This PR will provide the support of using latest ambassador edge-stack

changes:
• Updated all services to use the latest Ambassador Edge Stack routing rules.

fixes #2359

Signed-off-by: saikumarbommakanti <[email protected]>

platforms/hyperledger-indy/charts/indy-node/templates/service.yaml

@@ -9,11 +9,7 @@ kind: Service
 metadata:
   name: "{{ $.Values.metadata.name }}"
   namespace: "{{ $.Values.metadata.namespace }}"
-  {{ if $.Values.ambassador.annotations }}
   annotations:
-    getambassador.io/config: | 
-    {{ $.Values.ambassador.annotations  | nindent 6 }}
-  {{ end }}
 spec:
   type: {{ $.Values.service.type }}
   ports:
@@ -30,4 +26,53 @@ spec:
     nodePort: {{ $.Values.service.ports.clientTargetPort }}
     {{ end }}
   selector:
-    app: "{{ $.Values.metadata.name }}"
+    app: "{{ $.Values.metadata.name }}"
+
+{{- if eq $.Values.proxy.provider "ambassador" }}
+---
+apiVersion: getambassador.io/v3alpha1
+kind: Listener
+metadata:
+  name: "{{ .Values.node.name }}-node-listener"
+  namespace: {{ .Values.metadata.namespace }}
+spec:
+  port: {{ .Values.node.ambassadorPort }}
+  protocol: TCP
+  securityModel: XFP
+  hostBinding:
+    namespace:
+      from: SELF
+---
+apiVersion: getambassador.io/v3alpha1
+kind: TCPMapping
+metadata:
+  name: "{{ .Values.node.name }}-node-mapping"
+  namespace: {{ .Values.metadata.namespace }}
+spec:
+  port: {{ .Values.node.ambassadorPort }}
+  service: "{{ .Values.node.name }}.{{ .Values.metadata.namespace }}:{{ .Values.service.ports.nodeTargetPort }}"
+
+---
+apiVersion: getambassador.io/v3alpha1
+kind: Listener
+metadata:
+  name: "{{ .Values.node.name }}-client-listener"
+  namespace: {{ .Values.metadata.namespace }}
+spec:
+  port: {{ .Values.client.ambassadorPort }}
+  protocol: TCP
+  securityModel: XFP
+  hostBinding:
+    namespace:
+      from: SELF
+---
+apiVersion: getambassador.io/v3alpha1
+kind: TCPMapping
+metadata:
+  name: "{{ .Values.node.name }}-client-mapping"
+  namespace: {{ .Values.metadata.namespace }}
+spec:
+  port: {{ .Values.client.ambassadorPort }}
+  service:  "{{ .Values.client.name }}.{{ .Values.metadata.namespace }}:{{ .Values.service.ports.clientTargetPort }}"
+{{- end }}
+

platforms/hyperledger-indy/configuration/roles/create/helm_component/node/templates/node.tpl

@@ -44,6 +44,7 @@ spec:
       port: {{ stewardItem.node.port }}
       ambassadorPort: {{ stewardItem.node.ambassador }}
     client:
+      name: {{ stewardItem.name }}
       publicIp: {{ stewardItem.publicIp }}
       ip: 0.0.0.0
       port: {{ stewardItem.client.port }}

platforms/shared/configuration/roles/setup/edge-stack/tasks/main.yaml

@@ -1,9 +1,3 @@
-##############################################################################################
-#  Copyright Accenture. All Rights Reserved.
-#
-#  SPDX-License-Identifier: Apache-2.0
-##############################################################################################
-
 # Create build directory
 - name: Create build directory
   file:
@@ -39,12 +33,184 @@
   template:
     src={{ playbook_dir }}/../../../platforms/shared/configuration/roles/setup/edge-stack/templates/aes-custom-values.tpl
     dest={{ playbook_dir }}/../../../platforms/shared/configuration/build/aes-custom-values.yaml
+  when:
+    - network.type != 'indy'
+
+- name: Check if ambassador installed
+  k8s_info:
+    api_version: v1
+    kind: Service
+    name: ambassador
+    kubeconfig: "{{ kubeconfig_path }}"
+    namespace: "{{ proxy_namespace }}"
+  register: result
+
+- name: Set ambassador installed
+  set_fact:
+    ambassador_installed: "{{ result.resources|length > 0 }}"
+
+- name: Get available ports of installed ambassador
+  set_fact:
+    ports: "{{ result | json_query('resources[0].spec.ports[*].port') }}"
+  when: ambassador_installed
+
+- name: Format ambassador ports
+  args:
+    executable: /bin/bash
+  shell: |
+    json='{{ stewards | to_json }}'
+    length=$(echo "${json}" | jq '.[] | length')
+    index=0
+    declare -A ports
+    while [[ ${index} < ${length} ]]
+    do
+      steward=$( echo ${json} | jq ".[${index}]")
+      name=$(echo ${steward} | jq '.name' | tr -d '"')
+      node_port=$(echo ${steward} | jq '.node.ambassador' | tr -d '"')
+      client_port=$(echo ${steward} | jq '.client.ambassador' | tr -d '"')
+      if [[ ${name} != null ]]
+      then
+        if [[ ${ports["{{ kubecontext }}"]} != "" ]]
+        then
+          ports+=( ["{{ kubecontext }}"]+=, )
+        fi
+        ports+=( ["{{ kubecontext }}"]+=${node_port},${client_port} )
+      fi
+      index=$(( ${index} + 1 ))
+    done
+    echo ${ports["{{ kubecontext }}"]}
+  register: terminal
+  when:
+    - network['type'] == 'indy' and item.services.stewards is defined
+
+- name: Get Elastic IP
+  environment:
+    AWS_ACCESS_KEY_ID: "{{ aws.access_key }}"
+    AWS_SECRET_ACCESS_KEY: "{{ aws.secret_key }}"
+  shell: |
+    # format ip addresses list to string with space separator
+    ips=$(echo '{{ item.publicIps }}' | tr -d '["]' | sed 's/,/\ /g')
+    data=$(aws ec2 describe-addresses --public-ips ${ips} --region {{ aws.region }} --output json | jq '.Addresses[].AllocationId')
+    # format eip addresses list to string with comma separator (comma has to be escaped)
+    echo ${data} | tr -d '"' | sed 's/\ /\,/g'
+  register: allocation_ips
+  when:
+     - ( network.type == 'indy' and item.services.stewards is defined )
+     - item.cloud_provider == 'aws' or item.cloud_provider == 'aws-baremetal' #As this shell code is specific to AWS, cloud provider check has been added
+  tags:
+    - notest
+
+- name: Set Helm value for ambassador_eip
+  set_fact:
+    allocation_ips_stdout: "{{ allocation_ips.stdout | default('No value', true) }}"
+  when:
+    - allocation_ips is defined
+
+- name: Extract port numbers from the 'ports' string
+  set_fact:
+    extracted_ports: "{{ ports | regex_replace('[^0-9,]', ' ') | split(',') | map('int') | list | default('No value', true) }}"
+  vars:
+    ports: "{{ network.env.ambassadorPorts.ports | default('') }}"
+  register: ambassadorports_list
+  when:
+    - network.type == 'indy'
+
+- name: Create custom values for aes helm chart
+  vars:
+    ports: "{{ network.env.ambassadorPorts.ports | default([]) }}"
+    lbSourceRangeDefault:
+      - 0.0.0.0/0
+    loadBalancerSourceRanges: "{{ network.env.loadBalancerSourceRanges | default(lbSourceRangeDefault) }}"
+    elastic_ip: "{{ allocation_ips_stdout }}"
+    extracted_ports: "{{ ambassadorports_list }}"
+  template:
+    src={{ playbook_dir }}/../../../platforms/shared/configuration/roles/setup/edge-stack/templates/aes-custom-values.tpl
+    dest={{ playbook_dir }}/../../../platforms/shared/configuration/build/aes-custom-values.yaml
+  when:
+    - network.type == 'indy'
+
+- name: Format ambassador range
+  args:
+    executable: /bin/bash
+  shell: |
+    from='{{ network.env.ambassadorPorts.portRange.from | default('') }}'
+    to='{{ network.env.ambassadorPorts.portRange.to | default('') }}'
+    if [ -z "$from" ] || [ -z "$to" ] 
+    then
+      echo ""
+    else
+      echo "--set ambassador.otherPorts.portRange.from=${from} --set ambassador.otherPorts.portRange.to=${to}"
+    fi
+  register: ambassadorRange
+
+
+- name: Format ambassador ports for Indy
+  args:
+    executable: /bin/bash
+  shell: |
+    ports=$(echo '{{ network.env.ambassadorPorts.ports | default('') }}' | sed -e 's/\[/\{/' -e 's/\]/\}/')
+    terminalPorts='{{ terminal.stdout | default('') }}'
+    if [ -z "$ports" ] 
+    then
+      echo ""
+    else
+      echo "--set ambassador.otherPorts.ports={'${ports},${terminalPorts}'}"
+    fi
+  register: ambassadorPortsIndy
+  when:
+    - network.type == 'indy'
+
+- name: check required ports available for Indy
+  args:
+    executable: /bin/bash
+  shell: |
+    availablePortRange=$(echo '{{ ports }}' | sed -e 's/\[/\(/' -e 's/\]/\)/' | sed 's/,/\n/g')
+    from=$(echo '{{ network.env.ambassadorPorts.ports | default('') }}' |sed -e 's/\[/\(/' -e 's/\]/\)/' | sed 's/,/\n/g')
+    to='{{ terminal.stdout | default('') }}'
+
+    if [[ "$from" == "" || "$to" == "" ]]; then
+       echo "false" && exit 0
+    fi
+    arr=( $(seq $from $to) )
+
+    for i in "${arr[@]}"
+    do
+      if [[ ! ${availablePortRange[*]} =~ ${i} ]]; then
+        echo "false" && exit 0
+      fi
+    done
+    echo "true"
+  register: indy_ports_available
+  when:
+    - network.type == 'indy'
+    - ambassador_installed
 
 # Adding the datawire chart repo
 - name: Add datawire chart repo
   kubernetes.core.helm_repository:
     name: datawire
-    repo_url: "https://app.getambassador.io"
+    repo_url: "https://app.getambassador.io" 
+
+# Install edge-stack for indy (NLB) via helmchart
+- name: Deploy the edge-stack
+  kubernetes.core.helm:
+    kubeconfig: "{{ kubeconfig_path }}"
+    name: "edge-stack"
+    chart_ref: datawire/edge-stack
+    chart_version: 8.7.2
+    release_namespace: "{{ proxy_namespace }}"
+    create_namespace: true
+    values:
+      namespace: "{{ proxy_namespace }}"
+      ambassador_Range: "{{ ambassadorRange.stdout }}"
+      extracted_ports: "{{ ambassadorports_list }}"
+    values_files:
+      - "{{ playbook_dir }}/../../../platforms/shared/configuration/build/aes-custom-values.yaml"
+  when:
+    - network.type == 'indy'
+    - allocation_ips is defined
+    - ambassadorRange is defined
+    - ambassadorPortsIndy is defined
 
 # Install edge-stack via helmchart
 - name: Deploy the edge-stack
@@ -59,10 +225,10 @@
       namespace: "{{ proxy_namespace }}"
     values_files:
       - "{{ playbook_dir }}/../../../platforms/shared/configuration/build/aes-custom-values.yaml"
+  when:
+    - network.type != 'indy'
+
 
-# Create aes custom resources manifest file
-# fallback-self-signed-cert will be we used for default TLS termination on all host
-# **NOTE** : By default aes creates a fallback-self-signed-cert; custom cert can be used here
 - name: Create ambassador custom resources manifest file
   vars:
     ambassadorDefaultTlsSecretName: "fallback-self-signed-cert"
@@ -99,3 +265,4 @@
     component_type: "Pod"
     label_selectors:
       - app.kubernetes.io/name=edge-stack
+

platforms/shared/configuration/roles/setup/edge-stack/templates/aes-custom-resources.tpl

@@ -17,3 +17,15 @@ spec:
     namespace: {{ ambassadorDefaultTlsSecretNamespace }}
   tls:
     min_tls_version: v1.2
+{% if network.type == 'indy' %}
+---
+apiVersion: getambassador.io/v3alpha1
+kind: Module
+metadata:
+  name: ambassador-module
+  namespace: ambassador
+spec:
+  config:
+    use_proxy_proto: true
+    use_remote_address: false
+{% endif %}

platforms/shared/configuration/roles/setup/edge-stack/templates/aes-custom-values.tpl

@@ -14,6 +14,12 @@ namespaceOverride: ''
 # Emissary Chart Values.
 emissary-ingress:
   service:
+{% if network.type == 'indy' %}
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+      service.beta.kubernetes.io/aws-load-balancer-eip-allocations: "{{ elastic_ip }}"
+{% endif %}
     type: LoadBalancer
 
     # Note that target http ports need to match your ambassador configurations service_port
@@ -25,12 +31,14 @@ emissary-ingress:
     - name: https
       port: 443
       targetPort: 8443
-{% for port in ports or [] %}
+{% if extracted_ports is defined %}
+{% for port in extracted_ports %}
     - name: tcp-{{ port }}
       port: {{ port | int }}
       targetPort: {{ port | int }}
 {% endfor %}
-{% if (port_range_from and port_range_to) is defined %}
+{% endif %}
+{% if port_range_from is defined and port_range_to is defined %}
 {% for port in range(port_range_from | int, port_range_to | int + 1) %}
     - name: tcp-{{ port }}
       port: {{ port }}
@@ -62,3 +70,4 @@ licenseKey:
   secretName:
   # Annotations to attach to the license-key-secret.
   annotations: {}
+