Merge from gitee for VA arp enhancement

f5devcentral · Dec 22, 2021 · 12a0c07 · 12a0c07
2 parents 0656ba9 + eb3cc07
commit 12a0c07
Show file tree

Hide file tree

Showing 8 changed files with 129 additions and 41 deletions.
diff --git a/config/ces-conf.yaml b/config/ces-conf.yaml
@@ -11,23 +11,29 @@ iRule:
 tenant:
   ##common partiton config, init AS3 needs
   - name: "Common"
-    namespaces: "default,dwb-test1,dwb-test"
+    namespaces: "dwb-test1,dwb-test"
     virtualService:
       template: ''
       virtualAddresses:
-        - "0.0.0.0"
+        virtualAddress: "0.0.0.0"
+        icmpEcho: "disable"
+        arpEnabled: false
+        template: ''
     gwPool:
       serverAddresses:
         - "192.168.10.1"
   - name: p2
-    namespaces: dwb-test
+    namespaces: default
     routeDomain:
       id: 2
       name: "rd2"
     virtualService:
       template: ""
       virtualAddresses:
-        - "1.0.0.0"
+        virtualAddress: "0.0.0.0"
+        icmpEcho: "disable"
+        arpEnabled: false
+        template: ''
     gwPool:
       serverAddresses:
         - "1.16.10.22"

diff --git a/doc/zh_cn.md b/doc/zh_cn.md
@@ -91,7 +91,10 @@ tenant:
         - "0.0.0.0"
     gwPool:
       serverAddresses:
-        - "192.168.10.1"
+        virtualAddress: "0.0.0.0"
+        icmpEcho: "disable"
+        arpEnabled: false
+        template: ''
   - name: project2
     namespaces: project2
     routeDomain:
@@ -103,8 +106,12 @@ tenant:
         - "1.0.0.0"
     gwPool:
       serverAddresses:
-        - "1.16.10.22"
-        - "192.168.10.22"
+        template: '{
+              "class": "Service_Address",
+              "virtualAddress": "0.0.0.0",
+              "icmpEcho": "disable",
+              "arpEnabled": false
+        }'
   - name: project3
     namespaces: project3,test-ns-a
     routeDomain:
@@ -209,29 +216,33 @@ logPool:
 ###上面配置参数说明：
 
 ```
-clusterName： 当前集群名称，用于rule的规则前缀
+clusterName：             当前集群名称，用于rule的规则前缀
 
-isSupportRouteDomain： 是否支持严格的RouteDomain
+isSupportRouteDomain：    是否支持严格的RouteDomain
 
-masterCluster：对于多集群对应单BIG-IP时，需要设置，控制初始化Common tenant
+masterCluster：           对于多集群对应单BIG-IP时，需要设置，控制初始化Common tenant
 
-schemaVersion： AS3中ADC的版本，默认为3.29.0
+schemaVersion：           AS3中ADC的版本，默认为3.29.0
 
-iRule： 流量控制配置，此参数需优先在BIG-IP中设置好。
+iRule：                   流量控制配置，此参数需优先在BIG-IP中设置好。
 
 tenant：
-   name: tenant的名称，对应BIG-IP中的partition
-   namespaces： tenant对应的命名空间，多个可以用逗号隔开，eg: 不支持rd时。此参数可控制监听的namespace下的资源
-   virtualService： ##VS
-     template: VS的模板。用户可自行定义，需要满足AS3规范，具体看上面实例。
-     virtualAddresses： VS中virtualAddresses的值。
-   gwPool： ####gateway
-     serverAddresses: gwpool中的参数值，gateway的ip列表
-   logPool：##日志
-     loggingEnabled： 是否配置log profile
-     enableRemoteLog： 是否开启远程日志
-     serverAddresses： pool中的ip列表
-     template：日志配置模板。可参考上面实例
+   name:                  tenant的名称，对应BIG-IP中的partition
+   namespaces：           tenant对应的命名空间，多个可以用逗号隔开，eg: 不支持rd时。此参数可控制监听的namespace下的资源
+   virtualService：       ##VS
+     template:            VS的模板。用户可自行定义，需要满足AS3规范，具体看上面实例。
+     virtualAddresses：   ##virtualAddresses
+       virtualAddress:    serviceAddress中virtualAddresses的值。
+       icmpEcho:          serviceAddress中icmp的配置
+       arpEnabled:        serviceAddress中arp的配置
+       template:          serviceAddress的模板设置
+   gwPool：               ####gateway
+     serverAddresses:     gwpool中的参数值，gateway的ip列表
+   logPool：              ##日志
+     loggingEnabled：     是否配置log profile
+     enableRemoteLog：    是否开启远程日志
+     serverAddresses：    pool中的ip列表
+     template：           日志配置模板。可参考上面实例
 
 ```
 

diff --git a/examples/examples.yaml b/examples/examples.yaml
@@ -52,7 +52,6 @@ metadata:
   namespace: project3
 spec:
   action: accept
-  subnet: 1.1.1.1
   externalServices:
     - exsvc3
 

diff --git a/pkg/as3/const.go b/pkg/as3/const.go
@@ -20,6 +20,7 @@ const (
 	ClassFirewallRuleList    = "Firewall_Rule_List"
 	ClassFirewallPolicy      = "Firewall_Policy"
 	ClassVirtualServerL4     = "Service_L4"
+	ClassServiceAddress      = "Service_Address"
 	ClassPoll                = "Pool"
 	ClassSecurityLogProfile  = "Security_Log_Profile"
 	ClassLogPublisher        = "Log_Publisher"

diff --git a/pkg/as3/init.go b/pkg/as3/init.go
@@ -214,6 +214,7 @@ func skipDeleteShareApplicationClassOrAttr(partition, attr string) bool {
 		ClassKey:                 true,
 		TemplateKey:              true,
 		getAs3VSAttr():           true,
+		getAs3VsVaAttr():         true,
 		getAs3GwPoolAttr():       true,
 		getAllDenyRuleListAttr(): true,
 	}

diff --git a/pkg/as3/types.go b/pkg/as3/types.go
@@ -52,9 +52,9 @@ type FirewallRule struct {
 	IRule       *IRule              `json:"iRule,omitempty"`
 	Destination FirewallDestination `json:"destination,omitempty"`
 
-	Source FirewallSource `json:"source,omitempty"`
-	Action string         `json:"action,omitempty"`
-	LoggingEnabled bool   `json:"loggingEnabled,omitempty"`
+	Source         FirewallSource `json:"source,omitempty"`
+	Action         string         `json:"action,omitempty"`
+	LoggingEnabled bool           `json:"loggingEnabled,omitempty"`
 }
 
 type IRule struct {
@@ -105,7 +105,7 @@ type VirtualServer struct {
 	Layer4                 string   `json:"layer4"`
 	TranslateServerAddress bool     `json:"translateServerAddress"`
 	TranslateServerPort    bool     `json:"translateServerPort"`
-	VirtualAddresses       []string `json:"virtualAddresses"`
+	VirtualAddresses       []Use `json:"virtualAddresses"`
 	PolicyFirewallEnforced Use      `json:"policyFirewallEnforced"`
 	SecurityLogProfiles    []Use    `json:"securityLogProfiles,omitempty"`
 	VirtualPort            int      `json:"virtualPort"`
@@ -114,6 +114,14 @@ type VirtualServer struct {
 	Pool                   string   `json:"pool"`
 }
 
+//ARP
+type VirtualServerVa struct {
+	Class          string `json:"class"`
+	VirtualAddress string `json:"virtualAddress"`
+	IcmpEcho       string `json:"icmpEcho"`
+	ArpEnabled     bool   `json:"arpEnabled"`
+}
+
 //viper
 type (
 	As3Config struct {
@@ -128,7 +136,7 @@ type (
 
 	LogPool struct {
 		//Whether to configure logging profile
-		LoggingEnabled  bool     `mapstructure:"loggingEnabled"`
+		LoggingEnabled bool `mapstructure:"loggingEnabled"`
 		//Whether to open remote log
 		EnableRemoteLog bool     `mapstructure:"enableRemoteLog"`
 		Template        string   `mapstructure:"template"`
@@ -156,7 +164,14 @@ type (
 	VirtualService struct {
 		//Custom vs structure，if "", use Common vs value
 		Template         string   `mapstructure:"template"`
-		VirtualAddresses []string `mapstructure:"virtualAddresses"`
+		VirtualAddresses VirtualAddresses `mapstructure:"virtualAddresses"`
+	}
+
+	VirtualAddresses struct {
+		VirtualAddress string `mapstructure:"virtualAddress"`
+		IcmpEcho       string `mapstructure:"icmpEcho"`
+		ArpEnabled     bool   `mapstructure:"arpEnabled"`
+		template       string `mapstructure:"template"`
 	}
 )
 
@@ -188,8 +203,8 @@ type (
 type (
 	portIrule struct {
 		protocol string
-		irule string
-		ports []string
+		irule    string
+		ports    []string
 	}
 
 	//protocol map[string]portIrule

diff --git a/pkg/as3/utils.go b/pkg/as3/utils.go
@@ -84,6 +84,10 @@ func newAs3Obj(partition string, shareApplication interface{}) interface{} {
 	tenant.initDefault(partition)
 	tenant[SharedKey] = shareApplication
 	adc[partition] = tenant
+	//remove Common if partition is not Common
+	if IsSupportRouteDomain() && partition != DefaultPartition{
+		delete(adc, DefaultPartition)
+	}
 	ac[DeclarationKey] = adc
 	return ac
 }
@@ -110,6 +114,9 @@ func (ac *as3Post) processResourcesForAS3(sharedApp as3Application) {
 	//Create log pools
 	ac.newLogPoolDecl(sharedApp)
 
+	//Create VS ARP
+	ac.newVirtualAddressDecl(sharedApp)
+
 	//Create AS3 Service for virtual server
 	ac.newServiceDecl(sharedApp)
 }
@@ -344,6 +351,41 @@ func (ac *as3Post) newLogPoolDecl(sharedApp as3Application) {
 	}
 }
 
+//Create VS ARP
+func(ac *as3Post) newVirtualAddressDecl(sharedApp as3Application){
+	virtualAddress := ac.tenantConfig.VirtualService.VirtualAddresses.VirtualAddress
+	if len(virtualAddress) == 0 {
+		virtualAddress = "0.0.0.0"
+	}
+	//Enhance the ARP control ability of VS's virtualaddress
+	//virtualAddress of VA use first value if config one address in VirtualAddresses of VS
+	defaultVa := &VirtualServerVa{
+		Class: ClassServiceAddress,
+		VirtualAddress: virtualAddress,
+		IcmpEcho: "disable",
+		ArpEnabled: false,
+	}
+	vaTemplate := ac.tenantConfig.VirtualService.VirtualAddresses.template
+	if strings.TrimSpace(vaTemplate) != ""{
+		va := map[string]interface{}{}
+		err := validateJSONAndFetchObject(vaTemplate, &va)
+		if err == nil{
+			sharedApp[getAs3VsVaAttr()] = defaultVa
+		}
+	}
+	if _, ok := sharedApp[getAs3VsVaAttr()]; !ok{
+		virtualAddresses := ac.tenantConfig.VirtualService.VirtualAddresses
+		if virtualAddresses.VirtualAddress != ""{
+			defaultVa.VirtualAddress = virtualAddresses.VirtualAddress
+		}
+		if virtualAddresses.IcmpEcho != ""{
+			defaultVa.IcmpEcho = virtualAddresses.IcmpEcho
+		}
+		defaultVa.ArpEnabled = virtualAddresses.ArpEnabled
+	}
+	sharedApp[getAs3VsVaAttr()] = defaultVa
+}
+
 // Create AS3 Service for Route
 func (ac *as3Post) newServiceDecl(sharedApp as3Application) {
 	svcPolicyPath := getAs3UsePathForPartition(ac.tenantConfig.Name, getAs3PolicyAttr("svc", ac.tenantConfig.RouteDomain.Name))
@@ -352,7 +394,7 @@ func (ac *as3Post) newServiceDecl(sharedApp as3Application) {
 	if isConfigLogProfile() {
 		enableSecurityLog = true
 	}
-	if ac.tenantConfig.VirtualService.Template != "" {
+	if strings.TrimSpace(ac.tenantConfig.VirtualService.Template) != "" {
 		vsTemplate := strings.ReplaceAll(ac.tenantConfig.VirtualService.Template, "k8s", GetCluster())
 		vsTemplate = strings.ReplaceAll(vsTemplate, "{{tenant}}", ac.tenantConfig.Name)
 
@@ -366,20 +408,25 @@ func (ac *as3Post) newServiceDecl(sharedApp as3Application) {
 			if !enableSecurityLog {
 				delete(vs, "securityLogProfiles")
 			}
+			vs["virtualAddresses"] = []Use{
+				{
+					getAs3UsePathForPartition(ac.tenantConfig.Name, getAs3VsVaAttr()),
+				},
+			}
 			sharedApp[getAs3VSAttr()] = vs
 			return
 		}
 	}
 	//error not nil or template is '', set default
-	VirtualAddresses := ac.tenantConfig.VirtualService.VirtualAddresses
-	if len(ac.tenantConfig.VirtualService.VirtualAddresses) == 0 {
-		VirtualAddresses = []string{"0.0.0.0"}
-	}
 	defaultVs := &VirtualServer{
 		Layer4:                 "any",
 		TranslateServerAddress: false,
 		TranslateServerPort:    false,
-		VirtualAddresses:       VirtualAddresses,
+		VirtualAddresses:       []Use{
+			{
+				getAs3UsePathForPartition(ac.tenantConfig.Name, getAs3VsVaAttr()),
+			},
+		},
 		PolicyFirewallEnforced: Use{
 			svcPolicyPath,
 		},
@@ -668,6 +715,10 @@ func getAs3VSAttr() string {
 	return fmt.Sprintf("%s_outbound_vs", GetCluster())
 }
 
+func getAs3VsVaAttr() string{
+	return fmt.Sprintf("%s_outbound_va", GetCluster())
+}
+
 func getAs3UsePathForPartition(partition, attr string) string {
 	if attr == "" {
 		return ""

diff --git a/pkg/as3/utils_test.go b/pkg/as3/utils_test.go
@@ -2389,7 +2389,7 @@ func TestMockServiceEgressRule(t *testing.T){
 		Tenant: []TenantConfig{
 			{
 				Name: "Common",
-				Namespaces: "",
+				Namespaces: "dwb-test",
 				RouteDomain: RouteDomain{
 					Name: "0",
 					Id:   0,
@@ -2986,7 +2986,11 @@ func TestSupportRouteDomain(t *testing.T) {
 					Id:   1,
 				},
 				VirtualService: VirtualService{
-					VirtualAddresses: []string{"2.2.2.2"},
+					VirtualAddresses: VirtualAddresses{
+						VirtualAddress: "1.1.1.1",
+						IcmpEcho: "disable",
+						ArpEnabled: true,
+					},
 				},
 				Gwpool: Gwpool{
 					ServerAddresses: []string{"192.168.132.2"},