Add Consul interdomain example

examples/basic_interdomain/nsm/README.md

@@ -0,0 +1,26 @@
+# NSM interdomain setup
+
+
+This example simply show how can be deployed and configured two NSM on different clusters
+
+## Run
+
+Install NSM
+```bash
+kubectl --kubeconfig=$KUBECONFIG1 apply -k https://github.com/networkservicemesh/deployments-k8s/examples/basic_interdomain/nsm/cluster1?ref=9b2e8e76fbc7505da8e87ea24bf90ac39f4b6c1a
+kubectl --kubeconfig=$KUBECONFIG2 apply -k https://github.com/networkservicemesh/deployments-k8s/examples/basic_interdomain/nsm/cluster2?ref=9b2e8e76fbc7505da8e87ea24bf90ac39f4b6c1a
+```
+
+## Cleanup
+
+Cleanup NSM
+```bash
+WH=$(kubectl --kubeconfig=$KUBECONFIG1 get pods -l app=admission-webhook-k8s -n nsm-system --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}')
+kubectl --kubeconfig=$KUBECONFIG1 delete mutatingwebhookconfiguration ${WH}
+
+WH=$(kubectl --kubeconfig=$KUBECONFIG2 get pods -l app=admission-webhook-k8s -n nsm-system --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}')
+kubectl --kubeconfig=$KUBECONFIG2 delete mutatingwebhookconfiguration ${WH}
+
+kubectl --kubeconfig=$KUBECONFIG1 delete -k https://github.com/networkservicemesh/deployments-k8s/examples/basic_interdomain/nsm/cluster1?ref=9b2e8e76fbc7505da8e87ea24bf90ac39f4b6c1a
+kubectl --kubeconfig=$KUBECONFIG2 delete -k https://github.com/networkservicemesh/deployments-k8s/examples/basic_interdomain/nsm/cluster2?ref=9b2e8e76fbc7505da8e87ea24bf90ac39f4b6c1a
+```

examples/nsm_istio/spire/README.md → examples/basic_interdomain/spire/README.md

@@ -6,8 +6,8 @@ This example shows how to simply configure two spire servers from different clus
 
 Install spire
 ```bash
-kubectl --kubeconfig=$KUBECONFIG1 apply -k ./cluster1
-kubectl --kubeconfig=$KUBECONFIG2 apply -k ./cluster2
+kubectl --kubeconfig=$KUBECONFIG1 apply -k https://github.com/networkservicemesh/deployments-k8s/examples/basic_interdomain/spire/cluster1?ref=9b2e8e76fbc7505da8e87ea24bf90ac39f4b6c1a
+kubectl --kubeconfig=$KUBECONFIG2 apply -k https://github.com/networkservicemesh/deployments-k8s/examples/basic_interdomain/spire/cluster2?ref=9b2e8e76fbc7505da8e87ea24bf90ac39f4b6c1a
 ```
 
 Wait for spire ready

examples/nsm_consul/.gitignore

@@ -0,0 +1,2 @@
+!**/kustomization.yaml
+!**/patch-*.yaml

examples/nsm_consul/README.md

@@ -0,0 +1,73 @@
+# NSM + Consul interdomain example over kind clusters
+
+This example show how Consul can be used over nsm 
+
+
+## Requires
+
+- [Load balancer](../basic_interdomain/loadbalancer)
+- [Interdomain DNS](../basic_interdomain/dns)
+- [Interdomain spire](../basic_interdomain/spire)
+- [Interdomain nsm](../basic_interdomain/nsm)
+
+
+## Run
+
+Install Consul
+```bash
+brew tap hashicorp/tap
+brew install hashicorp/tap/consul-k8s
+```
+
+Install Consul for the second cluster:
+```bash
+consul-k8s install -config-file=https://github.com/networkservicemesh/deployments-k8s/examples/nsm_consul/helm-consul-values.yaml?ref=9b2e8e76fbc7505da8e87ea24bf90ac39f4b6c1a -set global.image=hashicorp/consul:1.12.0 --kubeconfig=$KUBECONFIG2
+```
+
+### Verify NSM+CONSUL
+
+Install networkservice for the second cluster::
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 apply -f https://github.com/networkservicemesh/deployments-k8s/examples/nsm_consul/networkservice.yaml?ref=9b2e8e76fbc7505da8e87ea24bf90ac39f4b6c1a 
+```
+
+Start `alpine` networkservicemesh client for the first cluster:
+
+```bash
+kubectl --kubeconfig=$KUBECONFIG1 apply -f https://github.com/networkservicemesh/deployments-k8s/examples/nsm_consul/client/client.yaml?ref=9b2e8e76fbc7505da8e87ea24bf90ac39f4b6c1a 
+```
+
+Create kubernetes service for the networkservicemesh endpoint:
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 apply -f https://github.com/networkservicemesh/deployments-k8s/examples/nsm_consul/service.yaml?ref=9b2e8e76fbc7505da8e87ea24bf90ac39f4b6c1a 
+```
+
+Start `auto-scale` networkservicemesh endpoint:
+```bash
+
+kubectl --kubeconfig=$KUBECONFIG2 apply -k https://github.com/networkservicemesh/deployments-k8s/examples/nsm_consul/nse-auto-scale?ref=9b2e8e76fbc7505da8e87ea24bf90ac39f4b6c1a
+```
+
+Install `static-server` Consul workload on the second cluster:
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 apply -f https://github.com/networkservicemesh/deployments-k8s/examples/nsm_consul/server/static-server.yaml?ref=9b2e8e76fbc7505da8e87ea24bf90ac39f4b6c1a  
+```
+
+Verify connection from networkservicemesh client to consul server:
+```bash
+kubectl --kubeconfig=$KUBECONFIG1 exec -it alpine-nsc -- apk add curl
+kubectl --kubeconfig=$KUBECONFIG1 exec -it alpine-nsc -- curl 172.16.1.2:8080
+```
+
+You should see "hello world" answer.
+
+## Cleanup
+
+
+```bash
+kubectl --kubeconfig=$KUBECONFIG2 delete deployment static-server
+kubectl --kubeconfig=$KUBECONFIG2 delete -k https://github.com/networkservicemesh/deployments-k8s/examples/nsm_consul/nse-auto-scale?ref=9b2e8e76fbc7505da8e87ea24bf90ac39f4b6c1a 
+kubectl --kubeconfig=$KUBECONFIG1 delete -f https://github.com/networkservicemesh/deployments-k8s/examples/nsm_consul/client/client.yaml?ref=9b2e8e76fbc7505da8e87ea24bf90ac39f4b6c1a
+kubectl --kubeconfig=$KUBECONFIG2 delete -f https://github.com/networkservicemesh/deployments-k8s/examples/nsm_consul/networkservice.yaml?ref=9b2e8e76fbc7505da8e87ea24bf90ac39f4b6c1a
+consul-k8s uninstall --kubeconfig=$KUBECONFIG2 -auto-approve=true -wipe-data=true
+```

examples/nsm_consul/client/client.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: alpine-nsc
+  labels:
+    app: alpine-nsc
+  annotations:
+    networkservicemesh.io: kernel://autoscale-consul-proxy@my.cluster2/nsm-1?app=alpine-nsc
+spec:
+  containers:
+  - name: alpine-nsc
+    image: alpine:3.15.0
+    imagePullPolicy: IfNotPresent
+    stdin: true
+    tty: true

examples/nsm_consul/helm-consul-values.yaml

@@ -0,0 +1,10 @@
+---
+global:
+  name: consul
+  datacenter: dc1
+server:
+  replicas: 1
+connectInject:
+  enabled: true
+  transparentProxy:
+    defaultEnabled: false

examples/nsm_consul/kind-cluster-config.yaml

@@ -0,0 +1,6 @@
+---
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+  - role: control-plane
+  - role: worker

examples/nsm_consul/networkservice.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: networkservicemesh.io/v1
+kind: NetworkService
+metadata:
+  name: autoscale-consul-proxy
+  namespace: nsm-system
+spec:
+  payload: IP
+  matches:
+    - source_selector:
+      fallthrough: true
+      routes:
+        - destination_selector:
+            podName: "{{ .podName }}"
+    - source_selector:
+      routes:
+        - destination_selector:
+            any: "true"

examples/nsm_consul/nse-auto-scale/iptables-map.yaml

@@ -0,0 +1,2 @@
+---
+- -I PREROUTING 1 -p tcp -i {{ .NsmInterfaceName }} -j DNAT --to-destination 127.0.0.1

examples/nsm_consul/nse-auto-scale/kustomization.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+- https://github.com/networkservicemesh/deployments-k8s/apps/nse-supplier-k8s?ref=b4bddacfa45fafb7c15a769a1fc0f319e63d6a8d
+
+patchesStrategicMerge:
+- patch-supplier.yaml
+
+configMapGenerator:
+  - name: supplier-pod-template-configmap
+    files:
+      - pod-template.yaml
+  - name: iptables-map
+    files:
+      - iptables-map.yaml
+
+generatorOptions:
+  disableNameSuffixHash: true

examples/nsm_consul/nse-auto-scale/patch-supplier.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nse-supplier-k8s
+spec:
+  template:
+    metadata:
+      annotations:
+        'consul.hashicorp.com/connect-inject': 'false'
+    spec:
+      containers:
+        - name: nse-supplier
+          env:
+            - name: NSM_SERVICE_NAME
+              value: autoscale-consul-proxy
+            - name: NSM_LABELS
+              value: any:true
+            - name: NSM_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: NSM_POD_DESCRIPTION_FILE
+              value: /run/supplier/pod-template.yaml
+          volumeMounts:
+            - name: pod-file
+              mountPath: /run/supplier
+              readOnly: true
+      volumes:
+        - name: pod-file
+          configMap:
+            name: supplier-pod-template-configmap

examples/nsm_consul/nse-auto-scale/pod-template.yaml

@@ -0,0 +1,76 @@
+---
+apiVersion: apps/v1
+kind: Pod
+metadata:
+  name: proxy-{{ index .Labels "podName" }}
+  labels:
+    app: proxy-{{ index .Labels "podName" }}
+    "spiffe.io/spiffe-id": "true"
+  annotations:
+    'consul.hashicorp.com/connect-inject': 'true'
+    'consul.hashicorp.com/connect-service-upstreams': 'static-server:8080'
+spec:
+  restartPolicy: Never
+  containers:
+    - name: nse
+      image: ghcr.io/networkservicemesh/ci/cmd-nse-l7-proxy:32fbf26
+      imagePullPolicy: IfNotPresent
+      securityContext:
+        privileged: true
+      env:
+        - name: SPIFFE_ENDPOINT_SOCKET
+          value: unix:///run/spire/sockets/agent.sock
+        - name: NSM_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAME
+          value: {{ index .Labels "podName" }}
+        - name: NSM_CONNECT_TO
+          value: unix:///var/lib/networkservicemesh/nsm.io.sock
+        - name: NSM_CIDR_PREFIX
+          value: 172.16.1.2/31
+        - name: NSM_SERVICE_NAMES
+          value: autoscale-consul-proxy
+        - name: NSM_LABELS
+          value: app:{{ index .Labels "app" }}
+        - name: NSM_IDLE_TIMEOUT
+          value: 240s
+        - name: NSM_LOG_LEVEL
+          value: TRACE
+        - name: NSM_RULES_CONFIG_PATH
+          value: iptables-map.yaml
+      volumeMounts:
+        - name: spire-agent-socket
+          mountPath: /run/spire/sockets
+          readOnly: true
+        - name: nsm-socket
+          mountPath: /var/lib/networkservicemesh
+          readOnly: true
+        - name: iptables-config-map
+          mountPath: /iptables-map
+      resources:
+        limits:
+          memory: 40Mi
+          cpu: 150m
+    - name: proxy-alpine-nsc
+      image: hashicorp/http-echo:latest
+      args:
+        - -text="hello world from nse"
+        - -listen=:9090
+      ports:
+        - containerPort: 9090
+          name: http
+  serviceAccountName: proxy-alpine-nsc
+  volumes:
+    - name: spire-agent-socket
+      hostPath:
+        path: /run/spire/sockets
+        type: Directory
+    - name: nsm-socket
+      hostPath:
+        path: /var/lib/networkservicemesh
+        type: DirectoryOrCreate
+    - name: iptables-config-map
+      configMap:
+        name: iptables-map

examples/nsm_consul/server/static-server.yaml

@@ -0,0 +1,49 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  # This name will be the service name in Consul.
+  name: static-server
+spec:
+  selector:
+    app: static-server
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 8080
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: static-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: static-server
+  namespace: nsm-consul
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: static-server
+  template:
+    metadata:
+      name: static-server
+      labels:
+        app: static-server
+      annotations:
+        'consul.hashicorp.com/connect-inject': 'true'
+        'consul.hashicorp.com/connect-service-upstreams': 'proxy-alpine-nsc:9090'
+    spec:
+      containers:
+        - name: static-server
+          image: hashicorp/http-echo:latest
+          args:
+            - -text="hello world"
+            - -listen=:8080
+          ports:
+            - containerPort: 8080
+              name: http
+      # If ACLs are enabled, the serviceAccountName must match the Consul service name.
+      serviceAccountName: static-server

examples/nsm_consul/service.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: proxy-alpine-nsc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: proxy-alpine-nsc
+spec:
+  selector:
+    app: proxy-alpine-nsc
+  ports:
+    - protocol: TCP
+      port: 9090
+      targetPort: 9090

examples/nsm_istio/README.md

@@ -7,10 +7,10 @@ This example show how can be used nsm over
 
 ## Requires
 
-- [Load balancer](./loadbalancer)
-- [Interdomain DNS](./dns)
-- [Interdomain spire](./spire)
-- [Interdomain nsm](./nsm)
+- [Load balancer](../basic_interdomain/loadbalancer)
+- [Interdomain DNS](../basic_interdomain/dns)
+- [Interdomain spire](../basic_interdomain/spire)
+- [Interdomain nsm](../basic_interdomain/nsm)
 
 
 ## Run

examples/nsm_istio/nse-auto-scale/iptables-map.yaml

@@ -0,0 +1,10 @@
+---
+- -N NSM_PREROUTE
+- -A NSM_PREROUTE -j ISTIO_REDIRECT
+- -I PREROUTING 1 -p tcp -i {{ .NsmInterfaceName }} -j NSM_PREROUTE
+- -N NSM_OUTPUT
+- -A NSM_OUTPUT -j DNAT --to-destination {{ index .NsmSrcIPs 0 }}
+- -A OUTPUT -p tcp -s 127.0.0.6 -j NSM_OUTPUT
+- -N NSM_POSTROUTING
+- -A NSM_POSTROUTING -j SNAT --to-source {{ index .NsmDstIPs 0 }}
+- -A POSTROUTING -p tcp -o {{ .NsmInterfaceName }} -j NSM_POSTROUTING