Add initial k8s deployments

alpine.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: alpine
+  labels:
+    app: alpine
+spec:
+  selector:
+    matchLabels:
+      app: alpine
+  template:
+    metadata:
+      labels:
+        app: alpine
+    spec:
+      containers:
+        - image: alpine:latest
+          command:
+            - /bin/sh
+            - "-c"
+            - "sleep 60m"
+          imagePullPolicy: IfNotPresent
+          name: alpine
+          volumeMounts:
+            - name: nsm-socket
+              mountPath: /var/lib/networkservicemesh
+              readOnly: true
+      volumes:
+        - name: nsm-socket
+          hostPath:
+            path: /var/lib/networkservicemesh
+            type: DirectoryOrCreate

fake-cross-nse.yaml

@@ -0,0 +1,43 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: fake-cross-nse
+  namespace: nsm-system
+  labels:
+    app: fake-cross-nse
+spec:
+  selector:
+    matchLabels:
+      app: fake-cross-nse
+  template:
+    metadata:
+      labels:
+        app: fake-cross-nse
+    spec:
+      containers:
+        - image: networkservicemeshci/fake-cross-nse:latest
+          imagePullPolicy: IfNotPresent
+          name: fake-cross-nse
+          env:
+            - name: SPIFFE_ENDPOINT_SOCKET
+              value: unix:///run/spire/sockets/agent.sock
+            - name: FAKE-CROSS-NSE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          volumeMounts:
+            - name: spire-agent-socket
+              mountPath: /run/spire/sockets
+              readOnly: true
+            - name: nsm-socket
+              mountPath: /var/lib/networkservicemesh
+      volumes:
+        - name: spire-agent-socket
+          hostPath:
+            path: /run/spire/sockets
+            type: Directory
+        - name: nsm-socket
+          hostPath:
+            path: /var/lib/networkservicemesh
+            type: DirectoryOrCreate

namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nsm-system

nsc.yaml

@@ -0,0 +1,45 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nsc
+  labels:
+    app: nsc
+spec:
+  selector:
+    matchLabels:
+      app: nsc
+  template:
+    metadata:
+      labels:
+        app: nsc
+    spec:
+      containers:
+        - image: networkservicemeshci/cmd-nsc:f5401987
+          imagePullPolicy: IfNotPresent
+          name: nsc
+          env:
+            - name: NSM_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: NSM_NETWORK_SERVICES
+              value: kernel://icmp-responder/nsm-1
+            - name: SPIFFE_ENDPOINT_SOCKET
+              value: unix:///run/spire/sockets/agent.sock
+          volumeMounts:
+            - name: spire-agent-socket
+              mountPath: /run/spire/sockets
+              readOnly: true
+            - name: nsm-socket
+              mountPath: /var/lib/networkservicemesh
+              readOnly: true
+      volumes:
+        - name: spire-agent-socket
+          hostPath:
+            path: /run/spire/sockets
+            type: Directory
+        - name: nsm-socket
+          hostPath:
+            path: /var/lib/networkservicemesh
+            type: DirectoryOrCreate

nse.yaml

@@ -0,0 +1,45 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nse
+  labels:
+    app: nse
+spec:
+  selector:
+    matchLabels:
+      app: nse
+  template:
+    metadata:
+      labels:
+        app: nse
+    spec:
+      containers:
+        - image: networkservicemeshci/cmd-nse-icmp-responder:2ab24506
+          imagePullPolicy: IfNotPresent
+          name: nse
+          env:
+            - name: NSE_CONNECT_TO
+              value: unix:///var/lib/networkservicemesh/nsm.io.sock
+            - name: SPIFFE_ENDPOINT_SOCKET
+              value: unix:///run/spire/sockets/agent.sock
+            - name: NSE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          volumeMounts:
+            - name: spire-agent-socket
+              mountPath: /run/spire/sockets
+              readOnly: true
+            - name: nsm-socket
+              mountPath: /var/lib/networkservicemesh
+              readOnly: true
+      volumes:
+        - name: spire-agent-socket
+          hostPath:
+            path: /run/spire/sockets
+            type: Directory
+        - name: nsm-socket
+          hostPath:
+            path: /var/lib/networkservicemesh
+            type: DirectoryOrCreate

nsmgr.yaml

@@ -0,0 +1,56 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: nsmgr
+  namespace: nsm-system
+  labels:
+    app: nsmgr
+spec:
+  selector:
+    matchLabels:
+      app: nsmgr
+  template:
+    metadata:
+      labels:
+        app: nsmgr
+    spec:
+      containers:
+        - image: networkservicemeshci/cmd-nsmgr:3639f650
+          imagePullPolicy: IfNotPresent
+          name: nsmgr
+          ports:
+            - containerPort: 5001
+              hostPort: 5001
+          env:
+            - name: SPIFFE_ENDPOINT_SOCKET
+              value: unix:///run/spire/sockets/agent.sock
+            - name: NSM_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: NSM_REGISTRY_URL
+              value: "nsm-registry-svc:5002"
+            #            - name: DLV_LISTEN_NSMGR
+            #              value: :40000
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: NSM_LISTEN_ON
+              value: unix:///var/lib/networkservicemesh/nsm.io.sock,tcp://:5001
+          volumeMounts:
+            - name: spire-agent-socket
+              mountPath: /run/spire/sockets
+              readOnly: true
+            - name: nsm-socket
+              mountPath: /var/lib/networkservicemesh
+      volumes:
+        - name: spire-agent-socket
+          hostPath:
+            path: /run/spire/sockets
+            type: Directory
+        - name: nsm-socket
+          hostPath:
+            path: /var/lib/networkservicemesh
+            type: DirectoryOrCreate

proxy-registry-service.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nsm-registry-proxy-dns-svc
+spec:
+  selector:
+    app: nsm-registry-proxy-dns
+  ports:
+    - name: nsm-registry-proxy-dns
+      protocol: TCP
+      port: 5003
+      targetPort: 5003

registry-memory.yaml

@@ -0,0 +1,43 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: nsm-system
+  name: nsm-registry
+  labels:
+    app: nsm-registry
+spec:
+  selector:
+    matchLabels:
+      app: nsm-registry
+  template:
+    metadata:
+      labels:
+        app: nsm-registry
+    spec:
+      containers:
+        - image: networkservicemeshci/cmd-registry-memory:b6f1d58a
+          env:
+            - name: SPIFFE_ENDPOINT_SOCKET
+              value: unix:///run/spire/sockets/agent.sock
+            - name: REGISTRY_MEMORY_LISTEN_ON
+              value: tcp://:5002
+            - name: REGISTRY_MEMORY_PROXY_REGISTRY_URL
+              value: nsm-registry-proxy-dns-svc:5003
+          imagePullPolicy: IfNotPresent
+          name: nsm-registry
+          ports:
+            - containerPort: 5002
+              hostPort: 5002
+          volumeMounts:
+            - name: spire-agent-socket
+              mountPath: /run/spire/sockets
+      volumes:
+        - name: spire-agent-socket
+          hostPath:
+            path: /run/spire/sockets
+            type: Directory
+        - name: nsm-socket
+          hostPath:
+            path: /var/lib/networkservicemesh
+            type: DirectoryOrCreate

registry-proxy-dns.yaml

@@ -0,0 +1,43 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: nsm-system
+  name: nsm-registry-proxy-dns
+  labels:
+    app: nsm-registry-proxy-dns
+spec:
+  selector:
+    matchLabels:
+      app: nsm-registry-proxy-dns
+  template:
+    metadata:
+      labels:
+        app: nsm-registry-proxy-dns
+    spec:
+      containers:
+        - image: networkservicemeshci/cmd-registry-proxy-dns:f2bb4611
+          env:
+            - name: SPIFFE_ENDPOINT_SOCKET
+              value: unix:///run/spire/sockets/agent.sock
+            - name: REGISTRY-PROXY-DNS_LISTEN_ON
+              value: tcp://:5003
+          imagePullPolicy: IfNotPresent
+          name: nsm-registry-proxy-dns
+          ports:
+            - containerPort: 5003
+              hostPort: 5003
+          volumeMounts:
+            - name: spire-agent-socket
+              mountPath: /run/spire/sockets
+            - name: nsm-socket
+              mountPath: /var/lib/networkservicemesh
+      volumes:
+        - name: spire-agent-socket
+          hostPath:
+            path: /run/spire/sockets
+            type: Directory
+        - name: nsm-socket
+          hostPath:
+            path: /var/lib/networkservicemesh
+            type: DirectoryOrCreate

registry-service.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: nsm-system
+  name: nsm-registry-svc
+spec:
+  selector:
+    app: nsm-registry
+  ports:
+    - name: nsm-registry-svc
+      protocol: TCP
+      port: 5002
+      targetPort: 5002

spire/agent-account.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: spire-agent
+  namespace: spire

spire/agent-cluster-role.yaml

@@ -0,0 +1,25 @@
+---
+# Required cluster role to allow spire-agent to query k8s API server
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-agent-cluster-role
+rules:
+- apiGroups: [""]
+  resources: ["pods", "nodes", "nodes/proxy"]
+  verbs: ["get"]
+
+---
+# Binds above cluster role to spire-agent service account
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-agent-cluster-role-binding
+subjects:
+- kind: ServiceAccount
+  name: spire-agent
+  namespace: spire
+roleRef:
+  kind: ClusterRole
+  name: spire-agent-cluster-role
+  apiGroup: rbac.authorization.k8s.io