Add Consul interdomain example

examples/basic_interdomain/README.md

@@ -0,0 +1,16 @@
+# Basic examples
+
+Contain basic setup for NSM that includes `nsmgr`, `forwarder-vpp`, `registry-k8s`. This setup can be used to check mechanisms combination or some kind of NSM [features](../features).
+
+## Requires
+
+- [Load balancer](./loadbalancer)
+- [Interdomain DNS](./dns)
+- [Interdomain spire](./spire)
+- [Interdomain nsm](./nsm)
+
+
+## Includes
+
+- [NSM Istio](../nsm_istio)
+- [Kernel to Kernel Connection](../nsm_consul)

examples/nsm_istio/spire/README.md → examples/basic_interdomain/spire/README.md

@@ -23,9 +23,8 @@ bundle2=$(kubectl --kubeconfig=$KUBECONFIG2 exec spire-server-0 -n spire -- bin/
 ```
 
 Setup bundle federation for each cluster
-```
+```bash
 echo $bundle2 | kubectl --kubeconfig=$KUBECONFIG1 exec -i spire-server-0 -n spire -- bin/spire-server bundle set -format spiffe -id "spiffe://nsm.cluster2"
-
 echo $bundle1 | kubectl --kubeconfig=$KUBECONFIG2 exec -i spire-server-0 -n spire -- bin/spire-server bundle set -format spiffe -id "spiffe://nsm.cluster1"
 ```
 

examples/nsm_consul/.gitignore

@@ -0,0 +1,2 @@
+!**/kustomization.yaml
+!**/patch-*.yaml

examples/nsm_consul/README.md

@@ -0,0 +1,106 @@
+# NSM + Consul interdomain example over kind clusters
+
+This example show how Consul can be used over nsm 
+
+
+## Requires
+
+- [Load balancer](../basic_interdomain/loadbalancer)
+- [Interdomain DNS](../basic_interdomain/dns)
+- [Interdomain spire](../basic_interdomain/spire)
+- [Interdomain nsm](../basic_interdomain/nsm)
+
+
+## Run
+
+Install Consul
+```bash
+brew tap hashicorp/tap
+brew install hashicorp/tap/consul-k8s
+```
+
+Install Consul for the second cluster:
+```bash
+consul-k8s install -config-file=helm-consul-values.yaml -set global.image=hashicorp/consul:1.12.0 -auto-approve --kubeconfig=$KUBECONFIG2
+```
+
+Install networkservice for the second cluster::
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 apply -f networkservice.yaml 
+```
+
+Start `alpine` networkservicemesh client for the first cluster:
+
+```bash
+kubectl --kubeconfig=$KUBECONFIG1 apply -f client/client.yaml 
+```
+
+Create kubernetes service for the networkservicemesh endpoint:
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 apply -f service.yaml 
+```
+
+Start `auto-scale` networkservicemesh endpoint:
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 apply -k nse-auto-scale
+```
+
+Install `static-server` Consul workload on the second cluster:
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 apply -f server/static-server.yaml
+```
+
+Wait for proxy-alpine-nsc to be ready:
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 wait --for=condition=ready --timeout=3m pod proxy-alpine-nsc
+kubectl --kubeconfig=$KUBECONFIG2 describe pods proxy-alpine-nsc
+kubectl --kubeconfig=$KUBECONFIG2 exec -it proxy-alpine-nsc -- bash -c ls
+```
+
+Wait for static-server to be ready:
+```bash
+stsrv=$(kubectl get pods -l app=static-server --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}')
+kubectl --kubeconfig=$KUBECONFIG2 wait --for=condition=ready --timeout=3m pod $stsrv
+kubectl --kubeconfig=$KUBECONFIG2 describe pods $stsrv
+```
+
+Wait for nse-supplier to be ready:
+```bash
+supplier=$(kubectl get pods -l app=nse-supplier-k8s --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}')
+kubectl --kubeconfig=$KUBECONFIG2 wait --for=condition=ready --timeout=3m pod $supplier
+kubectl --kubeconfig=$KUBECONFIG2 describe pods $supplier
+```
+
+Wait for nse-supplier to be ready:
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 describe pods alpine-nsc
+kubectl --kubeconfig=$KUBECONFIG2 wait --for=condition=ready --timeout=10m pod alpine-nsc
+```
+
+Verify connection from networkservicemesh client to consul server:
+```bash
+kubectl --kubeconfig=$KUBECONFIG1 exec -it alpine-nsc -- apk add curl
+```
+```bash
+kubectl --kubeconfig=$KUBECONFIG1 exec -it alpine-nsc -- curl 172.16.1.2:8080 | grep -o "hello world"
+```
+
+
+## Cleanup
+
+
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 delete deployment static-server
+```
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 delete -k nse-auto-scale
+```
+```bash
+kubectl --kubeconfig=$KUBECONFIG1 delete -f client/client.yaml
+```
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 delete -f networkservice.yaml
+```
+```bash
+consul-k8s uninstall --kubeconfig=$KUBECONFIG2 -auto-approve=true -wipe-data=true
+```

examples/nsm_consul/client/client.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: alpine-nsc
+  labels:
+    app: alpine-nsc
+  annotations:
+    networkservicemesh.io: kernel://[email protected]/nsm-1?app=alpine-nsc
+spec:
+  containers:
+  - name: alpine-nsc
+    image: alpine:3.15.0
+    imagePullPolicy: IfNotPresent
+    stdin: true
+    tty: true

examples/nsm_consul/helm-consul-values.yaml

@@ -0,0 +1,10 @@
+---
+global:
+  name: consul
+  datacenter: dc1
+server:
+  replicas: 1
+connectInject:
+  enabled: true
+  transparentProxy:
+    defaultEnabled: false

examples/nsm_consul/kind-cluster-config.yaml

@@ -0,0 +1,6 @@
+---
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+  - role: control-plane
+  - role: worker

examples/nsm_consul/networkservice.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: networkservicemesh.io/v1
+kind: NetworkService
+metadata:
+  name: autoscale-consul-proxy
+  namespace: nsm-system
+spec:
+  payload: IP
+  matches:
+    - source_selector:
+      fallthrough: true
+      routes:
+        - destination_selector:
+            podName: "{{ .podName }}"
+    - source_selector:
+      routes:
+        - destination_selector:
+            any: "true"

examples/nsm_consul/nse-auto-scale/iptables-map.yaml

@@ -0,0 +1,2 @@
+---
+- -I PREROUTING 1 -p tcp -i {{ .NsmInterfaceName }} -j DNAT --to-destination 127.0.0.1

examples/nsm_consul/nse-auto-scale/kustomization.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+- https://github.com/networkservicemesh/deployments-k8s/apps/nse-supplier-k8s?ref=b4bddacfa45fafb7c15a769a1fc0f319e63d6a8d
+
+patchesStrategicMerge:
+- patch-supplier.yaml
+
+configMapGenerator:
+  - name: supplier-pod-template-configmap
+    files:
+      - pod-template.yaml
+  - name: iptables-map
+    files:
+      - iptables-map.yaml
+
+generatorOptions:
+  disableNameSuffixHash: true

examples/nsm_consul/nse-auto-scale/patch-supplier.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nse-supplier-k8s
+spec:
+  template:
+    metadata:
+      annotations:
+        'consul.hashicorp.com/connect-inject': 'false'
+    spec:
+      containers:
+        - name: nse-supplier
+          env:
+            - name: NSM_SERVICE_NAME
+              value: autoscale-consul-proxy
+            - name: NSM_LABELS
+              value: any:true
+            - name: NSM_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: NSM_POD_DESCRIPTION_FILE
+              value: /run/supplier/pod-template.yaml
+          volumeMounts:
+            - name: pod-file
+              mountPath: /run/supplier
+              readOnly: true
+      volumes:
+        - name: pod-file
+          configMap:
+            name: supplier-pod-template-configmap

examples/nsm_consul/nse-auto-scale/pod-template.yaml

@@ -0,0 +1,76 @@
+---
+apiVersion: apps/v1
+kind: Pod
+metadata:
+  name: proxy-{{ index .Labels "podName" }}
+  labels:
+    app: proxy-{{ index .Labels "podName" }}
+    "spiffe.io/spiffe-id": "true"
+  annotations:
+    'consul.hashicorp.com/connect-inject': 'true'
+    'consul.hashicorp.com/connect-service-upstreams': 'static-server:8080'
+spec:
+  restartPolicy: Never
+  containers:
+    - name: nse
+      image: ghcr.io/networkservicemesh/ci/cmd-nse-l7-proxy:08328f3
+      imagePullPolicy: IfNotPresent
+      securityContext:
+        privileged: true
+      env:
+        - name: SPIFFE_ENDPOINT_SOCKET
+          value: unix:///run/spire/sockets/agent.sock
+        - name: NSM_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAME
+          value: {{ index .Labels "podName" }}
+        - name: NSM_CONNECT_TO
+          value: unix:///var/lib/networkservicemesh/nsm.io.sock
+        - name: NSM_CIDR_PREFIX
+          value: 172.16.1.2/31
+        - name: NSM_SERVICE_NAMES
+          value: autoscale-consul-proxy
+        - name: NSM_LABELS
+          value: app:{{ index .Labels "app" }}
+        - name: NSM_IDLE_TIMEOUT
+          value: 240s
+        - name: NSM_LOG_LEVEL
+          value: TRACE
+        - name: NSM_RULES_CONFIG_PATH
+          value: iptables-map/iptables-map.yaml
+      volumeMounts:
+        - name: spire-agent-socket
+          mountPath: /run/spire/sockets
+          readOnly: true
+        - name: nsm-socket
+          mountPath: /var/lib/networkservicemesh
+          readOnly: true
+        - name: iptables-config-map
+          mountPath: /iptables-map
+      resources:
+        limits:
+          memory: 40Mi
+          cpu: 150m
+    - name: proxy-alpine-nsc
+      image: hashicorp/http-echo:latest
+      args:
+        - -text="hello world from nse"
+        - -listen=:9090
+      ports:
+        - containerPort: 9090
+          name: http
+  serviceAccountName: proxy-alpine-nsc
+  volumes:
+    - name: spire-agent-socket
+      hostPath:
+        path: /run/spire/sockets
+        type: Directory
+    - name: nsm-socket
+      hostPath:
+        path: /var/lib/networkservicemesh
+        type: DirectoryOrCreate
+    - name: iptables-config-map
+      configMap:
+        name: iptables-map

examples/nsm_consul/server/static-server.yaml

@@ -0,0 +1,48 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  # This name will be the service name in Consul.
+  name: static-server
+spec:
+  selector:
+    app: static-server
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 8080
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: static-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: static-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: static-server
+  template:
+    metadata:
+      name: static-server
+      labels:
+        app: static-server
+      annotations:
+        'consul.hashicorp.com/connect-inject': 'true'
+        'consul.hashicorp.com/connect-service-upstreams': 'proxy-alpine-nsc:9090'
+    spec:
+      containers:
+        - name: static-server
+          image: hashicorp/http-echo:latest
+          args:
+            - -text="hello world"
+            - -listen=:8080
+          ports:
+            - containerPort: 8080
+              name: http
+      # If ACLs are enabled, the serviceAccountName must match the Consul service name.
+      serviceAccountName: static-server

examples/nsm_consul/service.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: proxy-alpine-nsc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: proxy-alpine-nsc
+spec:
+  selector:
+    app: proxy-alpine-nsc
+  ports:
+    - protocol: TCP
+      port: 9090
+      targetPort: 9090