Introduce prober deployment
troydai committed Apr 12, 2023
1 parent e2c7999 commit 1eeccbb
Showing 6 changed files with 185 additions and 3 deletions.
2 changes: 1 addition & 1 deletion charts/grpcbeacon-prober/Chart.yaml
@@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
version: 0.1.1

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
104 changes: 104 additions & 0 deletions charts/grpcbeacon-prober/templates/config-map.yaml
@@ -0,0 +1,104 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: prober-config
namespace: {{ .Release.Name }}
labels:
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
data:
beacon_addr: "localhost:7000"
prober_interval: "10s"
envoy-config: |
node:
id: default
cluster: kind-cluster
static_resources:
listeners:
- name: listener_0
address:
socket_address:
address: 0.0.0.0
port_value: 7000
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
access_log:
- name: envoy.access_loggers.stdout
typed_config:
"@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
http_filters:
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
route_config:
name: beacon-service
virtual_hosts:
- name: beacon-service
domains: ["*"]
routes:
- match:
prefix: "/grpcbeacon.Beacon"
grpc: {}
route:
cluster: beacon-service
clusters:
- name: beacon-service
type: STRICT_DNS
dns_lookup_family: V4_ONLY
http2_protocol_options: {}
load_assignment:
cluster_name: beacon-service
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: {{ .Values.beaconAddr }}
port_value: {{ .Values.beaconPort }}
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
common_tls_context:
tls_certificate_sds_secret_configs:
- name: "spiffe://spire-in-a-box.troydai.cc/wl/ns/{{.Release.Name}}/prober"
sds_config:
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
envoy_grpc:
cluster_name: spire_agent
combined_validation_context:
default_validation_context:
match_subject_alt_names:
exact: "spiffe://spire-in-a-box.troydai.cc/wl/beacon"
validation_context_sds_secret_config:
name: "spiffe://spire-in-a-box.troydai.cc"
sds_config:
api_config_source:
api_type: GRPC
transport_api_version: V3
grpc_services:
envoy_grpc:
cluster_name: spire_agent
tls_params:
ecdh_curves:
- X25519:P-256:P-521:P-384
- name: spire_agent
connect_timeout: 0.25s
http2_protocol_options: {}
load_assignment:
cluster_name: spire_agent
endpoints:
- lb_endpoints:
- endpoint:
address:
pipe:
path: /opt/spire/sockets/spire-agent.sock
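Review bot: The Envoy listener in `envoy-config` binds `address: 0.0.0.0`, although the only client visible in this commit is the prober container in the same pod, which dials `localhost:7000` through `beacon_addr`. The listener accepts plaintext and the `beacon-service` cluster presents the pod's SPIFFE SVID upstream, so any peer that can reach the pod IP on port 7000 would have its requests forwarded to the beacon under the prober's identity. Binding the listener to loopback, `address: 127.0.0.1`, keeps the sidecar reachable only from inside the pod. Separately, `match_subject_alt_names` is deprecated in current Envoy in favour of `match_typed_subject_alt_names`, and the trust domain `spire-in-a-box.troydai.cc` is written out three times where a single chart value would keep the SDS names and the expected SAN in step.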
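--- a/charts/grpcbeacon-prober/templates/deployment.yaml
+++ b/charts/grpcbeacon-prober/templates/deployment.yaml
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: prober-deployment
+namespace: {{ .Release.Name }}
+labels:
+chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+release: {{ .Release.Name }}
+heritage: {{ .Release.Service }}
+spec:
+replicas: {{ .Values.replicaCount }}
+selector:
+matchLabels:
+app: prober
+template:
+metadata:
+labels:
+app: prober
+spec:
+serviceAccountName: prober-sa
+containers:
+- name: envoy
+image: envoyproxy/envoy:v1.25.1
+volumeMounts:
+- name: envoy-config
+mountPath: /etc/envoy
+readOnly: true
+- name: spiffe-workload-api
+mountPath: /opt/spire/sockets
+readOnly: true
+- name: prober
+image: troydai/grpcprober:{{ .Values.proberVersion }}
+volumeMounts:
+- name: spiffe-workload-api
+mountPath: /opt/spire/sockets
+readOnly: true
+env:
+- name: SERVER_ADDRESS
+valueFrom:
+configMapKeyRef:
+name: prober-config
+key: beacon_addr
+- name: CLIENT_INTERVAL
+valueFrom:
+configMapKeyRef:
+name: prober-config
+key: prober_interval
+
+volumes:
+- name: envoy-config
+configMap:
+name: prober-config
+items:
+- key: envoy-config
+path: envoy.yaml
+- name: spiffe-workload-api
+csi:
+driver: "csi.spiffe.io"
+readOnly: true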
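Review bot: Neither container in the pod template sets a `securityContext`, and the pod keeps the default service-account token mount even though its workload identity comes from the `csi.spiffe.io` volume. If the prober never calls the Kubernetes API (not visible in this commit), add `automountServiceAccountToken: false` to the pod spec, and give both containers at least `allowPrivilegeEscalation: false`. Whether the envoy image still starts under a non-root user or with dropped capabilities depends on its entrypoint, so verify that before adding `runAsNonRoot: true`. Both images are referenced by tag (`envoyproxy/envoy:v1.25.1`, `troydai/grpcprober:{{ .Values.proberVersion }}`); pinning them by digest would make the deployed content reproducible. No `resources` requests or limits are set on either container.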
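--- a/charts/grpcbeacon-prober/templates/namespace.yaml
+++ b/charts/grpcbeacon-prober/templates/namespace.yaml
@@ -0,0 +1,10 @@
+# create a k8s namespace
+apiVersion: v1
+kind: Namespace
+metadata:
+name: {{ .Release.Name }}
+labels:
+app: {{ .Release.Name }}
+chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+release: {{ .Release.Name }}
+heritage: {{ .Release.Service }}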
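Review bot: The namespace name is taken from `{{ .Release.Name }}`, and the ConfigMap, Deployment and ServiceAccount sections of this commit set `namespace: {{ .Release.Name }}` as well, so the `--namespace` passed to Helm is ignored and the release name alone decides where the workload runs. Because the SPIFFE ID in config-map.yaml embeds `ns/{{.Release.Name}}`, the release name also determines the workload identity requested from SPIRE, which is easy to overlook at install time. Consider `namespace: {{ .Release.Namespace }}` in the templates and leaving namespace creation to `helm install --create-namespace`. If the chart keeps creating the namespace, a `pod-security.kubernetes.io/enforce: baseline` label here would add an admission-time guard for the pods it hosts.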
8 changes: 6 additions & 2 deletions charts/grpcbeacon-prober/templates/serviceaccount.yaml
@@ -1,5 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Release.Name }}-sa
namespace: {{ .Release.Namespace }}
name: prober-sa
namespace: {{ .Release.Name }}
labels:
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
5 changes: 5 additions & 0 deletions charts/grpcbeacon-prober/values.yaml
@@ -1,3 +1,8 @@
# Default values for grpcbeacon-prober.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 1
proberVersion: v0.8.4
beaconAddr: beacon-service.workload-ns.svc.cluster.local
beaconPort: 9090
