Dual contour ingress without host network
# Namespace shared by both Contour/Envoy stacks defined below
# (the "external" pair behind an internet-facing NLB and the "internal"
# pair behind a VPC-internal NLB).
apiVersion: v1
kind: Namespace
metadata:
  name: heptio-contour
---
# Internet-facing entry point: an AWS NLB in front of the envoy-external
# DaemonSet. The NLB forwards to NodePorts, and externalTrafficPolicy: Local
# keeps traffic on the node that received it (so the client source address
# survives and only nodes running an envoy-external pod pass the NLB health
# check). No hostNetwork is involved; the targetPorts are the Envoy
# containerPorts.
apiVersion: v1
kind: Service
metadata:
  name: envoy-external
  namespace: heptio-contour
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  selector:
    app: envoy-external
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 8080
    - name: https
      port: 443
      protocol: TCP
      targetPort: 8443
---
# ClusterIP in front of the contour-external Deployment's xDS port.
# The Envoy pods do not resolve this by DNS: they use the
# CONTOUR_EXTERNAL_SERVICE_HOST / CONTOUR_EXTERNAL_SERVICE_PORT environment
# variables that kubelet derives from this Service, so the Service has to
# exist before the envoy-external pods are created.
apiVersion: v1
kind: Service
metadata:
  name: contour-external
  namespace: heptio-contour
spec:
  type: ClusterIP
  selector:
    app: contour-external
  ports:
    - name: xds
      port: 8001
      protocol: TCP
      targetPort: 8001
---
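# Contour control plane for the "external" ingress class. It watches
# Ingress/IngressRoute objects whose class is contour-external and serves the
# resulting configuration to the envoy-external DaemonSet over xDS (8001).
#
# Fix vs. the original: the `# ...` remarks that sat inside the
# ad.datadoghq.com/* block scalars were part of the annotation value (a `|`
# body has no comment syntax), which made the JSON the Datadog agent parses
# invalid. The remarks now live in real YAML comments above the keys.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: contour-external
  namespace: heptio-contour
  labels:
    app: contour-external
spec:
  replicas: 2
  selector:
    matchLabels:
      app: contour-external
  template:
    metadata:
      labels:
        app: contour-external
      annotations:
        # Datadog autodiscovery: scrape Contour's debug endpoint (port 8000,
        # the "debug" containerPort below). %%host%% is a Datadog template
        # variable resolved by the agent.
        ad.datadoghq.com/contour.check_names: |
          [
            "contour"
          ]
        ad.datadoghq.com/contour.init_configs: |
          [
            {}
          ]
        ad.datadoghq.com/contour.instances: |
          [
            {
              "stats_url": "http://%%host%%:8000/stats"
            }
          ]
        # "source" is used for the Datadog pipeline filter, "service" for log
        # exploration.
        ad.datadoghq.com/contour.logs: |
          [
            {
              "source": "contour",
              "service": "ingress"
            }
          ]
    spec:
      # Spread the two replicas across nodes when possible; this is a soft
      # preference, so a single-node cluster still schedules both.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app: contour-external
                topologyKey: kubernetes.io/hostname
      # The "contour" ServiceAccount is bound to the cluster-wide "contour"
      # ClusterRole (list/watch on secrets, endpoints, services, ingresses,
      # ingressroutes). Contour needs the API token; Envoy does not.
      serviceAccountName: contour
      dnsPolicy: ClusterFirst
      containers:
        - name: contour
          # NOTE(review): pinned by tag only; pin by digest if the supply
          # chain of this image matters to you.
          image: gcr.io/heptio-images/contour:v0.8.1
          imagePullPolicy: Always
          command: ["contour"]
          args:
            - serve
            - --incluster
            - --xds-address
            - 0.0.0.0
            - --xds-port
            # Expanded by kubelet from the env var injected for the
            # contour-external Service (only present if that Service existed
            # when the pod was created).
            - $(CONTOUR_EXTERNAL_SERVICE_PORT)
            # Only manage Ingress objects whose ingress.class is
            # contour-external; the internal stack handles the other class.
            - --ingress-class-name=contour-external
          ports:
            - name: xds
              containerPort: 8001
              protocol: TCP
            - name: debug
              containerPort: 8000
              protocol: TCP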
---
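# Envoy data plane for the "external" ingress class: one pod per node,
# listening on 8080/8443 in the pod network (no hostNetwork). The
# envoy-external Service/NLB targets these ports.
#
# Fixes vs. the original:
#  - the `# ...` remarks inside the ad.datadoghq.com/* block scalars were part
#    of the annotation value and broke the JSON the Datadog agent parses; they
#    are now real YAML comments above the keys;
#  - apiVersion moved from extensions/v1beta1 to apps/v1, matching the
#    Deployments in this file (the required spec.selector is already set).
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: envoy-external
  namespace: heptio-contour
  labels:
    app: envoy-external
spec:
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      # Quoted so no tooling re-types the IntOrString value.
      maxUnavailable: "10%"
  selector:
    matchLabels:
      app: envoy-external
  template:
    metadata:
      labels:
        app: envoy-external
      annotations:
        # Datadog autodiscovery for Envoy. %%host%% is a Datadog template
        # variable resolved by the agent.
        ad.datadoghq.com/envoy.check_names: |
          [
            "envoy"
          ]
        ad.datadoghq.com/envoy.init_configs: |
          [
            {}
          ]
        # 8002 is the stats/health listener of the bootstrap config written
        # by the init container (the readinessProbe below uses the same
        # port). Original author's note: keep the internal and external
        # stats ports distinct.
        ad.datadoghq.com/envoy.instances: |
          [
            {
              "stats_url": "http://%%host%%:8002/stats"
            }
          ]
        # "source" is used for the Datadog pipeline filter, "service" for log
        # exploration.
        ad.datadoghq.com/envoy.logs: |
          [
            {
              "source": "envoy",
              "service": "ingress"
            }
          ]
    spec:
      # Envoy only talks to Contour's xDS endpoint, never to the API server,
      # so no ServiceAccount token is mounted into the pod.
      automountServiceAccountToken: false
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      initContainers:
        # Writes /config/contour.yaml (Envoy bootstrap) pointing at the
        # contour-external Service. The $(...) values are the env vars kubelet
        # injects for that Service, so it must exist before these pods start.
        # NOTE(review): nothing here configures TLS for the xDS connection on
        # 8001; it is plain in-cluster traffic. A NetworkPolicy limiting 8001
        # on the contour pods to the envoy pods is the usual mitigation.
        - name: envoy-initconfig
          image: gcr.io/heptio-images/contour:v0.8.1
          imagePullPolicy: Always
          command:
            - contour
          args:
            - bootstrap
            - /config/contour.yaml
            - --xds-address
            - $(CONTOUR_EXTERNAL_SERVICE_HOST)
            - --xds-port
            - $(CONTOUR_EXTERNAL_SERVICE_PORT)
          volumeMounts:
            - name: contour-config
              mountPath: /config
      containers:
        - name: envoy
          # NOTE(review): pinned by tag only; pin by digest if the supply
          # chain of this image matters to you. No securityContext or
          # resource limits are set on this container -- 8080/8443 are
          # unprivileged ports, so a non-root runAsUser should be feasible;
          # confirm against the image before adding it.
          image: docker.io/envoyproxy/envoy-alpine:v1.7.0
          imagePullPolicy: IfNotPresent
          command:
            - envoy
          args:
            - -c
            - /config/contour.yaml
            - --service-cluster
            - envoy-external-cluster
            - --service-node
            # Node name from the downward API gives each Envoy a unique
            # --service-node id per node.
            - $(NODE_NAME)
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
            - name: https
              containerPort: 8443
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8002
            initialDelaySeconds: 3
            periodSeconds: 3
          lifecycle:
            # On termination, ask Envoy's admin interface (9001) to start
            # failing its health check so the readiness probe and the NLB
            # drain this node before the container is killed.
            preStop:
              exec:
                command: ["wget", "-qO-", "http://localhost:9001/healthcheck/fail"]
          volumeMounts:
            - name: contour-config
              mountPath: /config
      volumes:
        # Bootstrap config is regenerated by the init container on every pod
        # start, so an ephemeral volume is enough.
        - name: contour-config
          emptyDir: {}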
---
# VPC-internal entry point: an internal AWS NLB in front of the envoy-internal
# DaemonSet. Same shape as envoy-external, plus the "internal" annotation.
# Historically the in-tree AWS provider only checked for that annotation's
# presence; older docs use 0.0.0.0/0 as the value and newer ones "true" --
# keep whatever the cluster's provider version expects.
apiVersion: v1
kind: Service
metadata:
  name: envoy-internal
  namespace: heptio-contour
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: "0.0.0.0/0"
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  type: LoadBalancer
  # Keep traffic on the receiving node so the client source address survives;
  # only nodes running an envoy-internal pod pass the NLB health check.
  externalTrafficPolicy: Local
  selector:
    app: envoy-internal
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 8080
    - name: https
      port: 443
      protocol: TCP
      targetPort: 8443
---
# ClusterIP in front of the contour-internal Deployment's xDS port.
# The envoy-internal pods reach it through the CONTOUR_INTERNAL_SERVICE_HOST /
# CONTOUR_INTERNAL_SERVICE_PORT environment variables kubelet derives from this
# Service, so it must exist before those pods are created.
apiVersion: v1
kind: Service
metadata:
  name: contour-internal
  namespace: heptio-contour
spec:
  type: ClusterIP
  selector:
    app: contour-internal
  ports:
    - name: xds
      port: 8001
      protocol: TCP
      targetPort: 8001
---
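# Contour control plane for the "internal" ingress class. It watches
# Ingress/IngressRoute objects whose class is contour-internal and serves the
# resulting configuration to the envoy-internal DaemonSet over xDS (8001).
#
# Fix vs. the original: the `# ...` remarks that sat inside the
# ad.datadoghq.com/* block scalars were part of the annotation value (a `|`
# body has no comment syntax), which made the JSON the Datadog agent parses
# invalid. The remarks now live in real YAML comments above the keys.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: contour-internal
  namespace: heptio-contour
  labels:
    app: contour-internal
spec:
  replicas: 2
  selector:
    matchLabels:
      app: contour-internal
  template:
    metadata:
      labels:
        app: contour-internal
      annotations:
        # Datadog autodiscovery: scrape Contour's debug endpoint (port 8000,
        # the "debug" containerPort below). %%host%% is a Datadog template
        # variable resolved by the agent.
        ad.datadoghq.com/contour.check_names: |
          [
            "contour"
          ]
        ad.datadoghq.com/contour.init_configs: |
          [
            {}
          ]
        ad.datadoghq.com/contour.instances: |
          [
            {
              "stats_url": "http://%%host%%:8000/stats"
            }
          ]
        # "source" is used for the Datadog pipeline filter, "service" for log
        # exploration.
        ad.datadoghq.com/contour.logs: |
          [
            {
              "source": "contour",
              "service": "ingress"
            }
          ]
    spec:
      # Spread the two replicas across nodes when possible; this is a soft
      # preference, so a single-node cluster still schedules both.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app: contour-internal
                topologyKey: kubernetes.io/hostname
      # Shares the cluster-wide "contour" ServiceAccount/ClusterRole with the
      # external instance; both can read every Secret the role allows.
      serviceAccountName: contour
      dnsPolicy: ClusterFirst
      containers:
        - name: contour
          # NOTE(review): pinned by tag only; pin by digest if the supply
          # chain of this image matters to you.
          image: gcr.io/heptio-images/contour:v0.8.1
          imagePullPolicy: Always
          command: ["contour"]
          args:
            - serve
            - --incluster
            - --xds-address
            - 0.0.0.0
            - --xds-port
            # Expanded by kubelet from the env var injected for the
            # contour-internal Service (only present if that Service existed
            # when the pod was created).
            - $(CONTOUR_INTERNAL_SERVICE_PORT)
            # Only manage Ingress objects whose ingress.class is
            # contour-internal; the external stack handles the other class.
            - --ingress-class-name=contour-internal
          ports:
            - name: xds
              containerPort: 8001
              protocol: TCP
            - name: debug
              containerPort: 8000
              protocol: TCP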
---
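# Envoy data plane for the "internal" ingress class: one pod per node,
# listening on 8080/8443 in the pod network (no hostNetwork). The
# envoy-internal Service/NLB targets these ports.
#
# Fixes vs. the original:
#  - the `# ...` remarks inside the ad.datadoghq.com/* block scalars were part
#    of the annotation value and broke the JSON the Datadog agent parses; they
#    are now real YAML comments above the keys;
#  - apiVersion moved from extensions/v1beta1 to apps/v1, matching the
#    Deployments in this file (the required spec.selector is already set).
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: envoy-internal
  namespace: heptio-contour
  labels:
    app: envoy-internal
spec:
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      # Quoted so no tooling re-types the IntOrString value.
      maxUnavailable: "10%"
  selector:
    matchLabels:
      app: envoy-internal
  template:
    metadata:
      labels:
        app: envoy-internal
      annotations:
        # Datadog autodiscovery for Envoy. %%host%% is a Datadog template
        # variable resolved by the agent.
        ad.datadoghq.com/envoy.check_names: |
          [
            "envoy"
          ]
        ad.datadoghq.com/envoy.init_configs: |
          [
            {}
          ]
        # 8002 is the stats/health listener of the bootstrap config written
        # by the init container (the readinessProbe below uses the same
        # port). Original author's note: keep the internal and external
        # stats ports distinct.
        ad.datadoghq.com/envoy.instances: |
          [
            {
              "stats_url": "http://%%host%%:8002/stats"
            }
          ]
        # "source" is used for the Datadog pipeline filter, "service" for log
        # exploration.
        ad.datadoghq.com/envoy.logs: |
          [
            {
              "source": "envoy",
              "service": "ingress"
            }
          ]
    spec:
      # Envoy only talks to Contour's xDS endpoint, never to the API server,
      # so no ServiceAccount token is mounted into the pod.
      automountServiceAccountToken: false
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      initContainers:
        # Writes /config/contour.yaml (Envoy bootstrap) pointing at the
        # contour-internal Service. The $(...) values are the env vars kubelet
        # injects for that Service, so it must exist before these pods start.
        # NOTE(review): nothing here configures TLS for the xDS connection on
        # 8001; it is plain in-cluster traffic. A NetworkPolicy limiting 8001
        # on the contour pods to the envoy pods is the usual mitigation.
        - name: envoy-initconfig
          image: gcr.io/heptio-images/contour:v0.8.1
          imagePullPolicy: Always
          command:
            - contour
          args:
            - bootstrap
            - /config/contour.yaml
            - --xds-address
            - $(CONTOUR_INTERNAL_SERVICE_HOST)
            - --xds-port
            - $(CONTOUR_INTERNAL_SERVICE_PORT)
          volumeMounts:
            - name: contour-config
              mountPath: /config
      containers:
        - name: envoy
          # NOTE(review): pinned by tag only; pin by digest if the supply
          # chain of this image matters to you. No securityContext or
          # resource limits are set on this container -- 8080/8443 are
          # unprivileged ports, so a non-root runAsUser should be feasible;
          # confirm against the image before adding it.
          image: docker.io/envoyproxy/envoy-alpine:v1.7.0
          imagePullPolicy: IfNotPresent
          command:
            - envoy
          args:
            - -c
            - /config/contour.yaml
            - --service-cluster
            - envoy-internal-cluster
            - --service-node
            # Node name from the downward API gives each Envoy a unique
            # --service-node id per node.
            - $(NODE_NAME)
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
            - name: https
              containerPort: 8443
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8002
            initialDelaySeconds: 3
            periodSeconds: 3
          lifecycle:
            # On termination, ask Envoy's admin interface (9001) to start
            # failing its health check so the readiness probe and the NLB
            # drain this node before the container is killed.
            preStop:
              exec:
                command: ["wget", "-qO-", "http://localhost:9001/healthcheck/fail"]
          volumeMounts:
            - name: contour-config
              mountPath: /config
      volumes:
        # Bootstrap config is regenerated by the init container on every pod
        # start, so an ephemeral volume is enough.
        - name: contour-config
          emptyDir: {}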
---
# Identity used by both Contour Deployments (contour-external and
# contour-internal). It is bound cluster-wide by the "contour"
# ClusterRoleBinding below; the Envoy DaemonSets deliberately do not use it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: contour
  namespace: heptio-contour
---
# IngressRoute CRD (Contour's own routing resource) with the v1beta1
# OpenAPI validation schema. Kept on apiextensions.k8s.io/v1beta1 on purpose:
# the v1 CRD API requires a structural schema, which is a larger change than
# a reformat. Regex patterns are single-quoted so backslashes stay literal;
# the values are unchanged.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.contour.heptio.com
  labels:
    component: ingressroute
spec:
  group: contour.heptio.com
  version: v1beta1
  scope: Namespaced
  names:
    plural: ingressroutes
    kind: IngressRoute
  # Extra columns for `kubectl get ingressroutes`.
  additionalPrinterColumns:
    - name: FQDN
      type: string
      description: Fully qualified domain name
      JSONPath: .spec.virtualhost.fqdn
    - name: TLS Secret
      type: string
      description: Secret with TLS credentials
      JSONPath: .spec.virtualhost.tls.secretName
    - name: First route
      type: string
      description: First routes defined
      JSONPath: .spec.routes[0].match
    - name: Status
      type: string
      description: The current status of the IngressRoute
      JSONPath: .status.currentStatus
    - name: Status Description
      type: string
      description: Description of the current status
      JSONPath: .status.description
  validation:
    openAPIV3Schema:
      properties:
        spec:
          properties:
            virtualhost:
              properties:
                fqdn:
                  type: string
                  pattern: '^([a-zA-Z0-9]+(-[a-zA-Z0-9]+)*\.)+[a-z]{2,}$'
                tls:
                  properties:
                    secretName:
                      type: string
                      # DNS-1123 subdomain
                      pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                    minimumProtocolVersion:
                      type: string
                      # Quoted: these are version strings, not floats.
                      enum:
                        - "1.3"
                        - "1.2"
                        - "1.1"
            strategy:
              type: string
              enum:
                - RoundRobin
                - WeightedLeastRequest
                - Random
                - RingHash
                - Maglev
            healthCheck:
              type: object
              required:
                - path
              properties:
                path:
                  type: string
                  pattern: '^\/.*$'
                intervalSeconds:
                  type: integer
                timeoutSeconds:
                  type: integer
                unhealthyThresholdCount:
                  type: integer
                healthyThresholdCount:
                  type: integer
            routes:
              type: array
              items:
                required:
                  - match
                properties:
                  match:
                    type: string
                    pattern: '^\/.*$'
                  delegate:
                    type: object
                    required:
                      - name
                    properties:
                      name:
                        type: string
                        # DNS-1123 subdomain
                        pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                      namespace:
                        type: string
                        # DNS-1123 label
                        pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                  services:
                    type: array
                    items:
                      type: object
                      required:
                        - name
                        - port
                      properties:
                        name:
                          type: string
                          # DNS-1035 label
                          pattern: '^[a-z]([-a-z0-9]*[a-z0-9])?$'
                        port:
                          type: integer
                        weight:
                          type: integer
                        strategy:
                          type: string
                          enum:
                            - RoundRobin
                            - WeightedLeastRequest
                            - Random
                            - RingHash
                            - Maglev
                        healthCheck:
                          type: object
                          required:
                            - path
                          properties:
                            path:
                              type: string
                              pattern: '^\/.*$'
                            intervalSeconds:
                              type: integer
                            timeoutSeconds:
                              type: integer
                            unhealthyThresholdCount:
                              type: integer
                            healthyThresholdCount:
                              type: integer
---
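# Grants the "contour" ClusterRole to the "contour" ServiceAccount, i.e. to
# both Contour Deployments. Moved from rbac.authorization.k8s.io/v1beta1 to
# v1: the schema is identical and v1beta1 RBAC has been removed from newer
# Kubernetes releases.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: contour
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: contour
subjects:
  - kind: ServiceAccount
    name: contour
    namespace: heptio-contour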
---
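# Cluster-wide permissions Contour needs to build its xDS configuration.
# Shared by contour-external and contour-internal through the single "contour"
# ServiceAccount.
#
# Fixes vs. the original:
#  - the last rule listed `put` and `post`; those are HTTP methods, not
#    Kubernetes RBAC verbs, so the API server never matched them and they
#    granted nothing. Writing IngressRoute status needs `update` (kept
#    together with `patch`). `post` would map to `create`, which Contour is
#    not expected to need for IngressRoutes; add it only if a later version
#    does;
#  - apiVersion moved from rbac.authorization.k8s.io/v1beta1 to v1 (same
#    schema; v1beta1 RBAC has been removed from newer Kubernetes releases).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: contour
rules:
  # NOTE(review): list/watch on secrets is cluster-wide, so both Contour
  # instances (and anyone who can exec into their pods) can read every Secret
  # in every namespace, not only the TLS secrets referenced by Ingress
  # objects. RBAC cannot narrow this by name or field; keep that in mind when
  # deciding what else runs in this cluster.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - contour.heptio.com
    resources:
      - ingressroutes
    verbs:
      - get
      - list
      - watch
      - update
      - patch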