# File: test/k8sT/manifests/bookinfo-v2-istio.yaml
#
# Copyright 2017 Istio Authors
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

# Contents: one Service (ratings) and two Deployments (ratings-v1, reviews-v2).
# Both Deployments are stored with the Istio sidecar already injected: the
# sidecar.istio.io/status annotation lists the added init containers
# (sleep, istio-init), container (istio-proxy) and volumes.
#
# Review notes that apply to both Deployments:
#   * Images are referenced by tag, not digest, and imagePullPolicy is
#     IfNotPresent, so a node reuses whatever it has cached under that tag.
#     Pinning as image@sha256:<digest> makes the pulled content verifiable.
#   * The application containers and the `sleep` init container declare no
#     securityContext, and two of them no resource limits (`resources: {}`),
#     so they run with the runtime/namespace defaults.
#   * A hostPath directory (/var/run/cilium) is mounted into the sidecar.
#   * Namespace `default` is baked in (ISTIO_META_OWNER, secretName
#     istio.default); applying the file elsewhere leaves those values stale.
#   * `creationTimestamp: null` and `status: {}` are generator output and
#     carry no configuration.

##################################################################################################
# Ratings service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
  name: ratings
  labels:
    app: ratings
spec:
  ports:
  - port: 9080
    name: http
  # Selects on `app` only, so every version of the ratings workload is a backend.
  selector:
    app: ratings
---
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  name: ratings-v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ratings
      version: v1
      zgroup: bookinfo
  strategy: {}
  template:
    metadata:
      annotations:
        # TPROXY interception is what drives the root + NET_ADMIN settings on
        # the istio-proxy container further down.
        sidecar.istio.io/interceptionMode: TPROXY
        sidecar.istio.io/status: '{"version":"45fd8869cfbf8375ea44be15a0156f5850b1789428501a78c16a8490fd325b06","initContainers":["sleep","istio-init"],"containers":["istio-proxy"],"volumes":["cilium-unix-sock-dir","istio-envoy","istio-certs"],"imagePullSecrets":null}'
        # 15020 is the sidecar's --statusPort and the readiness probe port; it
        # is excluded from inbound capture.
        traffic.sidecar.istio.io/excludeInboundPorts: "15020"
        traffic.sidecar.istio.io/includeInboundPorts: "9080"
        # '*' captures outbound traffic to every destination range.
        traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
      creationTimestamp: null
      labels:
        app: ratings
        security.istio.io/tlsMode: istio
        version: v1
        zgroup: bookinfo
    spec:
      containers:
      # Application container. No securityContext and no resource limits are
      # set here.
      # NOTE(review): if the image allows it, set runAsNonRoot: true,
      # allowPrivilegeEscalation: false and drop ALL capabilities explicitly
      # instead of relying on cluster defaults.
      - image: docker.io/istio/examples-bookinfo-ratings-v1:1.6.0
        imagePullPolicy: IfNotPresent
        name: ratings
        ports:
        - containerPort: 9080
        resources: {}
      # Injected Istio sidecar (Cilium build of the proxy image).
      - args:
        - proxy
        - sidecar
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --configPath
        - /etc/istio/proxy
        - --binaryPath
        - /usr/local/bin/envoy
        - --serviceCluster
        - ratings.$(POD_NAMESPACE)
        - --drainDuration
        - 45s
        - --parentShutdownDuration
        - 1m0s
        - --discoveryAddress
        - istio-pilot.istio-system:15011
        - --zipkinAddress
        - zipkin.istio-system:9411
        - --dnsRefreshRate
        - 300s
        - --connectTimeout
        - 10s
        - --proxyAdminPort
        - "15000"
        - --concurrency
        - "2"
        # The connection to the discovery address above is configured for
        # mutual TLS.
        - --controlPlaneAuthPolicy
        - MUTUAL_TLS
        - --statusPort
        - "15020"
        - --applicationPorts
        - "9080"
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: ISTIO_META_POD_PORTS
          value: |-
            [
                {"containerPort":9080}
            ]
        - name: ISTIO_META_CLUSTER_ID
          value: Kubernetes
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        # No serviceAccountName is set in this pod spec, so this resolves to
        # the namespace's default service account.
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: ISTIO_META_CONFIG_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # NOTE(review): with SDS off, the workload certificates presumably come
        # from the istio-certs secret mounted at /etc/certs/ - confirm.
        - name: SDS_ENABLED
          value: "false"
        - name: ISTIO_META_INTERCEPTION_MODE
          value: TPROXY
        - name: ISTIO_META_INCLUDE_INBOUND_PORTS
          value: "9080"
        - name: ISTIO_METAJSON_LABELS
          value: |
            {"app":"ratings","version":"v1","zgroup":"bookinfo"}
        - name: ISTIO_META_WORKLOAD_NAME
          value: ratings-v1
        # Hard-codes namespace `default`.
        - name: ISTIO_META_OWNER
          value: kubernetes://apis/apps/v1/namespaces/default/deployments/ratings-v1
        image: docker.io/cilium/istio_proxy:1.4.6
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        readinessProbe:
          failureThreshold: 30
          httpGet:
            path: /healthz/ready
            port: 15020
          initialDelaySeconds: 1
          periodSeconds: 2
        resources:
          limits:
            cpu: "2"
            memory: 1Gi
          requests:
            cpu: 100m
            memory: 128Mi
        # The sidecar runs as UID 0 (group 1337) and keeps NET_ADMIN after
        # dropping ALL; the other hardening knobs are on (no privilege
        # escalation, not privileged, read-only root filesystem).
        # NOTE(review): root + NET_ADMIN is what Istio injects for TPROXY mode;
        # a pod admission policy that enforces non-root or forbids NET_ADMIN
        # will reject this pod, and any exemption should be scoped to this
        # workload rather than the whole namespace.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 1337
          runAsNonRoot: false
          runAsUser: 0
        volumeMounts:
        # Host directory mounted without readOnly, into a container running as
        # root.
        # NOTE(review): anything the node exposes under /var/run/cilium
        # (presumably the Cilium agent's unix sockets, going by the volume
        # name) is reachable from this sidecar - treat a sidecar compromise as
        # reaching that host interface.
        - mountPath: /var/run/cilium
          name: cilium-unix-sock-dir
        # Writable proxy config directory; backed by the in-memory emptyDir
        # below because the root filesystem is read-only.
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/certs/
          name: istio-certs
          readOnly: true
      initContainers:
      # Retries a DNS lookup of kube-dns once per second and exits 1 with
      # "timed-out" after 120 failed attempts.
      # Image has no registry prefix (resolved through the runtime's default
      # registry) and the container has no securityContext.
      - command:
        - sh
        - -c
        - 'max=120; i=0; until nslookup kube-dns.kube-system.svc.cluster.local; do
          i=$((i + 1)); if [ $i -eq $max ]; then echo timed-out; exit 1; else sleep
          1; fi done '
        image: busybox:1.28.4
        imagePullPolicy: IfNotPresent
        name: sleep
        resources: {}
      # Programs the traffic-redirection rules before the app starts. The
      # arguments mirror the pod annotations: -m TPROXY (interception mode),
      # -i '*' (outbound IP ranges), -b '*' (inbound ports), -d 15020
      # (excluded inbound port), -u 1337 (proxy user/group id), -p/-z (proxy
      # capture ports), -x "" (no excluded ranges).
      - command:
        - istio-iptables
        - -p
        - "15001"
        - -z
        - "15006"
        - -u
        - "1337"
        - -m
        - TPROXY
        - -i
        - '*'
        - -x
        - ""
        - -b
        - '*'
        - -d
        - "15020"
        image: docker.io/cilium/istio_proxy:1.4.6
        imagePullPolicy: IfNotPresent
        name: istio-init
        resources:
          limits:
            cpu: 100m
            memory: 50Mi
          requests:
            cpu: 10m
            memory: 10Mi
        # Root with NET_ADMIN and NET_RAW, everything else dropped; the
        # container exists only for the duration of pod initialisation.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: false
          runAsGroup: 0
          runAsNonRoot: false
          runAsUser: 0
      # Zero grace period: the pod is killed without a shutdown window, so the
      # 45s --drainDuration above has no time to take effect.
      terminationGracePeriodSeconds: 0
      volumes:
      # hostPath with no `type`, so the kubelet performs no check on what
      # exists at that path before mounting it.
      # NOTE(review): clusters that restrict hostPath should allow-list
      # exactly this path for these workloads.
      - hostPath:
          path: /var/run/cilium
        name: cilium-unix-sock-dir
      - emptyDir:
          medium: Memory
        name: istio-envoy
      # optional: true lets the pod start even when the secret is absent.
      # NOTE(review): confirm the sidecar fails closed without certificates
      # rather than serving or sending plaintext.
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.default
status: {}
---
# reviews-v2: same injected sidecar, init containers, volumes and security
# settings as ratings-v1 above; only the workload name, labels and application
# image differ. The review notes on ratings-v1 apply unchanged.
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  name: reviews-v2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: reviews
      version: v2
      zgroup: bookinfo
  strategy: {}
  template:
    metadata:
      annotations:
        sidecar.istio.io/interceptionMode: TPROXY
        sidecar.istio.io/status: '{"version":"45fd8869cfbf8375ea44be15a0156f5850b1789428501a78c16a8490fd325b06","initContainers":["sleep","istio-init"],"containers":["istio-proxy"],"volumes":["cilium-unix-sock-dir","istio-envoy","istio-certs"],"imagePullSecrets":null}'
        traffic.sidecar.istio.io/excludeInboundPorts: "15020"
        traffic.sidecar.istio.io/includeInboundPorts: "9080"
        traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
      creationTimestamp: null
      labels:
        app: reviews
        security.istio.io/tlsMode: istio
        version: v2
        zgroup: bookinfo
    spec:
      containers:
      # Application container: no securityContext, no resource limits.
      - image: docker.io/istio/examples-bookinfo-reviews-v2:1.6.0
        imagePullPolicy: IfNotPresent
        name: reviews
        ports:
        - containerPort: 9080
        resources: {}
      # Injected Istio sidecar.
      - args:
        - proxy
        - sidecar
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --configPath
        - /etc/istio/proxy
        - --binaryPath
        - /usr/local/bin/envoy
        - --serviceCluster
        - reviews.$(POD_NAMESPACE)
        - --drainDuration
        - 45s
        - --parentShutdownDuration
        - 1m0s
        - --discoveryAddress
        - istio-pilot.istio-system:15011
        - --zipkinAddress
        - zipkin.istio-system:9411
        - --dnsRefreshRate
        - 300s
        - --connectTimeout
        - 10s
        - --proxyAdminPort
        - "15000"
        - --concurrency
        - "2"
        - --controlPlaneAuthPolicy
        - MUTUAL_TLS
        - --statusPort
        - "15020"
        - --applicationPorts
        - "9080"
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: ISTIO_META_POD_PORTS
          value: |-
            [
                {"containerPort":9080}
            ]
        - name: ISTIO_META_CLUSTER_ID
          value: Kubernetes
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: ISTIO_META_CONFIG_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: SDS_ENABLED
          value: "false"
        - name: ISTIO_META_INTERCEPTION_MODE
          value: TPROXY
        - name: ISTIO_META_INCLUDE_INBOUND_PORTS
          value: "9080"
        - name: ISTIO_METAJSON_LABELS
          value: |
            {"app":"reviews","version":"v2","zgroup":"bookinfo"}
        - name: ISTIO_META_WORKLOAD_NAME
          value: reviews-v2
        # Hard-codes namespace `default`.
        - name: ISTIO_META_OWNER
          value: kubernetes://apis/apps/v1/namespaces/default/deployments/reviews-v2
        image: docker.io/cilium/istio_proxy:1.4.6
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        readinessProbe:
          failureThreshold: 30
          httpGet:
            path: /healthz/ready
            port: 15020
          initialDelaySeconds: 1
          periodSeconds: 2
        resources:
          limits:
            cpu: "2"
            memory: 1Gi
          requests:
            cpu: 100m
            memory: 128Mi
        # UID 0 with NET_ADMIN retained, as injected for TPROXY mode.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 1337
          runAsNonRoot: false
          runAsUser: 0
        volumeMounts:
        # Host directory, mounted read-write into a root container.
        - mountPath: /var/run/cilium
          name: cilium-unix-sock-dir
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/certs/
          name: istio-certs
          readOnly: true
      initContainers:
      # Waits (up to 120 one-second retries) for kube-dns to resolve.
      - command:
        - sh
        - -c
        - 'max=120; i=0; until nslookup kube-dns.kube-system.svc.cluster.local; do
          i=$((i + 1)); if [ $i -eq $max ]; then echo timed-out; exit 1; else sleep
          1; fi done '
        image: busybox:1.28.4
        imagePullPolicy: IfNotPresent
        name: sleep
        resources: {}
      # Installs the TPROXY redirection rules; arguments mirror the annotations.
      - command:
        - istio-iptables
        - -p
        - "15001"
        - -z
        - "15006"
        - -u
        - "1337"
        - -m
        - TPROXY
        - -i
        - '*'
        - -x
        - ""
        - -b
        - '*'
        - -d
        - "15020"
        image: docker.io/cilium/istio_proxy:1.4.6
        imagePullPolicy: IfNotPresent
        name: istio-init
        resources:
          limits:
            cpu: 100m
            memory: 50Mi
          requests:
            cpu: 10m
            memory: 10Mi
        # Root with NET_ADMIN and NET_RAW only.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: false
          runAsGroup: 0
          runAsNonRoot: false
          runAsUser: 0
      terminationGracePeriodSeconds: 0
      volumes:
      # hostPath without `type`.
      - hostPath:
          path: /var/run/cilium
        name: cilium-unix-sock-dir
      - emptyDir:
          medium: Memory
        name: istio-envoy
      # Optional secret: the pod starts even if it is missing.
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.default
status: {}
---