path: root/samples
Age | Commit message | Author | Files | Lines
2018-10-30 | Update modsecurity image docker registry | JingLu5 | 1 | -1/+1
The clover-ns-modsecurity-crs docker image is now built by Jenkins and uploaded to the OPNFV docker hub. This patch updates the modsecurity deployment kubernetes manifest to pull the image from OPNFV docker hub.
Change-Id: I7e8afd27f726600de9247fc98fe3f5d491000f1c
Signed-off-by: JingLu5 <lvjing5@huawei.com>
2018-10-12 | Add nginx services control functionality | earrage | 3 | -5/+49
- Modify nginx server template to use clover-controller in clover-system namespace for file upload
- Add ability to set nginx server paths and move uploaded files in clover-controller and set/get file upload metadata
- Add cloverctl commands to set nginx server and lb configurations
- Add example yaml files to configure nginx server and lb v1/v2 from cloverctl
- Modify service definition for http-lb versions to distinguish the two versions for GRPC messaging from clover-controller in SDC deployment yaml
Change-Id: I5c6866c5ff3de358939c58ea8c0bde64a69c6eca
Signed-off-by: earrage <eddie.arrage@huawei.com>
2018-09-19 | Merge "Add ModSecurity config guide" | Stephen Wong | 6 | -3/+76
2018-09-08 | Fix missing psutil dependency in nginx services | Eddie Arrage | 3 | -3/+3
- A psutil dependency was added in the latest Clover server version that was not added to the docker builds of the lb/proxy
Change-Id: Id48c3446a93d6b9cef65d453266d0bf15eddf6cc
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
2018-09-07 | Add ModSecurity config guide | JingLu5 | 6 | -3/+76
This patch adds ModSecurity config guide. This patch also deploys the modsecurity and ext_authz filter to clover-gateway namespace.
Change-Id: I5ab21e6337b8f8b839ddd028370df378686bd017
Signed-off-by: JingLu5 <lvjing5@huawei.com>
2018-09-05 | Merge "Add file upload/download and configure URL paths" | Stephen Wong | 9 | -87/+393
2018-09-05 | Merge "Modsecurity as a service" | Stephen Wong | 10 | -0/+434
2018-08-31 | Merge "Add envoy.ext_authz filter" | Stephen Wong | 1 | -0/+24
2018-08-29 | Bug fix in SDC after istio to 1.0.0 | Ace Lee | 1 | -12/+33
JIRA: CLOVER-84
There will be some bugs in SDC after we upgrade Istio to 1.0.0. Istio 1.0 has some concepts, for example: virtualservice gateway. So we change the yaml file using the 1.0.0 concepts. Add mirror function.
Change-Id: Id138cfec2c7d94b44eb508a056c91e193ac1b08b
Signed-off-by: Ace Lee <liyin11@huawei.com>
2018-08-28 | Add file upload/download and configure URL paths | Eddie Arrage | 9 | -87/+393
- Compile nginx from source in order to employ additional modules
- Add nginx-upload-module for high performance file upload that avoids the need for file copies with a web application.
- File upload allows for placement of files for file download for performance benchmarking.
- File upload can also be used directly for bi-directional throughput testing having emulated clients upload files while file downloads simultaneously occur.
- Nginx file upload stores files with hash to avoid conflicting file names. Upload block in nginx config is configured to send REST message to clover-controller with file metadata (original filename, size, etc.). clover-controller will be responsible for modifying the hashed filename and placing in a target directory within an nginx server.
- Build also adds nginx-rtmp module to act as streaming media server. L7 loader will be extended to fetch streaming files from RTMP servers.
- Add ability to create directories in server site root and create the location directive(s) in nginx configuration
- Separated upload for configuration (download files in various paths) from upload for testing (upload to create bi-directional session throughput)
- Upload for testing does not send upload metadata to clover-controller
- Added ability to move upload files to file folders in the nginx site root to use for download
- Delete files in upload folder
- Fixed issue with 426 Upgrade Required error message when upload module sends upload metadata to clover-controller
- Added server name to metadata sent to clover-controller
Change-Id: Ib4cf6240f92360b82f378c062675f4fdaa19ca93
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
2018-08-28 | Add envoy.ext_authz filter | JingLu5 | 1 | -0/+24
JIRA: CLOVER-86
This external authorization HTTP filter calls an external HTTP service (ModSecurity service) to check if the incoming HTTP request is authorized or not. If the request is deemed unauthorized then the request will be denied normally with 403 (Forbidden) response.
Change-Id: I0fe14c73defec027c54f42713cbdf69b0b83e102
Signed-off-by: JingLu5 <lvjing5@huawei.com>
2018-08-28 | Modsecurity as a service | JingLu5 | 10 | -0/+434
JIRA: CLOVER-68
1. Add Dockerfile and related files to build clover's modsecurity Docker container
2. Add manifest to install the Modsecurity in kubernetes cluster
Change-Id: Ia92926e730c04720f931999d7ec30565ce9e54be
Signed-off-by: JingLu5 <lvjing5@huawei.com>
2018-08-10 | upgrade istio to 1.0.0 | Ace Lee | 1 | -1/+1
JIRA: CLOVER-84
We change the env in clover and change some deploy script. Will upgrade the doc later.
Change-Id: I73a78afb91676efc3278b623c5d263a4a215ccd9
Signed-off-by: Ace Lee <liyin11@huawei.com>
2018-08-01 | Merge "Adding cassandra service with a separate yaml file." | Stephen Wong | 1 | -1/+0
2018-08-01 | Merge "Adding clearwater IMS yaml and clearwater live test dockerfile to test istio service-mesh" | Stephen Wong | 14 | -0/+363
2018-07-23 | Adding cassandra service with a separate yaml file. | iharijono | 1 | -1/+0
- Left the file samples/scenarios/service_delivery_controller_opnfv.yaml unchanged.
- Added a yaml definition of Cassandra StatefulSet and its service into a separate file under tools directory
- Cassandra Service runs with 1 replica
- Deleted 'data-plane-ns' and use 'default' instead for cassandra containers.
- Revoked changes for samples/scenarios/service_delivery_controller_opnfv.yaml.
- Added new line (Wutien suggested it)
JIRA: CLOVER-000
Change-Id: I2bb4249cf2523f5011d6fefc69dc469a90e20eaf
Signed-off-by: iharijono <indra.harijono@huawei.com>
2018-05-30 | Adding clearwater IMS yaml and clearwater live test dockerfile to test istio service-mesh | Muhammad Shaikh (Salman) | 14 | -0/+363
Checking into CLEARWATER_ISTIO branch
This part of the project is intended to validate the clearwater IMS with istio service-mesh.
Change-Id: Ia5ba86301a363fcf9cfe0bac525606b0d897713e
Signed-off-by: Muhammad Shaikh (Salman) <muhammad.shaikh@huawei.com>
2018-05-28 | fix the sdc sample deploy issue | wutianwei | 4 | -4/+4
There is an issue "No module named google.protobuf" when trying to run the services docker. Add the protobuf in services Dockerfile.
Change-Id: I280dc1d5908bcec784e9e1e7c4d07e145f092cdb
Signed-off-by: wutianwei <wutianwei1@huawei.com>
2018-04-24 | Fix snort rule with blank content & WR packet in alert | Eddie Arrage | 2 | -12/+20
- Fix bug with addition of content field in rule definition that causes rules with a blank content field to inhibit snort from starting successfully.
- Write more of the packet data for snort alert into Redis
- Above includes X-Real-IP, X-Forwarded-For header fields for http traffic from proxy that shows source IP. Some packet data is missing in alerts from snort.
Change-Id: I2c5c29e514d1ca9e8e5b9b3f7990afa87c6311b9
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
2018-04-17 | Merge "Extended snort rule add to allow content field" | Stephen Wong | 4 | -11/+36
2018-04-16 | Extended snort rule add to allow content field | Eddie Arrage | 4 | -11/+36
- Exposed the 'content' field in the GRPC server AddRules method
- Allows the 'MALWARE-CNC User-Agent ASafaWeb Scan' signature in the community rules to be copied to local rules
- Above ensures more deterministic alerts by snort each time the signature is hit
- Added here to support the SDC configuration guide, which details how to add this scan rule via GRPC client script
Change-Id: I6945c1e500075444134543bb9eb6003a03f1d5cc
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
2018-04-13 | Add SDC deploy/clean scripts | Eddie Arrage | 3 | -0/+80
- Added deploy/clean scripts for use in Clover container
- Deployment of entire SDC scenario
- Deployment includes istio install for manual sidecar injection without TLS authentication (deploy.sh)
- Added Jaeger tracing and Prometheus monitoring install (view.sh)
- Exposes NodePort for monitoring/tracing to access UIs outside of cluster
- Clean.sh attempts to remove all of the above
Change-Id: Id9548a77d71465a814a6e0cb1cbdf02d37235590
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
2018-04-05 | Merge "Fix Nginx lb in k8s/istio" | Stephen Wong | 5 | -24/+56
2018-04-05 | Merge "Added toplevel manifests for SDC sample scenario" | Stephen Wong | 2 | -1/+722
2018-04-04 | Aligned snort-ids default config for SDC scenario | Eddie Arrage | 3 | -4/+12
- Modified snort-ids alert process to use k8s DNS name 'proxy-access-control' to align with SDC scenario naming
- Added default port 50054 to the manifest yaml template and rendering script for communication with proxy-access-control
Change-Id: Ib04ee75e5d8ea9921b16b3b4469bed87b1cd2018
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
2018-04-03 | Fix Nginx lb in k8s/istio | Eddie Arrage | 5 | -24/+56
- Provide workaround to make nginx lb work properly
- nginx_client sample can modify default load balancing from three to two servers at runtime
- Ensure port 9180 is used for default deploy for lb and servers
- Modify render_yaml to specify deploy_name so that clover-server1, 2, 3 can be used for default lb config
- Ensure proxy template is aligned to lb to allow the source IP from originating host to be propagated to final destination
- Fix default nginx proxy server_name to 'proxy-access-control' and change default proxy destination to 'http-lb'
- Split lb service_type to 'lbv1' and 'lbv2' to provide an example of how to modify the run-time configuration of the load balancer after deployment
- modify http-lb-v2 to use clover-server4/5 instead of the default clover-server1/2/3
- modify http-lb-v1 to use clover-server1/2 instead of 1/2/3
- Aligned pod IP retrieval method with nginx_client.py
Change-Id: I73fa60a69c93ae1e82a477ef6283c00f67a21360
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
2018-04-03 | Added toplevel manifests for SDC sample scenario | Eddie Arrage | 2 | -1/+722
- Added missing k8s manifest yaml files for overall service delivery controller scenario - cannot be deployed coherently without this manifest
- One file for private docker registry and one for opnfv public registry
- Outlined in JIRA ticket CLOVER-16 and validated per description
- Includes ingress rule, community redis pod/service and deployments for http-lb (v1/v2), snort-ids, proxy-access-controller, and clover-server1-5
- All above pod/deployment naming matches default container configuration
- Tested with istio manual injection
Change-Id: Ia03782b38020d744ab00c99adbf4832d15bbd9f3
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
2018-03-31 | Merge "Added initial nginx services" | Stephen Wong | 20 | -0/+1255
2018-03-31 | Develop snort IDS and content inspect service | Eddie Arrage | 17 | -0/+1319
- Initial commit to show potential structure of a sample service
- This will be part of a larger sample application currently dubbed Service Delivery Controller
- Docker container needs to be built and employs open-source Linux packages
- Service is deployable in Istio service mesh using provided yaml
- Control snort daemon and add custom rules with GRPC messaging
- Process snort alerts actively and send to redis and upstream service mesh components
- Integrates a web server for better HTTP signature detection
- Improved build script for CI with variables
- Render k8s yaml snort manifest dynamically with command line options
- Improve snort_client sample script for runtime modifications including passing args on CLI, error checking
- Update nginx proxy interface
- Added logging to snort server and alert process
Change-Id: Ic56f9fcd9ed21f64b84b85ac8ee280d69af7b7c9
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
2018-03-30 | Added initial nginx services | Eddie Arrage | 20 | -0/+1255
- Proxy allows ingress traffic to be sent to another element in service mesh
- Mirroring is also in the default configuration
- Default configuration is to proxy to a clover-server and mirror to snort-ids
- A location_path (URI in HTTP requests) can be reconfigured to restrict proxying; default to '/'
- A proxy_path can be reconfigured to specify an alternate destination
- A mirror path can be reconfigured to specify where traffic will be spanned
- The default server_port (listen port) for the proxy is 9180 but can be reconfigured
- The default server_name is http-proxy but can be reconfigured
- Reconfiguration is done over GRPC with jinja2 template for nginx
- Currently snort ids sends alerts to proxy with stub code in GRPC
- Refactored the code to have a nginx base with subservices
- Proxy, Load Balancer (lb), and Server can share code - mainly GRPC server
- Nginx subservices have separate docker builds
- Improved build scripts for CI
- Render yaml manifests dynamically
- Improve nginx_client for runtime modifications (but not really useful yet)
Change-Id: Icbff6890021bcc8a8da4690c9261205d6e1ca43a
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>