paloaltonetworks / cn-series-helm

This repo is for deploying CN-series firewall using Helm Package Manager for Kubernetes

License: MIT License

Topics: kubernetes, cn-series, pan-os, helm, helm-charts

cn-series-helm's Introduction

CN-Series Helm Chart ⛵⎈

This repository contains charts and templates for deploying the Palo Alto Networks CN-Series containerized firewall using the Helm package manager for Kubernetes.

The Helm charts support PAN-OS versions 10.1.x and 10.2.x. They are based on the v3.0 YAML set, which can be found at https://github.com/PaloAltoNetworks/Kubernetes/tree/v3.0.3

The Release Notes and Deployment Guide are at https://docs.paloaltonetworks.com/cn-series/cn-series-firewall-release-notes/cn-series-firewall-release-notes

Minimum requirements

  • CN-Series
    • CN-Series 10.1.x container images
  • Panorama
    • Panorama 10.1.x
    • Kubernetes plugin for Panorama version 1.0.x or 2.0.x
    • Panorama must be accessible from the Kubernetes cluster
  • Kubernetes
    • Kubernetes 1.16 - 1.24 cluster
    • A current kubeconfig file
  • Helm

Usage

Method 1 - With Repo

  1. Generate the VM authorization key on Panorama

  2. Clone the repository from GitHub

$ git clone https://github.com/PaloAltoNetworks/cn-series-helm.git

  3. Change into the repo directory

$ cd cn-series-helm

The repository contains three chart directories:

  • helm_cnv1 - charts that deploy the firewall as a daemon set
  • helm_cnv2 - charts that deploy the firewall as a service
  • helm_cnv3 - charts that deploy the firewall as a CNF

  4. Edit the values.yaml file and plug in your specific configs. Make sure to read through values.yaml to choose the specific deployment type and additional configurations.

Use the public-facing CN-Series repository for images from https://console.cloud.google.com/gcr/images/pan-cn-series/GLOBAL

Below is an example of values.yaml for cnv1

# The K8s environment 
# Valid deployTo tags are: [gke|eks|aks|openshift|native]
# Valid multus tags are: [enable|disable]. Keep multus set to enable for openshift and native deployments.
cluster:
  deployTo: eks
  multus: disable

# Panorama tags
panorama:
  ip: panorama.acmewidgets.com
  ip2: 
  authKey: "000000000000000"
  deviceGroup: my-devicegroup
  template: my-stack
  cgName: my-collector

# MP container tags
mp:
 initImage: gcr.io/pan-cn-series/pan_cn_mgmt_init
 initVersion: latest
 image: gcr.io/pan-cn-series/panos_cn_mgmt
 version: 10.2.3
 cpuLimit: 4

# DP container tags
dp:
 image: gcr.io/pan-cn-series/panos_cn_ngfw
 version: 10.2.3
 cpuLimit: 2

# CNI container tags
cni:
 image: gcr.io/pan-cn-series/pan_cni
 version: latest
  5. To view the rendered YAMLs
helm install --debug --generate-name helm_cnv1/ --dry-run

Do a lint check on the helm charts

helm lint helm_cnv1/
  6. To deploy the helm charts
helm install <deployment-name> helm_cnv1

Method 2 - Without Repo

  1. Generate the VM authorization key on Panorama

  2. Add the cn-series repo to your local Helm client

$ helm repo add cn-series https://paloaltonetworks.github.io/cn-series-helm
"cn-series" has been added to your repositories
  3. Confirm the repo has been added to your Helm client
$ helm search repo cn-series
NAME               	CHART VERSION	APP VERSION	DESCRIPTION
cn-series/cn-series	2.0.0        	10.2.0      	Palo Alto Networks CN-Series firewall Helm char...
  4. Select the Kubernetes cluster
$ kubectl config set-cluster NAME
  5. Deploy using the Helm chart repo
$ helm install cn-series/cn-series --name="deployment name" \
--set cluster.deployTo="gke|eks|aks|openshift" \
--set cluster.multus="enable|disable" \
--set panorama.ip="panorama hostname or ip" \
--set panorama.ip2="panorama2 hostname or ip" \
--set-string panorama.authKey="vm auth key" \
--set panorama.deviceGroup="device group" \
--set panorama.template="template stack" \
--set panorama.cgName="collector group" \
--set cni.image="container repo" \
--set cni.version="container version" \
--set mp.initImage="container repo" \
--set mp.initVersion="container version" \
--set mp.image="container repo" \
--set mp.version="container version" \
--set mp.cpuLimit="cpu max" \
--set dp.image="container repo" \
--set dp.version="container version" \
--set dp.cpuLimit="cpu max"

Add additional parameters to the above command with respect to your desired deployment and configuration.
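Both methods above end in a `helm install` driven by the values in values.yaml (or the equivalent `--set` flags), and the sample values.yaml ships with an all-zero authKey and a comment-only rule about multus. The following pre-flight script is an added example, not code from the cn-series-helm repository: it reads the flat two-level values.yaml layout shown above with a small awk helper, checks that cluster.deployTo is one of the tags the README lists, that multus is enabled for openshift and native targets, that panorama.ip is set and that the placeholder authKey has been replaced, and only then runs `helm lint` and a `--dry-run` render. The script name preflight.sh, the default chart directory helm_cnv1/ and the sample values in the usage note are assumptions for the example.

```shell
#!/usr/bin/env bash
# Pre-flight check for a CN-Series values.yaml before running `helm install`.
# Added example, not part of the cn-series-helm repository. It assumes the flat
# two-level layout of the chart's values.yaml (a top-level "section:" line
# followed by indented "key: value" lines) and the tag values the README lists.

# yaml_get SECTION KEY FILE -> prints the scalar value of SECTION.KEY, quotes stripped
yaml_get() {
  awk -v section="$1" -v key="$2" '
    /^[A-Za-z0-9_]+:/ { in_section = ($1 == (section ":")); next }
    in_section && $1 == (key ":") {
      sub(/^[ \t]*[A-Za-z0-9_]+:[ \t]*/, "")
      gsub(/^"|"$/, "")
      print; exit
    }' "$3"
}

# check_values FILE -> returns 0 when the values look deployable, 1 otherwise;
# every problem found is reported on stderr
check_values() {
  local f="$1" rc=0 deploy_to multus auth_key pano_ip
  deploy_to=$(yaml_get cluster deployTo "$f")
  multus=$(yaml_get cluster multus "$f")
  auth_key=$(yaml_get panorama authKey "$f")
  pano_ip=$(yaml_get panorama ip "$f")

  case "$deploy_to" in
    gke|eks|aks|openshift|native) ;;
    *) echo "cluster.deployTo must be one of gke|eks|aks|openshift|native (got '$deploy_to')" >&2; rc=1 ;;
  esac

  # The README keeps multus enabled for openshift and native deployments
  case "$deploy_to" in
    openshift|native)
      if [ "$multus" != enable ]; then
        echo "cluster.multus must be 'enable' for deployTo=$deploy_to (got '$multus')" >&2; rc=1
      fi ;;
  esac

  [ -n "$pano_ip" ] || { echo "panorama.ip is empty" >&2; rc=1; }

  # Refuse the all-zero placeholder from the sample values.yaml so a copied
  # example is never deployed with a dummy VM auth key
  case "$auth_key" in
    *[!0]*) ;;
    *) echo "panorama.authKey is empty or still the placeholder" >&2; rc=1 ;;
  esac
  return "$rc"
}

# lint_and_render CHART_DIR FILE -> helm lint plus a dry-run render of the chart
# with FILE as values; skipped (returns 0) when helm is not on PATH
lint_and_render() {
  if ! command -v helm >/dev/null 2>&1; then
    echo "helm not found on PATH; skipping lint and dry-run" >&2
    return 0
  fi
  helm lint "$1" -f "$2" && helm install --dry-run --generate-name "$1" -f "$2" >/dev/null
}

# Usage (hypothetical file name): ./preflight.sh values.yaml [chart dir, default helm_cnv1/]
if [ $# -ge 1 ]; then
  check_values "$1" && lint_and_render "${2:-helm_cnv1/}" "$1"
fi
```

Run it as `./preflight.sh values.yaml helm_cnv2/` before the install step; a non-zero exit with the reasons on stderr means the values file would either fail to render or would register the firewall with a dummy key. The same checks apply to Method 2, where the `--set` flags carry the values instead of the file.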

cn-series-helm's People

Contributors

ayuspin, danfathom5, gowrinaras, gunjan5, karabijavad, rnnair, skrish-murt, stealthllama

cn-series-helm's Issues

[Community Health Assessment] Changes needed

Health Check                                        Score
Contains a meaningful README.md file                20 / 20
SUPPORT.md file exists                              20 / 20
Repo has a description                              15 / 15
Has a recognized open source license                15 / 15
Has a descriptive repo name                         15 / 15
Required topics attached to repo                    15 / 15
CONTRIBUTING.md file with contribution guidelines    5 / 5
Has custom issue and pull request templates          0 / 5

Current score: 105
Target threshold: 100
Total possible: 110

Prerequisites for a native cluster

Documentation link

https://github.com/PaloAltoNetworks/cn-series-helm/blob/master/helm_cnv2/templates/pan-cn-pv-local.yaml#L32-L39

Describe the problem

request for improvement

In the above link, it seems that there is a requirement for the worker node host names.

From what I can tell so far, the requirements for a native installation are:

  • the creation of the /mnt/pan-local* and /mnt/auto* directories on the hosts
  • the hostnames being worker-node-X

Are there other prerequisites about the cluster which are required to install CN-Series in a native deployTo target?

Suggested fix

The suggestion is to add documentation to the readme, which includes the prerequisites that this helm chart expects on the host node.

I am happy to make a PR for this.

APIs for HPA deprecated

Describe the bug

These APIs below are deprecated.

autoscaling/v2beta2
apiregistration.k8s.io/v1beta1
apiextensions.k8s.io/v1beta1

To successfully install HPA in AKS with Helm I need to change to the versions below.

autoscaling/v2
apiregistration.k8s.io/v1
apiextensions.k8s.io/v1

Expected behavior

N/A

Current behavior

Errors below:

ensure CRDs are installed first, resource mapping not found for name: "custommetrics.azure.com" namespace: "" from "": no matches for kind "CustomResourceDefinition" in version "apiextensions.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "hpa-dp-eks" namespace: "pan-cn-series" from "": no matches for kind "HorizontalPodAutoscaler" in version "autoscaling/v2beta2"
ensure CRDs are installed first, resource mapping not found for name: "hpa-mp-aks" namespace: "pan-cn-series" from "": no matches for kind "HorizontalPodAutoscaler" in version "autoscaling/v2beta2"
ensure CRDs are installed first, resource mapping not found for name: "v1beta1.custom.metrics.k8s.io" namespace: "" from "": no matches for kind "APIService" in version "apiregistration.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "v1beta1.external.metrics.k8s.io" namespace: "" from "": no matches for kind "APIService" in version "apiregistration.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "pandataplaneslots" namespace: "pan-cn-series" from "": no matches for kind "CustomMetric" in version "azure.com/v1alpha2"
ensure CRDs are installed first]

Possible solution

Update the Helm chart files with the actual versions.

Steps to reproduce

1 - Try to install on Azure AKS with Helm and HPA enabled.

Your Environment

  • Version used: AKS 1.26.3
  • Helm: v3

Missing `PAN_BUNDLE_TYPE` in file `pan-cn-mgmt-configmap.yaml`

Describe the bug

Missing PAN_BUNDLE_TYPE in file pan-cn-mgmt-configmap.yaml

Current behavior

Bundle type is missing from template.

Possible solution

Set PAN_BUNDLE_TYPE like so with a CN-X-BND1 or CN-X-BND2 style license:
(look at last line)

apiVersion: v1
kind: ConfigMap
metadata:
  name: pan-mgmt-config
  namespace: kube-system
data:
  PAN_SERVICE_NAME: pan-mgmt-svc
  PAN_MGMT_SECRET: pan-mgmt-secret

  # Panorama settings
  PAN_PANORAMA_IP: "44.124.31.336"
  PAN_DEVICE_GROUP: "gke-cluster-device group"
  PAN_TEMPLATE_STACK: "gke-cluster-franklin"
  PAN_CGNAME: "gke-cluster-cg"
  PAN_BUNDLE_TYPE: "CN-X-BND2"

Context

You will have an issue connecting to the cluster from the Kubernetes plugin in Panorama.

Your Environment

I am using:

Dynamic namespace from values

Is your feature request related to a problem?

No, just an improvement.

Describe the solution you'd like

Add a new field in the values file and change the YAML files to get a dynamic attribute.

Sample:

Yaml files:

metadata:
    name: dataplanecpuutilizationpct
    namespace: "{{ .Values.cluster.namespace }}"

Values files:

cluster:
    deployTo: "aks"
    namespace: "pan-cn-series"

Describe alternatives you've considered

N/A

Additional context

This feature request makes it easier to change the namespace. It's good practice to put the apps outside of the kube-system namespace.

Invalid Helm release name

Can you please modify the folder name and remove the "_". During the dry run there is an error invalid release name. I believe this was caused by the _ in the folder name.

Pods stuck in ContainerCreating state

Describe the bug

When running the helm chart, pan-ngfw-dep-777d6f847f-gqtqh and pan-ngfw-dep-777d6f847f-mxhtq pods are stuck in ContainerCreating status

❯ kubectl get pods
NAME                            READY   STATUS              RESTARTS   AGE
aws-node-kd2tl                  1/1     Running             0          25h
aws-node-w4dww                  1/1     Running             0          25h
coredns-65bfc5645f-5j6s8        1/1     Running             0          25h
coredns-65bfc5645f-xqtf6        1/1     Running             0          25h
kube-proxy-4pd97                1/1     Running             0          25h
kube-proxy-h2tkv                1/1     Running             0          25h
pan-cni-kvcf4                   1/1     Running             0          107m
pan-cni-p4lsb                   1/1     Running             0          107m
pan-mgmt-sts-0                  0/1     Pending             0          107m
pan-mgmt-sts-1                  0/1     Pending             0          107m
pan-ngfw-dep-777d6f847f-gqtqh   0/1     ContainerCreating   0          107m
pan-ngfw-dep-777d6f847f-mxhtq   0/1     ContainerCreating   0          107m
Name:                 pan-ngfw-dep-777d6f847f-gqtqh
Namespace:            kube-system
Priority:             2000000000
Priority Class Name:  system-cluster-critical
Node:                 ip-192-168-85-200.ec2.internal/192.168.85.200
Start Time:           Tue, 19 Apr 2022 16:33:07 -0700
Labels:               app=pan-ngfw
                      pod-template-hash=777d6f847f
Annotations:          k8s.v1.cni.cncf.io/networks: pan-cni
                      kubernetes.io/psp: eks.privileged
                      paloaltonetworks.com/app: pan-fw
                      paloaltonetworks.com/firewall: pan-fw
Status:               Pending
IP:
IPs:                  <none>
Controlled By:        ReplicaSet/pan-ngfw-dep-777d6f847f
Containers:
  pan-ngfw-container:
    Container ID:
    Image:         709825985650.dkr.ecr.us-east-1.amazonaws.com/palo-alto-networks/panos_cn_ngfw:10.1.3
    Image ID:
    Port:          <none>
    Host Port:     <none>
    Command:
      /sbin/pan_start
      newnns
      nspan-fw
      eac8617ee91
    State:          Waiting
      Reason:       ContainerCreating
    Ready:          False
    Restart Count:  0
    Limits:
      cpu:     1
      memory:  4Gi
    Requests:
      cpu:      1
      memory:   4Gi
    Liveness:   exec [/sbin/pan_alive_check] delay=600s timeout=1s period=5s #success=1 #failure=2
    Readiness:  exec [/sbin/pan_ready_check] delay=15s timeout=1s period=2s #success=2 #failure=1
    Environment Variables from:
      pan-ngfw-config  ConfigMap  Optional: false
    Environment:
      CPU_REQUEST:             1 (requests.cpu)
      CPU_LIMIT:               1 (limits.cpu)
      MEMORY_REQUEST:          4294967296 (requests.memory)
      MEMORY_LIMIT:            4294967296 (limits.memory)
      MY_POD_UUID:              (v1:metadata.uid)
      MY_NODE_NAME:             (v1:spec.nodeName)
      MY_POD_NAME:             pan-ngfw-dep-777d6f847f-gqtqh (v1:metadata.name)
      MY_POD_NAMESPACE:        kube-system (v1:metadata.namespace)
      MY_POD_SERVICE_ACCOUNT:   (v1:spec.serviceAccountName)
      MY_POD_IP:                (v1:status.podIP)
    Mounts:
      /dev/net/tun from devnettun (rw)
      /dev/shm from dshm (rw)
      /etc/custom-ca from pancustomca (rw)
      /etc/pan-fw-sw from sw-secret (rw)
      /opt/appinfo from appinfo (rw)
      /opt/pan-cni-ready from pan-cni-ready (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-5n6mh (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  devnettun:
    Type:          HostPath (bare host directory volume)
    Path:          /dev/net/tun
    HostPathType:
  dshm:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     Memory
    SizeLimit:  <unset>
  appinfo:
    Type:          HostPath (bare host directory volume)
    Path:          /var/log/pan-appinfo
    HostPathType:  Directory
  pan-cni-ready:
    Type:          HostPath (bare host directory volume)
    Path:          /var/log/pan-appinfo/pan-cni-ready
    HostPathType:  Directory
  sw-secret:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  pan-fw-sw
    Optional:    false
  pancustomca:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  custom-ca-secret
    Optional:    true
  default-token-5n6mh:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-5n6mh
    Optional:    false
QoS Class:       Guaranteed
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason       Age                    From     Message
  ----     ------       ----                   ----     -------
  Warning  FailedMount  59m (x2 over 70m)      kubelet  Unable to attach or mount volumes: unmounted volumes=[sw-secret], unattached volumes=[pan-cni-ready devnettun dshm sw-secret pancustomca default-token-5n6mh appinfo]: timed out waiting for the condition
  Warning  FailedMount  43m (x5 over 100m)     kubelet  Unable to attach or mount volumes: unmounted volumes=[sw-secret], unattached volumes=[dshm sw-secret pancustomca default-token-5n6mh appinfo pan-cni-ready devnettun]: timed out waiting for the condition
  Warning  FailedMount  14m (x6 over 91m)      kubelet  Unable to attach or mount volumes: unmounted volumes=[sw-secret], unattached volumes=[devnettun dshm sw-secret pancustomca default-token-5n6mh appinfo pan-cni-ready]: timed out waiting for the condition
  Warning  FailedMount  8m42s (x55 over 104m)  kubelet  MountVolume.SetUp failed for volume "sw-secret" : secret "pan-fw-sw" not found
  Warning  FailedMount  2m48s (x10 over 79m)   kubelet  Unable to attach or mount volumes: unmounted volumes=[sw-secret], unattached volumes=[sw-secret pancustomca default-token-5n6mh appinfo pan-cni-ready devnettun dshm]: timed out waiting for the condition

Expected behavior

Pod should start

Current behavior

Pod doesn't start

Your Environment

  • Version used: 709825985650.dkr.ecr.us-east-1.amazonaws.com/palo-alto-networks/panos_cn_helm_charts --version 1.0.2
  • Operating System and version (desktop or mobile): Desktop, Deploying on EKS.
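The `kubectl describe` output in this issue already contains the answer: the only unmounted volume is sw-secret, and the last FailedMount event says `secret "pan-fw-sw" not found`, while pancustomca is `Optional: true` and therefore not blocking. The following triage helper is an added example, not code from the cn-series-helm repository: it reads `kubectl get pods` and `kubectl describe pod` output (from a file or a pipe), lists pods that are not Running, parses the Volumes section for Secret-backed volumes and their Optional flag, extracts the Secret names the kubelet reported as not found, and reports only those that are required. The sample pod listing and describe excerpt embedded in the script are constructed from this issue, and the `--demo` flag and `describe.txt` file name are assumptions for the example.

```shell
#!/usr/bin/env bash
# Triage helper for CN-Series pods stuck in ContainerCreating. Added example,
# not code from the cn-series-helm repository: it reads "kubectl get pods" and
# "kubectl describe pod" output (from a file or a pipe) and reports which
# required Secret-backed volumes the kubelet could not mount.

# stuck_pods < get-pods output -> name of every pod whose STATUS is not Running
# or Completed (the header line is skipped)
stuck_pods() {
  awk 'NR > 1 && $3 != "Running" && $3 != "Completed" { print $1 }'
}

# secret_volumes < describe output -> "<volume> <secretName> <optional>" for each
# volume of Type Secret in the Volumes: section
secret_volumes() {
  awk '
    /^  [A-Za-z0-9._-]+:$/ { vol = $1; sub(/:$/, "", vol); secret = ""; next }
    $1 == "SecretName:" { secret = $2; next }
    $1 == "Optional:" && secret != "" { print vol, secret, $2; secret = "" }
  '
}

# missing_secrets < describe output -> each Secret the kubelet reported as
# "not found" in a FailedMount event, de-duplicated
missing_secrets() {
  sed -n 's/.*secret "\([^"]*\)" not found.*/\1/p' | sort -u
}

# required_missing DESCRIBE_FILE -> the subset of missing Secrets whose volume
# is not Optional; these are the ones that keep the pod in ContainerCreating
required_missing() {
  for s in $(missing_secrets < "$1"); do
    secret_volumes < "$1" | awk -v s="$s" '$2 == s && $3 == "false" { print s }'
  done
}

# Constructed sample, trimmed from the kubectl output in the issue above
SAMPLE_PODS='NAME                            READY   STATUS              RESTARTS   AGE
pan-cni-kvcf4                   1/1     Running             0          107m
pan-mgmt-sts-0                  0/1     Pending             0          107m
pan-ngfw-dep-777d6f847f-gqtqh   0/1     ContainerCreating   0          107m'

SAMPLE_DESCRIBE='Volumes:
  sw-secret:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  pan-fw-sw
    Optional:    false
  pancustomca:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  custom-ca-secret
    Optional:    true
Events:
  Warning  FailedMount  8m42s (x55 over 104m)  kubelet  MountVolume.SetUp failed for volume "sw-secret" : secret "pan-fw-sw" not found
  Warning  FailedMount  2m48s (x10 over 79m)   kubelet  Unable to attach or mount volumes: unmounted volumes=[sw-secret], unattached volumes=[sw-secret pancustomca]: timed out waiting for the condition'

# Live use against a cluster (assumes kubectl access to the namespace the chart deployed into):
#   kubectl get pods -n kube-system | stuck_pods
#   kubectl describe pod <pod> -n kube-system > describe.txt && required_missing describe.txt
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_PODS" | stuck_pods
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_DESCRIBE" > "$tmp"
  required_missing "$tmp"
  rm -f "$tmp"
fi
```

Running the script with `--demo` prints the two non-Running pods and then `pan-fw-sw`, the one required Secret the kubelet could not find; a Secret with that name has to exist in the pod's namespace before the data-plane pod can leave ContainerCreating.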

[Community Health Assessment] Changes needed

This issue was opened by a bot called Community Health (PANW) because this repo has failed too many community health checks.

Repo maintainers: Please take the time to fix the issues in the table to reach the target score. These improvements will help others find your work and contribute to it. This issue will update as your score improves until it hits the target score.

Click More info for instructions to fix each item.

Health Check                                        Score
Contains a meaningful README.md file                20 / 20
SUPPORT.md file exists                               0 / 20
Repo has a description                              15 / 15
Has a recognized open source license                15 / 15
Has a descriptive repo name                         15 / 15
Required topics attached to repo                    15 / 15
CONTRIBUTING.md file with contribution guidelines    5 / 5
Has custom issue and pull request templates          0 / 5

Current score: 85
Target threshold: 100
Total possible: 110
