Google Git
Sign in
cue / cue / 052837627c6e4524ad18c96d60636a28e7621b61 / . / doc / tutorial / kubernetes / testdata / quick.out
blob: cffb467b6e2c250a89f9d2c6b6ce912a94f9da9e [file] [log] [blame]
service: {}
deployment: {}
#Component: string
daemonSet: {}
statefulSet: {}
configMap: {}
service: {}
deployment: {}
#Component: "frontend"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
bartender: {
spec: {
ports: [{
port: *7080 | int32
targetPort: *7080 | int32 | int
name: *"client" | string
protocol: *"TCP" | "UDP"
}]
selector: {
app: "bartender"
domain: "prod"
component: "frontend"
}
}
metadata: {
name: "bartender"
labels: {
app: "bartender"
domain: "prod"
component: "frontend"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
bartender: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "bartender"
domain: "prod"
component: "frontend"
}
annotations: {
"prometheus.io.scrape": "true"
"prometheus.io.port": "7080"
}
}
spec: {
containers: [{
name: "bartender"
image: "gcr.io/myproj/bartender:v0.1.34"
args: []
ports: [{
containerPort: *7080 | int32
}]
}]
}
}
}
metadata: {
name: "bartender"
labels: {
component: "frontend"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "frontend"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
breaddispatcher: {
spec: {
ports: [{
port: *7080 | int32
targetPort: *7080 | int32 | int
name: *"client" | string
protocol: *"TCP" | "UDP"
}]
selector: {
app: "breaddispatcher"
domain: "prod"
component: "frontend"
}
}
metadata: {
name: "breaddispatcher"
labels: {
app: "breaddispatcher"
domain: "prod"
component: "frontend"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
breaddispatcher: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "breaddispatcher"
domain: "prod"
component: "frontend"
}
annotations: {
"prometheus.io.scrape": "true"
"prometheus.io.port": "7080"
}
}
spec: {
containers: [{
name: "breaddispatcher"
image: "gcr.io/myproj/breaddispatcher:v0.3.24"
args: ["-etcd=etcd:2379", "-event-server=events:7788"]
ports: [{
containerPort: *7080 | int32
}]
}]
}
}
}
metadata: {
name: "breaddispatcher"
labels: {
component: "frontend"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "frontend"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
host: {
spec: {
ports: [{
port: *7080 | int32
targetPort: *7080 | int32 | int
name: *"client" | string
protocol: *"TCP" | "UDP"
}]
selector: {
app: "host"
domain: "prod"
component: "frontend"
}
}
metadata: {
name: "host"
labels: {
app: "host"
domain: "prod"
component: "frontend"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
host: {
spec: {
replicas: 2
selector: {}
template: {
metadata: {
labels: {
app: "host"
domain: "prod"
component: "frontend"
}
annotations: {
"prometheus.io.scrape": "true"
"prometheus.io.port": "7080"
}
}
spec: {
containers: [{
name: "host"
image: "gcr.io/myproj/host:v0.1.10"
args: []
ports: [{
containerPort: *7080 | int32
}]
}]
}
}
}
metadata: {
name: "host"
labels: {
component: "frontend"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "frontend"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
maitred: {
spec: {
ports: [{
port: *7080 | int32
targetPort: *7080 | int32 | int
name: *"client" | string
protocol: *"TCP" | "UDP"
}]
selector: {
app: "maitred"
domain: "prod"
component: "frontend"
}
}
metadata: {
name: "maitred"
labels: {
app: "maitred"
domain: "prod"
component: "frontend"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
maitred: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "maitred"
domain: "prod"
component: "frontend"
}
annotations: {
"prometheus.io.scrape": "true"
"prometheus.io.port": "7080"
}
}
spec: {
containers: [{
name: "maitred"
image: "gcr.io/myproj/maitred:v0.0.4"
args: []
ports: [{
containerPort: *7080 | int32
}]
}]
}
}
}
metadata: {
name: "maitred"
labels: {
component: "frontend"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "frontend"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
valeter: {
spec: {
ports: [{
name: "http"
port: *8080 | int32
protocol: *"TCP" | "UDP"
targetPort: *8080 | int
}]
selector: {
app: "valeter"
domain: "prod"
component: "frontend"
}
}
metadata: {
name: "valeter"
labels: {
app: "valeter"
domain: "prod"
component: "frontend"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
valeter: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "valeter"
domain: "prod"
component: "frontend"
}
annotations: {
"prometheus.io.scrape": "true"
"prometheus.io.port": "8080"
}
}
spec: {
containers: [{
name: "valeter"
image: "gcr.io/myproj/valeter:v0.0.4"
ports: [{
containerPort: 8080
}]
args: ["-http=:8080", "-etcd=etcd:2379"]
}]
}
}
}
metadata: {
name: "valeter"
labels: {
component: "frontend"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "frontend"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
waiter: {
spec: {
ports: [{
port: *7080 | int32
targetPort: *7080 | int32 | int
name: *"client" | string
protocol: *"TCP" | "UDP"
}]
selector: {
app: "waiter"
domain: "prod"
component: "frontend"
}
}
metadata: {
name: "waiter"
labels: {
app: "waiter"
domain: "prod"
component: "frontend"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
waiter: {
spec: {
replicas: 5
selector: {}
template: {
metadata: {
labels: {
app: "waiter"
domain: "prod"
component: "frontend"
}
annotations: {
"prometheus.io.scrape": "true"
"prometheus.io.port": "7080"
}
}
spec: {
containers: [{
name: "waiter"
image: "gcr.io/myproj/waiter:v0.3.0"
ports: [{
containerPort: *7080 | int32
}]
}]
}
}
}
metadata: {
name: "waiter"
labels: {
component: "frontend"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "frontend"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
waterdispatcher: {
spec: {
ports: [{
name: "http"
port: *7080 | int32
protocol: *"TCP" | "UDP"
targetPort: *7080 | int32 | int
}]
selector: {
app: "waterdispatcher"
domain: "prod"
component: "frontend"
}
}
metadata: {
name: "waterdispatcher"
labels: {
app: "waterdispatcher"
domain: "prod"
component: "frontend"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
waterdispatcher: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "waterdispatcher"
domain: "prod"
component: "frontend"
}
annotations: {
"prometheus.io.scrape": "true"
"prometheus.io.port": "7080"
}
}
spec: {
containers: [{
name: "waterdispatcher"
image: "gcr.io/myproj/waterdispatcher:v0.0.48"
args: ["-http=:8080", "-etcd=etcd:2379"]
ports: [{
containerPort: *7080 | int32
}]
}]
}
}
}
metadata: {
name: "waterdispatcher"
labels: {
component: "frontend"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "frontend"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {}
deployment: {}
#Component: "infra"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
download: {
spec: {
ports: [{
port: *7080 | int32
targetPort: *7080 | int
name: *"client" | string
protocol: *"TCP" | "UDP"
}]
selector: {
app: "download"
domain: "prod"
component: "infra"
}
}
metadata: {
name: "download"
labels: {
app: "download"
domain: "prod"
component: "infra"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
download: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "download"
domain: "prod"
component: "infra"
}
}
spec: {
containers: [{
name: "download"
image: "gcr.io/myproj/download:v0.0.2"
ports: [{
containerPort: 7080
}]
}]
}
}
}
metadata: {
name: "download"
labels: {
component: "infra"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "infra"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
etcd: {
spec: {
clusterIP: "None"
ports: [{
port: *2379 | int32
targetPort: *2379 | int
name: *"client" | string
protocol: *"TCP" | "UDP"
}, {
name: "peer"
port: *2380 | int32
protocol: *"TCP" | "UDP"
targetPort: *2380 | int
}]
selector: {
app: "etcd"
domain: "prod"
component: "infra"
}
}
metadata: {
name: "etcd"
labels: {
app: "etcd"
domain: "prod"
component: "infra"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {}
#Component: "infra"
daemonSet: {}
statefulSet: {
etcd: {
spec: {
serviceName: "etcd"
replicas: 3
selector: {}
template: {
metadata: {
labels: {
app: "etcd"
component: "infra"
domain: "prod"
}
annotations: {
"prometheus.io.scrape": "true"
"prometheus.io.port": "2379"
}
}
spec: {
affinity: {
podAntiAffinity: {
requiredDuringSchedulingIgnoredDuringExecution: [{
labelSelector: {
matchExpressions: [{
key: "app"
operator: "In"
values: ["etcd"]
}]
}
topologyKey: "kubernetes.io/hostname"
}]
}
}
terminationGracePeriodSeconds: 10
containers: [{
name: "etcd"
image: "quay.io/coreos/etcd:v3.3.10"
ports: [{
name: "client"
containerPort: 2379
}, {
name: "peer"
containerPort: 2380
}]
livenessProbe: {
httpGet: {
path: "/health"
port: "client"
}
initialDelaySeconds: 30
}
volumeMounts: [{
name: "etcd3"
mountPath: "/data"
}]
env: [{
name: "ETCDCTL_API"
value: "3"
}, {
name: "ETCD_AUTO_COMPACTION_RETENTION"
value: "4"
}, {
name: "NAME"
valueFrom: {
fieldRef: {
fieldPath: "metadata.name"
}
}
}, {
name: "IP"
valueFrom: {
fieldRef: {
fieldPath: "status.podIP"
}
}
}]
command: ["/usr/local/bin/etcd"]
args: ["-name", "$(NAME)", "-data-dir", "/data/etcd3", "-initial-advertise-peer-urls", "http://$(IP):2380", "-listen-peer-urls", "http://$(IP):2380", "-listen-client-urls", "http://$(IP):2379,http://127.0.0.1:2379", "-advertise-client-urls", "http://$(IP):2379", "-discovery", "https://discovery.etcd.io/xxxxxx"]
}]
}
}
volumeClaimTemplates: [{
metadata: {
name: "etcd3"
annotations: {
"volume.alpha.kubernetes.io/storage-class": "default"
}
}
spec: {
accessModes: ["ReadWriteOnce"]
resources: {
requests: {
storage: "10Gi"
}
}
}
}]
}
metadata: {
name: "etcd"
labels: {
component: "infra"
}
}
kind: "StatefulSet"
apiVersion: "apps/v1"
}
}
configMap: {}
service: {
events: {
spec: {
ports: [{
name: "grpc"
port: *7788 | int32
protocol: *"TCP" | "UDP"
targetPort: *7788 | int
}]
selector: {
app: "events"
domain: "prod"
component: "infra"
}
}
metadata: {
name: "events"
labels: {
app: "events"
domain: "prod"
component: "infra"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
events: {
spec: {
replicas: 2
selector: {}
template: {
metadata: {
labels: {
app: "events"
domain: "prod"
component: "infra"
}
annotations: {
"prometheus.io.scrape": "true"
"prometheus.io.port": "7080"
}
}
spec: {
affinity: {
podAntiAffinity: {
requiredDuringSchedulingIgnoredDuringExecution: [{
labelSelector: {
matchExpressions: [{
key: "app"
operator: "In"
values: ["events"]
}]
}
topologyKey: "kubernetes.io/hostname"
}]
}
}
volumes: [{
name: "secret-volume"
secret: {
secretName: "biz-secrets"
}
}]
containers: [{
name: "events"
image: "gcr.io/myproj/events:v0.1.31"
ports: [{
containerPort: 7080
}, {
containerPort: 7788
}]
args: ["-cert=/etc/ssl/server.pem", "-key=/etc/ssl/server.key", "-grpc=:7788"]
volumeMounts: [{
mountPath: "/etc/ssl"
name: "secret-volume"
}]
}]
}
}
}
metadata: {
name: "events"
labels: {
component: "infra"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "infra"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
tasks: {
spec: {
type: "LoadBalancer"
loadBalancerIP: "1.2.3.4"
ports: [{
port: 443
name: "http"
protocol: *"TCP" | "UDP"
targetPort: *7443 | int
}]
selector: {
app: "tasks"
domain: "prod"
component: "infra"
}
}
metadata: {
name: "tasks"
labels: {
app: "tasks"
domain: "prod"
component: "infra"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
tasks: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "tasks"
domain: "prod"
component: "infra"
}
annotations: {
"prometheus.io.scrape": "true"
"prometheus.io.port": "7080"
}
}
spec: {
volumes: [{
name: "secret-volume"
secret: {
secretName: "star-example-com-secrets"
}
}]
containers: [{
name: "tasks"
image: "gcr.io/myproj/tasks:v0.2.6"
ports: [{
containerPort: 7080
}, {
containerPort: 7443
}]
volumeMounts: [{
mountPath: "/etc/ssl"
name: "secret-volume"
}]
}]
}
}
}
metadata: {
name: "tasks"
labels: {
component: "infra"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "infra"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
updater: {
spec: {
ports: [{
port: *8080 | int32
targetPort: *8080 | int
name: *"client" | string
protocol: *"TCP" | "UDP"
}]
selector: {
app: "updater"
domain: "prod"
component: "infra"
}
}
metadata: {
name: "updater"
labels: {
app: "updater"
domain: "prod"
component: "infra"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
updater: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "updater"
domain: "prod"
component: "infra"
}
}
spec: {
volumes: [{
name: "secret-updater"
secret: {
secretName: "updater-secrets"
}
}]
containers: [{
name: "updater"
image: "gcr.io/myproj/updater:v0.1.0"
volumeMounts: [{
mountPath: "/etc/certs"
name: "secret-updater"
}]
ports: [{
containerPort: 8080
}]
args: ["-key=/etc/certs/updater.pem"]
}]
}
}
}
metadata: {
name: "updater"
labels: {
component: "infra"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "infra"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
watcher: {
spec: {
type: "LoadBalancer"
loadBalancerIP: "1.2.3.4."
ports: [{
name: "http"
port: *7788 | int32
protocol: *"TCP" | "UDP"
targetPort: *7788 | int
}]
selector: {
app: "watcher"
domain: "prod"
component: "infra"
}
}
metadata: {
name: "watcher"
labels: {
app: "watcher"
domain: "prod"
component: "infra"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
watcher: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "watcher"
domain: "prod"
component: "infra"
}
}
spec: {
volumes: [{
name: "secret-volume"
secret: {
secretName: "star-example-com-secrets"
}
}]
containers: [{
name: "watcher"
image: "gcr.io/myproj/watcher:v0.1.0"
ports: [{
containerPort: 7080
}, {
containerPort: 7788
}]
volumeMounts: [{
mountPath: "/etc/ssl"
name: "secret-volume"
}]
}]
}
}
}
metadata: {
name: "watcher"
labels: {
component: "infra"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "infra"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {}
deployment: {}
#Component: "kitchen"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
caller: {
spec: {
ports: [{
port: *8080 | int32
targetPort: *8080 | int
name: *"client" | string
protocol: *"TCP" | "UDP"
}]
selector: {
app: "caller"
domain: "prod"
component: "kitchen"
}
}
metadata: {
name: "caller"
labels: {
app: "caller"
domain: "prod"
component: "kitchen"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
caller: {
spec: {
replicas: 3
selector: {}
template: {
metadata: {
labels: {
app: "caller"
domain: "prod"
component: "kitchen"
}
annotations: {
"prometheus.io.scrape": "true"
}
}
spec: {
volumes: [{
name: "ssd-caller"
gcePersistentDisk: {
pdName: "ssd-caller"
fsType: "ext4"
}
}, {
name: *"secret-caller" | string
secret: {
secretName: *"caller-secrets" | string
}
}, {
name: "secret-ssh-key"
secret: {
secretName: "secrets"
}
}]
containers: [{
name: "caller"
image: "gcr.io/myproj/caller:v0.20.14"
volumeMounts: [{
name: "ssd-caller"
mountPath: *"/logs" | string
}, {
mountPath: *"/etc/certs" | string
name: *"secret-caller" | string
readOnly: true
}, {
mountPath: "/sslcerts"
name: "secret-ssh-key"
readOnly: true
}]
args: ["-env=prod", "-key=/etc/certs/client.key", "-cert=/etc/certs/client.pem", "-ca=/etc/certs/servfx.ca", "-ssh-tunnel-key=/sslcerts/tunnel-private.pem", "-logdir=/logs", "-event-server=events:7788"]
ports: [{
containerPort: 8080
}]
livenessProbe: {
httpGet: {
path: "/debug/health"
port: 8080
}
initialDelaySeconds: 40
periodSeconds: 3
}
}]
}
}
}
metadata: {
name: "caller"
labels: {
component: "kitchen"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "kitchen"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
dishwasher: {
spec: {
ports: [{
port: *8080 | int32
targetPort: *8080 | int
name: *"client" | string
protocol: *"TCP" | "UDP"
}]
selector: {
app: "dishwasher"
domain: "prod"
component: "kitchen"
}
}
metadata: {
name: "dishwasher"
labels: {
app: "dishwasher"
domain: "prod"
component: "kitchen"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
dishwasher: {
spec: {
replicas: 5
selector: {}
template: {
metadata: {
labels: {
app: "dishwasher"
domain: "prod"
component: "kitchen"
}
annotations: {
"prometheus.io.scrape": "true"
}
}
spec: {
volumes: [{
name: *"dishwasher-disk" | string
gcePersistentDisk: {
pdName: *"dishwasher-disk" | string
fsType: "ext4"
}
}, {
name: *"secret-dishwasher" | string
secret: {
secretName: *"dishwasher-secrets" | string
}
}, {
name: "secret-ssh-key"
secret: {
secretName: "dishwasher-secrets"
}
}]
containers: [{
name: "dishwasher"
image: "gcr.io/myproj/dishwasher:v0.2.13"
volumeMounts: [{
name: *"dishwasher-disk" | string
mountPath: *"/logs" | string
}, {
mountPath: "/sslcerts"
name: *"secret-dishwasher" | string
readOnly: true
}, {
mountPath: "/etc/certs"
name: "secret-ssh-key"
readOnly: true
}]
args: ["-env=prod", "-ssh-tunnel-key=/etc/certs/tunnel-private.pem", "-logdir=/logs", "-event-server=events:7788"]
ports: [{
containerPort: 8080
}]
livenessProbe: {
httpGet: {
path: "/debug/health"
port: 8080
}
initialDelaySeconds: 40
periodSeconds: 3
}
}]
}
}
}
metadata: {
name: "dishwasher"
labels: {
component: "kitchen"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "kitchen"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
expiditer: {
spec: {
ports: [{
port: *8080 | int32
targetPort: *8080 | int
name: *"client" | string
protocol: *"TCP" | "UDP"
}]
selector: {
app: "expiditer"
domain: "prod"
component: "kitchen"
}
}
metadata: {
name: "expiditer"
labels: {
app: "expiditer"
domain: "prod"
component: "kitchen"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
expiditer: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "expiditer"
domain: "prod"
component: "kitchen"
}
annotations: {
"prometheus.io.scrape": "true"
}
}
spec: {
volumes: [{
name: *"expiditer-disk" | string
gcePersistentDisk: {
pdName: *"expiditer-disk" | string
fsType: "ext4"
}
}, {
name: *"secret-expiditer" | string
secret: {
secretName: *"expiditer-secrets" | string
}
}]
containers: [{
name: "expiditer"
image: "gcr.io/myproj/expiditer:v0.5.34"
args: ["-env=prod", "-ssh-tunnel-key=/etc/certs/tunnel-private.pem", "-logdir=/logs", "-event-server=events:7788"]
ports: [{
containerPort: 8080
}]
volumeMounts: [{
name: *"expiditer-disk" | string
mountPath: *"/logs" | string
}, {
mountPath: *"/etc/certs" | string
name: *"secret-expiditer" | string
readOnly: true
}]
livenessProbe: {
httpGet: {
path: "/debug/health"
port: 8080
}
initialDelaySeconds: 40
periodSeconds: 3
}
}]
}
}
}
metadata: {
name: "expiditer"
labels: {
component: "kitchen"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "kitchen"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
headchef: {
spec: {
ports: [{
port: *8080 | int32
targetPort: *8080 | int
name: *"client" | string
protocol: *"TCP" | "UDP"
}]
selector: {
app: "headchef"
domain: "prod"
component: "kitchen"
}
}
metadata: {
name: "headchef"
labels: {
app: "headchef"
domain: "prod"
component: "kitchen"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
headchef: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "headchef"
domain: "prod"
component: "kitchen"
}
annotations: {
"prometheus.io.scrape": "true"
}
}
spec: {
volumes: [{
name: *"headchef-disk" | string
gcePersistentDisk: {
pdName: *"headchef-disk" | string
fsType: "ext4"
}
}, {
name: *"secret-headchef" | string
secret: {
secretName: *"headchef-secrets" | string
}
}]
containers: [{
name: "headchef"
image: "gcr.io/myproj/headchef:v0.2.16"
volumeMounts: [{
name: *"headchef-disk" | string
mountPath: *"/logs" | string
}, {
mountPath: "/sslcerts"
name: *"secret-headchef" | string
readOnly: true
}]
args: ["-env=prod", "-logdir=/logs", "-event-server=events:7788"]
ports: [{
containerPort: 8080
}]
livenessProbe: {
httpGet: {
path: "/debug/health"
port: 8080
}
initialDelaySeconds: 40
periodSeconds: 3
}
}]
}
}
}
metadata: {
name: "headchef"
labels: {
component: "kitchen"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "kitchen"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
linecook: {
spec: {
ports: [{
port: *8080 | int32
targetPort: *8080 | int
name: *"client" | string
protocol: *"TCP" | "UDP"
}]
selector: {
app: "linecook"
domain: "prod"
component: "kitchen"
}
}
metadata: {
name: "linecook"
labels: {
app: "linecook"
domain: "prod"
component: "kitchen"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
linecook: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "linecook"
domain: "prod"
component: "kitchen"
}
annotations: {
"prometheus.io.scrape": "true"
}
}
spec: {
volumes: [{
name: *"linecook-disk" | string
gcePersistentDisk: {
pdName: *"linecook-disk" | string
fsType: "ext4"
}
}, {
name: "secret-kitchen"
secret: {
secretName: "secrets"
}
}]
containers: [{
name: "linecook"
image: "gcr.io/myproj/linecook:v0.1.42"
volumeMounts: [{
name: *"linecook-disk" | string
mountPath: *"/logs" | string
}, {
name: "secret-kitchen"
mountPath: *"/etc/certs" | string
readOnly: true
}]
args: ["-name=linecook", "-env=prod", "-logdir=/logs", "-event-server=events:7788", "-etcd", "etcd:2379", "-reconnect-delay", "1h", "-recovery-overlap", "100000"]
ports: [{
containerPort: 8080
}]
livenessProbe: {
httpGet: {
path: "/debug/health"
port: 8080
}
initialDelaySeconds: 40
periodSeconds: 3
}
}]
}
}
}
metadata: {
name: "linecook"
labels: {
component: "kitchen"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "kitchen"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
pastrychef: {
spec: {
ports: [{
port: *8080 | int32
targetPort: *8080 | int
name: *"client" | string
protocol: *"TCP" | "UDP"
}]
selector: {
app: "pastrychef"
domain: "prod"
component: "kitchen"
}
}
metadata: {
name: "pastrychef"
labels: {
app: "pastrychef"
domain: "prod"
component: "kitchen"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
pastrychef: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "pastrychef"
domain: "prod"
component: "kitchen"
}
annotations: {
"prometheus.io.scrape": "true"
}
}
spec: {
volumes: [{
name: *"pastrychef-disk" | string
gcePersistentDisk: {
pdName: *"pastrychef-disk" | string
fsType: "ext4"
}
}, {
name: "secret-ssh-key"
secret: {
secretName: "secrets"
}
}]
containers: [{
name: "pastrychef"
image: "gcr.io/myproj/pastrychef:v0.1.15"
volumeMounts: [{
name: *"pastrychef-disk" | string
mountPath: *"/logs" | string
}, {
name: "secret-ssh-key"
mountPath: *"/etc/certs" | string
readOnly: true
}]
args: ["-env=prod", "-ssh-tunnel-key=/etc/certs/tunnel-private.pem", "-logdir=/logs", "-event-server=events:7788", "-reconnect-delay=1m", "-etcd=etcd:2379", "-recovery-overlap=10000"]
ports: [{
containerPort: 8080
}]
livenessProbe: {
httpGet: {
path: "/debug/health"
port: 8080
}
initialDelaySeconds: 40
periodSeconds: 3
}
}]
}
}
}
metadata: {
name: "pastrychef"
labels: {
component: "kitchen"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "kitchen"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
souschef: {
spec: {
ports: [{
port: *8080 | int32
targetPort: *8080 | int
name: *"client" | string
protocol: *"TCP" | "UDP"
}]
selector: {
app: "souschef"
domain: "prod"
component: "kitchen"
}
}
metadata: {
name: "souschef"
labels: {
app: "souschef"
domain: "prod"
component: "kitchen"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
souschef: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "souschef"
domain: "prod"
component: "kitchen"
}
annotations: {
"prometheus.io.scrape": "true"
}
}
spec: {
containers: [{
name: "souschef"
image: "gcr.io/myproj/souschef:v0.5.3"
ports: [{
containerPort: 8080
}]
livenessProbe: {
httpGet: {
path: "/debug/health"
port: 8080
}
initialDelaySeconds: 40
periodSeconds: 3
}
}]
}
}
}
metadata: {
name: "souschef"
labels: {
component: "kitchen"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "kitchen"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {}
deployment: {}
#Component: "mon"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
alertmanager: {
metadata: {
name: "alertmanager"
annotations: {
"prometheus.io/scrape": "true"
"prometheus.io/path": "/metrics"
}
labels: {
name: "alertmanager"
app: "alertmanager"
domain: "prod"
component: "mon"
}
}
spec: {
ports: [{
name: "main"
port: *9093 | int32
protocol: *"TCP" | "UDP"
targetPort: *9093 | int
}]
selector: {
name: "alertmanager"
app: "alertmanager"
domain: "prod"
component: "mon"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
alertmanager: {
spec: {
replicas: *1 | int32
selector: {
matchLabels: {
app: "alertmanager"
}
}
template: {
metadata: {
name: "alertmanager"
labels: {
app: "alertmanager"
domain: "prod"
component: "mon"
}
}
spec: {
containers: [{
name: "alertmanager"
image: "prom/alertmanager:v0.15.2"
args: ["--config.file=/etc/alertmanager/alerts.yaml", "--storage.path=/alertmanager", "--web.external-url=https://alertmanager.example.com"]
ports: [{
name: "alertmanager"
containerPort: 9093
}]
volumeMounts: [{
name: "config-volume"
mountPath: "/etc/alertmanager"
}, {
name: "alertmanager"
mountPath: "/alertmanager"
}]
}]
volumes: [{
name: "config-volume"
configMap: {
name: "alertmanager"
}
}, {
name: "alertmanager"
emptyDir: {}
}]
}
}
}
metadata: {
name: "alertmanager"
labels: {
component: "mon"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "mon"
daemonSet: {}
statefulSet: {}
configMap: {
alertmanager: {
apiVersion: "v1"
kind: "ConfigMap"
data: {
"alerts.yaml": """
receivers:
- name: pager
slack_configs:
- channel: '#cloudmon'
text: |-
{{ range .Alerts }}{{ .Annotations.description }}
{{ end }}
send_resolved: true
route:
receiver: pager
group_by:
- alertname
- cluster
"""
}
metadata: {
name: "alertmanager"
labels: {
component: "mon"
}
}
}
}
service: {
grafana: {
spec: {
ports: [{
name: "grafana"
port: 3000
protocol: *"TCP" | "UDP"
targetPort: 3000
}]
selector: {
app: "grafana"
domain: "prod"
component: "mon"
}
}
metadata: {
name: "grafana"
labels: {
app: "grafana"
domain: "prod"
component: "mon"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
grafana: {
metadata: {
name: "grafana"
labels: {
app: "grafana"
component: "mon"
}
}
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "grafana"
domain: "prod"
component: "mon"
}
}
spec: {
volumes: [{
name: "grafana-volume"
gcePersistentDisk: {
pdName: "grafana-volume"
fsType: "ext4"
}
}]
containers: [{
name: "grafana"
image: "grafana/grafana:4.5.2"
ports: [{
containerPort: 8080
}]
resources: {
limits: {
cpu: "100m"
memory: "100Mi"
}
requests: {
cpu: "100m"
memory: "100Mi"
}
}
env: [{
name: "GF_AUTH_BASIC_ENABLED"
value: "false"
}, {
name: "GF_AUTH_ANONYMOUS_ENABLED"
value: "true"
}, {
name: "GF_AUTH_ANONYMOUS_ORG_ROLE"
value: "admin"
}]
volumeMounts: [{
name: "grafana-volume"
mountPath: "/var/lib/grafana"
}]
}]
}
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "mon"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
"node-exporter": {
metadata: {
name: "node-exporter"
annotations: {
"prometheus.io/scrape": "true"
}
labels: {
app: "node-exporter"
domain: "prod"
component: "mon"
}
}
spec: {
type: "ClusterIP"
clusterIP: "None"
ports: [{
name: "metrics"
port: *9100 | int32
protocol: *"TCP" | "UDP"
targetPort: *9100 | int
}]
selector: {
app: "node-exporter"
domain: "prod"
component: "mon"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {}
#Component: "mon"
daemonSet: {
"node-exporter": {
spec: {
selector: {}
template: {
metadata: {
name: "node-exporter"
labels: {
app: "node-exporter"
component: "mon"
domain: "prod"
}
}
spec: {
hostNetwork: true
hostPID: true
containers: [{
name: "node-exporter"
image: "quay.io/prometheus/node-exporter:v0.16.0"
args: ["--path.procfs=/host/proc", "--path.sysfs=/host/sys"]
ports: [{
containerPort: 9100
hostPort: 9100
name: "scrape"
}]
resources: {
requests: {
memory: "30Mi"
cpu: "100m"
}
limits: {
memory: "50Mi"
cpu: "200m"
}
}
volumeMounts: [{
name: "proc"
readOnly: true
mountPath: "/host/proc"
}, {
name: "sys"
readOnly: true
mountPath: "/host/sys"
}]
}]
volumes: [{
name: "proc"
hostPath: {
path: "/proc"
}
}, {
name: "sys"
hostPath: {
path: "/sys"
}
}]
}
}
}
metadata: {
name: "node-exporter"
labels: {
component: "mon"
}
}
kind: "DaemonSet"
apiVersion: "apps/v1"
}
}
statefulSet: {}
configMap: {}
service: {
prometheus: {
metadata: {
name: "prometheus"
annotations: {
"prometheus.io/scrape": "true"
}
labels: {
name: "prometheus"
app: "prometheus"
domain: "prod"
component: "mon"
}
}
spec: {
type: "NodePort"
ports: [{
name: "main"
nodePort: 30900
port: *9090 | int32
protocol: *"TCP" | "UDP"
targetPort: *9090 | int
}]
selector: {
name: "prometheus"
app: "prometheus"
domain: "prod"
component: "mon"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
prometheus: {
spec: {
replicas: *1 | int32
strategy: {
rollingUpdate: {
maxSurge: 0
maxUnavailable: 1
}
type: "RollingUpdate"
}
selector: {
matchLabels: {
app: "prometheus"
}
}
template: {
metadata: {
name: "prometheus"
labels: {
app: "prometheus"
domain: "prod"
component: "mon"
}
annotations: {
"prometheus.io.scrape": "true"
}
}
spec: {
containers: [{
name: "prometheus"
image: "prom/prometheus:v2.4.3"
args: ["--config.file=/etc/prometheus/prometheus.yml", "--web.external-url=https://prometheus.example.com"]
ports: [{
name: "web"
containerPort: 9090
}]
volumeMounts: [{
name: "config-volume"
mountPath: "/etc/prometheus"
}]
}]
volumes: [{
name: "config-volume"
configMap: {
name: "prometheus"
}
}]
}
}
}
metadata: {
name: "prometheus"
labels: {
component: "mon"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "mon"
daemonSet: {}
statefulSet: {}
configMap: {
prometheus: {
apiVersion: "v1"
kind: "ConfigMap"
data: {
"alert.rules": """
groups:
- name: rules.yaml
rules:
- alert: InstanceDown
expr: up == 0
for: 30s
labels:
severity: page
annotations:
description: '{{$labels.app}} of job {{ $labels.job }} has been down for more
than 30 seconds.'
summary: Instance {{$labels.app}} down
- alert: InsufficientPeers
expr: count(up{job=\"etcd\"} == 0) > (count(up{job=\"etcd\"}) / 2 - 1)
for: 3m
labels:
severity: page
annotations:
description: If one more etcd peer goes down the cluster will be unavailable
summary: etcd cluster small
- alert: EtcdNoMaster
expr: sum(etcd_server_has_leader{app=\"etcd\"}) == 0
for: 1s
labels:
severity: page
annotations:
summary: No ETCD master elected.
- alert: PodRestart
expr: (max_over_time(pod_container_status_restarts_total[5m]) - min_over_time(pod_container_status_restarts_total[5m]))
> 2
for: 1m
labels:
severity: page
annotations:
description: '{{$labels.app}} {{ $labels.container }} resturted {{ $value }}
times in 5m.'
summary: Pod for {{$labels.container}} restarts too often
"""
"prometheus.yml": """
global:
scrape_interval: 15s
rule_files:
- /etc/prometheus/alert.rules
alerting:
alertmanagers:
- scheme: http
static_configs:
- targets:
- alertmanager:9093
scrape_configs:
- job_name: kubernetes-apiservers
kubernetes_sd_configs:
- role: endpoints
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
relabel_configs:
- source_labels:
- __meta_kubernetes_namespace
- __meta_kubernetes_service_name
- __meta_kubernetes_endpoint_port_name
action: keep
regex: default;kubernetes;https
- job_name: kubernetes-nodes
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels:
- __meta_kubernetes_node_name
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics
- job_name: kubernetes-cadvisor
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels:
- __meta_kubernetes_node_name
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
- job_name: kubernetes-service-endpoints
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels:
- __meta_kubernetes_service_annotation_prometheus_io_scrape
action: keep
regex: true
- source_labels:
- __meta_kubernetes_service_annotation_prometheus_io_scheme
action: replace
target_label: __scheme__
regex: (https?)
- source_labels:
- __meta_kubernetes_service_annotation_prometheus_io_path
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels:
- __address__
- __meta_kubernetes_service_annotation_prometheus_io_port
action: replace
target_label: __address__
regex: ([^:]+)(?::\\d+)?;(\\d+)
replacement: $1:$2
- action: labelmap
regex: __meta_kubernetes_service_label_(.+)
- source_labels:
- __meta_kubernetes_namespace
action: replace
target_label: kubernetes_namespace
- source_labels:
- __meta_kubernetes_service_name
action: replace
target_label: kubernetes_name
- job_name: kubernetes-services
metrics_path: /probe
params:
module:
- http_2xx
kubernetes_sd_configs:
- role: service
relabel_configs:
- source_labels:
- __meta_kubernetes_service_annotation_prometheus_io_probe
action: keep
regex: true
- source_labels:
- __address__
target_label: __param_target
- target_label: __address__
replacement: blackbox-exporter.example.com:9115
- source_labels:
- __param_target
target_label: app
- action: labelmap
regex: __meta_kubernetes_service_label_(.+)
- source_labels:
- __meta_kubernetes_namespace
target_label: kubernetes_namespace
- source_labels:
- __meta_kubernetes_service_name
target_label: kubernetes_name
- job_name: kubernetes-ingresses
metrics_path: /probe
params:
module:
- http_2xx
kubernetes_sd_configs:
- role: ingress
relabel_configs:
- source_labels:
- __meta_kubernetes_ingress_annotation_prometheus_io_probe
action: keep
regex: true
- source_labels:
- __meta_kubernetes_ingress_scheme
- __address__
- __meta_kubernetes_ingress_path
regex: (.+);(.+);(.+)
replacement: ${1}://${2}${3}
target_label: __param_target
- target_label: __address__
replacement: blackbox-exporter.example.com:9115
- source_labels:
- __param_target
target_label: app
- action: labelmap
regex: __meta_kubernetes_ingress_label_(.+)
- source_labels:
- __meta_kubernetes_namespace
target_label: kubernetes_namespace
- source_labels:
- __meta_kubernetes_ingress_name
target_label: kubernetes_name
- job_name: kubernetes-pods
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels:
- __meta_kubernetes_pod_annotation_prometheus_io_scrape
action: keep
regex: true
- source_labels:
- __meta_kubernetes_pod_annotation_prometheus_io_path
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels:
- __address__
- __meta_kubernetes_pod_annotation_prometheus_io_port
action: replace
regex: ([^:]+)(?::\\d+)?;(\\d+)
replacement: $1:$2
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels:
- __meta_kubernetes_namespace
action: replace
target_label: kubernetes_namespace
- source_labels:
- __meta_kubernetes_pod_name
action: replace
target_label: kubernetes_pod_name
"""
}
metadata: {
name: "prometheus"
labels: {
component: "mon"
}
}
}
}
service: {}
deployment: {}
#Component: "proxy"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
authproxy: {
spec: {
ports: [{
port: *4180 | int32
targetPort: *4180 | int
name: *"client" | string
protocol: *"TCP" | "UDP"
}]
selector: {
app: "authproxy"
domain: "prod"
component: "proxy"
}
}
metadata: {
name: "authproxy"
labels: {
app: "authproxy"
domain: "prod"
component: "proxy"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
authproxy: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "authproxy"
domain: "prod"
component: "proxy"
}
}
spec: {
containers: [{
name: "authproxy"
image: "skippy/oauth2_proxy:2.0.1"
ports: [{
containerPort: 4180
}]
args: ["--config=/etc/authproxy/authproxy.cfg"]
volumeMounts: [{
name: "config-volume"
mountPath: "/etc/authproxy"
}]
}]
volumes: [{
name: "config-volume"
configMap: {
name: "authproxy"
}
}]
}
}
}
metadata: {
name: "authproxy"
labels: {
component: "proxy"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "proxy"
daemonSet: {}
statefulSet: {}
configMap: {
authproxy: {
apiVersion: "v1"
kind: "ConfigMap"
data: {
"authproxy.cfg": """
# Google Auth Proxy Config File
## https://github.com/bitly/google_auth_proxy
## <addr>:<port> to listen on for HTTP clients
http_address = \"0.0.0.0:4180\"
## the OAuth Redirect URL.
redirect_url = \"https://auth.example.com/oauth2/callback\"
## the http url(s) of the upstream endpoint. If multiple, routing is based on path
upstreams = [
# frontend
\"http://frontend-waiter:7080/dpr/\",
\"http://frontend-maitred:7080/ui/\",
\"http://frontend-maitred:7080/ui\",
\"http://frontend-maitred:7080/report/\",
\"http://frontend-maitred:7080/report\",
\"http://frontend-maitred:7080/static/\",
# kitchen
\"http://kitchen-chef:8080/visit\",
# infrastructure
\"http://download:7080/file/\",
\"http://download:7080/archive\",
\"http://tasks:7080/tasks\",
\"http://tasks:7080/tasks/\",
]
## pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
pass_basic_auth = true
request_logging = true
## Google Apps Domains to allow authentication for
google_apps_domains = [
\"example.com\",
]
email_domains = [
\"example.com\",
]
## The Google OAuth Client ID, Secret
client_id = \"---\"
client_secret = \"---\"
## Cookie Settings
## Secret - the seed string for secure cookies
## Domain - optional cookie domain to force cookies to (ie: .yourcompany.com)
## Expire - expire timeframe for cookie
cookie_secret = \"won't tell you\"
cookie_domain = \".example.com\"
cookie_https_only = true
"""
}
metadata: {
name: "authproxy"
labels: {
component: "proxy"
}
}
}
}
service: {
goget: {
spec: {
type: "LoadBalancer"
loadBalancerIP: "1.3.5.7"
ports: [{
port: 443
name: "https"
protocol: *"TCP" | "UDP"
targetPort: *7443 | int
}]
selector: {
app: "goget"
domain: "prod"
component: "proxy"
}
}
metadata: {
name: "goget"
labels: {
app: "goget"
domain: "prod"
component: "proxy"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
goget: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "goget"
domain: "prod"
component: "proxy"
}
}
spec: {
volumes: [{
name: "secret-volume"
secret: {
secretName: "goget-secrets"
}
}]
containers: [{
name: "goget"
image: "gcr.io/myproj/goget:v0.5.1"
ports: [{
containerPort: 7443
}]
volumeMounts: [{
mountPath: "/etc/ssl"
name: "secret-volume"
}]
}]
}
}
}
metadata: {
name: "goget"
labels: {
component: "proxy"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "proxy"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {
nginx: {
spec: {
type: "LoadBalancer"
loadBalancerIP: "1.3.4.5"
ports: [{
name: "http"
port: *80 | int32
protocol: *"TCP" | "UDP"
targetPort: *80 | int
}, {
name: "https"
port: *443 | int32
protocol: *"TCP" | "UDP"
targetPort: *443 | int
}]
selector: {
app: "nginx"
domain: "prod"
component: "proxy"
}
}
metadata: {
name: "nginx"
labels: {
app: "nginx"
domain: "prod"
component: "proxy"
}
}
kind: "Service"
apiVersion: "v1"
}
}
deployment: {
nginx: {
spec: {
replicas: *1 | int32
selector: {}
template: {
metadata: {
labels: {
app: "nginx"
domain: "prod"
component: "proxy"
}
}
spec: {
volumes: [{
name: "secret-volume"
secret: {
secretName: "proxy-secrets"
}
}, {
name: "config-volume"
configMap: {
name: "nginx"
}
}]
containers: [{
name: "nginx"
image: "nginx:1.11.10-alpine"
ports: [{
containerPort: 80
}, {
containerPort: 443
}]
volumeMounts: [{
mountPath: "/etc/ssl"
name: "secret-volume"
}, {
name: "config-volume"
mountPath: "/etc/nginx/nginx.conf"
subPath: "nginx.conf"
}]
}]
}
}
}
metadata: {
name: "nginx"
labels: {
component: "proxy"
}
}
kind: "Deployment"
apiVersion: "apps/v1"
}
}
#Component: "proxy"
daemonSet: {}
statefulSet: {}
configMap: {
nginx: {
apiVersion: "v1"
kind: "ConfigMap"
data: {
"nginx.conf": """
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
# needs to be high for some download jobs.
keepalive_timeout 400;
# proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /dev/stdout;
error_log /dev/stdout;
# Disable POST body size constraints. We often deal with large
# files. Especially docker containers may be large.
client_max_body_size 0;
upstream goget {
server localhost:7070;
}
# Redirect incoming Google Cloud Storage notifications:
server {
listen 443 ssl;
server_name notify.example.com notify2.example.com;
ssl_certificate /etc/ssl/server.crt;
ssl_certificate_key /etc/ssl/server.key;
# Security enhancements to deal with poodles and the like.
# See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# ssl_ciphers 'AES256+EECDH:AES256+EDH';
ssl_ciphers \"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4\";
# We don't like poodles.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
# Enable Forward secrecy.
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
# Enable HTST.
add_header Strict-Transport-Security max-age=1209600;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
chunked_transfer_encoding on;
location / {
proxy_pass http://tasks:7080;
proxy_connect_timeout 1;
}
}
server {
listen 80;
listen 443 ssl;
server_name x.example.com example.io;
location ~ \"(/[^/]+)(/.*)?\" {
set $myhost $host;
if ($arg_go-get = \"1\") {
set $myhost \"goget\";
}
proxy_pass http://$myhost$1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 1;
}
location / {
set $myhost $host;
if ($arg_go-get = \"1\") {
set $myhost \"goget\";
}
proxy_pass http://$myhost;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 1;
}
}
server {
listen 80;
server_name www.example.com w.example.com;
resolver 8.8.8.8;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://$host.default.example.appspot.com/$request_uri;
proxy_redirect http://$host.default.example.appspot.com/ /;
}
}
server {
# We could add the following line and the connection would still be SSL,
# but it doesn't appear to be necessary. Seems saver this way.
listen 80;
listen 443 default ssl;
server_name ~^(?<sub>.*)\\.example\\.com$;
ssl_certificate /etc/ssl/server.crt;
ssl_certificate_key /etc/ssl/server.key;
# Security enhancements to deal with poodles and the like.
# See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# ssl_ciphers 'AES256+EECDH:AES256+EDH';
ssl_ciphers \"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4\";
# We don't like poodles.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
# Enable Forward secrecy.
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
# Enable HTST.
add_header Strict-Transport-Security max-age=1209600;
if ($ssl_protocol = \"\") {
rewrite ^ https://$host$request_uri? permanent;
}
# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
chunked_transfer_encoding on;
location / {
proxy_pass http://authproxy:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 1;
}
}
}
"""
}
metadata: {
name: "nginx"
labels: {
component: "proxy"
}
}
}
}