github.com/looshlee/beatles@v0.0.0-20220727174639-742810ab631c/test/k8sT/manifests/bookinfo-v2-istio.yaml (about)

     1  # Copyright 2017 Istio Authors
     2  #
     3  #   Licensed under the Apache License, Version 2.0 (the "License");
     4  #   you may not use this file except in compliance with the License.
     5  #   You may obtain a copy of the License at
     6  #
     7  #       http://www.apache.org/licenses/LICENSE-2.0
     8  #
     9  #   Unless required by applicable law or agreed to in writing, software
    10  #   distributed under the License is distributed on an "AS IS" BASIS,
    11  #   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  #   See the License for the specific language governing permissions and
    13  #   limitations under the License.
    14  
    15  ##################################################################################################
    16  # Ratings service
    17  ##################################################################################################
    18  apiVersion: v1
        # Service in front of the ratings workload. No `type` is set, so the
        # Kubernetes default (ClusterIP, reachable only inside the cluster) applies.
    19  kind: Service
    20  metadata:
    21    name: ratings
    22    labels:
    23      app: ratings
    24  spec:
    25    ports:
          # No targetPort is given, so traffic is forwarded to pod port 9080.
          # NOTE(review): the port name "http" is presumably what the mesh uses to
          # pick the protocol for this port - confirm before renaming it.
    26    - port: 9080
    27      name: http
          # Selects on `app` only: any pod in the namespace labelled app=ratings,
          # whatever its version, becomes a backend of this Service.
    28    selector:
    29      app: ratings
    30  ---
    31  apiVersion: apps/v1
        # Deployment of a single ratings v1 pod: the application container plus an
        # Istio sidecar (istio-proxy) and two init containers defined further down.
    32  kind: Deployment
    33  metadata:
          # NOTE(review): `creationTimestamp: null` together with the
          # sidecar.istio.io/status annotation below suggests this is saved
          # sidecar-injector output rather than a hand-written manifest - confirm
          # before editing it by hand.
    34    creationTimestamp: null
    35    name: ratings-v1
    36  spec:
    37    replicas: 1
    38    selector:
            # All three labels must also appear in the pod template labels below
            # (they do); apps/v1 rejects a Deployment whose selector does not match.
    39      matchLabels:
    40        app: ratings
    41        version: v1
    42        zgroup: bookinfo
    43    strategy: {}
    44    template:
    45      metadata:
    46        annotations:
                # TPROXY interception mode. The istio-proxy container in this pod
                # runs as UID 0 with NET_ADMIN, presumably because this mode needs it.
    47          sidecar.istio.io/interceptionMode: TPROXY
                # Injection record: names the init containers, the sidecar container
                # and the volumes that were added to this pod spec.
    48          sidecar.istio.io/status: '{"version":"45fd8869cfbf8375ea44be15a0156f5850b1789428501a78c16a8490fd325b06","initContainers":["sleep","istio-init"],"containers":["istio-proxy"],"volumes":["cilium-unix-sock-dir","istio-envoy","istio-certs"],"imagePullSecrets":null}'
                # Inbound port 9080 is captured by the sidecar; 15020 (the sidecar's
                # --statusPort and readiness-probe port) is excluded from capture.
    49          traffic.sidecar.istio.io/excludeInboundPorts: "15020"
    50          traffic.sidecar.istio.io/includeInboundPorts: "9080"
                # '*' means no destination IP range is exempt from outbound
                # interception by the sidecar.
    51          traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
    52        creationTimestamp: null
    53        labels:
    54          app: ratings
                # NOTE(review): presumably marks the pod as having a sidecar that can
                # speak Istio mutual TLS - confirm against the Istio version in use.
    55          security.istio.io/tlsMode: istio
    56          version: v1
    57          zgroup: bookinfo
    58      spec:
    59        containers:
              # Application container. NOTE(review): the image is pinned by tag
              # (1.6.0), not by digest, and with IfNotPresent a node keeps using
              # whatever it already has cached under that tag.
    60        - image: docker.io/istio/examples-bookinfo-ratings-v1:1.6.0
    61          imagePullPolicy: IfNotPresent
    62          name: ratings
    63          ports:
    64          - containerPort: 9080
                # No requests/limits and no securityContext are set on this container,
                # so it runs with the image's user and the runtime's default
                # capabilities and is unbounded in CPU and memory.
    65          resources: {}
    66        - args:
                # Command line of the injected sidecar (named istio-proxy further
                # down); --binaryPath shows that it launches Envoy.
    67          - proxy
    68          - sidecar
    69          - --domain
    70          - $(POD_NAMESPACE).svc.cluster.local
    71          - --configPath
    72          - /etc/istio/proxy
    73          - --binaryPath
    74          - /usr/local/bin/envoy
    75          - --serviceCluster
    76          - ratings.$(POD_NAMESPACE)
    77          - --drainDuration
    78          - 45s
    79          - --parentShutdownDuration
    80          - 1m0s
                # Control-plane endpoint; --controlPlaneAuthPolicy below is MUTUAL_TLS.
    81          - --discoveryAddress
    82          - istio-pilot.istio-system:15011
    83          - --zipkinAddress
    84          - zipkin.istio-system:9411
    85          - --dnsRefreshRate
    86          - 300s
    87          - --connectTimeout
    88          - 10s
                # NOTE(review): 15000 is the proxy admin port. It is not listed under
                # `ports`, but confirm that it only listens on loopback.
    89          - --proxyAdminPort
    90          - "15000"
    91          - --concurrency
    92          - "2"
    93          - --controlPlaneAuthPolicy
    94          - MUTUAL_TLS
                # Status port; it is also the readinessProbe port below.
    95          - --statusPort
    96          - "15020"
    97          - --applicationPorts
    98          - "9080"
    99          env:
                # Pod identity values (name, namespace, IP, service account) are read
                # from the downward API via fieldRef, not hard-coded.
   100          - name: POD_NAME
   101            valueFrom:
   102              fieldRef:
   103                fieldPath: metadata.name
   104          - name: ISTIO_META_POD_PORTS
   105            value: |-
   106              [
   107                  {"containerPort":9080}
   108              ]
   109          - name: ISTIO_META_CLUSTER_ID
   110            value: Kubernetes
   111          - name: POD_NAMESPACE
   112            valueFrom:
   113              fieldRef:
   114                fieldPath: metadata.namespace
   115          - name: INSTANCE_IP
   116            valueFrom:
   117              fieldRef:
   118                fieldPath: status.podIP
   119          - name: SERVICE_ACCOUNT
   120            valueFrom:
   121              fieldRef:
   122                fieldPath: spec.serviceAccountName
   123          - name: ISTIO_META_POD_NAME
   124            valueFrom:
   125              fieldRef:
   126                fieldPath: metadata.name
   127          - name: ISTIO_META_CONFIG_NAMESPACE
   128            valueFrom:
   129              fieldRef:
   130                fieldPath: metadata.namespace
                # SDS is off; the proxy presumably reads its certificates from the
                # istio-certs secret mounted read-only at /etc/certs/ - confirm.
   131          - name: SDS_ENABLED
   132            value: "false"
   133          - name: ISTIO_META_INTERCEPTION_MODE
   134            value: TPROXY
   135          - name: ISTIO_META_INCLUDE_INBOUND_PORTS
   136            value: "9080"
   137          - name: ISTIO_METAJSON_LABELS
   138            value: |
   139              {"app":"ratings","version":"v1","zgroup":"bookinfo"}
   140          - name: ISTIO_META_WORKLOAD_NAME
   141            value: ratings-v1
                # NOTE(review): the owner path hard-codes namespace "default", while
                # POD_NAMESPACE comes from the downward API; the two disagree if this
                # manifest is applied to any other namespace.
   142          - name: ISTIO_META_OWNER
   143            value: kubernetes://apis/apps/v1/namespaces/default/deployments/ratings-v1
                # Sidecar image pinned by tag rather than by digest; with IfNotPresent
                # a node reuses whatever it has cached under this tag.
   144          image: docker.io/cilium/istio_proxy:1.4.6
   145          imagePullPolicy: IfNotPresent
   146          name: istio-proxy
   147          ports:
   148          - containerPort: 15090
   149            name: http-envoy-prom
   150            protocol: TCP
                # Probes the status port (15020), which the pod annotations exclude
                # from inbound interception.
   151          readinessProbe:
   152            failureThreshold: 30
   153            httpGet:
   154              path: /healthz/ready
   155              port: 15020
   156            initialDelaySeconds: 1
   157            periodSeconds: 2
   158          resources:
   159            limits:
   160              cpu: "2"
   161              memory: 1Gi
   162            requests:
   163              cpu: 100m
   164              memory: 128Mi
                # Runs as UID 0 (runAsNonRoot: false) with NET_ADMIN added. All other
                # capabilities are dropped, privilege escalation is off and the root
                # filesystem is read-only, which limits but does not remove the impact
                # of a sidecar compromise. NOTE(review): adding NET_ADMIN is outside
                # the Pod Security "baseline" profile, so the namespace must allow it.
   165          securityContext:
   166            allowPrivilegeEscalation: false
   167            capabilities:
   168              add:
   169              - NET_ADMIN
   170              drop:
   171              - ALL
   172            privileged: false
   173            readOnlyRootFilesystem: true
   174            runAsGroup: 1337
   175            runAsNonRoot: false
   176            runAsUser: 0
   177          volumeMounts:
                # Host directory /var/run/cilium (a hostPath volume) is mounted without
                # readOnly into a container running as UID 0. Presumably it holds the
                # Cilium agent's unix sockets - treat this as node-level access.
   178          - mountPath: /var/run/cilium
   179            name: cilium-unix-sock-dir
   180          - mountPath: /etc/istio/proxy
   181            name: istio-envoy
   182          - mountPath: /etc/certs/
   183            name: istio-certs
   184            readOnly: true
   185        initContainers:
              # "sleep": waits for cluster DNS by retrying nslookup once a second and
              # exits 1 after 120 failed attempts. No securityContext or resource
              # limits are set, and busybox:1.28.4 names neither a registry nor a
              # digest, so which image is pulled depends on the runtime's defaults.
   186        - command:
   187          - sh
   188          - -c
   189          - 'max=120; i=0; until nslookup kube-dns.kube-system.svc.cluster.local; do
   190            i=$((i + 1)); if [ $i -eq $max ]; then echo timed-out; exit 1; else sleep
   191            1; fi done '
   192          image: busybox:1.28.4
   193          imagePullPolicy: IfNotPresent
   194          name: sleep
   195          resources: {}
              # "istio-init": runs istio-iptables to set up traffic interception in
              # TPROXY mode (-m), using ports 15001/15006 and id 1337.
   196        - command:
   197          - istio-iptables
   198          - -p
   199          - "15001"
   200          - -z
   201          - "15006"
   202          - -u
   203          - "1337"
   204          - -m
   205          - TPROXY
   206          - -i
   207          - '*'
   208          - -x
   209          - ""
                # NOTE(review): -b and -d appear to be the inbound port include and
                # exclude lists. '*' here differs from the includeInboundPorts: "9080"
                # annotation on this pod - confirm which one is intended.
   210          - -b
   211          - '*'
   212          - -d
   213          - "15020"
   214          image: docker.io/cilium/istio_proxy:1.4.6
   215          imagePullPolicy: IfNotPresent
   216          name: istio-init
   217          resources:
   218            limits:
   219              cpu: 100m
   220              memory: 50Mi
   221            requests:
   222              cpu: 10m
   223              memory: 10Mi
                # Root (UID 0 / GID 0) with NET_ADMIN and NET_RAW and a writable root
                # filesystem; everything else is dropped and escalation is off. Both
                # added capabilities fall outside the Pod Security "baseline" profile.
   224          securityContext:
   225            allowPrivilegeEscalation: false
   226            capabilities:
   227              add:
   228              - NET_ADMIN
   229              - NET_RAW
   230              drop:
   231              - ALL
   232            privileged: false
   233            readOnlyRootFilesystem: false
   234            runAsGroup: 0
   235            runAsNonRoot: false
   236            runAsUser: 0
              # Zero grace period: containers are killed immediately on deletion, so
              # the sidecar's --drainDuration of 45s presumably never takes effect.
   237        terminationGracePeriodSeconds: 0
   238        volumes:
              # hostPath with no `type`, so nothing is checked about what exists at
              # the path on the node. hostPath volumes are disallowed by the Pod
              # Security "baseline" profile; the pod needs a namespace that permits them.
   239        - hostPath:
   240            path: /var/run/cilium
   241          name: cilium-unix-sock-dir
              # Memory-backed emptyDir (tmpfs) for the proxy's config directory.
   242        - emptyDir:
   243            medium: Memory
   244          name: istio-envoy
              # NOTE(review): optional: true lets the pod start even if the secret
              # istio.default is missing. With SDS_ENABLED "false" the proxy would then
              # have no mounted certificates - confirm how it behaves in that case.
   245        - name: istio-certs
   246          secret:
   247            optional: true
   248            secretName: istio.default
   249  status: {}
   250  ---
   251  apiVersion: apps/v1
        # Deployment of a single reviews v2 pod: the application container plus an
        # Istio sidecar (istio-proxy) and two init containers defined further down.
   252  kind: Deployment
   253  metadata:
          # NOTE(review): `creationTimestamp: null` together with the
          # sidecar.istio.io/status annotation below suggests this is saved
          # sidecar-injector output rather than a hand-written manifest - confirm
          # before editing it by hand.
   254    creationTimestamp: null
   255    name: reviews-v2
   256  spec:
   257    replicas: 1
   258    selector:
            # All three labels must also appear in the pod template labels below
            # (they do); apps/v1 rejects a Deployment whose selector does not match.
   259      matchLabels:
   260        app: reviews
   261        version: v2
   262        zgroup: bookinfo
   263    strategy: {}
   264    template:
   265      metadata:
   266        annotations:
                # TPROXY interception mode. The istio-proxy container in this pod
                # runs as UID 0 with NET_ADMIN, presumably because this mode needs it.
   267          sidecar.istio.io/interceptionMode: TPROXY
                # Injection record: names the init containers, the sidecar container
                # and the volumes that were added to this pod spec.
   268          sidecar.istio.io/status: '{"version":"45fd8869cfbf8375ea44be15a0156f5850b1789428501a78c16a8490fd325b06","initContainers":["sleep","istio-init"],"containers":["istio-proxy"],"volumes":["cilium-unix-sock-dir","istio-envoy","istio-certs"],"imagePullSecrets":null}'
                # Inbound port 9080 is captured by the sidecar; 15020 (the sidecar's
                # --statusPort and readiness-probe port) is excluded from capture.
   269          traffic.sidecar.istio.io/excludeInboundPorts: "15020"
   270          traffic.sidecar.istio.io/includeInboundPorts: "9080"
                # '*' means no destination IP range is exempt from outbound
                # interception by the sidecar.
   271          traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
   272        creationTimestamp: null
   273        labels:
   274          app: reviews
                # NOTE(review): presumably marks the pod as having a sidecar that can
                # speak Istio mutual TLS - confirm against the Istio version in use.
   275          security.istio.io/tlsMode: istio
   276          version: v2
   277          zgroup: bookinfo
   278      spec:
   279        containers:
              # Application container. NOTE(review): the image is pinned by tag
              # (1.6.0), not by digest, and with IfNotPresent a node keeps using
              # whatever it already has cached under that tag.
   280        - image: docker.io/istio/examples-bookinfo-reviews-v2:1.6.0
   281          imagePullPolicy: IfNotPresent
   282          name: reviews
   283          ports:
   284          - containerPort: 9080
                # No requests/limits and no securityContext are set on this container,
                # so it runs with the image's user and the runtime's default
                # capabilities and is unbounded in CPU and memory.
   285          resources: {}
   286        - args:
                # Command line of the injected sidecar (named istio-proxy further
                # down); --binaryPath shows that it launches Envoy.
   287          - proxy
   288          - sidecar
   289          - --domain
   290          - $(POD_NAMESPACE).svc.cluster.local
   291          - --configPath
   292          - /etc/istio/proxy
   293          - --binaryPath
   294          - /usr/local/bin/envoy
   295          - --serviceCluster
   296          - reviews.$(POD_NAMESPACE)
   297          - --drainDuration
   298          - 45s
   299          - --parentShutdownDuration
   300          - 1m0s
                # Control-plane endpoint; --controlPlaneAuthPolicy below is MUTUAL_TLS.
   301          - --discoveryAddress
   302          - istio-pilot.istio-system:15011
   303          - --zipkinAddress
   304          - zipkin.istio-system:9411
   305          - --dnsRefreshRate
   306          - 300s
   307          - --connectTimeout
   308          - 10s
                # NOTE(review): 15000 is the proxy admin port. It is not listed under
                # `ports`, but confirm that it only listens on loopback.
   309          - --proxyAdminPort
   310          - "15000"
   311          - --concurrency
   312          - "2"
   313          - --controlPlaneAuthPolicy
   314          - MUTUAL_TLS
                # Status port; it is also the readinessProbe port below.
   315          - --statusPort
   316          - "15020"
   317          - --applicationPorts
   318          - "9080"
   319          env:
                # Pod identity values (name, namespace, IP, service account) are read
                # from the downward API via fieldRef, not hard-coded.
   320          - name: POD_NAME
   321            valueFrom:
   322              fieldRef:
   323                fieldPath: metadata.name
   324          - name: ISTIO_META_POD_PORTS
   325            value: |-
   326              [
   327                  {"containerPort":9080}
   328              ]
   329          - name: ISTIO_META_CLUSTER_ID
   330            value: Kubernetes
   331          - name: POD_NAMESPACE
   332            valueFrom:
   333              fieldRef:
   334                fieldPath: metadata.namespace
   335          - name: INSTANCE_IP
   336            valueFrom:
   337              fieldRef:
   338                fieldPath: status.podIP
   339          - name: SERVICE_ACCOUNT
   340            valueFrom:
   341              fieldRef:
   342                fieldPath: spec.serviceAccountName
   343          - name: ISTIO_META_POD_NAME
   344            valueFrom:
   345              fieldRef:
   346                fieldPath: metadata.name
   347          - name: ISTIO_META_CONFIG_NAMESPACE
   348            valueFrom:
   349              fieldRef:
   350                fieldPath: metadata.namespace
                # SDS is off; the proxy presumably reads its certificates from the
                # istio-certs secret mounted read-only at /etc/certs/ - confirm.
   351          - name: SDS_ENABLED
   352            value: "false"
   353          - name: ISTIO_META_INTERCEPTION_MODE
   354            value: TPROXY
   355          - name: ISTIO_META_INCLUDE_INBOUND_PORTS
   356            value: "9080"
   357          - name: ISTIO_METAJSON_LABELS
   358            value: |
   359              {"app":"reviews","version":"v2","zgroup":"bookinfo"}
   360          - name: ISTIO_META_WORKLOAD_NAME
   361            value: reviews-v2
                # NOTE(review): the owner path hard-codes namespace "default", while
                # POD_NAMESPACE comes from the downward API; the two disagree if this
                # manifest is applied to any other namespace.
   362          - name: ISTIO_META_OWNER
   363            value: kubernetes://apis/apps/v1/namespaces/default/deployments/reviews-v2
                # Sidecar image pinned by tag rather than by digest; with IfNotPresent
                # a node reuses whatever it has cached under this tag.
   364          image: docker.io/cilium/istio_proxy:1.4.6
   365          imagePullPolicy: IfNotPresent
   366          name: istio-proxy
   367          ports:
   368          - containerPort: 15090
   369            name: http-envoy-prom
   370            protocol: TCP
                # Probes the status port (15020), which the pod annotations exclude
                # from inbound interception.
   371          readinessProbe:
   372            failureThreshold: 30
   373            httpGet:
   374              path: /healthz/ready
   375              port: 15020
   376            initialDelaySeconds: 1
   377            periodSeconds: 2
   378          resources:
   379            limits:
   380              cpu: "2"
   381              memory: 1Gi
   382            requests:
   383              cpu: 100m
   384              memory: 128Mi
                # Runs as UID 0 (runAsNonRoot: false) with NET_ADMIN added. All other
                # capabilities are dropped, privilege escalation is off and the root
                # filesystem is read-only, which limits but does not remove the impact
                # of a sidecar compromise. NOTE(review): adding NET_ADMIN is outside
                # the Pod Security "baseline" profile, so the namespace must allow it.
   385          securityContext:
   386            allowPrivilegeEscalation: false
   387            capabilities:
   388              add:
   389              - NET_ADMIN
   390              drop:
   391              - ALL
   392            privileged: false
   393            readOnlyRootFilesystem: true
   394            runAsGroup: 1337
   395            runAsNonRoot: false
   396            runAsUser: 0
   397          volumeMounts:
                # Host directory /var/run/cilium (a hostPath volume) is mounted without
                # readOnly into a container running as UID 0. Presumably it holds the
                # Cilium agent's unix sockets - treat this as node-level access.
   398          - mountPath: /var/run/cilium
   399            name: cilium-unix-sock-dir
   400          - mountPath: /etc/istio/proxy
   401            name: istio-envoy
   402          - mountPath: /etc/certs/
   403            name: istio-certs
   404            readOnly: true
   405        initContainers:
              # "sleep": waits for cluster DNS by retrying nslookup once a second and
              # exits 1 after 120 failed attempts. No securityContext or resource
              # limits are set, and busybox:1.28.4 names neither a registry nor a
              # digest, so which image is pulled depends on the runtime's defaults.
   406        - command:
   407          - sh
   408          - -c
   409          - 'max=120; i=0; until nslookup kube-dns.kube-system.svc.cluster.local; do
   410            i=$((i + 1)); if [ $i -eq $max ]; then echo timed-out; exit 1; else sleep
   411            1; fi done '
   412          image: busybox:1.28.4
   413          imagePullPolicy: IfNotPresent
   414          name: sleep
   415          resources: {}
              # "istio-init": runs istio-iptables to set up traffic interception in
              # TPROXY mode (-m), using ports 15001/15006 and id 1337.
   416        - command:
   417          - istio-iptables
   418          - -p
   419          - "15001"
   420          - -z
   421          - "15006"
   422          - -u
   423          - "1337"
   424          - -m
   425          - TPROXY
   426          - -i
   427          - '*'
   428          - -x
   429          - ""
                # NOTE(review): -b and -d appear to be the inbound port include and
                # exclude lists. '*' here differs from the includeInboundPorts: "9080"
                # annotation on this pod - confirm which one is intended.
   430          - -b
   431          - '*'
   432          - -d
   433          - "15020"
   434          image: docker.io/cilium/istio_proxy:1.4.6
   435          imagePullPolicy: IfNotPresent
   436          name: istio-init
   437          resources:
   438            limits:
   439              cpu: 100m
   440              memory: 50Mi
   441            requests:
   442              cpu: 10m
   443              memory: 10Mi
                # Root (UID 0 / GID 0) with NET_ADMIN and NET_RAW and a writable root
                # filesystem; everything else is dropped and escalation is off. Both
                # added capabilities fall outside the Pod Security "baseline" profile.
   444          securityContext:
   445            allowPrivilegeEscalation: false
   446            capabilities:
   447              add:
   448              - NET_ADMIN
   449              - NET_RAW
   450              drop:
   451              - ALL
   452            privileged: false
   453            readOnlyRootFilesystem: false
   454            runAsGroup: 0
   455            runAsNonRoot: false
   456            runAsUser: 0
              # Zero grace period: containers are killed immediately on deletion, so
              # the sidecar's --drainDuration of 45s presumably never takes effect.
   457        terminationGracePeriodSeconds: 0
   458        volumes:
              # hostPath with no `type`, so nothing is checked about what exists at
              # the path on the node. hostPath volumes are disallowed by the Pod
              # Security "baseline" profile; the pod needs a namespace that permits them.
   459        - hostPath:
   460            path: /var/run/cilium
   461          name: cilium-unix-sock-dir
              # Memory-backed emptyDir (tmpfs) for the proxy's config directory.
   462        - emptyDir:
   463            medium: Memory
   464          name: istio-envoy
              # NOTE(review): optional: true lets the pod start even if the secret
              # istio.default is missing. With SDS_ENABLED "false" the proxy would then
              # have no mounted certificates - confirm how it behaves in that case.
   465        - name: istio-certs
   466          secret:
   467            optional: true
   468            secretName: istio.default
   469  status: {}
   470  ---