beppe/cicdTest
1
0
Fork 0
mirror of https://github.com/bvanroll/cicdTest.git synced 2025-08-29 12:02:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

cleanup and use of namespace for safety/ease of use

Browse Source
This commit is contained in:
Beppe Vanrolleghem
2020-03-03 11:16:46 +01:00
parent 65ef51a518
commit f1e2d0c6c8
2 changed files with 33 additions and 737 deletions
Download Patch File Download Diff File Expand all files Collapse all files

726
deploy.istio.yaml
View File

@@ -1,726 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
name: server-a
spec:
replicas: 1
selector:
matchLabels:
expose: "true"
server: http
strategy: {}
template:
metadata:
annotations:
sidecar.istio.io/status: '{"version":"b5faac9e6b02231b7db3b29487392a395f1c85c746bf62dc8cb660444af6e0d9","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}'
creationTimestamp: null
labels:
expose: "true"
security.istio.io/tlsMode: istio
server: http
spec:
containers:
- image: beppev/server-a:latest
name: front-end
ports:
- containerPort: 5000
resources: {}
- args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.cluster.local
- --configPath
- /etc/istio/proxy
- --binaryPath
- /usr/local/bin/envoy
- --serviceCluster
- server-a.default
- --drainDuration
- 45s
- --parentShutdownDuration
- 1m0s
- --discoveryAddress
- istio-pilot.istio-system:15010
- --zipkinAddress
- zipkin.istio-system:9411
- --proxyLogLevel=warning
- --proxyComponentLogLevel=misc:error
- --connectTimeout
- 10s
- --proxyAdminPort
- "15000"
- --concurrency
- "2"
- --controlPlaneAuthPolicy
- NONE
- --dnsRefreshRate
- 300s
- --statusPort
- "15020"
- --applicationPorts
- "5000"
- --trust-domain=cluster.local
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: ISTIO_META_POD_PORTS
value: |-
[
{"containerPort":5000}
]
- name: ISTIO_META_CLUSTER_ID
value: Kubernetes
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: ISTIO_META_CONFIG_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: SDS_ENABLED
value: "false"
- name: ISTIO_META_INTERCEPTION_MODE
value: REDIRECT
- name: ISTIO_META_INCLUDE_INBOUND_PORTS
value: "5000"
- name: ISTIO_METAJSON_LABELS
value: |
{"expose":"true","server":"http"}
- name: ISTIO_META_WORKLOAD_NAME
value: server-a
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/default/deployments/server-a
- name: ISTIO_META_MESH_ID
value: cluster.local
image: docker.io/istio/proxyv2:1.4.5
imagePullPolicy: IfNotPresent
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15020
initialDelaySeconds: 1
periodSeconds: 2
resources:
limits:
cpu: "2"
memory: 1Gi
requests:
cpu: 10m
memory: 40Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
name: istio-envoy
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
initContainers:
- command:
- istio-iptables
- -p
- "15001"
- -z
- "15006"
- -u
- "1337"
- -m
- REDIRECT
- -i
- '*'
- -x
- ""
- -b
- '*'
- -d
- "15020"
image: docker.io/istio/proxyv2:1.4.5
imagePullPolicy: IfNotPresent
name: istio-init
resources:
limits:
cpu: 100m
memory: 50Mi
requests:
cpu: 10m
memory: 10Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-certs
secret:
optional: true
secretName: istio.default
status: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
name: server-b
spec:
replicas: 1
selector:
matchLabels:
app: ja
server: http
version: v1
strategy: {}
template:
metadata:
annotations:
sidecar.istio.io/status: '{"version":"b5faac9e6b02231b7db3b29487392a395f1c85c746bf62dc8cb660444af6e0d9","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}'
creationTimestamp: null
labels:
app: ja
security.istio.io/tlsMode: istio
server: http
version: v1
spec:
containers:
- image: beppev/server-b:latest
name: front-end
ports:
- containerPort: 6000
resources: {}
- args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.cluster.local
- --configPath
- /etc/istio/proxy
- --binaryPath
- /usr/local/bin/envoy
- --serviceCluster
- ja.$(POD_NAMESPACE)
- --drainDuration
- 45s
- --parentShutdownDuration
- 1m0s
- --discoveryAddress
- istio-pilot.istio-system:15010
- --zipkinAddress
- zipkin.istio-system:9411
- --proxyLogLevel=warning
- --proxyComponentLogLevel=misc:error
- --connectTimeout
- 10s
- --proxyAdminPort
- "15000"
- --concurrency
- "2"
- --controlPlaneAuthPolicy
- NONE
- --dnsRefreshRate
- 300s
- --statusPort
- "15020"
- --applicationPorts
- "6000"
- --trust-domain=cluster.local
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: ISTIO_META_POD_PORTS
value: |-
[
{"containerPort":6000}
]
- name: ISTIO_META_CLUSTER_ID
value: Kubernetes
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: ISTIO_META_CONFIG_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: SDS_ENABLED
value: "false"
- name: ISTIO_META_INTERCEPTION_MODE
value: REDIRECT
- name: ISTIO_META_INCLUDE_INBOUND_PORTS
value: "6000"
- name: ISTIO_METAJSON_LABELS
value: |
{"app":"ja","server":"http","version":"v1"}
- name: ISTIO_META_WORKLOAD_NAME
value: server-b
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/default/deployments/server-b
- name: ISTIO_META_MESH_ID
value: cluster.local
image: docker.io/istio/proxyv2:1.4.5
imagePullPolicy: IfNotPresent
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15020
initialDelaySeconds: 1
periodSeconds: 2
resources:
limits:
cpu: "2"
memory: 1Gi
requests:
cpu: 10m
memory: 40Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
name: istio-envoy
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
initContainers:
- command:
- istio-iptables
- -p
- "15001"
- -z
- "15006"
- -u
- "1337"
- -m
- REDIRECT
- -i
- '*'
- -x
- ""
- -b
- '*'
- -d
- "15020"
image: docker.io/istio/proxyv2:1.4.5
imagePullPolicy: IfNotPresent
name: istio-init
resources:
limits:
cpu: 100m
memory: 50Mi
requests:
cpu: 10m
memory: 10Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-certs
secret:
optional: true
secretName: istio.default
status: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
name: server-c
spec:
replicas: 1
selector:
matchLabels:
app: ja
server: http
version: v2
strategy: {}
template:
metadata:
annotations:
sidecar.istio.io/status: '{"version":"b5faac9e6b02231b7db3b29487392a395f1c85c746bf62dc8cb660444af6e0d9","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}'
creationTimestamp: null
labels:
app: ja
security.istio.io/tlsMode: istio
server: http
version: v2
spec:
containers:
- image: beppev/server-c:latest
name: front-end
ports:
- containerPort: 6000
resources: {}
- args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.cluster.local
- --configPath
- /etc/istio/proxy
- --binaryPath
- /usr/local/bin/envoy
- --serviceCluster
- ja.$(POD_NAMESPACE)
- --drainDuration
- 45s
- --parentShutdownDuration
- 1m0s
- --discoveryAddress
- istio-pilot.istio-system:15010
- --zipkinAddress
- zipkin.istio-system:9411
- --proxyLogLevel=warning
- --proxyComponentLogLevel=misc:error
- --connectTimeout
- 10s
- --proxyAdminPort
- "15000"
- --concurrency
- "2"
- --controlPlaneAuthPolicy
- NONE
- --dnsRefreshRate
- 300s
- --statusPort
- "15020"
- --applicationPorts
- "6000"
- --trust-domain=cluster.local
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: ISTIO_META_POD_PORTS
value: |-
[
{"containerPort":6000}
]
- name: ISTIO_META_CLUSTER_ID
value: Kubernetes
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: ISTIO_META_CONFIG_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: SDS_ENABLED
value: "false"
- name: ISTIO_META_INTERCEPTION_MODE
value: REDIRECT
- name: ISTIO_META_INCLUDE_INBOUND_PORTS
value: "6000"
- name: ISTIO_METAJSON_LABELS
value: |
{"app":"ja","server":"http","version":"v2"}
- name: ISTIO_META_WORKLOAD_NAME
value: server-c
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/default/deployments/server-c
- name: ISTIO_META_MESH_ID
value: cluster.local
image: docker.io/istio/proxyv2:1.4.5
imagePullPolicy: IfNotPresent
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15020
initialDelaySeconds: 1
periodSeconds: 2
resources:
limits:
cpu: "2"
memory: 1Gi
requests:
cpu: 10m
memory: 40Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
name: istio-envoy
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
initContainers:
- command:
- istio-iptables
- -p
- "15001"
- -z
- "15006"
- -u
- "1337"
- -m
- REDIRECT
- -i
- '*'
- -x
- ""
- -b
- '*'
- -d
- "15020"
image: docker.io/istio/proxyv2:1.4.5
imagePullPolicy: IfNotPresent
name: istio-init
resources:
limits:
cpu: 100m
memory: 50Mi
requests:
cpu: 10m
memory: 10Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-certs
secret:
optional: true
secretName: istio.default
status: {}
---
apiVersion: v1
kind: Service
metadata:
name: server-b-c-service
spec:
selector:
app: "ja"
ports:
- name: http
protocol: TCP
port: 6000
---
kind: Service
apiVersion: v1
metadata:
name: expose-server
spec:
type: NodePort
selector:
expose: "true"
ports:
- name: http
protocol: TCP
targetPort: 5000
port: 5000
nodePort: 30036
---
kind: Service
apiVersion: v1
metadata:
name: example-loadbalancer
spec:
selector:
expose: "true"
ports:
- name: http
protocol: TCP
targetPort: 5000
port: 80
type: LoadBalancer
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: server-check-destination
spec:
host: server-check
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: server-check-gateway
spec:
selector:
expose: "true"
istio: ingressgateway
servers:
- port:
number: 6000
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: v1
kind: Service
metadata:
name: server-check
spec:
selector:
expose: "true"
ports:
- name: http
protocol: TCP
targetPort: 6000
port: 6000
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: server-check-service
spec:
hosts:
- "*"
gateways:
- server-check-gateway
tcp:
- match:
- port: 6000
route:
- destination:
host: server-b-c-service
port:
number: 6000
subset: v1
weight: 50
- destination:
host: server-b-c-service
port:
number: 6000
subset: v2
weight: 50
---

42
deploy.yaml
View File

@@ -1,19 +1,30 @@
--- ---
apiVersion: v1
kind: Namespace
metadata:
name: istio-project-1
labels:
istio-injection: enabled
---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: server-a name: server-a
namespace: istio-project-1
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
server: "http" server: "http"
app: "ja"
expose: "true" expose: "true"
template: template:
metadata: metadata:
labels: labels:
server: "http" server: "http"
app: "ja"
expose: "true" expose: "true"
backend: "true"
spec: spec:
containers: containers:
- name: front-end - name: front-end
@@ -25,6 +36,7 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: server-b name: server-b
namespace: istio-project-1
spec: spec:
replicas: 1 replicas: 1
selector: selector:
@@ -49,6 +61,7 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: server-c name: server-c
namespace: istio-project-1
spec: spec:
replicas: 1 replicas: 1
selector: selector:
@@ -73,18 +86,21 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: server-b-c-service name: server-b-c-service
namespace: istio-project-1
spec: spec:
selector: selector:
app: "ja" backend: "true"
ports: ports:
- name: http - name: http
protocol: TCP protocol: TCP
port: 6000 port: 6000
--- ---
kind: Service kind: Service
apiVersion: v1 apiVersion: v1
metadata: metadata:
name: expose-server name: expose-server
namespace: istio-project-1
spec: spec:
type: NodePort type: NodePort
selector: selector:
@@ -99,7 +115,8 @@ spec:
kind: Service kind: Service
apiVersion: v1 apiVersion: v1
metadata: metadata:
name: example-loadbalancer name: example-loadbalancer
namespace: istio-project-1
spec: spec:
selector: selector:
expose: "true" expose: "true"
@@ -114,8 +131,9 @@ apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule kind: DestinationRule
metadata: metadata:
name: server-check-destination name: server-check-destination
namespace: istio-project-1
spec: spec:
host: server-check host: server-b-c-service
subsets: subsets:
- name: v1 - name: v1
labels: labels:
@@ -128,25 +146,28 @@ apiVersion: networking.istio.io/v1alpha3
kind: Gateway kind: Gateway
metadata: metadata:
name: server-check-gateway name: server-check-gateway
namespace: istio-project-1
spec: spec:
selector: selector:
expose: "true" expose: "true"
istio: ingressgateway
servers: servers:
- port: - port:
number: 6000 number: 6000
name: http name: http
protocol: HTTP protocol: HTTP
hosts: hosts:
- "*" - "*"
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: server-check name: server-check
namespace: istio-project-1
spec: spec:
selector: selector:
expose: "true" expose: "true"
version: v1
version: v2
ports: ports:
- name: http - name: http
protocol: TCP protocol: TCP
@@ -157,6 +178,7 @@ apiVersion: networking.istio.io/v1alpha3
kind: VirtualService kind: VirtualService
metadata: metadata:
name: server-check-service name: server-check-service
namespace: istio-project-1
spec: spec:
hosts: hosts:
- "*" - "*"