WIP: parse flow filter configs and use it to update manifest

Signed-off-by: Mohamed Mahmoud <[email protected]>
netobserv · Apr 16, 2024 · 4551ec3 · 4551ec3
1 parent 753351e
commit 4551ec3
Show file tree

Hide file tree

Showing 4 changed files with 163 additions and 23 deletions.
diff --git a/oc/oc-netobserv-flows b/oc/oc-netobserv-flows
@@ -1,23 +1,13 @@
 #!/bin/bash
 source "./scripts/functions.sh"
 
-# interface filter such as 'br-ex'
-filter=""
-
-if [ -z "${1:-}" ]
-then
-  echo "Filters not set"
-else
-  echo "Filters set as $1"
-  filter=$1
-fi
-
 # CLI image to use
 img="quay.io/netobserv/network-observability-cli:main"
 
 trap cleanup EXIT
 
-setup flows $filter
+
+setup flows "$*"
 
 echo "Running network-observability-cli get-flows... "
 oc run \
@@ -35,4 +25,4 @@ oc wait \
 oc exec -i --tty \
   -n netobserv-cli \
   collector \
-  -- /network-observability-cli get-flows ${filter:+"--filter" "$filter"}
+  -- /network-observability-cli get-flows
diff --git a/res/flow-capture.yml b/res/flow-capture.yml
@@ -41,6 +41,34 @@ spec:
             value: "true"
           - name: ENABLE_DNS_TRACKING
             value: "true"
+          - name: ENABLE_FLOW_FILTER
+            value: "{{ENABLE_FLOW_FILTER}}"
+          - name: FLOW_FILTER_DIRECTION
+            value: "{{FLOW_FILTER_DIRECTION}}"
+          - name: FLOW_FILTER_IP_CIDR
+            value: "{{FLOW_FILTER_IP_CIDR}}"
+          - name: FLOW_FILTER_PROTOCOL
+            value: "{{FLOW_FILTER_PROTOCOL}}"
+          - name: FLOW_FILTER_SOURCE_PORT
+            value: "{{FLOW_FILTER_SOURCE_PORT}}"
+          - name: FLOW_FILTER_DESTINATION_PORT
+            value: "{{FLOW_FILTER_DESTINATION_PORT}}"
+          - name: FLOW_FILTER_PORT
+            value: "{{FLOW_FILTER_PORT}}"
+          - name:  FLOW_FILTER_SOURCE_PORT_RANGE
+            value: "{{FLOW_FILTER_SOURCE_PORT_RANGE}}"
+          - name: FLOW_FILTER_DESTINATION_PORT_RANGE
+            value: "{{FLOW_FILTER_DESTINATION_PORT_RANGE}}"
+          - name: FLOW_FILTER_PORT_RANGE
+            value: "{{FLOW_FILTER_PORT_RANGE}}"
+          - name: FLOW_FILTER_ICMP_TYPE
+            value: "{{FLOW_FILTER_ICMP_TYPE}}"
+          - name: FLOW_FILTER_ICMP_CODE
+            value: "{{FLOW_FILTER_ICMP_CODE}}"
+          - name: FLOW_FILTER_PEER_IP
+            value: "{{FLOW_FILTER_PEER_IP}}"
+          - name: FLOW_FILTER_ACTION
+            value: "{{FLOW_FILTER_ACTION}}"
           - name: EXPORT
             value: "direct-flp"
           - name: FLP_CONFIG

diff --git a/scripts/functions.sh b/scripts/functions.sh
@@ -1,4 +1,6 @@
 #!/usr/bin/env bash
+source ./scripts/update_flowcapture.sh
+
 set -eu
 
 function loadYAMLs() {
@@ -16,13 +18,6 @@ function loadYAMLs() {
     saYAML="$(cat ./res/service-account.yml)"
   fi
 
-  flowAgentYAML='
-    flowAgentYAMLContent
-  '
-  if [ -f ./res/flow-capture.yml ]; then
-    flowAgentYAML="$(cat ./res/flow-capture.yml)"
-  fi
-
   packetAgentYAML='
     packetAgentYAMLContent
   '
@@ -46,6 +41,9 @@ function clusterIsReady() {
     fi
 }
 
+MANIFEST_FILE="flow-capture.yml"
+MANIFEST_OUTPUT_PATH="output"
+
 function setup {
   echo "Setting up... "
 
@@ -74,9 +72,65 @@ function setup {
   echo "$collectorServiceYAML" | oc apply -f -
 
   if [ "$1" = "flows" ]; then
-    echo "creating flow-capture agents"
-    echo "${flowAgentYAML/"{{FLOW_FILTER_VALUE}}"/${2:-}}" | oc apply -f -
-    oc rollout status daemonset netobserv-cli -n netobserv-cli --timeout 60s
+    shift
+    echo "creating flow-capture agents:"
+    while getopts "i:e:dir:cidr:prot:sp:dp:p:spr:dpr:pr:t:c:ip:a" opt; do
+      case $opt in
+      i) #interfaces
+        edit_manifest "interfaces" "${OPTARG}"
+        ;;
+      e) # enable flow filter
+        edit_manifest "filter_enable" "${OPTARG}"
+        ;;
+      dir) # configure flow filter direction
+        edit_manifest "filter_direction" "${OPTARG}"
+        ;;
+      cidr) # configure flow filter cidr
+        edit_manifest "filter_cidr" "${OPTARG}"
+        ;;
+      prot) # configure flow filter protocol
+        edit_manifest "filter_protocol" "${OPTARG}"
+        ;;
+      sp) # configure flow filter source port
+        edit_manifest "filter_src_port" "${OPTARG}"
+        ;;
+      dp) # configure flow filter destination port
+        edit_manifest "filter_dst_port" "${OPTARG}"
+        ;;
+      p) # configure flow filter port
+        edit_manifest "filter_port" "${OPTARG}"
+        ;;
+      spr) # configure flow filter source port range
+        edit_manifest "filter_src_port_range" "${OPTARG}"
+        ;;
+      dpr) # configure flow filter destination port range
+        edit_manifest "filter_dst_port_range" "${OPTARG}"
+        ;;
+      pr) # configure flow filter port range
+        edit_manifest "filter_port_range" "${OPTARG}"
+        ;;
+      t) #icmp type
+        edit_manifest "icmp_type" "${OPTARG}"
+        ;;
+      c) #icmp code
+        edit_manifest "icmp_code" "${OPTARG}"
+        ;;
+      ip) #peer ip
+        edit_manifest "peer_ip" "${OPTARG}"
+        ;;
+      a) #filter action
+        edit_manifest "action" "${OPTARG}"
+        ;;
+      *) # invalid option
+        echo "invalid option"
+        exit;;
+      esac
+    done
+    manifest="$MANIFEST_OUTPUT_PATH"/"$MANIFEST_FILE"
+    if [[ -f "$manifest" ]]; then
+      oc apply -f "$manifest"
+      oc rollout status daemonset netobserv-cli -n netobserv-cli --timeout 60s
+    fi
   elif [ "$1" = "packets" ]; then
     echo "creating packet-capture agents"
     echo "${packetAgentYAML/"{{PCA_FILTER_VALUE}}"/${2:-}}" | oc apply -f -

diff --git a/scripts/update_flowcapture.sh b/scripts/update_flowcapture.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+MANIFEST_FILE="flow-capture.yml"
+MANIFEST_PATH="res"
+MANIFEST_OUTPUT_PATH="output"
+
+if ! command -v yq &> /dev/null
+then
+    echo "yq binary not found, installing... "
+    go install -mod='' github.com/mikefarah/yq/[email protected]
+fi
+
+function edit_manifest() {
+  echo "Editing manifest file...$*"
+  if [[ ! -d ${MANIFEST_OUTPUT_PATH} ]]; then
+    mkdir -p ${MANIFEST_OUTPUT_PATH} > /dev/null
+  fi
+  ## replace the env variable in the manifest file
+  echo "env: $1, env_value: $2"
+  case "$1" in
+  "interfaces")
+    yq e "select(.kind == \"DaemonSet\" and .metadata.name == \"netobserv-cli\" and .spec.template.spec.containers[0].name == \"netobserv-cli\").spec.template.spec.containers[0].env[] | select(.name==\"INTERFACES\").value|=\"$2\"" ${MANIFEST_PATH}/${MANIFEST_FILE}>${MANIFEST_OUTPUT_PATH}/${MANIFEST_FILE}
+    ;;
+  "filter_enable")
+    yq e "select(.kind == \"DaemonSet\" and .metadata.name == \"netobserv-cli\" and .spec.template.spec.containers[0].name == \"netobserv-cli\").spec.template.spec.containers[0].env[] | select(.name==\"ENABLE_FLOW_FILTER\").value|=\"$2\"" ${MANIFEST_PATH}/${MANIFEST_FILE}>${MANIFEST_OUTPUT_PATH}/${MANIFEST_FILE}
+    ;;
+  "filter_direction")
+    yq e "select(.kind == \"DaemonSet\" and .metadata.name == \"netobserv-cli\" and .spec.template.spec.containers[0].name == \"netobserv-cli\").spec.template.spec.containers[0].env[] | select(.name==\"FLOW_FILTER_DIRECTION\").value|=\"$2\"" ${MANIFEST_PATH}/${MANIFEST_FILE}>${MANIFEST_OUTPUT_PATH}/${MANIFEST_FILE}
+    ;;
+  "filter_cidr")
+    yq e "select(.kind == \"DaemonSet\" and .metadata.name == \"netobserv-cli\" and .spec.template.spec.containers[0].name == \"netobserv-cli\").spec.template.spec.containers[0].env[] | select(.name==\"FLOW_FILTER_IP_CIDR\").value|=\"$2\"" ${MANIFEST_PATH}/${MANIFEST_FILE}>${MANIFEST_OUTPUT_PATH}/${MANIFEST_FILE}
+    ;;
+  "filter_protocol")
+    yq e "select(.kind == \"DaemonSet\" and .metadata.name == \"netobserv-cli\" and .spec.template.spec.containers[0].name == \"netobserv-cli\").spec.template.spec.containers[0].env[] | select(.name==\"FLOW_FILTER_PROTOCOL\").value|=\"$2\"" ${MANIFEST_PATH}/${MANIFEST_FILE}>${MANIFEST_OUTPUT_PATH}/${MANIFEST_FILE}
+    ;;
+  "filter_sport")
+    yq e "select(.kind == \"DaemonSet\" and .metadata.name == \"netobserv-cli\" and .spec.template.spec.containers[0].name == \"netobserv-cli\").spec.template.spec.containers[0].env[] | select(.name==\"FLOW_FILTER_SOURCE_PORT\").value|=\"$2\"" ${MANIFEST_PATH}/${MANIFEST_FILE}>${MANIFEST_OUTPUT_PATH}/${MANIFEST_FILE}
+    ;;
+  "filter_dport")
+    yq e "select(.kind == \"DaemonSet\" and .metadata.name == \"netobserv-cli\" and .spec.template.spec.containers[0].name == \"netobserv-cli\").spec.template.spec.containers[0].env[] | select(.name==\"FLOW_FILTER_DESTINATION_PORT\").value|=\"$2\"" ${MANIFEST_PATH}/${MANIFEST_FILE}>${MANIFEST_OUTPUT_PATH}/${MANIFEST_FILE}
+    ;;
+  "filter_port")
+    yq e "select(.kind == \"DaemonSet\" and .metadata.name == \"netobserv-cli\" and .spec.template.spec.containers[0].name == \"netobserv-cli\").spec.template.spec.containers[0].env[] | select(.name==\"FLOW_FILTER_PORT\").value|=\"$2\"" ${MANIFEST_PATH}/${MANIFEST_FILE}>${MANIFEST_OUTPUT_PATH}/${MANIFEST_FILE}
+    ;;
+  "filter_sport_range")
+    yq e "select(.kind == \"DaemonSet\" and .metadata.name == \"netobserv-cli\" and .spec.template.spec.containers[0].name == \"netobserv-cli\").spec.template.spec.containers[0].env[] | select(.name==\"FLOW_FILTER_SOURCE_PORT_RANGE\").value|=\"$2\"" ${MANIFEST_PATH}/${MANIFEST_FILE}>${MANIFEST_OUTPUT_PATH}/${MANIFEST_FILE}
+    ;;
+  "filter_dport_range")
+    yq e "select(.kind == \"DaemonSet\" and .metadata.name == \"netobserv-cli\" and .spec.template.spec.containers[0].name == \"netobserv-cli\").spec.template.spec.containers[0].env[] | select(.name==\"FLOW_FILTER_DESTINATION_PORT_RANGE\").value|=\"$2\"" ${MANIFEST_PATH}/${MANIFEST_FILE}>${MANIFEST_OUTPUT_PATH}/${MANIFEST_FILE}
+    ;;
+  "filter_port_range")
+    yq e "select(.kind == \"DaemonSet\" and .metadata.name == \"netobserv-cli\" and .spec.template.spec.containers[0].name == \"netobserv-cli\").spec.template.spec.containers[0].env[] | select(.name==\"FLOW_FILTER_PORT_RANGE\").value|=\"$2\"" ${MANIFEST_PATH}/${MANIFEST_FILE}>${MANIFEST_OUTPUT_PATH}/${MANIFEST_FILE}
+    ;;
+  "filter_icmp_type")
+    yq e "select(.kind == \"DaemonSet\" and .metadata.name == \"netobserv-cli\" and .spec.template.spec.containers[0].name == \"netobserv-cli\").spec.template.spec.containers[0].env[] | select(.name==\"FLOW_FILTER_ICMP_TYPE\").value|=\"$2\"" ${MANIFEST_PATH}/${MANIFEST_FILE}>${MANIFEST_OUTPUT_PATH}/${MANIFEST_FILE}
+    ;;
+  "filter_icmp_code")
+    yq e "select(.kind == \"DaemonSet\" and .metadata.name == \"netobserv-cli\" and .spec.template.spec.containers[0].name == \"netobserv-cli\").spec.template.spec.containers[0].env[] | select(.name==\"FLOW_FILTER_ICMP_CODE\").value|=\"$2\"" ${MANIFEST_PATH}/${MANIFEST_FILE}>${MANIFEST_OUTPUT_PATH}/${MANIFEST_FILE}
+    ;;
+  "filter_peer_ip")
+    yq e "select(.kind == \"DaemonSet\" and .metadata.name == \"netobserv-cli\" and .spec.template.spec.containers[0].name == \"netobserv-cli\").spec.template.spec.containers[0].env[] | select(.name==\"FLOW_FILTER_PEER_IP\").value|=\"$2\"" ${MANIFEST_PATH}/${MANIFEST_FILE}>${MANIFEST_OUTPUT_PATH}/${MANIFEST_FILE}
+    ;;
+  "filer_action")
+    yq e "select(.kind == \"DaemonSet\" and .metadata.name == \"netobserv-cli\" and .spec.template.spec.containers[0].name == \"netobserv-cli\").spec.template.spec.containers[0].env[] | select(.name==\"FLOW_FILTER_ACTION\").value|=\"$2\"" ${MANIFEST_PATH}/${MANIFEST_FILE}>${MANIFEST_OUTPUT_PATH}/${MANIFEST_FILE}
+    ;;
+  esac
+
+}