| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
JIRA: CLOVER-84
There will be some Bug in SDC after we upgrade the Istio to 1.0.0
Istio 1.0 have some concept, for example : virtualservice gateway.
So we change the yaml file using the 1.0.0 concepts.
Add mirror function
Change-Id: Id138cfec2c7d94b44eb508a056c91e193ac1b08b
Signed-off-by: Ace Lee <liyin11@huawei.com>
|
|
JIRA: CLOVER-86
This external authorization HTTP filter calls an external HTTP service (ModSecuruty service) to check if the incoming HTTP request is authorized or not. If the request is deemed unauthorized then the request will be denied normally with 403 (Forbidden) response.
Change-Id: I0fe14c73defec027c54f42713cbdf69b0b83e102
Signed-off-by: JingLu5 <lvjing5@huawei.com>
|
|
JIRA: CLOVER-84
we change the env in clover and change some deploy script.
will upgrade the doc later
Change-Id: I73a78afb91676efc3278b623c5d263a4a215ccd9
Signed-off-by: Ace Lee <liyin11@huawei.com>
|
|
|
|
test istio service-mesh"
|
|
- Left the file samples/scenarios/service_delivery_controller_opnfv.yaml unchanged.
- Added a yaml definition of Cassandra StatefulSet and its service into a separate file under tools directory
- Cassandra Service run with 1 replica
- Deleted 'data-plane-ns' and use 'default' instead for cassandra containers.
- Revoked changes for samples/scenarios/service_delivery_controller_opnfv.yaml.
- Added new line (Wutien suggested it)
JIRA: CLOVER-000
Change-Id: I2bb4249cf2523f5011d6fefc69dc469a90e20eaf
Signed-off-by: iharijono <indra.harijono@huawei.com>
|
|
service-mesh
Checking into CLEARWATER_ISTIO branch
This part of the project is intended to validate the clearwater IMS with istio service-mesh.
Change-Id: Ia5ba86301a363fcf9cfe0bac525606b0d897713e
Signed-off-by: Muhammad Shaikh (Salman) <muhammad.shaikh@huawei.com>
|
|
there is a issue "No module named google.protobuf",
when trying to run the services docker.
Add the protobuf in services Dockerfile.
Change-Id: I280dc1d5908bcec784e9e1e7c4d07e145f092cdb
Signed-off-by: wutianwei <wutianwei1@huawei.com>
|
|
- Fix bug with addition of content field in rule definition
that causes rules with a blank content fields to inhibit
snort from starting successfully.
- Write more of the packet data for snort alert into Redis
- Above includes X-Real-IP, X-Forwarded-For header fields
for http traffic from proxy that shows source IP
Some packet data is missing in alerts from snort.
Change-Id: I2c5c29e514d1ca9e8e5b9b3f7990afa87c6311b9
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
|
|
- Exposed the 'content' field in the GRPC server AddRules method
- Allows the 'MALWARE-CNC User-Agent ASafaWeb Scan' signature
in the community rules to be copied to local rules
- Above ensures more deterministic alerts by snort each time
the signature is hit
- Added here to support the SDC configuration guide, which details
how to add this scan rule via GRPC client script
Change-Id: I6945c1e500075444134543bb9eb6003a03f1d5cc
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
- Added deploy/clean scripts for use in Clover container
- Deployment of entire SDC scenario
- Deployment includes istio install for manual sidecar injection
without TLS authentication (deploy.sh)
- Added Jaeger tracing and Prometheus monitoring install (view.sh)
- Exposes NodePort for monitoring/tracing to access UIs outside
of cluster
- Clean.sh attempts to remove all of the above
Change-Id: Id9548a77d71465a814a6e0cb1cbdf02d37235590
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
|
|
|
|
- Modified snort-ids alert process to use k8s DNS name
'proxy-access-control' to align with SDC scenario naming
- Added default port 50054 to the manifest yaml template and
rendering script for communication with proxy-access-control
Change-Id: Ib04ee75e5d8ea9921b16b3b4469bed87b1cd2018
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
- Provide workaround to make nginx lb work properly
- nginx_client sample can modify default load balancing
from three to two servers at runtime
- Ensure port 9180 is used for default deploy for lb and
servers
- Modify render_yaml to specify deploy_name so that
clover-server1, 2, 3 can be used for default lb config
- Ensure proxy template is aligned to lb to allow the
source IP from originating host to be propagated to final
destination
- Fix default nginx proxy server_name to 'proxy-access-control'
and change default proxy destination to 'http-lb'
- Split lb service_type to 'lbv1' and 'lbv2' to provide an example
of how to modify the run-time configuration of the load balancer
after deployment - modify http-lb-v2 to use clover-server4/5 instead
of the defualt clover-server1/2/3 - modify http-lb-v1 to use
clover-server1/2 instead of 1/2/3
- Aligned pod IP retrival method with nginx_client.py
Change-Id: I73fa60a69c93ae1e82a477ef6283c00f67a21360
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
- Added missing k8s manifest yaml files for overall service delivery
controller scenario - cannot be deployed coherently without this manifest
- One file for private docker registry and one for opnfv
public registry
- Outlined in JIRA ticket CLOVER-16 and validated per
description
- Includes ingress rule, community redis pod/service and deployments
for http-lb (v1/v2), snort-ids, proxy-access-controller,
and clover-server1-5
- All above pod/deployment naming matches default container
configuration
- Tested with istio manual injection
Change-Id: Ia03782b38020d744ab00c99adbf4832d15bbd9f3
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
|
|
- Initial commit to show potential structure of a sample service
- This wil be part of a larger sample application currently dubbed
Service Delivery Controller
- Docker container needs to be built and employs open-source Linux packages
- Service is deployable in Istio service mesh using provided yaml
- Control snort daemon and add custom rules with GRPC messaging
- Process snort alerts actively and send to redis and upstream service
mesh components
- Integrates a web server for better HTTP signature detection
- Improved build script for CI with variables
- Render k8s yaml snort manifest dynamically with command
line options
- Improve snort_client sample script for runtime modifications
including passing args on CLI, error checking
- Update nginx proxy interface
- Added logging to snort server and alert process
Change-Id: Ic56f9fcd9ed21f64b84b85ac8ee280d69af7b7c9
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
- Proxy allows ingress traffic to be sent to another element in
service mesh
- Mirroring is also in the default configuration
- Default configuration is to proxy to a clover-server and mirror
to snort-ids
- A location_path (URI in HTTP requests) can be reconfigured to
restrict proxing; default to '/'
- A proxy_path can be reconfigured to specify an alternate destination
- A mirror path can be reconfigured to specify where traffic
will be spanned
- The default server_port (listen port) for the proxy is 9180 but can be
reconfigured
- The default server_name is http-proxy but can be reconfigured
- Reconfiguration is done over GRPC with jinja2 template for nginx
- Currently snort ids sends alerts to proxy with stub code in GRPC
- Refactored the code to have a nginx base with subservices
- Proxy, Load Balancer (lb), and Server can share code - mainly GRPC
server
- Nginx subservices have separate docker builds
- Improved build scripts for CI
- Render yaml manifests dynamically
- Improve nginx_client for runtime modifications (but not really
useful yet)
Change-Id: Icbff6890021bcc8a8da4690c9261205d6e1ca43a
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
Stephen Wong
Ace Lee
JingLu5
iharijono
Muhammad Shaikh (Salman)
wutianwei
Eddie Arrage