| service: {} |
| deployment: {} |
| #Component: string |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: {} |
| deployment: {} |
| #Component: "frontend" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| bartender: { |
| spec: { |
| ports: [{ |
| port: 7080 |
| targetPort: 7080 |
| name: "client" |
| protocol: "TCP" |
| }] |
| selector: { |
| app: "bartender" |
| domain: "prod" |
| component: "frontend" |
| } |
| } |
| metadata: { |
| name: "bartender" |
| labels: { |
| app: "bartender" |
| domain: "prod" |
| component: "frontend" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| bartender: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "bartender" |
| domain: "prod" |
| component: "frontend" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| "prometheus.io.port": "7080" |
| } |
| } |
| spec: { |
| containers: [{ |
| name: "bartender" |
| image: "gcr.io/myproj/bartender:v0.1.34" |
| args: [] |
| ports: [{ |
| containerPort: 7080 |
| }] |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "bartender" |
| labels: { |
| component: "frontend" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "frontend" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| breaddispatcher: { |
| spec: { |
| ports: [{ |
| port: 7080 |
| targetPort: 7080 |
| name: "client" |
| protocol: "TCP" |
| }] |
| selector: { |
| app: "breaddispatcher" |
| domain: "prod" |
| component: "frontend" |
| } |
| } |
| metadata: { |
| name: "breaddispatcher" |
| labels: { |
| app: "breaddispatcher" |
| domain: "prod" |
| component: "frontend" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| breaddispatcher: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "breaddispatcher" |
| domain: "prod" |
| component: "frontend" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| "prometheus.io.port": "7080" |
| } |
| } |
| spec: { |
| containers: [{ |
| name: "breaddispatcher" |
| image: "gcr.io/myproj/breaddispatcher:v0.3.24" |
| args: ["-etcd=etcd:2379", "-event-server=events:7788"] |
| ports: [{ |
| containerPort: 7080 |
| }] |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "breaddispatcher" |
| labels: { |
| component: "frontend" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "frontend" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| host: { |
| spec: { |
| ports: [{ |
| port: 7080 |
| targetPort: 7080 |
| name: "client" |
| protocol: "TCP" |
| }] |
| selector: { |
| app: "host" |
| domain: "prod" |
| component: "frontend" |
| } |
| } |
| metadata: { |
| name: "host" |
| labels: { |
| app: "host" |
| domain: "prod" |
| component: "frontend" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| host: { |
| spec: { |
| replicas: 2 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "host" |
| domain: "prod" |
| component: "frontend" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| "prometheus.io.port": "7080" |
| } |
| } |
| spec: { |
| containers: [{ |
| name: "host" |
| image: "gcr.io/myproj/host:v0.1.10" |
| args: [] |
| ports: [{ |
| containerPort: 7080 |
| }] |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "host" |
| labels: { |
| component: "frontend" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "frontend" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| maitred: { |
| spec: { |
| ports: [{ |
| port: 7080 |
| targetPort: 7080 |
| name: "client" |
| protocol: "TCP" |
| }] |
| selector: { |
| app: "maitred" |
| domain: "prod" |
| component: "frontend" |
| } |
| } |
| metadata: { |
| name: "maitred" |
| labels: { |
| app: "maitred" |
| domain: "prod" |
| component: "frontend" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| maitred: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "maitred" |
| domain: "prod" |
| component: "frontend" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| "prometheus.io.port": "7080" |
| } |
| } |
| spec: { |
| containers: [{ |
| name: "maitred" |
| image: "gcr.io/myproj/maitred:v0.0.4" |
| args: [] |
| ports: [{ |
| containerPort: 7080 |
| }] |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "maitred" |
| labels: { |
| component: "frontend" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "frontend" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| valeter: { |
| spec: { |
| ports: [{ |
| name: "http" |
| port: 8080 |
| protocol: "TCP" |
| targetPort: 8080 |
| }] |
| selector: { |
| app: "valeter" |
| domain: "prod" |
| component: "frontend" |
| } |
| } |
| metadata: { |
| name: "valeter" |
| labels: { |
| app: "valeter" |
| domain: "prod" |
| component: "frontend" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| valeter: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "valeter" |
| domain: "prod" |
| component: "frontend" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| "prometheus.io.port": "8080" |
| } |
| } |
| spec: { |
| containers: [{ |
| name: "valeter" |
| image: "gcr.io/myproj/valeter:v0.0.4" |
| ports: [{ |
| containerPort: 8080 |
| }] |
| args: ["-http=:8080", "-etcd=etcd:2379"] |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "valeter" |
| labels: { |
| component: "frontend" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "frontend" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| waiter: { |
| spec: { |
| ports: [{ |
| port: 7080 |
| targetPort: 7080 |
| name: "client" |
| protocol: "TCP" |
| }] |
| selector: { |
| app: "waiter" |
| domain: "prod" |
| component: "frontend" |
| } |
| } |
| metadata: { |
| name: "waiter" |
| labels: { |
| app: "waiter" |
| domain: "prod" |
| component: "frontend" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| waiter: { |
| spec: { |
| replicas: 5 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "waiter" |
| domain: "prod" |
| component: "frontend" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| "prometheus.io.port": "7080" |
| } |
| } |
| spec: { |
| containers: [{ |
| name: "waiter" |
| image: "gcr.io/myproj/waiter:v0.3.0" |
| ports: [{ |
| containerPort: 7080 |
| }] |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "waiter" |
| labels: { |
| component: "frontend" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "frontend" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| waterdispatcher: { |
| spec: { |
| ports: [{ |
| name: "http" |
| port: 7080 |
| protocol: "TCP" |
| targetPort: 7080 |
| }] |
| selector: { |
| app: "waterdispatcher" |
| domain: "prod" |
| component: "frontend" |
| } |
| } |
| metadata: { |
| name: "waterdispatcher" |
| labels: { |
| app: "waterdispatcher" |
| domain: "prod" |
| component: "frontend" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| waterdispatcher: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "waterdispatcher" |
| domain: "prod" |
| component: "frontend" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| "prometheus.io.port": "7080" |
| } |
| } |
| spec: { |
| containers: [{ |
| name: "waterdispatcher" |
| image: "gcr.io/myproj/waterdispatcher:v0.0.48" |
| args: ["-http=:8080", "-etcd=etcd:2379"] |
| ports: [{ |
| containerPort: 7080 |
| }] |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "waterdispatcher" |
| labels: { |
| component: "frontend" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "frontend" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: {} |
| deployment: {} |
| #Component: "infra" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| download: { |
| spec: { |
| ports: [{ |
| port: 7080 |
| targetPort: 7080 |
| name: "client" |
| protocol: "TCP" |
| }] |
| selector: { |
| app: "download" |
| domain: "prod" |
| component: "infra" |
| } |
| } |
| metadata: { |
| name: "download" |
| labels: { |
| app: "download" |
| domain: "prod" |
| component: "infra" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| download: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "download" |
| domain: "prod" |
| component: "infra" |
| } |
| } |
| spec: { |
| containers: [{ |
| name: "download" |
| image: "gcr.io/myproj/download:v0.0.2" |
| ports: [{ |
| containerPort: 7080 |
| }] |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "download" |
| labels: { |
| component: "infra" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "infra" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| etcd: { |
| spec: { |
| clusterIP: "None" |
| ports: [{ |
| port: 2379 |
| targetPort: 2379 |
| name: "client" |
| protocol: "TCP" |
| }, { |
| name: "peer" |
| port: 2380 |
| protocol: "TCP" |
| targetPort: 2380 |
| }] |
| selector: { |
| app: "etcd" |
| domain: "prod" |
| component: "infra" |
| } |
| } |
| metadata: { |
| name: "etcd" |
| labels: { |
| app: "etcd" |
| domain: "prod" |
| component: "infra" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: {} |
| #Component: "infra" |
| daemonSet: {} |
| statefulSet: { |
| etcd: { |
| spec: { |
| serviceName: "etcd" |
| replicas: 3 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "etcd" |
| component: "infra" |
| domain: "prod" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| "prometheus.io.port": "2379" |
| } |
| } |
| spec: { |
| affinity: { |
| podAntiAffinity: { |
| requiredDuringSchedulingIgnoredDuringExecution: [{ |
| labelSelector: { |
| matchExpressions: [{ |
| key: "app" |
| operator: "In" |
| values: ["etcd"] |
| }] |
| } |
| topologyKey: "kubernetes.io/hostname" |
| }] |
| } |
| } |
| terminationGracePeriodSeconds: 10 |
| containers: [{ |
| name: "etcd" |
| image: "quay.io/coreos/etcd:v3.3.10" |
| ports: [{ |
| name: "client" |
| containerPort: 2379 |
| }, { |
| name: "peer" |
| containerPort: 2380 |
| }] |
| livenessProbe: { |
| httpGet: { |
| path: "/health" |
| port: "client" |
| } |
| initialDelaySeconds: 30 |
| } |
| volumeMounts: [{ |
| name: "etcd3" |
| mountPath: "/data" |
| }] |
| env: [{ |
| name: "ETCDCTL_API" |
| value: "3" |
| }, { |
| name: "ETCD_AUTO_COMPACTION_RETENTION" |
| value: "4" |
| }, { |
| name: "NAME" |
| valueFrom: { |
| fieldRef: { |
| fieldPath: "metadata.name" |
| } |
| } |
| }, { |
| name: "IP" |
| valueFrom: { |
| fieldRef: { |
| fieldPath: "status.podIP" |
| } |
| } |
| }] |
| command: ["/usr/local/bin/etcd"] |
| args: ["-name", "$(NAME)", "-data-dir", "/data/etcd3", "-initial-advertise-peer-urls", "http://$(IP):2380", "-listen-peer-urls", "http://$(IP):2380", "-listen-client-urls", "http://$(IP):2379,http://127.0.0.1:2379", "-advertise-client-urls", "http://$(IP):2379", "-discovery", "https://discovery.etcd.io/xxxxxx"] |
| }] |
| } |
| } |
| volumeClaimTemplates: [{ |
| metadata: { |
| name: "etcd3" |
| annotations: { |
| "volume.alpha.kubernetes.io/storage-class": "default" |
| } |
| } |
| spec: { |
| accessModes: ["ReadWriteOnce"] |
| resources: { |
| requests: { |
| storage: "10Gi" |
| } |
| } |
| } |
| }] |
| } |
| metadata: { |
| name: "etcd" |
| labels: { |
| component: "infra" |
| } |
| } |
| kind: "StatefulSet" |
| apiVersion: "apps/v1" |
| } |
| } |
| configMap: {} |
| service: { |
| events: { |
| spec: { |
| ports: [{ |
| name: "grpc" |
| port: 7788 |
| protocol: "TCP" |
| targetPort: 7788 |
| }] |
| selector: { |
| app: "events" |
| domain: "prod" |
| component: "infra" |
| } |
| } |
| metadata: { |
| name: "events" |
| labels: { |
| app: "events" |
| domain: "prod" |
| component: "infra" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| events: { |
| spec: { |
| replicas: 2 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "events" |
| domain: "prod" |
| component: "infra" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| "prometheus.io.port": "7080" |
| } |
| } |
| spec: { |
| affinity: { |
| podAntiAffinity: { |
| requiredDuringSchedulingIgnoredDuringExecution: [{ |
| labelSelector: { |
| matchExpressions: [{ |
| key: "app" |
| operator: "In" |
| values: ["events"] |
| }] |
| } |
| topologyKey: "kubernetes.io/hostname" |
| }] |
| } |
| } |
| volumes: [{ |
| name: "secret-volume" |
| secret: { |
| secretName: "biz-secrets" |
| } |
| }] |
| containers: [{ |
| name: "events" |
| image: "gcr.io/myproj/events:v0.1.31" |
| ports: [{ |
| containerPort: 7080 |
| }, { |
| containerPort: 7788 |
| }] |
| args: ["-cert=/etc/ssl/server.pem", "-key=/etc/ssl/server.key", "-grpc=:7788"] |
| volumeMounts: [{ |
| mountPath: "/etc/ssl" |
| name: "secret-volume" |
| }] |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "events" |
| labels: { |
| component: "infra" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "infra" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| tasks: { |
| spec: { |
| type: "LoadBalancer" |
| loadBalancerIP: "1.2.3.4" |
| ports: [{ |
| port: 443 |
| name: "http" |
| protocol: "TCP" |
| targetPort: 7443 |
| }] |
| selector: { |
| app: "tasks" |
| domain: "prod" |
| component: "infra" |
| } |
| } |
| metadata: { |
| name: "tasks" |
| labels: { |
| app: "tasks" |
| domain: "prod" |
| component: "infra" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| tasks: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "tasks" |
| domain: "prod" |
| component: "infra" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| "prometheus.io.port": "7080" |
| } |
| } |
| spec: { |
| volumes: [{ |
| name: "secret-volume" |
| secret: { |
| secretName: "star-example-com-secrets" |
| } |
| }] |
| containers: [{ |
| name: "tasks" |
| image: "gcr.io/myproj/tasks:v0.2.6" |
| ports: [{ |
| containerPort: 7080 |
| }, { |
| containerPort: 7443 |
| }] |
| volumeMounts: [{ |
| mountPath: "/etc/ssl" |
| name: "secret-volume" |
| }] |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "tasks" |
| labels: { |
| component: "infra" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "infra" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| updater: { |
| spec: { |
| ports: [{ |
| port: 8080 |
| targetPort: 8080 |
| name: "client" |
| protocol: "TCP" |
| }] |
| selector: { |
| app: "updater" |
| domain: "prod" |
| component: "infra" |
| } |
| } |
| metadata: { |
| name: "updater" |
| labels: { |
| app: "updater" |
| domain: "prod" |
| component: "infra" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| updater: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "updater" |
| domain: "prod" |
| component: "infra" |
| } |
| } |
| spec: { |
| volumes: [{ |
| name: "secret-updater" |
| secret: { |
| secretName: "updater-secrets" |
| } |
| }] |
| containers: [{ |
| name: "updater" |
| image: "gcr.io/myproj/updater:v0.1.0" |
| volumeMounts: [{ |
| mountPath: "/etc/certs" |
| name: "secret-updater" |
| }] |
| ports: [{ |
| containerPort: 8080 |
| }] |
| args: ["-key=/etc/certs/updater.pem"] |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "updater" |
| labels: { |
| component: "infra" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "infra" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| watcher: { |
| spec: { |
| type: "LoadBalancer" |
| loadBalancerIP: "1.2.3.4." |
| ports: [{ |
| name: "http" |
| port: 7788 |
| protocol: "TCP" |
| targetPort: 7788 |
| }] |
| selector: { |
| app: "watcher" |
| domain: "prod" |
| component: "infra" |
| } |
| } |
| metadata: { |
| name: "watcher" |
| labels: { |
| app: "watcher" |
| domain: "prod" |
| component: "infra" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| watcher: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "watcher" |
| domain: "prod" |
| component: "infra" |
| } |
| } |
| spec: { |
| volumes: [{ |
| name: "secret-volume" |
| secret: { |
| secretName: "star-example-com-secrets" |
| } |
| }] |
| containers: [{ |
| name: "watcher" |
| image: "gcr.io/myproj/watcher:v0.1.0" |
| ports: [{ |
| containerPort: 7080 |
| }, { |
| containerPort: 7788 |
| }] |
| volumeMounts: [{ |
| mountPath: "/etc/ssl" |
| name: "secret-volume" |
| }] |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "watcher" |
| labels: { |
| component: "infra" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "infra" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: {} |
| deployment: {} |
| #Component: "kitchen" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| caller: { |
| spec: { |
| ports: [{ |
| port: 8080 |
| targetPort: 8080 |
| name: "client" |
| protocol: "TCP" |
| }] |
| selector: { |
| app: "caller" |
| domain: "prod" |
| component: "kitchen" |
| } |
| } |
| metadata: { |
| name: "caller" |
| labels: { |
| app: "caller" |
| domain: "prod" |
| component: "kitchen" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| caller: { |
| spec: { |
| replicas: 3 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "caller" |
| domain: "prod" |
| component: "kitchen" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| } |
| } |
| spec: { |
| volumes: [{ |
| name: "ssd-caller" |
| gcePersistentDisk: { |
| pdName: "ssd-caller" |
| fsType: "ext4" |
| } |
| }, { |
| name: "secret-caller" |
| secret: { |
| secretName: "caller-secrets" |
| } |
| }, { |
| name: "secret-ssh-key" |
| secret: { |
| secretName: "secrets" |
| } |
| }] |
| containers: [{ |
| name: "caller" |
| image: "gcr.io/myproj/caller:v0.20.14" |
| volumeMounts: [{ |
| name: "ssd-caller" |
| mountPath: "/logs" |
| }, { |
| mountPath: "/etc/certs" |
| name: "secret-caller" |
| readOnly: true |
| }, { |
| mountPath: "/sslcerts" |
| name: "secret-ssh-key" |
| readOnly: true |
| }] |
| args: ["-env=prod", "-key=/etc/certs/client.key", "-cert=/etc/certs/client.pem", "-ca=/etc/certs/servfx.ca", "-ssh-tunnel-key=/sslcerts/tunnel-private.pem", "-logdir=/logs", "-event-server=events:7788"] |
| ports: [{ |
| containerPort: 8080 |
| }] |
| livenessProbe: { |
| httpGet: { |
| path: "/debug/health" |
| port: 8080 |
| } |
| initialDelaySeconds: 40 |
| periodSeconds: 3 |
| } |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "caller" |
| labels: { |
| component: "kitchen" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "kitchen" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| dishwasher: { |
| spec: { |
| ports: [{ |
| port: 8080 |
| targetPort: 8080 |
| name: "client" |
| protocol: "TCP" |
| }] |
| selector: { |
| app: "dishwasher" |
| domain: "prod" |
| component: "kitchen" |
| } |
| } |
| metadata: { |
| name: "dishwasher" |
| labels: { |
| app: "dishwasher" |
| domain: "prod" |
| component: "kitchen" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| dishwasher: { |
| spec: { |
| replicas: 5 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "dishwasher" |
| domain: "prod" |
| component: "kitchen" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| } |
| } |
| spec: { |
| volumes: [{ |
| name: "dishwasher-disk" |
| gcePersistentDisk: { |
| pdName: "dishwasher-disk" |
| fsType: "ext4" |
| } |
| }, { |
| name: "secret-dishwasher" |
| secret: { |
| secretName: "dishwasher-secrets" |
| } |
| }, { |
| name: "secret-ssh-key" |
| secret: { |
| secretName: "dishwasher-secrets" |
| } |
| }] |
| containers: [{ |
| name: "dishwasher" |
| image: "gcr.io/myproj/dishwasher:v0.2.13" |
| volumeMounts: [{ |
| name: "dishwasher-disk" |
| mountPath: "/logs" |
| }, { |
| mountPath: "/sslcerts" |
| name: "secret-dishwasher" |
| readOnly: true |
| }, { |
| mountPath: "/etc/certs" |
| name: "secret-ssh-key" |
| readOnly: true |
| }] |
| args: ["-env=prod", "-ssh-tunnel-key=/etc/certs/tunnel-private.pem", "-logdir=/logs", "-event-server=events:7788"] |
| ports: [{ |
| containerPort: 8080 |
| }] |
| livenessProbe: { |
| httpGet: { |
| path: "/debug/health" |
| port: 8080 |
| } |
| initialDelaySeconds: 40 |
| periodSeconds: 3 |
| } |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "dishwasher" |
| labels: { |
| component: "kitchen" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "kitchen" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| expiditer: { |
| spec: { |
| ports: [{ |
| port: 8080 |
| targetPort: 8080 |
| name: "client" |
| protocol: "TCP" |
| }] |
| selector: { |
| app: "expiditer" |
| domain: "prod" |
| component: "kitchen" |
| } |
| } |
| metadata: { |
| name: "expiditer" |
| labels: { |
| app: "expiditer" |
| domain: "prod" |
| component: "kitchen" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| expiditer: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "expiditer" |
| domain: "prod" |
| component: "kitchen" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| } |
| } |
| spec: { |
| volumes: [{ |
| name: "expiditer-disk" |
| gcePersistentDisk: { |
| pdName: "expiditer-disk" |
| fsType: "ext4" |
| } |
| }, { |
| name: "secret-expiditer" |
| secret: { |
| secretName: "expiditer-secrets" |
| } |
| }] |
| containers: [{ |
| name: "expiditer" |
| image: "gcr.io/myproj/expiditer:v0.5.34" |
| args: ["-env=prod", "-ssh-tunnel-key=/etc/certs/tunnel-private.pem", "-logdir=/logs", "-event-server=events:7788"] |
| ports: [{ |
| containerPort: 8080 |
| }] |
| volumeMounts: [{ |
| name: "expiditer-disk" |
| mountPath: "/logs" |
| }, { |
| mountPath: "/etc/certs" |
| name: "secret-expiditer" |
| readOnly: true |
| }] |
| livenessProbe: { |
| httpGet: { |
| path: "/debug/health" |
| port: 8080 |
| } |
| initialDelaySeconds: 40 |
| periodSeconds: 3 |
| } |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "expiditer" |
| labels: { |
| component: "kitchen" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "kitchen" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| headchef: { |
| spec: { |
| ports: [{ |
| port: 8080 |
| targetPort: 8080 |
| name: "client" |
| protocol: "TCP" |
| }] |
| selector: { |
| app: "headchef" |
| domain: "prod" |
| component: "kitchen" |
| } |
| } |
| metadata: { |
| name: "headchef" |
| labels: { |
| app: "headchef" |
| domain: "prod" |
| component: "kitchen" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| headchef: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "headchef" |
| domain: "prod" |
| component: "kitchen" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| } |
| } |
| spec: { |
| volumes: [{ |
| name: "headchef-disk" |
| gcePersistentDisk: { |
| pdName: "headchef-disk" |
| fsType: "ext4" |
| } |
| }, { |
| name: "secret-headchef" |
| secret: { |
| secretName: "headchef-secrets" |
| } |
| }] |
| containers: [{ |
| name: "headchef" |
| image: "gcr.io/myproj/headchef:v0.2.16" |
| volumeMounts: [{ |
| name: "headchef-disk" |
| mountPath: "/logs" |
| }, { |
| mountPath: "/sslcerts" |
| name: "secret-headchef" |
| readOnly: true |
| }] |
| args: ["-env=prod", "-logdir=/logs", "-event-server=events:7788"] |
| ports: [{ |
| containerPort: 8080 |
| }] |
| livenessProbe: { |
| httpGet: { |
| path: "/debug/health" |
| port: 8080 |
| } |
| initialDelaySeconds: 40 |
| periodSeconds: 3 |
| } |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "headchef" |
| labels: { |
| component: "kitchen" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "kitchen" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| linecook: { |
| spec: { |
| ports: [{ |
| port: 8080 |
| targetPort: 8080 |
| name: "client" |
| protocol: "TCP" |
| }] |
| selector: { |
| app: "linecook" |
| domain: "prod" |
| component: "kitchen" |
| } |
| } |
| metadata: { |
| name: "linecook" |
| labels: { |
| app: "linecook" |
| domain: "prod" |
| component: "kitchen" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| linecook: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "linecook" |
| domain: "prod" |
| component: "kitchen" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| } |
| } |
| spec: { |
| volumes: [{ |
| name: "linecook-disk" |
| gcePersistentDisk: { |
| pdName: "linecook-disk" |
| fsType: "ext4" |
| } |
| }, { |
| name: "secret-kitchen" |
| secret: { |
| secretName: "secrets" |
| } |
| }] |
| containers: [{ |
| name: "linecook" |
| image: "gcr.io/myproj/linecook:v0.1.42" |
| volumeMounts: [{ |
| name: "linecook-disk" |
| mountPath: "/logs" |
| }, { |
| name: "secret-kitchen" |
| mountPath: "/etc/certs" |
| readOnly: true |
| }] |
| args: ["-name=linecook", "-env=prod", "-logdir=/logs", "-event-server=events:7788", "-etcd", "etcd:2379", "-reconnect-delay", "1h", "-recovery-overlap", "100000"] |
| ports: [{ |
| containerPort: 8080 |
| }] |
| livenessProbe: { |
| httpGet: { |
| path: "/debug/health" |
| port: 8080 |
| } |
| initialDelaySeconds: 40 |
| periodSeconds: 3 |
| } |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "linecook" |
| labels: { |
| component: "kitchen" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "kitchen" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| pastrychef: { |
| spec: { |
| ports: [{ |
| port: 8080 |
| targetPort: 8080 |
| name: "client" |
| protocol: "TCP" |
| }] |
| selector: { |
| app: "pastrychef" |
| domain: "prod" |
| component: "kitchen" |
| } |
| } |
| metadata: { |
| name: "pastrychef" |
| labels: { |
| app: "pastrychef" |
| domain: "prod" |
| component: "kitchen" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| pastrychef: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "pastrychef" |
| domain: "prod" |
| component: "kitchen" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| } |
| } |
| spec: { |
| volumes: [{ |
| name: "pastrychef-disk" |
| gcePersistentDisk: { |
| pdName: "pastrychef-disk" |
| fsType: "ext4" |
| } |
| }, { |
| name: "secret-ssh-key" |
| secret: { |
| secretName: "secrets" |
| } |
| }] |
| containers: [{ |
| name: "pastrychef" |
| image: "gcr.io/myproj/pastrychef:v0.1.15" |
| volumeMounts: [{ |
| name: "pastrychef-disk" |
| mountPath: "/logs" |
| }, { |
| name: "secret-ssh-key" |
| mountPath: "/etc/certs" |
| readOnly: true |
| }] |
| args: ["-env=prod", "-ssh-tunnel-key=/etc/certs/tunnel-private.pem", "-logdir=/logs", "-event-server=events:7788", "-reconnect-delay=1m", "-etcd=etcd:2379", "-recovery-overlap=10000"] |
| ports: [{ |
| containerPort: 8080 |
| }] |
| livenessProbe: { |
| httpGet: { |
| path: "/debug/health" |
| port: 8080 |
| } |
| initialDelaySeconds: 40 |
| periodSeconds: 3 |
| } |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "pastrychef" |
| labels: { |
| component: "kitchen" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "kitchen" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| souschef: { |
| spec: { |
| ports: [{ |
| port: 8080 |
| targetPort: 8080 |
| name: "client" |
| protocol: "TCP" |
| }] |
| selector: { |
| app: "souschef" |
| domain: "prod" |
| component: "kitchen" |
| } |
| } |
| metadata: { |
| name: "souschef" |
| labels: { |
| app: "souschef" |
| domain: "prod" |
| component: "kitchen" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| souschef: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "souschef" |
| domain: "prod" |
| component: "kitchen" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| } |
| } |
| spec: { |
| containers: [{ |
| name: "souschef" |
| image: "gcr.io/myproj/souschef:v0.5.3" |
| ports: [{ |
| containerPort: 8080 |
| }] |
| livenessProbe: { |
| httpGet: { |
| path: "/debug/health" |
| port: 8080 |
| } |
| initialDelaySeconds: 40 |
| periodSeconds: 3 |
| } |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "souschef" |
| labels: { |
| component: "kitchen" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "kitchen" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: {} |
| deployment: {} |
| #Component: "mon" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| alertmanager: { |
| metadata: { |
| name: "alertmanager" |
| annotations: { |
| "prometheus.io/scrape": "true" |
| "prometheus.io/path": "/metrics" |
| } |
| labels: { |
| name: "alertmanager" |
| app: "alertmanager" |
| domain: "prod" |
| component: "mon" |
| } |
| } |
| spec: { |
| ports: [{ |
| name: "main" |
| port: 9093 |
| protocol: "TCP" |
| targetPort: 9093 |
| }] |
| selector: { |
| name: "alertmanager" |
| app: "alertmanager" |
| domain: "prod" |
| component: "mon" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| alertmanager: { |
| spec: { |
| replicas: 1 |
| selector: { |
| matchLabels: { |
| app: "alertmanager" |
| } |
| } |
| template: { |
| metadata: { |
| name: "alertmanager" |
| labels: { |
| app: "alertmanager" |
| domain: "prod" |
| component: "mon" |
| } |
| } |
| spec: { |
| containers: [{ |
| name: "alertmanager" |
| image: "prom/alertmanager:v0.15.2" |
| args: ["--config.file=/etc/alertmanager/alerts.yaml", "--storage.path=/alertmanager", "--web.external-url=https://alertmanager.example.com"] |
| ports: [{ |
| name: "alertmanager" |
| containerPort: 9093 |
| }] |
| volumeMounts: [{ |
| name: "config-volume" |
| mountPath: "/etc/alertmanager" |
| }, { |
| name: "alertmanager" |
| mountPath: "/alertmanager" |
| }] |
| }] |
| volumes: [{ |
| name: "config-volume" |
| configMap: { |
| name: "alertmanager" |
| } |
| }, { |
| name: "alertmanager" |
| emptyDir: {} |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "alertmanager" |
| labels: { |
| component: "mon" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "mon" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: { |
| alertmanager: { |
| apiVersion: "v1" |
| kind: "ConfigMap" |
| data: { |
| "alerts.yaml": """ |
| receivers: |
| - name: pager |
| slack_configs: |
| - channel: '#cloudmon' |
| text: |- |
| {{ range .Alerts }}{{ .Annotations.description }} |
| {{ end }} |
| send_resolved: true |
| route: |
| receiver: pager |
| group_by: |
| - alertname |
| - cluster |
| |
| """ |
| } |
| metadata: { |
| name: "alertmanager" |
| labels: { |
| component: "mon" |
| } |
| } |
| } |
| } |
| service: { |
| grafana: { |
| spec: { |
| ports: [{ |
| name: "grafana" |
| port: 3000 |
| protocol: "TCP" |
| targetPort: 3000 |
| }] |
| selector: { |
| app: "grafana" |
| domain: "prod" |
| component: "mon" |
| } |
| } |
| metadata: { |
| name: "grafana" |
| labels: { |
| app: "grafana" |
| domain: "prod" |
| component: "mon" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| grafana: { |
| metadata: { |
| name: "grafana" |
| labels: { |
| app: "grafana" |
| component: "mon" |
| } |
| } |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "grafana" |
| domain: "prod" |
| component: "mon" |
| } |
| } |
| spec: { |
| volumes: [{ |
| name: "grafana-volume" |
| gcePersistentDisk: { |
| pdName: "grafana-volume" |
| fsType: "ext4" |
| } |
| }] |
| containers: [{ |
| name: "grafana" |
| image: "grafana/grafana:4.5.2" |
| ports: [{ |
| containerPort: 8080 |
| }] |
| resources: { |
| limits: { |
| cpu: "100m" |
| memory: "100Mi" |
| } |
| requests: { |
| cpu: "100m" |
| memory: "100Mi" |
| } |
| } |
| env: [{ |
| name: "GF_AUTH_BASIC_ENABLED" |
| value: "false" |
| }, { |
| name: "GF_AUTH_ANONYMOUS_ENABLED" |
| value: "true" |
| }, { |
| name: "GF_AUTH_ANONYMOUS_ORG_ROLE" |
| value: "admin" |
| }] |
| volumeMounts: [{ |
| name: "grafana-volume" |
| mountPath: "/var/lib/grafana" |
| }] |
| }] |
| } |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "mon" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| "node-exporter": { |
| metadata: { |
| name: "node-exporter" |
| annotations: { |
| "prometheus.io/scrape": "true" |
| } |
| labels: { |
| app: "node-exporter" |
| domain: "prod" |
| component: "mon" |
| } |
| } |
| spec: { |
| type: "ClusterIP" |
| clusterIP: "None" |
| ports: [{ |
| name: "metrics" |
| port: 9100 |
| protocol: "TCP" |
| targetPort: 9100 |
| }] |
| selector: { |
| app: "node-exporter" |
| domain: "prod" |
| component: "mon" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: {} |
| #Component: "mon" |
| daemonSet: { |
| "node-exporter": { |
| spec: { |
| selector: {} |
| template: { |
| metadata: { |
| name: "node-exporter" |
| labels: { |
| app: "node-exporter" |
| component: "mon" |
| domain: "prod" |
| } |
| } |
| spec: { |
| hostNetwork: true |
| hostPID: true |
| containers: [{ |
| name: "node-exporter" |
| image: "quay.io/prometheus/node-exporter:v0.16.0" |
| args: ["--path.procfs=/host/proc", "--path.sysfs=/host/sys"] |
| ports: [{ |
| containerPort: 9100 |
| hostPort: 9100 |
| name: "scrape" |
| }] |
| resources: { |
| requests: { |
| memory: "30Mi" |
| cpu: "100m" |
| } |
| limits: { |
| memory: "50Mi" |
| cpu: "200m" |
| } |
| } |
| volumeMounts: [{ |
| name: "proc" |
| readOnly: true |
| mountPath: "/host/proc" |
| }, { |
| name: "sys" |
| readOnly: true |
| mountPath: "/host/sys" |
| }] |
| }] |
| volumes: [{ |
| name: "proc" |
| hostPath: { |
| path: "/proc" |
| } |
| }, { |
| name: "sys" |
| hostPath: { |
| path: "/sys" |
| } |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "node-exporter" |
| labels: { |
| component: "mon" |
| } |
| } |
| kind: "DaemonSet" |
| apiVersion: "apps/v1" |
| } |
| } |
| statefulSet: {} |
| configMap: {} |
| service: { |
| prometheus: { |
| metadata: { |
| name: "prometheus" |
| annotations: { |
| "prometheus.io/scrape": "true" |
| } |
| labels: { |
| name: "prometheus" |
| app: "prometheus" |
| domain: "prod" |
| component: "mon" |
| } |
| } |
| spec: { |
| type: "NodePort" |
| ports: [{ |
| name: "main" |
| nodePort: 30900 |
| port: 9090 |
| protocol: "TCP" |
| targetPort: 9090 |
| }] |
| selector: { |
| name: "prometheus" |
| app: "prometheus" |
| domain: "prod" |
| component: "mon" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| prometheus: { |
| spec: { |
| replicas: 1 |
| strategy: { |
| rollingUpdate: { |
| maxSurge: 0 |
| maxUnavailable: 1 |
| } |
| type: "RollingUpdate" |
| } |
| selector: { |
| matchLabels: { |
| app: "prometheus" |
| } |
| } |
| template: { |
| metadata: { |
| name: "prometheus" |
| labels: { |
| app: "prometheus" |
| domain: "prod" |
| component: "mon" |
| } |
| annotations: { |
| "prometheus.io.scrape": "true" |
| } |
| } |
| spec: { |
| containers: [{ |
| name: "prometheus" |
| image: "prom/prometheus:v2.4.3" |
| args: ["--config.file=/etc/prometheus/prometheus.yml", "--web.external-url=https://prometheus.example.com"] |
| ports: [{ |
| name: "web" |
| containerPort: 9090 |
| }] |
| volumeMounts: [{ |
| name: "config-volume" |
| mountPath: "/etc/prometheus" |
| }] |
| }] |
| volumes: [{ |
| name: "config-volume" |
| configMap: { |
| name: "prometheus" |
| } |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "prometheus" |
| labels: { |
| component: "mon" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "mon" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: { |
| prometheus: { |
| apiVersion: "v1" |
| kind: "ConfigMap" |
| data: { |
| "alert.rules": """ |
| groups: |
| - name: rules.yaml |
| rules: |
| - alert: InstanceDown |
| expr: up == 0 |
| for: 30s |
| labels: |
| severity: page |
| annotations: |
| description: '{{$labels.app}} of job {{ $labels.job }} has been down for more |
| than 30 seconds.' |
| summary: Instance {{$labels.app}} down |
| - alert: InsufficientPeers |
| expr: count(up{job="etcd"} == 0) > (count(up{job="etcd"}) / 2 - 1) |
| for: 3m |
| labels: |
| severity: page |
| annotations: |
| description: If one more etcd peer goes down the cluster will be unavailable |
| summary: etcd cluster small |
| - alert: EtcdNoMaster |
| expr: sum(etcd_server_has_leader{app="etcd"}) == 0 |
| for: 1s |
| labels: |
| severity: page |
| annotations: |
| summary: No ETCD master elected. |
| - alert: PodRestart |
| expr: (max_over_time(pod_container_status_restarts_total[5m]) - min_over_time(pod_container_status_restarts_total[5m])) |
| > 2 |
| for: 1m |
| labels: |
| severity: page |
| annotations: |
| description: '{{$labels.app}} {{ $labels.container }} resturted {{ $value }} |
| times in 5m.' |
| summary: Pod for {{$labels.container}} restarts too often |
| |
| """ |
| "prometheus.yml": """ |
| global: |
| scrape_interval: 15s |
| rule_files: |
| - /etc/prometheus/alert.rules |
| alerting: |
| alertmanagers: |
| - scheme: http |
| static_configs: |
| - targets: |
| - alertmanager:9093 |
| scrape_configs: |
| - job_name: kubernetes-apiservers |
| kubernetes_sd_configs: |
| - role: endpoints |
| scheme: https |
| tls_config: |
| ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt |
| bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token |
| relabel_configs: |
| - source_labels: |
| - __meta_kubernetes_namespace |
| - __meta_kubernetes_service_name |
| - __meta_kubernetes_endpoint_port_name |
| action: keep |
| regex: default;kubernetes;https |
| - job_name: kubernetes-nodes |
| scheme: https |
| tls_config: |
| ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt |
| bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token |
| kubernetes_sd_configs: |
| - role: node |
| relabel_configs: |
| - action: labelmap |
| regex: __meta_kubernetes_node_label_(.+) |
| - target_label: __address__ |
| replacement: kubernetes.default.svc:443 |
| - source_labels: |
| - __meta_kubernetes_node_name |
| regex: (.+) |
| target_label: __metrics_path__ |
| replacement: /api/v1/nodes/${1}/proxy/metrics |
| - job_name: kubernetes-cadvisor |
| scheme: https |
| tls_config: |
| ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt |
| bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token |
| kubernetes_sd_configs: |
| - role: node |
| relabel_configs: |
| - action: labelmap |
| regex: __meta_kubernetes_node_label_(.+) |
| - target_label: __address__ |
| replacement: kubernetes.default.svc:443 |
| - source_labels: |
| - __meta_kubernetes_node_name |
| regex: (.+) |
| target_label: __metrics_path__ |
| replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor |
| - job_name: kubernetes-service-endpoints |
| kubernetes_sd_configs: |
| - role: endpoints |
| relabel_configs: |
| - source_labels: |
| - __meta_kubernetes_service_annotation_prometheus_io_scrape |
| action: keep |
| regex: true |
| - source_labels: |
| - __meta_kubernetes_service_annotation_prometheus_io_scheme |
| action: replace |
| target_label: __scheme__ |
| regex: (https?) |
| - source_labels: |
| - __meta_kubernetes_service_annotation_prometheus_io_path |
| action: replace |
| target_label: __metrics_path__ |
| regex: (.+) |
| - source_labels: |
| - __address__ |
| - __meta_kubernetes_service_annotation_prometheus_io_port |
| action: replace |
| target_label: __address__ |
| regex: ([^:]+)(?::\\d+)?;(\\d+) |
| replacement: $1:$2 |
| - action: labelmap |
| regex: __meta_kubernetes_service_label_(.+) |
| - source_labels: |
| - __meta_kubernetes_namespace |
| action: replace |
| target_label: kubernetes_namespace |
| - source_labels: |
| - __meta_kubernetes_service_name |
| action: replace |
| target_label: kubernetes_name |
| - job_name: kubernetes-services |
| metrics_path: /probe |
| params: |
| module: |
| - http_2xx |
| kubernetes_sd_configs: |
| - role: service |
| relabel_configs: |
| - source_labels: |
| - __meta_kubernetes_service_annotation_prometheus_io_probe |
| action: keep |
| regex: true |
| - source_labels: |
| - __address__ |
| target_label: __param_target |
| - target_label: __address__ |
| replacement: blackbox-exporter.example.com:9115 |
| - source_labels: |
| - __param_target |
| target_label: app |
| - action: labelmap |
| regex: __meta_kubernetes_service_label_(.+) |
| - source_labels: |
| - __meta_kubernetes_namespace |
| target_label: kubernetes_namespace |
| - source_labels: |
| - __meta_kubernetes_service_name |
| target_label: kubernetes_name |
| - job_name: kubernetes-ingresses |
| metrics_path: /probe |
| params: |
| module: |
| - http_2xx |
| kubernetes_sd_configs: |
| - role: ingress |
| relabel_configs: |
| - source_labels: |
| - __meta_kubernetes_ingress_annotation_prometheus_io_probe |
| action: keep |
| regex: true |
| - source_labels: |
| - __meta_kubernetes_ingress_scheme |
| - __address__ |
| - __meta_kubernetes_ingress_path |
| regex: (.+);(.+);(.+) |
| replacement: ${1}://${2}${3} |
| target_label: __param_target |
| - target_label: __address__ |
| replacement: blackbox-exporter.example.com:9115 |
| - source_labels: |
| - __param_target |
| target_label: app |
| - action: labelmap |
| regex: __meta_kubernetes_ingress_label_(.+) |
| - source_labels: |
| - __meta_kubernetes_namespace |
| target_label: kubernetes_namespace |
| - source_labels: |
| - __meta_kubernetes_ingress_name |
| target_label: kubernetes_name |
| - job_name: kubernetes-pods |
| kubernetes_sd_configs: |
| - role: pod |
| relabel_configs: |
| - source_labels: |
| - __meta_kubernetes_pod_annotation_prometheus_io_scrape |
| action: keep |
| regex: true |
| - source_labels: |
| - __meta_kubernetes_pod_annotation_prometheus_io_path |
| action: replace |
| target_label: __metrics_path__ |
| regex: (.+) |
| - source_labels: |
| - __address__ |
| - __meta_kubernetes_pod_annotation_prometheus_io_port |
| action: replace |
| regex: ([^:]+)(?::\\d+)?;(\\d+) |
| replacement: $1:$2 |
| target_label: __address__ |
| - action: labelmap |
| regex: __meta_kubernetes_pod_label_(.+) |
| - source_labels: |
| - __meta_kubernetes_namespace |
| action: replace |
| target_label: kubernetes_namespace |
| - source_labels: |
| - __meta_kubernetes_pod_name |
| action: replace |
| target_label: kubernetes_pod_name |
| |
| """ |
| } |
| metadata: { |
| name: "prometheus" |
| labels: { |
| component: "mon" |
| } |
| } |
| } |
| } |
| service: {} |
| deployment: {} |
| #Component: "proxy" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| authproxy: { |
| spec: { |
| ports: [{ |
| port: 4180 |
| targetPort: 4180 |
| name: "client" |
| protocol: "TCP" |
| }] |
| selector: { |
| app: "authproxy" |
| domain: "prod" |
| component: "proxy" |
| } |
| } |
| metadata: { |
| name: "authproxy" |
| labels: { |
| app: "authproxy" |
| domain: "prod" |
| component: "proxy" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| authproxy: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "authproxy" |
| domain: "prod" |
| component: "proxy" |
| } |
| } |
| spec: { |
| containers: [{ |
| name: "authproxy" |
| image: "skippy/oauth2_proxy:2.0.1" |
| ports: [{ |
| containerPort: 4180 |
| }] |
| args: ["--config=/etc/authproxy/authproxy.cfg"] |
| volumeMounts: [{ |
| name: "config-volume" |
| mountPath: "/etc/authproxy" |
| }] |
| }] |
| volumes: [{ |
| name: "config-volume" |
| configMap: { |
| name: "authproxy" |
| } |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "authproxy" |
| labels: { |
| component: "proxy" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "proxy" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: { |
| authproxy: { |
| apiVersion: "v1" |
| kind: "ConfigMap" |
| data: { |
| "authproxy.cfg": """ |
| # Google Auth Proxy Config File |
| ## https://github.com/bitly/google_auth_proxy |
| |
| ## <addr>:<port> to listen on for HTTP clients |
| http_address = "0.0.0.0:4180" |
| |
| ## the OAuth Redirect URL. |
| redirect_url = "https://auth.example.com/oauth2/callback" |
| |
| ## the http url(s) of the upstream endpoint. If multiple, routing is based on path |
| upstreams = [ |
| # frontend |
| "http://frontend-waiter:7080/dpr/", |
| "http://frontend-maitred:7080/ui/", |
| "http://frontend-maitred:7080/ui", |
| "http://frontend-maitred:7080/report/", |
| "http://frontend-maitred:7080/report", |
| "http://frontend-maitred:7080/static/", |
| # kitchen |
| "http://kitchen-chef:8080/visit", |
| # infrastructure |
| "http://download:7080/file/", |
| "http://download:7080/archive", |
| "http://tasks:7080/tasks", |
| "http://tasks:7080/tasks/", |
| ] |
| |
| ## pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream |
| pass_basic_auth = true |
| request_logging = true |
| |
| ## Google Apps Domains to allow authentication for |
| google_apps_domains = [ |
| "example.com", |
| ] |
| |
| email_domains = [ |
| "example.com", |
| ] |
| |
| ## The Google OAuth Client ID, Secret |
| client_id = "---" |
| client_secret = "---" |
| |
| ## Cookie Settings |
| ## Secret - the seed string for secure cookies |
| ## Domain - optional cookie domain to force cookies to (ie: .yourcompany.com) |
| ## Expire - expire timeframe for cookie |
| cookie_secret = "won't tell you" |
| cookie_domain = ".example.com" |
| cookie_https_only = true |
| """ |
| } |
| metadata: { |
| name: "authproxy" |
| labels: { |
| component: "proxy" |
| } |
| } |
| } |
| } |
| service: { |
| goget: { |
| spec: { |
| type: "LoadBalancer" |
| loadBalancerIP: "1.3.5.7" |
| ports: [{ |
| port: 443 |
| name: "https" |
| protocol: "TCP" |
| targetPort: 7443 |
| }] |
| selector: { |
| app: "goget" |
| domain: "prod" |
| component: "proxy" |
| } |
| } |
| metadata: { |
| name: "goget" |
| labels: { |
| app: "goget" |
| domain: "prod" |
| component: "proxy" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| goget: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "goget" |
| domain: "prod" |
| component: "proxy" |
| } |
| } |
| spec: { |
| volumes: [{ |
| name: "secret-volume" |
| secret: { |
| secretName: "goget-secrets" |
| } |
| }] |
| containers: [{ |
| name: "goget" |
| image: "gcr.io/myproj/goget:v0.5.1" |
| ports: [{ |
| containerPort: 7443 |
| }] |
| volumeMounts: [{ |
| mountPath: "/etc/ssl" |
| name: "secret-volume" |
| }] |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "goget" |
| labels: { |
| component: "proxy" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "proxy" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: {} |
| service: { |
| nginx: { |
| spec: { |
| type: "LoadBalancer" |
| loadBalancerIP: "1.3.4.5" |
| ports: [{ |
| name: "http" |
| port: 80 |
| protocol: "TCP" |
| targetPort: 80 |
| }, { |
| name: "https" |
| port: 443 |
| protocol: "TCP" |
| targetPort: 443 |
| }] |
| selector: { |
| app: "nginx" |
| domain: "prod" |
| component: "proxy" |
| } |
| } |
| metadata: { |
| name: "nginx" |
| labels: { |
| app: "nginx" |
| domain: "prod" |
| component: "proxy" |
| } |
| } |
| kind: "Service" |
| apiVersion: "v1" |
| } |
| } |
| deployment: { |
| nginx: { |
| spec: { |
| replicas: 1 |
| selector: {} |
| template: { |
| metadata: { |
| labels: { |
| app: "nginx" |
| domain: "prod" |
| component: "proxy" |
| } |
| } |
| spec: { |
| volumes: [{ |
| name: "secret-volume" |
| secret: { |
| secretName: "proxy-secrets" |
| } |
| }, { |
| name: "config-volume" |
| configMap: { |
| name: "nginx" |
| } |
| }] |
| containers: [{ |
| name: "nginx" |
| image: "nginx:1.11.10-alpine" |
| ports: [{ |
| containerPort: 80 |
| }, { |
| containerPort: 443 |
| }] |
| volumeMounts: [{ |
| mountPath: "/etc/ssl" |
| name: "secret-volume" |
| }, { |
| name: "config-volume" |
| mountPath: "/etc/nginx/nginx.conf" |
| subPath: "nginx.conf" |
| }] |
| }] |
| } |
| } |
| } |
| metadata: { |
| name: "nginx" |
| labels: { |
| component: "proxy" |
| } |
| } |
| kind: "Deployment" |
| apiVersion: "apps/v1" |
| } |
| } |
| #Component: "proxy" |
| daemonSet: {} |
| statefulSet: {} |
| configMap: { |
| nginx: { |
| apiVersion: "v1" |
| kind: "ConfigMap" |
| data: { |
| "nginx.conf": """ |
| events { |
| worker_connections 768; |
| } |
| http { |
| sendfile on; |
| tcp_nopush on; |
| tcp_nodelay on; |
| # needs to be high for some download jobs. |
| keepalive_timeout 400; |
| # proxy_connect_timeout 300; |
| proxy_send_timeout 300; |
| proxy_read_timeout 300; |
| send_timeout 300; |
| |
| types_hash_max_size 2048; |
| |
| include /etc/nginx/mime.types; |
| default_type application/octet-stream; |
| |
| access_log /dev/stdout; |
| error_log /dev/stdout; |
| |
| # Disable POST body size constraints. We often deal with large |
| # files. Especially docker containers may be large. |
| client_max_body_size 0; |
| |
| upstream goget { |
| server localhost:7070; |
| } |
| |
| # Redirect incoming Google Cloud Storage notifications: |
| server { |
| listen 443 ssl; |
| server_name notify.example.com notify2.example.com; |
| |
| ssl_certificate /etc/ssl/server.crt; |
| ssl_certificate_key /etc/ssl/server.key; |
| |
| # Security enhancements to deal with poodles and the like. |
| # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html |
| # ssl_ciphers 'AES256+EECDH:AES256+EDH'; |
| ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; |
| |
| # We don't like poodles. |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
| ssl_session_cache shared:SSL:10m; |
| |
| # Enable Forward secrecy. |
| ssl_dhparam /etc/ssl/dhparam.pem; |
| ssl_prefer_server_ciphers on; |
| |
| # Enable HTST. |
| add_header Strict-Transport-Security max-age=1209600; |
| |
| # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486) |
| chunked_transfer_encoding on; |
| |
| location / { |
| proxy_pass http://tasks:7080; |
| proxy_connect_timeout 1; |
| } |
| } |
| |
| server { |
| listen 80; |
| listen 443 ssl; |
| server_name x.example.com example.io; |
| |
| location ~ "(/[^/]+)(/.*)?" { |
| set $myhost $host; |
| if ($arg_go-get = "1") { |
| set $myhost "goget"; |
| } |
| proxy_pass http://$myhost$1; |
| proxy_set_header Host $host; |
| proxy_set_header X-Real-IP $remote_addr; |
| proxy_set_header X-Scheme $scheme; |
| proxy_connect_timeout 1; |
| } |
| |
| location / { |
| set $myhost $host; |
| if ($arg_go-get = "1") { |
| set $myhost "goget"; |
| } |
| proxy_pass http://$myhost; |
| proxy_set_header Host $host; |
| proxy_set_header X-Real-IP $remote_addr; |
| proxy_set_header X-Scheme $scheme; |
| proxy_connect_timeout 1; |
| } |
| } |
| |
| server { |
| listen 80; |
| server_name www.example.com w.example.com; |
| |
| resolver 8.8.8.8; |
| |
| location / { |
| proxy_set_header X-Forwarded-Host $host; |
| proxy_set_header X-Forwarded-Server $host; |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| proxy_set_header X-Real-IP $remote_addr; |
| |
| proxy_pass http://$host.default.example.appspot.com/$request_uri; |
| proxy_redirect http://$host.default.example.appspot.com/ /; |
| } |
| } |
| |
| server { |
| # We could add the following line and the connection would still be SSL, |
| # but it doesn't appear to be necessary. Seems saver this way. |
| listen 80; |
| listen 443 default ssl; |
| server_name ~^(?<sub>.*)\\.example\\.com$; |
| |
| ssl_certificate /etc/ssl/server.crt; |
| ssl_certificate_key /etc/ssl/server.key; |
| |
| # Security enhancements to deal with poodles and the like. |
| # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html |
| # ssl_ciphers 'AES256+EECDH:AES256+EDH'; |
| ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; |
| |
| # We don't like poodles. |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
| ssl_session_cache shared:SSL:10m; |
| |
| # Enable Forward secrecy. |
| ssl_dhparam /etc/ssl/dhparam.pem; |
| ssl_prefer_server_ciphers on; |
| |
| # Enable HTST. |
| add_header Strict-Transport-Security max-age=1209600; |
| |
| if ($ssl_protocol = "") { |
| rewrite ^ https://$host$request_uri? permanent; |
| } |
| |
| # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486) |
| chunked_transfer_encoding on; |
| |
| location / { |
| proxy_pass http://authproxy:4180; |
| proxy_set_header Host $host; |
| proxy_set_header X-Real-IP $remote_addr; |
| proxy_set_header X-Scheme $scheme; |
| proxy_connect_timeout 1; |
| } |
| } |
| } |
| """ |
| } |
| metadata: { |
| name: "nginx" |
| labels: { |
| component: "proxy" |
| } |
| } |
| } |
| } |