From 3874f48a8c18948684bd799a09142fde719b0b04 Mon Sep 17 00:00:00 2001 From: Apple <932817900@qq.com> Date: Mon, 13 Dec 2021 18:15:39 +0800 Subject: [PATCH 1/2] =?UTF-8?q?=E5=A2=9E=E5=BC=BAVS=E7=9A=84virtualaddress?= =?UTF-8?q?=E7=9A=84ARP=E6=8E=A7=E5=88=B6=E8=83=BD=E5=8A=9B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- config/ces-conf.yaml | 12 ++++++--- doc/zh_cn.md | 51 ++++++++++++++++++++++-------------- examples/examples.yaml | 1 - pkg/as3/const.go | 1 + pkg/as3/init.go | 1 + pkg/as3/types.go | 31 ++++++++++++++++------ pkg/as3/utils.go | 59 +++++++++++++++++++++++++++++++++++++----- pkg/as3/utils_test.go | 6 ++++- 8 files changed, 123 insertions(+), 39 deletions(-) diff --git a/config/ces-conf.yaml b/config/ces-conf.yaml index 9efc0c3..fbbec9b 100755 --- a/config/ces-conf.yaml +++ b/config/ces-conf.yaml @@ -1,5 +1,5 @@ clusterName: k8s -isSupportRouteDomain: true +isSupportRouteDomain: false ##AS3 basic configuration ##Multi-cluster docking single BIG-IP, controller Common init and remote log masterCluster: k8s @@ -15,7 +15,10 @@ tenant: virtualService: template: '' virtualAddresses: - - "0.0.0.0" + virtualAddress: "0.0.0.0" + icmpEcho: "disable" + arpEnabled: false + template: '' gwPool: serverAddresses: - "192.168.10.1" @@ -27,7 +30,10 @@ tenant: virtualService: template: "" virtualAddresses: - - "1.0.0.0" + virtualAddress: "0.0.0.0" + icmpEcho: "disable" + arpEnabled: false + template: '' gwPool: serverAddresses: - "1.16.10.22" diff --git a/doc/zh_cn.md b/doc/zh_cn.md index 3dc3321..93f11c8 100755 --- a/doc/zh_cn.md +++ b/doc/zh_cn.md @@ -91,7 +91,10 @@ tenant: - "0.0.0.0" gwPool: serverAddresses: - - "192.168.10.1" + virtualAddress: "0.0.0.0" + icmpEcho: "disable" + arpEnabled: false + template: '' - name: project2 namespaces: project2 routeDomain: 
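Review bot: `isSupportRouteDomain` flips from true to false in this hunk and back to true in PATCH 2/2, where the `default` namespace also moves between tenants; that reads like a local test setup committed into the sample config rather than an intended change, and keeping the sample stable would make the real change (the new `virtualAddresses` map) easier to see. With the p2 tenant's address changed from "1.0.0.0" to "0.0.0.0", both sample tenants now declare the same Service_Address, which may be fine when each tenant sits in its own route domain, but with the flag set to false in this same commit a short comment in the sample saying which setup the values are for would help. `virtualAddresses` also changes from a list to a map here, so an existing config with `- "0.0.0.0"` will presumably no longer decode — the doc should call out that this is a breaking format change.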
@@ -103,8 +106,12 @@ tenant: - "1.0.0.0" gwPool: serverAddresses: - - "1.16.10.22" - - "192.168.10.22" + template: '{ + "class": "Service_Address", + "virtualAddress": "0.0.0.0", + "icmpEcho": "disable", + "arpEnabled": false + }' - name: project3 namespaces: project3,test-ns-a routeDomain: @@ -209,29 +216,33 @@ logPool: ###上面配置参数说明: ``` -clusterName: 当前集群名称,用于rule的规则前缀 +clusterName: 当前集群名称,用于rule的规则前缀 -isSupportRouteDomain: 是否支持严格的RouteDomain +isSupportRouteDomain: 是否支持严格的RouteDomain -masterCluster:对于多集群对应单BIG-IP时,需要设置,控制初始化Common tenant +masterCluster: 对于多集群对应单BIG-IP时,需要设置,控制初始化Common tenant -schemaVersion: AS3中ADC的版本,默认为3.29.0 +schemaVersion: AS3中ADC的版本,默认为3.29.0 -iRule: 流量控制配置,此参数需优先在BIG-IP中设置好。 +iRule: 流量控制配置,此参数需优先在BIG-IP中设置好。 tenant: - name: tenant的名称,对应BIG-IP中的partition - namespaces: tenant对应的命名空间,多个可以用逗号隔开,eg: 不支持rd时。此参数可控制监听的namespace下的资源 - virtualService: ##VS - template: VS的模板。用户可自行定义,需要满足AS3规范,具体看上面实例。 - virtualAddresses: VS中virtualAddresses的值。 - gwPool: ####gateway - serverAddresses: gwpool中的参数值,gateway的ip列表 - logPool:##日志 - loggingEnabled: 是否配置log profile - enableRemoteLog: 是否开启远程日志 - serverAddresses: pool中的ip列表 - template:日志配置模板。可参考上面实例 + name: tenant的名称,对应BIG-IP中的partition + namespaces: tenant对应的命名空间,多个可以用逗号隔开,eg: 不支持rd时。此参数可控制监听的namespace下的资源 + virtualService: ##VS + template: VS的模板。用户可自行定义,需要满足AS3规范,具体看上面实例。 + virtualAddresses: ##virtualAddresses + virtualAddress: serviceAddress中virtualAddresses的值。 + icmpEcho: serviceAddress中icmp的配置 + arpEnabled: serviceAddress中arp的配置 + template: serviceAddress的模板设置 + gwPool: ####gateway + serverAddresses: gwpool中的参数值,gateway的ip列表 + logPool: ##日志 + loggingEnabled: 是否配置log profile + enableRemoteLog: 是否开启远程日志 + serverAddresses: pool中的ip列表 + template: 日志配置模板。可参考上面实例 ``` diff --git a/examples/examples.yaml b/examples/examples.yaml index 07c63cd..6359961 100755 --- a/examples/examples.yaml +++ b/examples/examples.yaml 
@@ -52,7 +52,6 @@ metadata: namespace: project3 spec: action: accept - subnet: 1.1.1.1 externalServices: - exsvc3 diff --git a/pkg/as3/const.go b/pkg/as3/const.go index 9313606..7224ef4 100755 --- a/pkg/as3/const.go +++ b/pkg/as3/const.go @@ -20,6 +20,7 @@ const ( ClassFirewallRuleList = "Firewall_Rule_List" ClassFirewallPolicy = "Firewall_Policy" ClassVirtualServerL4 = "Service_L4" + ClassServiceAddress = "Service_Address" ClassPoll = "Pool" ClassSecurityLogProfile = "Security_Log_Profile" ClassLogPublisher = "Log_Publisher" diff --git a/pkg/as3/init.go b/pkg/as3/init.go index 17ddf6b..daa89fc 100755 --- a/pkg/as3/init.go +++ b/pkg/as3/init.go @@ -214,6 +214,7 @@ func skipDeleteShareApplicationClassOrAttr(partition, attr string) bool { ClassKey: true, TemplateKey: true, getAs3VSAttr(): true, + getAs3VsVaAttr(): true, getAs3GwPoolAttr(): true, getAllDenyRuleListAttr(): true, } diff --git a/pkg/as3/types.go b/pkg/as3/types.go index 04488d3..4360a92 100755 --- a/pkg/as3/types.go +++ b/pkg/as3/types.go @@ -52,9 +52,9 @@ type FirewallRule struct { IRule *IRule `json:"iRule,omitempty"` Destination FirewallDestination `json:"destination,omitempty"` - Source FirewallSource `json:"source,omitempty"` - Action string `json:"action,omitempty"` - LoggingEnabled bool `json:"loggingEnabled,omitempty"` + Source FirewallSource `json:"source,omitempty"` + Action string `json:"action,omitempty"` + LoggingEnabled bool `json:"loggingEnabled,omitempty"` } type IRule struct { @@ -105,7 +105,7 @@ type VirtualServer struct { Layer4 string `json:"layer4"` TranslateServerAddress bool `json:"translateServerAddress"` TranslateServerPort bool `json:"translateServerPort"` - VirtualAddresses []string `json:"virtualAddresses"` + VirtualAddresses []Use `json:"virtualAddresses"` PolicyFirewallEnforced Use `json:"policyFirewallEnforced"` SecurityLogProfiles []Use `json:"securityLogProfiles,omitempty"` VirtualPort int `json:"virtualPort"` 
@@ -114,6 +114,14 @@ type VirtualServer struct { Pool string `json:"pool"` } +//ARP +type VirtualServerVa struct { + Class string `json:"class"` + VirtualAddress string `json:"virtualAddress"` + IcmpEcho string `json:"icmpEcho"` + ArpEnabled bool `json:"arpEnabled"` +} + //viper type ( As3Config struct { @@ -128,7 +136,7 @@ type ( LogPool struct { //Whether to configure logging profile - LoggingEnabled bool `mapstructure:"loggingEnabled"` + LoggingEnabled bool `mapstructure:"loggingEnabled"` //Whether to open remote log EnableRemoteLog bool `mapstructure:"enableRemoteLog"` Template string `mapstructure:"template"` @@ -156,7 +164,14 @@ type ( VirtualService struct { //Custom vs structure,if "", use Common vs value Template string `mapstructure:"template"` - VirtualAddresses []string `mapstructure:"virtualAddresses"` + VirtualAddresses VirtualAddresses `mapstructure:"virtualAddresses"` + } + + VirtualAddresses struct { + VirtualAddress string `mapstructure:"virtualAddress"` + IcmpEcho string `mapstructure:"icmpEcho"` + ArpEnabled bool `mapstructure:"arpEnabled"` + template string `mapstructure:"template"` } ) @@ -188,8 +203,8 @@ type ( type ( portIrule struct { protocol string - irule string - ports []string + irule string + ports []string } //protocol map[string]portIrule diff --git a/pkg/as3/utils.go b/pkg/as3/utils.go index a7f75c2..eba81d9 100755 --- a/pkg/as3/utils.go +++ b/pkg/as3/utils.go @@ -110,6 +110,9 @@ func (ac *as3Post) processResourcesForAS3(sharedApp as3Application) { //Create log pools ac.newLogPoolDecl(sharedApp) + //Create VS ARP + ac.newVirtualAddressDecl(sharedApp) + //Create AS3 Service for virtual server ac.newServiceDecl(sharedApp) } 
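Review bot: `//ARP` on VirtualServerVa says little about what the struct is, and since it is an exported type that is marshalled straight into the declaration sent to BIG-IP its JSON contract is worth stating; suggest `// VirtualServerVa is the AS3 Service_Address object the outbound VS references through virtualAddresses; it carries the ICMP echo and ARP settings of that address.` The terse style matches `//viper` and `//protocol map[string]portIrule` elsewhere in this file, but those are internal. Note too that `ArpEnabled` deliberately has no `omitempty`, so `false` is emitted explicitly rather than dropped; a one-line comment saying so would stop someone "fixing" it later.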
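Review bot: The `template` field of VirtualAddresses is unexported, and mapstructure (which viper decodes through) only sets exported fields, so the `template:` key shown in config/ces-conf.yaml and doc/zh_cn.md can never reach `ac.tenantConfig.VirtualService.VirtualAddresses.template` in newVirtualAddressDecl (pkg/as3/utils.go) — that whole branch is dead. Renaming it `Template string `mapstructure:"template"``, consistent with `VirtualService.Template` and `LogPool.Template` in the same type block, fixes it. The new struct also deserves a comment in the style of the LogPool fields, e.g. `//Service_Address settings for the outbound VS; template is intended to replace the generated object when set`.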
@@ -344,6 +347,41 @@ func (ac *as3Post) newLogPoolDecl(sharedApp as3Application) { } } +//Create VS ARP +func(ac *as3Post) newVirtualAddressDecl(sharedApp as3Application){ + virtualAddress := ac.tenantConfig.VirtualService.VirtualAddresses.VirtualAddress + if len(virtualAddress) == 0 { + virtualAddress = "0.0.0.0" + } + //Enhance the ARP control ability of VS's virtualaddress + //virtualAddress of VA use first value if config one address in VirtualAddresses of VS + defaultVa := &VirtualServerVa{ + Class: ClassServiceAddress, + VirtualAddress: virtualAddress, + IcmpEcho: "disable", + ArpEnabled: false, + } + vaTemplate := ac.tenantConfig.VirtualService.VirtualAddresses.template + if strings.TrimSpace(vaTemplate) != ""{ + va := map[string]interface{}{} + err := validateJSONAndFetchObject(vaTemplate, &va) + if err == nil{ + sharedApp[getAs3VsVaAttr()] = defaultVa + } + } + if _, ok := sharedApp[getAs3VsVaAttr()]; !ok{ + virtualAddresses := ac.tenantConfig.VirtualService.VirtualAddresses + if virtualAddresses.VirtualAddress != ""{ + defaultVa.VirtualAddress = virtualAddresses.VirtualAddress + } + if virtualAddresses.IcmpEcho != ""{ + defaultVa.IcmpEcho = virtualAddresses.IcmpEcho + } + defaultVa.ArpEnabled = virtualAddresses.ArpEnabled + } + sharedApp[getAs3VsVaAttr()] = defaultVa +} + // Create AS3 Service for Route func (ac *as3Post) newServiceDecl(sharedApp as3Application) { svcPolicyPath := getAs3UsePathForPartition(ac.tenantConfig.Name, getAs3PolicyAttr("svc", ac.tenantConfig.RouteDomain.Name)) @@ -352,7 +390,7 @@ func (ac *as3Post) newServiceDecl(sharedApp as3Application) { if isConfigLogProfile() { enableSecurityLog = true } - if ac.tenantConfig.VirtualService.Template != "" { + if strings.TrimSpace(ac.tenantConfig.VirtualService.Template) != "" { vsTemplate := strings.ReplaceAll(ac.tenantConfig.VirtualService.Template, "k8s", GetCluster()) vsTemplate = strings.ReplaceAll(vsTemplate, "{{tenant}}", ac.tenantConfig.Name) 
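Review bot: In newVirtualAddressDecl the template branch stores `defaultVa` instead of the parsed `va`, so a valid template is discarded, and because the key now exists the following `!ok` block that copies `icmpEcho`/`arpEnabled` from config is skipped as well — a valid template leaves only the hard-coded defaults. The rewrite below stores `va` and returns, otherwise falls through to the field-based default, matching the "error not nil or template is '', set default" convention of newServiceDecl; the second `VirtualAddress != ""` copy goes away since the first `len(virtualAddress) == 0` block already applied it, and a parse error should be logged rather than silently ignored if the file has a logger. Two design points: `ArpEnabled` is a plain bool, so an omitted `arpEnabled` and an explicit `false` both disable ARP — a `*bool` would let "unset" keep the AS3 default if that is wanted — and `IcmpEcho` is passed through unvalidated, so a typo is only caught when BIG-IP rejects the declaration (AS3 accepts only a small enum here: enable, disable, selective). The new code is also not gofmt-clean (`func(ac`, `!= ""{`).
```go
	// … unchanged: virtualAddress default and defaultVa construction …

	// A valid template wins; on a parse error fall back to the field-based default below.
	vaTemplate := ac.tenantConfig.VirtualService.VirtualAddresses.template
	if strings.TrimSpace(vaTemplate) != "" {
		va := map[string]interface{}{}
		if err := validateJSONAndFetchObject(vaTemplate, &va); err == nil {
			sharedApp[getAs3VsVaAttr()] = va
			return
		}
	}
	virtualAddresses := ac.tenantConfig.VirtualService.VirtualAddresses
	if virtualAddresses.IcmpEcho != "" {
		defaultVa.IcmpEcho = virtualAddresses.IcmpEcho
	}
	defaultVa.ArpEnabled = virtualAddresses.ArpEnabled
	sharedApp[getAs3VsVaAttr()] = defaultVa
}
```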
@@ -366,20 +404,25 @@ func (ac *as3Post) newServiceDecl(sharedApp as3Application) { if !enableSecurityLog { delete(vs, "securityLogProfiles") } + vs["virtualAddresses"] = []Use{ + { + getAs3UsePathForPartition(ac.tenantConfig.Name, getAs3VsVaAttr()), + }, + } sharedApp[getAs3VSAttr()] = vs return } } //error not nil or template is '', set default - VirtualAddresses := ac.tenantConfig.VirtualService.VirtualAddresses - if len(ac.tenantConfig.VirtualService.VirtualAddresses) == 0 { - VirtualAddresses = []string{"0.0.0.0"} - } defaultVs := &VirtualServer{ Layer4: "any", TranslateServerAddress: false, TranslateServerPort: false, - VirtualAddresses: VirtualAddresses, + VirtualAddresses: []Use{ + { + getAs3UsePathForPartition(ac.tenantConfig.Name, getAs3VsVaAttr()), + }, + }, PolicyFirewallEnforced: Use{ svcPolicyPath, }, @@ -668,6 +711,10 @@ func getAs3VSAttr() string { return fmt.Sprintf("%s_outbound_vs", GetCluster()) } +func getAs3VsVaAttr() string{ + return fmt.Sprintf("%s_outbound_va", GetCluster()) +} + func getAs3UsePathForPartition(partition, attr string) string { if attr == "" { return "" diff --git a/pkg/as3/utils_test.go b/pkg/as3/utils_test.go index 9dcdd52..c039c13 100755 --- a/pkg/as3/utils_test.go +++ b/pkg/as3/utils_test.go @@ -2986,7 +2986,11 @@ func TestSupportRouteDomain(t *testing.T) { Id: 1, }, VirtualService: VirtualService{ - VirtualAddresses: []string{"2.2.2.2"}, + VirtualAddresses: VirtualAddresses{ + VirtualAddress: "1.1.1.1", + IcmpEcho: "disable", + ArpEnabled: true, + }, }, Gwpool: Gwpool{ ServerAddresses: []string{"192.168.132.2"}, From 8a04830513334f7c0ef6e565de2f16e3ca386963 Mon Sep 17 00:00:00 2001 
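Review bot: In the template branch `vs["virtualAddresses"]` is now overwritten unconditionally after the user template has been parsed, so a `virtualAddresses` value the user put into their VS template is silently replaced; if that override is intentional (so the ARP/ICMP controls of the generated Service_Address always apply) it should be stated in a comment, otherwise set it only when absent with `if _, ok := vs["virtualAddresses"]; !ok { ... }`. The same three-line `[]Use{{getAs3UsePathForPartition(ac.tenantConfig.Name, getAs3VsVaAttr())}}` literal now appears in both the template and the default path; hoisting it into one local near the top of the function, e.g. `vaUse := []Use{{getAs3UsePathForPartition(ac.tenantConfig.Name, getAs3VsVaAttr())}}`, removes the duplication and makes the cross-reference to newVirtualAddressDecl obvious. newServiceDecl starts and ends outside this hunk.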
From: Apple <932817900@qq.com> Date: Fri, 17 Dec 2021 09:56:29 +0800 Subject: [PATCH 2/2] =?UTF-8?q?=E5=9C=A8=E6=94=AF=E6=8C=81rd=E6=97=B6?= =?UTF-8?q?=EF=BC=8Cpost=E6=97=B6=E5=88=A0=E9=99=A4Common?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- config/ces-conf.yaml | 6 +++--- pkg/as3/utils.go | 4 ++++ pkg/as3/utils_test.go | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/config/ces-conf.yaml b/config/ces-conf.yaml index fbbec9b..b3a41b4 100755 --- a/config/ces-conf.yaml +++ b/config/ces-conf.yaml @@ -1,5 +1,5 @@ clusterName: k8s -isSupportRouteDomain: false +isSupportRouteDomain: true ##AS3 basic configuration ##Multi-cluster docking single BIG-IP, controller Common init and remote log masterCluster: k8s @@ -11,7 +11,7 @@ iRule: tenant: ##common partiton config, init AS3 needs - name: "Common" - namespaces: "default,dwb-test1,dwb-test" + namespaces: "dwb-test1,dwb-test" virtualService: template: '' virtualAddresses: @@ -23,7 +23,7 @@ tenant: serverAddresses: - "192.168.10.1" - name: p2 - namespaces: dwb-test + namespaces: default routeDomain: id: 2 name: "rd2" diff --git a/pkg/as3/utils.go b/pkg/as3/utils.go index eba81d9..fcf3661 100755 --- a/pkg/as3/utils.go +++ b/pkg/as3/utils.go @@ -84,6 +84,10 @@ func newAs3Obj(partition string, shareApplication interface{}) interface{} { tenant.initDefault(partition) tenant[SharedKey] = shareApplication adc[partition] = tenant + //remove Common if partition is not Common + if IsSupportRouteDomain() && partition != DefaultPartition{ + delete(adc, DefaultPartition) + } ac[DeclarationKey] = adc return ac } diff --git a/pkg/as3/utils_test.go b/pkg/as3/utils_test.go index c039c13..1c3f48a 100755 --- a/pkg/as3/utils_test.go +++ b/pkg/as3/utils_test.go @@ -2389,7 +2389,7 @@ func TestMockServiceEgressRule(t *testing.T){ Tenant: []TenantConfig{ { Name: "Common", - Namespaces: "", + Namespaces: "dwb-test", RouteDomain: RouteDomain{ Name: "0", Id: 0,
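Review bot: The added `delete(adc, DefaultPartition)` prunes a Common tenant that newAs3Obj presumably inserted a few lines earlier (the start of the function is outside the hunk), so the declaration is built and then trimmed, and the comment `//remove Common if partition is not Common` restates the condition rather than the reason. Suggest a why-comment instead, e.g. `// With route domains each tenant is posted on its own; Common is initialised by the master cluster and must not be re-declared on every tenant post — assumption, confirm against the posting flow`. Whether omitting Common from a POST leaves that tenant untouched on BIG-IP, and why the same pruning is not wanted when IsSupportRouteDomain() is false, is not visible here and belongs in that comment. The new line is also not gofmt-clean (`DefaultPartition{`).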