Added Istio injection.
deepaknadig committed Jul 12, 2020
1 parent 8793270 commit 2ee88f2
Showing 4 changed files with 994 additions and 0 deletions.
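--- a/k8s/deployment/app-deployment-injected.yaml
+++ b/k8s/deployment/app-deployment-injected.yaml
@@ -0,0 +1,263 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: fa-service
+labels:
+app: flask-app
+annotations:
+metallb.universe.tf/allow-shared-ip: ergo-application
+spec:
+selector:
+app: flask-app
+tier: frontend
+ports:
+- name: flask-app
+protocol: "TCP"
+port: 5000
+targetPort: 5000
+type: LoadBalancer
+loadBalancerIP: 10.10.10.100
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+name: fa-service
+labels:
+team: frontend
+spec:
+selector:
+matchLabels:
+app: flask-app
+endpoints:
+- port: flask-app
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+creationTimestamp: null
+labels:
+app: flask-app
+name: flask-app
+spec:
+replicas: 2
+selector:
+matchLabels:
+app: flask-app
+tier: frontend
+strategy:
+type: Recreate
+template:
+metadata:
+annotations:
+sidecar.istio.io/interceptionMode: REDIRECT
+sidecar.istio.io/status: '{"version":"e16b88389e2d0f30d103af853bdac6a41c399031fafef687a65ce53a7ee83d33","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istiod-ca-cert"],"imagePullSecrets":null}'
+traffic.sidecar.istio.io/excludeInboundPorts: "15020"
+traffic.sidecar.istio.io/includeInboundPorts: "5000"
+traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
+creationTimestamp: null
+labels:
+app: flask-app
+istio.io/rev: ""
+security.istio.io/tlsMode: istio
+tier: frontend
+spec:
+containers:
+- env:
+- name: REDIS_HOST
+value: redis-flask-service
+image: deepnadig/ergo:1.4
+imagePullPolicy: Always
+name: flask-app
+ports:
+- containerPort: 5000
+name: flask-app
+resources:
+limits:
+cpu: 500m
+memory: 512Mi
+volumeMounts:
+- mountPath: /data/worker
+name: worker-store
+- args:
+- proxy
+- sidecar
+- --domain
+- $(POD_NAMESPACE).svc.cluster.local
+- --serviceCluster
+- flask-app.$(POD_NAMESPACE)
+- --proxyLogLevel=warning
+- --proxyComponentLogLevel=misc:error
+- --trust-domain=cluster.local
+- --concurrency
+- "2"
+env:
+- name: JWT_POLICY
+value: first-party-jwt
+- name: PILOT_CERT_PROVIDER
+value: istiod
+- name: CA_ADDR
+value: istiod.istio-system.svc:15012
+- name: POD_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+- name: POD_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+- name: INSTANCE_IP
+valueFrom:
+fieldRef:
+fieldPath: status.podIP
+- name: SERVICE_ACCOUNT
+valueFrom:
+fieldRef:
+fieldPath: spec.serviceAccountName
+- name: HOST_IP
+valueFrom:
+fieldRef:
+fieldPath: status.hostIP
+- name: CANONICAL_SERVICE
+valueFrom:
+fieldRef:
+fieldPath: metadata.labels['service.istio.io/canonical-name']
+- name: CANONICAL_REVISION
+valueFrom:
+fieldRef:
+fieldPath: metadata.labels['service.istio.io/canonical-revision']
+- name: PROXY_CONFIG
+value: |
+{"proxyMetadata":{"DNS_AGENT":""}}
+- name: ISTIO_META_POD_PORTS
+value: |-
+[
+{"name":"flask-app","containerPort":5000}
+]
+- name: ISTIO_META_APP_CONTAINERS
+value: |-
+[
+flask-app
+]
+- name: ISTIO_META_CLUSTER_ID
+value: Kubernetes
+- name: ISTIO_META_INTERCEPTION_MODE
+value: REDIRECT
+- name: ISTIO_META_WORKLOAD_NAME
+value: flask-app
+- name: ISTIO_META_OWNER
+value: kubernetes://apis/apps/v1/namespaces/default/deployments/flask-app
+- name: ISTIO_META_MESH_ID
+value: cluster.local
+- name: DNS_AGENT
+- name: ISTIO_KUBE_APP_PROBERS
+value: '{}'
+image: docker.io/istio/proxyv2:1.6.4
+imagePullPolicy: Always
+name: istio-proxy
+ports:
+- containerPort: 15090
+name: http-envoy-prom
+protocol: TCP
+readinessProbe:
+failureThreshold: 30
+httpGet:
+path: /healthz/ready
+port: 15021
+initialDelaySeconds: 1
+periodSeconds: 2
+resources:
+limits:
+cpu: "2"
+memory: 1Gi
+requests:
+cpu: 10m
+memory: 40Mi
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+privileged: false
+readOnlyRootFilesystem: true
+runAsGroup: 1337
+runAsNonRoot: true
+runAsUser: 1337
+volumeMounts:
+- mountPath: /var/run/secrets/istio
+name: istiod-ca-cert
+- mountPath: /var/lib/istio/data
+name: istio-data
+- mountPath: /etc/istio/proxy
+name: istio-envoy
+- mountPath: /etc/istio/pod
+name: istio-podinfo
+initContainers:
+- args:
+- istio-iptables
+- -p
+- "15001"
+- -z
+- "15006"
+- -u
+- "1337"
+- -m
+- REDIRECT
+- -i
+- '*'
+- -x
+- ""
+- -b
+- '*'
+- -d
+- 15090,15021,15020
+env:
+- name: DNS_AGENT
+image: docker.io/istio/proxyv2:1.6.4
+imagePullPolicy: Always
+name: istio-init
+resources:
+limits:
+cpu: 100m
+memory: 50Mi
+requests:
+cpu: 10m
+memory: 10Mi
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- NET_ADMIN
+- NET_RAW
+drop:
+- ALL
+privileged: false
+readOnlyRootFilesystem: false
+runAsGroup: 0
+runAsNonRoot: false
+runAsUser: 0
+securityContext:
+fsGroup: 1337
+terminationGracePeriodSeconds: 10
+volumes:
+- name: worker-store
+persistentVolumeClaim:
+claimName: celery-pv-claim
+- emptyDir:
+medium: Memory
+name: istio-envoy
+- emptyDir: {}
+name: istio-data
+- downwardAPI:
+items:
+- fieldRef:
+fieldPath: metadata.labels
+path: labels
+- fieldRef:
+fieldPath: metadata.annotations
+path: annotations
+name: istio-podinfo
+- configMap:
+name: istio-ca-root-cert
+name: istiod-ca-cert
+status: {}
+---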
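Review bot: The `flask-app` application container has no `securityContext`, while the injected `istio-proxy` sidecar in the same pod drops all capabilities, sets `allowPrivilegeEscalation: false` and runs as a non-root UID. The application container is the one served through the `LoadBalancer` Service on port 5000, so it should carry at least the same baseline; the fence below shows the block to add. The image's user is not visible on this page, so `runAsNonRoot: true` needs confirming against `deepnadig/ergo:1.4`, since the container will not start if the image runs as root. Separately, checking in the injected output fixes the sidecar at `docker.io/istio/proxyv2:1.6.4` and writes `namespaces/default` into `ISTIO_META_OWNER`, so the manifest will presumably drift from the mesh control plane unless it is regenerated on each Istio upgrade or deployed only to that namespace.

```yaml
        name: flask-app
        # … unchanged: ports, resources …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          runAsNonRoot: true
        # … unchanged: volumeMounts …
```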