-
Notifications
You must be signed in to change notification settings - Fork 33
/
Copy pathcni-wrapper-plugin.conflist.erb
121 lines (110 loc) · 3.67 KB
/
cni-wrapper-plugin.conflist.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
<% unless p('disable') %>
<%=
require 'ipaddr'
require 'json'
def compute_mtu
vxlan_overhead = 50
mtu = p('mtu')
if mtu > 0
return mtu - vxlan_overhead
else
return mtu
end
end
# this method is here to check for leading 0s
def parse_ips (ips, var_name)
ips.map {|ip| ip.split(":")[0]}.each do |ip|
parse_ip(ip, var_name)
end
end
def parse_ip (ip, var_name)
unless ip.empty?
begin
parsed = IPAddr.new ip
rescue => e
raise "Invalid #{var_name} '#{ip}': #{e}"
end
end
end
def no_masquerade_cidr_range
if_p('no_masquerade_cidr_range') do |cidr|
if !cidr.empty?
parse_ip(cidr, 'no_masquerade_cidr_range')
end
return p('no_masquerade_cidr_range')
end
end
if_p('deny_networks') do |deny_networks|
deny_networks.each do |network, destinations|
destinations.each do |dest|
begin
validated_dest = IPAddr.new(dest)
unless validated_dest.ipv4?
raise "Invalid deny_networks.#{network} entry #{dest} not an IPv4 address"
end
rescue IPAddr::Error => e
raise "Invalid deny_networks.#{network} entry #{dest} #{e}"
end
end
end
end
parse_ips(p('dns_servers'), 'dns_servers')
parse_ips(p('host_tcp_services'), 'host_tcp_services')
parse_ips(p('host_udp_services'), 'host_udp_services')
toRender = {
'name' => 'cni-wrapper',
'disableCheck' => true,
'cniVersion' => '1.0.0',
'plugins' => [{
'type' => 'cni-wrapper-plugin',
'datastore' => '/var/vcap/data/container-metadata/store.json',
'datastore_file_owner' => 'vcap',
'datastore_file_group' => 'vcap',
'iptables_lock_file' => '/var/vcap/data/garden-cni/iptables.lock',
'instance_address' => spec.ip,
'no_masquerade_cidr_range' => no_masquerade_cidr_range,
'temporary_underlay_interface_names' => p('temporary.underlay_interface_names'),
'underlay_ips' => spec.networks.to_h.values.map(&:ip),
'iptables_asg_logging' => p('iptables_logging'),
'iptables_c2c_logging' => p('iptables_logging'),
'iptables_denied_logs_per_sec' => p('iptables_denied_logs_per_sec'),
'iptables_accepted_udp_logs_per_sec' => p('iptables_accepted_udp_logs_per_sec'),
'ingress_tag' => 'ffff0000',
'vtep_name' => 'silk-vtep',
'policy_agent_force_poll_address' => '127.0.0.1:' + link('vpa').p('force_policy_poll_cycle_port').to_s,
'dns_servers' => p('dns_servers'),
'host_tcp_services' => p('host_tcp_services'),
'host_udp_services' => p('host_udp_services'),
'deny_networks' => {
'always' => p('deny_networks.always'),
'running' => p('deny_networks.running'),
'staging' => p('deny_networks.staging'),
},
'delegate' => {
'cniVersion' => '1.0.0',
'name' => 'silk',
'type' => 'silk-cni',
'daemonPort' => p('silk_daemon.listen_port'),
'dataDir' => '/var/vcap/data/host-local',
'datastore' => '/var/vcap/data/silk/store.json',
'mtu' => compute_mtu,
},
'outbound_connections' => {
'limit' => p('outbound_connections.limit'),
'logging' => p('iptables_logging'),
'burst' => p('outbound_connections.burst'),
'rate_per_sec' => p('outbound_connections.rate_per_sec'),
'dry_run' => p('outbound_connections.dry_run'),
}
}, {
'name' => 'bandwidth-limit',
'type' => 'bandwidth',
'ingressRate' => p('rate') * 1024,
'ingressBurst' => p('burst') * 1024,
'egressRate' => p('rate') * 1024,
'egressBurst' => p('burst') * 1024
}]
}
JSON.pretty_generate(toRender)
%>
<% end %>