infra/asm/asm-gateways.yaml (115 lines of code) (raw):
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Namespace
metadata:
name: asm-ingress-gw
labels:
istio-injection: enabled
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: asm-ingressgateway
namespace: asm-ingress-gw
annotations:
configmanagement.gke.io/cluster-selector: selector-prod-workload
spec:
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: asm-ingressgateway
namespace: asm-ingress-gw
annotations:
configmanagement.gke.io/cluster-selector: selector-prod-workload
---
apiVersion: v1
kind: Service
metadata:
name: asm-ingressgateway
namespace: asm-ingress-gw
annotations:
configmanagement.gke.io/cluster-selector: selector-prod-workload
spec:
ports:
- name: status-port
port: 15021
protocol: TCP
targetPort: 15021
- name: http
port: 80
targetPort: 8080
appProtocol: HTTP
type: ClusterIP
selector:
asm: ingressgateway
---
kind: ServiceExport
apiVersion: net.gke.io/v1
metadata:
name: asm-ingressgateway
namespace: asm-ingress-gw
annotations:
configmanagement.gke.io/cluster-selector: selector-prod-workload
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: asm-ingressgateway
namespace: asm-ingress-gw
annotations:
configmanagement.gke.io/cluster-selector: selector-prod-workload
labels:
app: asm-ingressgateway
asm: ingressgateway
spec:
replicas: 1
selector:
matchLabels:
app: asm-ingressgateway
asm: ingressgateway
template:
metadata:
annotations:
# This is required to tell Anthos Service Mesh to inject the gateway with the
# required configuration.
inject.istio.io/templates: gateway
labels:
app: asm-ingressgateway
asm: ingressgateway
spec:
containers:
- name: istio-proxy
image: auto # The image will automatically update each time the pod starts.
env:
- name: ISTIO_META_UNPRIVILEGED_POD
value: "true"
ports:
- containerPort: 8080
protocol: TCP
- containerPort: 15021
protocol: TCP
resources:
limits:
cpu: 2000m
memory: 1024Mi
requests:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
privileged: false
readOnlyRootFilesystem: true
securityContext:
fsGroup: 1337
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
serviceAccountName: asm-ingressgateway
# ---
# apiVersion: v1
# kind: Service
# metadata:
# name: asm-egressgateway
# namespace: asm-ingress
# labels:
# app: asm-egressgateway
# asm: egressgateway
# spec:
# type: ClusterIP
# selector:
# asm: egressgateway
# ports:
# - port: 80
# name: http
# - port: 443
# name: https
# ---
# kind: ServiceExport
# apiVersion: net.gke.io/v1
# metadata:
# name: asm-egressgateway
# namespace: asm-ingress
# ---
# apiVersion: apps/v1
# kind: Deployment
# metadata:
# name: asm-egressgateway
# namespace: asm-ingress
# labels:
# app: asm-egressgateway
# asm: egressgateway
# spec:
# selector:
# matchLabels:
# app: asm-egressgateway
# asm: egressgateway
# template:
# metadata:
# annotations:
# # This is required to tell Anthos Service Mesh to inject the gateway with the
# # required configuration.
# inject.istio.io/templates: gateway
# labels:
# app: asm-egressgateway
# asm: egressgateway
# spec:
# containers:
# - name: istio-proxy
# image: auto # The image will automatically update each time the pod starts.
# ---
# apiVersion: v1
# kind: Service
# metadata:
# name: asm-eastwestgateway
# namespace: asm-ingress
# labels:
# app: asm-eastwestgateway
# asm: eastwestgateway
# topology.istio.io/network: default
# spec:
# type: ClusterIP
# selector:
# asm: eastwestgateway
# ports:
# - port: 15021
# name: status-port
# targetPort: 15021
# - port: 15443
# name: tls
# targetPort: 15443
# ---
# kind: ServiceExport
# apiVersion: net.gke.io/v1
# metadata:
# name: asm-eastwestgateway
# namespace: asm-ingress
# ---
# apiVersion: apps/v1
# kind: Deployment
# metadata:
# name: asm-eastwestgateway
# namespace: asm-ingress
# labels:
# app: asm-eastwestgateway
# asm: eastwestgateway
# spec:
# selector:
# matchLabels:
# app: asm-eastwestgateway
# asm: eastwestgateway
# template:
# metadata:
# annotations:
# # This is required to tell Anthos Service Mesh to inject the gateway with the
# # required configuration.
# inject.istio.io/templates: gateway
# labels:
# app: asm-eastwestgateway
# asm: eastwestgateway
# topology.istio.io/network: default
# spec:
# containers:
# - name: istio-proxy
# image: auto # The image will automatically update each time the pod starts.
# env:
# # traffic through this gateway should be routed inside the network
# - name: ISTIO_META_REQUESTED_NETWORK_VIEW
# value: default
# - name: ISTIO_META_ROUTER_MODE
# value: sni-dnat