [Interdomain nsm](../basic_interdomain/nsm)
+
+
+## Run
+
+Install Consul
+```bash
+brew tap hashicorp/tap
+brew install hashicorp/tap/consul-k8s
+```
+
+Install Consul for the second cluster:
+```bash
+consul-k8s install -config-file=helm-consul-values.yaml -set global.image=hashicorp/consul:1.12.0 -auto-approve --kubeconfig=$KUBECONFIG2
+```
+
+Install networkservice for the second cluster::
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 apply -f networkservice.yaml
+```
+
+Start `alpine` networkservicemesh client for the first cluster:
+
+```bash
+kubectl --kubeconfig=$KUBECONFIG1 apply -f client/client.yaml
+```
+
+Create kubernetes service for the networkservicemesh endpoint:
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 apply -f service.yaml
+```
+
+Start `auto-scale` networkservicemesh endpoint:
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 apply -k nse-auto-scale
+```
+
+Install `static-server` Consul workload on the second cluster:
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 apply -f server/static-server.yaml
+```
+
+Wait for proxy-alpine-nsc to be ready:
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 wait --for=condition=ready --timeout=3m pod proxy-alpine-nsc
+kubectl --kubeconfig=$KUBECONFIG2 describe pods proxy-alpine-nsc
+kubectl --kubeconfig=$KUBECONFIG2 exec -it proxy-alpine-nsc -- bash -c ls
+```
+
+Wait for static-server to be ready:
+```bash
+stsrv=$(kubectl get pods -l app=static-server --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}')
+kubectl --kubeconfig=$KUBECONFIG2 wait --for=condition=ready --timeout=3m pod $stsrv
+kubectl --kubeconfig=$KUBECONFIG2 describe pods $stsrv
+```
+
+Wait for nse-supplier to be ready:
+```bash
+supplier=$(kubectl get pods -l app=nse-supplier-k8s --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}')
+kubectl --kubeconfig=$KUBECONFIG2 wait --for=condition=ready --timeout=3m pod $supplier
+kubectl --kubeconfig=$KUBECONFIG2 describe pods $supplier
+```
+
+Wait for nse-supplier to be ready:
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 describe pods alpine-nsc
+kubectl --kubeconfig=$KUBECONFIG2 wait --for=condition=ready --timeout=10m pod alpine-nsc
+```
+
+Verify connection from networkservicemesh client to consul server:
+```bash
+kubectl --kubeconfig=$KUBECONFIG1 exec -it alpine-nsc -- apk add curl
+```
+```bash
+kubectl --kubeconfig=$KUBECONFIG1 exec -it alpine-nsc -- curl 172.16.1.2:8080 | grep -o "hello world"
+```
+
+
+## Cleanup
+
+
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 delete deployment static-server
+```
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 delete -k nse-auto-scale
+```
+```bash
+kubectl --kubeconfig=$KUBECONFIG1 delete -f client/client.yaml
+```
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 delete -f networkservice.yaml
+```
+```bash
+consul-k8s uninstall --kubeconfig=$KUBECONFIG2 -auto-approve=true -wipe-data=true
+```
diff --git a/examples/nsm_consul/client/client.yaml b/examples/nsm_consul/client/client.yaml
new file mode 100644
index 000000000000..06723b6a6093
--- /dev/null
+++ b/examples/nsm_consul/client/client.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: alpine-nsc
+ labels:
+ app: alpine-nsc
+ annotations:
+ networkservicemesh.io: kernel://autoscale-consul-proxy@my.cluster2/nsm-1?app=alpine-nsc
+spec:
+ containers:
+ - name: alpine-nsc
+ image: alpine:3.15.0
+ imagePullPolicy: IfNotPresent
+ stdin: true
+ tty: true
diff --git a/examples/nsm_consul/helm-consul-values.yaml b/examples/nsm_consul/helm-consul-values.yaml
new file mode 100644
index 000000000000..b0b8be1b6db3
--- /dev/null
+++ b/examples/nsm_consul/helm-consul-values.yaml
@@ -0,0 +1,10 @@
+---
+global:
+ name: consul
+ datacenter: dc1
+server:
+ replicas: 1
+connectInject:
+ enabled: true
+ transparentProxy:
+ defaultEnabled: false
diff --git a/examples/nsm_consul/kind-cluster-config.yaml b/examples/nsm_consul/kind-cluster-config.yaml
new file mode 100644
index 000000000000..f57c67e5b02b
--- /dev/null
+++ b/examples/nsm_consul/kind-cluster-config.yaml
@@ -0,0 +1,6 @@
+---
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+ - role: control-plane
+ - role: worker
diff --git a/examples/nsm_consul/networkservice.yaml b/examples/nsm_consul/networkservice.yaml
new file mode 100644
index 000000000000..72f6d769eb30
--- /dev/null
+++ b/examples/nsm_consul/networkservice.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: networkservicemesh.io/v1
+kind: NetworkService
+metadata:
+ name: autoscale-consul-proxy
+ namespace: nsm-system
+spec:
+ payload: IP
+ matches:
+ - source_selector:
+ fallthrough: true
+ routes:
+ - destination_selector:
+ podName: "{{ .podName }}"
+ - source_selector:
+ routes:
+ - destination_selector:
+ any: "true"
diff --git a/examples/nsm_consul/nse-auto-scale/iptables-map.yaml b/examples/nsm_consul/nse-auto-scale/iptables-map.yaml
new file mode 100644
index 000000000000..5a19fc53fa7d
--- /dev/null
+++ b/examples/nsm_consul/nse-auto-scale/iptables-map.yaml
@@ -0,0 +1,2 @@
+---
+- -I PREROUTING 1 -p tcp -i {{ .NsmInterfaceName }} -j DNAT --to-destination 127.0.0.1
diff --git a/examples/nsm_consul/nse-auto-scale/kustomization.yaml b/examples/nsm_consul/nse-auto-scale/kustomization.yaml
new file mode 100644
index 000000000000..a4820096fc2b
--- /dev/null
+++ b/examples/nsm_consul/nse-auto-scale/kustomization.yaml
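Review bot: helm-consul-values.yaml enables `connectInject` but sets nothing under `global.tls`, `global.acls` or `global.gossipEncryption`, so as far as the chart defaults go the Consul server in cluster 2 runs without ACLs or TLS. The comment in server/static-server.yaml ("If ACLs are enabled, ...") suggests this is intentional for the demo, but the values file itself does not say so. A header comment such as `# demo values for a throwaway kind cluster: ACLs, TLS and gossip encryption are off; set global.acls.manageSystemACLs, global.tls.enabled and global.gossipEncryption.autoGenerate before reusing this file` would keep it from being copied as-is.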
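Review bot: The single rule in nsm_consul/nse-auto-scale/iptables-map.yaml has no `--dport` match, so every TCP connection that arrives on the NSM interface is rewritten to 127.0.0.1 whatever port it targets. The example only needs the Connect upstream declared in pod-template.yaml (`static-server:8080`), yet with this rule any other loopback-only listener in the pod's network namespace, presumably the injected sidecar's own ports included, becomes reachable from the client in the other cluster. Restricting the rule to the upstream port keeps the exposure to what the README verifies: `- -I PREROUTING 1 -p tcp -i {{ .NsmInterfaceName }} --dport 8080 -j DNAT --to-destination 127.0.0.1`. DNAT to a loopback address from a non-loopback interface normally also depends on `route_localnet` being enabled for that interface; the diff does not show where that is set, so a YAML comment naming the component that sets it would help.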
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+- https://github.com/networkservicemesh/deployments-k8s/apps/nse-supplier-k8s?ref=b4bddacfa45fafb7c15a769a1fc0f319e63d6a8d
+
+patchesStrategicMerge:
+- patch-supplier.yaml
+
+configMapGenerator:
+ - name: supplier-pod-template-configmap
+ files:
+ - pod-template.yaml
+ - name: iptables-map
+ files:
+ - iptables-map.yaml
+
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/examples/nsm_consul/nse-auto-scale/patch-supplier.yaml b/examples/nsm_consul/nse-auto-scale/patch-supplier.yaml
new file mode 100644
index 000000000000..eab4bae2a9bf
--- /dev/null
+++ b/examples/nsm_consul/nse-auto-scale/patch-supplier.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nse-supplier-k8s
+spec:
+ template:
+ metadata:
+ annotations:
+ 'consul.hashicorp.com/connect-inject': 'false'
+ spec:
+ containers:
+ - name: nse-supplier
+ env:
+ - name: NSM_SERVICE_NAME
+ value: autoscale-consul-proxy
+ - name: NSM_LABELS
+ value: any:true
+ - name: NSM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NSM_POD_DESCRIPTION_FILE
+ value: /run/supplier/pod-template.yaml
+ volumeMounts:
+ - name: pod-file
+ mountPath: /run/supplier
+ readOnly: true
+ volumes:
+ - name: pod-file
+ configMap:
+ name: supplier-pod-template-configmap
diff --git a/examples/nsm_consul/nse-auto-scale/pod-template.yaml b/examples/nsm_consul/nse-auto-scale/pod-template.yaml
new file mode 100644
index 000000000000..7a6220074d59
--- /dev/null
+++ b/examples/nsm_consul/nse-auto-scale/pod-template.yaml
@@ -0,0 +1,76 @@
+---
+apiVersion: apps/v1
+kind: Pod
+metadata:
+ name: proxy-{{ index .Labels "podName" }}
+ labels:
+ app: proxy-{{ index .Labels "podName" }}
+ "spiffe.io/spiffe-id": "true"
+ annotations:
+ 'consul.hashicorp.com/connect-inject': 'true'
+ 'consul.hashicorp.com/connect-service-upstreams': 'static-server:8080'
+spec:
+ restartPolicy: Never
+ containers:
+ - name: nse
+ image: ghcr.io/networkservicemesh/ci/cmd-nse-l7-proxy:08328f3
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ privileged: true
+ env:
+ - name: SPIFFE_ENDPOINT_SOCKET
+ value: unix:///run/spire/sockets/agent.sock
+ - name: NSM_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAME
+ value: {{ index .Labels "podName" }}
+ - name: NSM_CONNECT_TO
+ value: unix:///var/lib/networkservicemesh/nsm.io.sock
+ - name: NSM_CIDR_PREFIX
+ value: 172.16.1.2/31
+ - name: NSM_SERVICE_NAMES
+ value: autoscale-consul-proxy
+ - name: NSM_LABELS
+ value: app:{{ index .Labels "app" }}
+ - name: NSM_IDLE_TIMEOUT
+ value: 240s
+ - name: NSM_LOG_LEVEL
+ value: TRACE
+ - name: NSM_RULES_CONFIG_PATH
+ value: iptables-map/iptables-map.yaml
+ volumeMounts:
+ - name: spire-agent-socket
+ mountPath: /run/spire/sockets
+ readOnly: true
+ - name: nsm-socket
+ mountPath: /var/lib/networkservicemesh
+ readOnly: true
+ - name: iptables-config-map
+ mountPath: /iptables-map
+ resources:
+ limits:
+ memory: 40Mi
+ cpu: 150m
+ - name: proxy-alpine-nsc
+ image: hashicorp/http-echo:latest
+ args:
+ - -text="hello world from nse"
+ - -listen=:9090
+ ports:
+ - containerPort: 9090
+ name: http
+ serviceAccountName: proxy-alpine-nsc
+ volumes:
+ - name: spire-agent-socket
+ hostPath:
+ path: /run/spire/sockets
+ type: Directory
+ - name: nsm-socket
+ hostPath:
+ path: /var/lib/networkservicemesh
+ type: DirectoryOrCreate
+ - name: iptables-config-map
+ configMap:
+ name: iptables-map
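Review bot: The `nse` container in nsm_consul/nse-auto-scale/pod-template.yaml runs with `securityContext: privileged: true` while also mounting two hostPath directories, which gives a CI-built image (`ci/cmd-nse-l7-proxy:08328f3`) full access to the node it lands on. If the container only has to load the rules from `NSM_RULES_CONFIG_PATH` inside its own network namespace, the `NET_ADMIN` capability should be enough, and the nsm_istio template changed in this same commit uses the same image with no securityContext visible in its hunk context; I would replace the setting with `securityContext: { capabilities: { add: ["NET_ADMIN"] } }` and confirm the rules still load. The `proxy-alpine-nsc` container here and `static-server` in server/static-server.yaml both pull `hashicorp/http-echo:latest`; a fixed tag or digest would match the pinning already used for `alpine:3.15.0` and for the kustomize base.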
diff --git a/examples/nsm_consul/server/static-server.yaml b/examples/nsm_consul/server/static-server.yaml
new file mode 100644
index 000000000000..efa7878ff8c7
--- /dev/null
+++ b/examples/nsm_consul/server/static-server.yaml
@@ -0,0 +1,48 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ # This name will be the service name in Consul.
+ name: static-server
+spec:
+ selector:
+ app: static-server
+ ports:
+ - protocol: TCP
+ port: 8080
+ targetPort: 8080
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: static-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: static-server
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: static-server
+ template:
+ metadata:
+ name: static-server
+ labels:
+ app: static-server
+ annotations:
+ 'consul.hashicorp.com/connect-inject': 'true'
+ 'consul.hashicorp.com/connect-service-upstreams': 'proxy-alpine-nsc:9090'
+ spec:
+ containers:
+ - name: static-server
+ image: hashicorp/http-echo:latest
+ args:
+ - -text="hello world"
+ - -listen=:8080
+ ports:
+ - containerPort: 8080
+ name: http
+ # If ACLs are enabled, the serviceAccountName must match the Consul service name.
+ serviceAccountName: static-server
diff --git a/examples/nsm_consul/service.yaml b/examples/nsm_consul/service.yaml
new file mode 100644
index 000000000000..51d89d1d3c7e
--- /dev/null
+++ b/examples/nsm_consul/service.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: proxy-alpine-nsc
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: proxy-alpine-nsc
+spec:
+ selector:
+ app: proxy-alpine-nsc
+ ports:
+ - protocol: TCP
+ port: 9090
+ targetPort: 9090
diff --git a/examples/nsm_istio/README.md b/examples/nsm_istio/README.md
index 88dd394c4230..31e9e707f974 100644
--- a/examples/nsm_istio/README.md
+++ b/examples/nsm_istio/README.md
@@ -7,10 +7,10 @@ This example show how can be used nsm over ## Requires -- [Load balancer](./loadbalancer) -- [Interdomain DNS](./dns) -- [Interdomain spire](./spire) -- [Interdomain nsm](./nsm) +- [Load balancer](../basic_interdomain/loadbalancer) +- [Interdomain DNS](../basic_interdomain/dns) +- [Interdomain spire](../basic_interdomain/spire) +- [Interdomain nsm](../basic_interdomain/nsm) ## Run diff --git a/examples/nsm_istio/nse-auto-scale/iptables-map.yaml b/examples/nsm_istio/nse-auto-scale/iptables-map.yaml new file mode 100644 index 000000000000..6c9772137714 --- /dev/null +++ b/examples/nsm_istio/nse-auto-scale/iptables-map.yaml @@ -0,0 +1,10 @@ +--- +- -N NSM_PREROUTE +- -A NSM_PREROUTE -j ISTIO_REDIRECT +- -I PREROUTING 1 -p tcp -i {{ .NsmInterfaceName }} -j NSM_PREROUTE +- -N NSM_OUTPUT +- -A NSM_OUTPUT -j DNAT --to-destination {{ index .NsmSrcIPs 0 }} +- -A OUTPUT -p tcp -s 127.0.0.6 -j NSM_OUTPUT +- -N NSM_POSTROUTING +- -A NSM_POSTROUTING -j SNAT --to-source {{ index .NsmDstIPs 0 }} +- -A POSTROUTING -p tcp -o {{ .NsmInterfaceName }} -j NSM_POSTROUTING diff --git a/examples/nsm_istio/nse-auto-scale/kustomization.yaml b/examples/nsm_istio/nse-auto-scale/kustomization.yaml index ff034e883c24..b9e3b03b2f0e 100644 --- a/examples/nsm_istio/nse-auto-scale/kustomization.yaml +++ b/examples/nsm_istio/nse-auto-scale/kustomization.yaml @@ -12,6 +12,9 @@ configMapGenerator: - name: supplier-pod-template-configmap files: - pod-template.yaml + - name: iptables-map + files: + - iptables-map.yaml generatorOptions: disableNameSuffixHash: true diff --git a/examples/nsm_istio/nse-auto-scale/pod-template.yaml b/examples/nsm_istio/nse-auto-scale/pod-template.yaml index 63ade4e9e55d..df62e3bf08bd 100644 --- a/examples/nsm_istio/nse-auto-scale/pod-template.yaml +++ b/examples/nsm_istio/nse-auto-scale/pod-template.yaml 
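Review bot: nsm_istio/nse-auto-scale/iptables-map.yaml carries no comments, and two of its rules depend on Istio internals that a reader cannot infer from the file. `-A NSM_PREROUTE -j ISTIO_REDIRECT` jumps to a chain this file never creates, so the rules presumably have to be applied after Istio's init step has built it, and `-s 127.0.0.6` looks like the source address the Istio sidecar uses when it forwards inbound traffic to the application. I would add YAML comments above those rules, for example `# ISTIO_REDIRECT is created by Istio's init container; these rules must be applied after it has run` and `# 127.0.0.6: source address of traffic the sidecar passes to the app`, and state which table the rules are loaded into, since none of them carries `-t`.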
@@ -11,7 +11,7 @@ spec: restartPolicy: Never containers: - name: nse - image: ghcr.io/networkservicemesh/ci/cmd-nse-istio-proxy:c26db55 + image: ghcr.io/networkservicemesh/ci/cmd-nse-l7-proxy:08328f3 imagePullPolicy: IfNotPresent env: - name: SPIFFE_ENDPOINT_SOCKET @@ -34,6 +34,8 @@ spec: value: 240s - name: NSM_LOG_LEVEL value: TRACE + - name: NSM_RULES_CONFIG_PATH + value: iptables-map/iptables-map.yaml volumeMounts: - name: spire-agent-socket mountPath: /run/spire/sockets @@ -41,6 +43,8 @@ spec: - name: nsm-socket mountPath: /var/lib/networkservicemesh readOnly: true + - name: iptables-config-map + mountPath: /iptables-map resources: limits: memory: 40Mi @@ -54,3 +58,6 @@ spec: hostPath: path: /var/lib/networkservicemesh type: DirectoryOrCreate + - name: iptables-config-map + configMap: + name: iptables-map
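Review bot: `NSM_RULES_CONFIG_PATH` in the second hunk is the relative path `iptables-map/iptables-map.yaml`, while the ConfigMap is mounted at the absolute path `/iptables-map`, so the rules file is found only if the container's working directory is `/`, which the diff does not show. `value: /iptables-map/iptables-map.yaml` removes that dependency; the new nsm_consul/nse-auto-scale/pod-template.yaml sets the same relative value. The added `iptables-config-map` mount in the third hunk also lacks the `readOnly: true` that its two sibling mounts carry. The container spec starts and continues outside these hunks.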