mathieu-benoit · mathieu-benoit · Jul 10, 2023
diff --git a/docs/gke-advanced-asm.md b/docs/gke-advanced-asm.md
diff --git a/samples/asm-ingress-gateway/backendconfig.yaml b/samples/asm-ingress-gateway/backendconfig.yaml
@@ -0,0 +1,12 @@
+apiVersion: cloud.google.com/v1
+kind: BackendConfig
+metadata:
+ name: asm-ingressgateway
+ namespace: asm-ingress
+spec:
+ healthCheck:
+ requestPath: /healthz/ready
+ port: 15021
+ type: HTTP
+ securityPolicy:
+ name: ${SECURITY_POLICY_NAME}
diff --git a/samples/asm-ingress-gateway/deployment.yaml b/samples/asm-ingress-gateway/deployment.yaml
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: asm-ingressgateway
+ namespace: asm-ingress
+spec:
+ selector:
+ matchLabels:
+ asm: ingressgateway
+ app: asm-ingressgateway
+ template:
+ metadata:
+ annotations:
+ inject.istio.io/templates: gateway
+ labels:
+ asm: ingressgateway
+ app: asm-ingressgateway
+ spec:
+ containers:
+ - name: istio-proxy
+ image: auto
+ env:
+ - name: ISTIO_META_UNPRIVILEGED_POD
+ value: "true"
+ ports:
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ securityContext:
+ fsGroup: 1337
+ runAsGroup: 1337
+ runAsNonRoot: true
+ runAsUser: 1337
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: asm-ingressgateway
diff --git a/samples/asm-ingress-gateway/frontendconfig.yaml b/samples/asm-ingress-gateway/frontendconfig.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.gke.io/v1beta1
+kind: FrontendConfig
+metadata:
+ name: asm-ingressgateway
+ namespace: asm-ingress
+spec:
+ sslPolicy: ${SSL_POLICY_NAME}
+ redirectToHttps:
+ enabled: true
+ responseCodeName: MOVED_PERMANENTLY_DEFAULT
diff --git a/samples/asm-ingress-gateway/gateway.yaml b/samples/asm-ingress-gateway/gateway.yaml
@@ -0,0 +1,15 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: asm-ingressgateway
+ namespace: asm-ingress
+spec:
+ selector:
+ asm: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - '*'
diff --git a/samples/asm-ingress-gateway/hpa.yaml b/samples/asm-ingress-gateway/hpa.yaml
@@ -0,0 +1,18 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: asm-ingressgateway
+ namespace: asm-ingress
+ maxReplicas: 5
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 80
+ minReplicas: 3
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: asm-ingressgateway
diff --git a/samples/asm-ingress-gateway/ingress.yaml b/samples/asm-ingress-gateway/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: asm-ingressgateway
+ namespace: asm-ingress
+ annotations:
+ kubernetes.io/ingress.global-static-ip-name: "${INGRESS_GATEWAY_PUBLIC_IP_NAME}"
+ kubernetes.io/ingress.class: "gce"
+ networking.gke.io/v1beta1.FrontendConfig: asm-ingressgateway
+spec:
+ defaultBackend:
+ service:
+ name: asm-ingressgateway
+ port:
+ number: 80
+ rules:
+ - http:
+ paths:
+ - path: /*
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: asm-ingressgateway
+ port:
+ number: 80
diff --git a/samples/asm-ingress-gateway/namespace.yaml b/samples/asm-ingress-gateway/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ istio-injection: enabled
+ pod-security.kubernetes.io/enforce: restricted
+ name: asm-ingress
diff --git a/samples/asm-ingress-gateway/role.yaml b/samples/asm-ingress-gateway/role.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: asm-ingressgateway
+ namespace: asm-ingress
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
diff --git a/samples/asm-ingress-gateway/rolebinding.yaml b/samples/asm-ingress-gateway/rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: asm-ingressgateway
+ namespace: asm-ingress
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: asm-ingressgateway
+subjects:
+- kind: ServiceAccount
+ name: asm-ingressgateway
diff --git a/samples/asm-ingress-gateway/service.yaml b/samples/asm-ingress-gateway/service.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: asm-ingressgateway
+ namespace: asm-ingress
+ annotations:
+ cloud.google.com/neg: '{"ingress": true}'
+ cloud.google.com/backend-config: '{"default": "asm-ingressgateway"}'
+ cloud.google.com/app-protocols: '{"http2":"HTTP"}'
+ labels:
+ asm: ingressgateway
+spec:
+ ports:
+ - name: tcp-status
+ port: 15021
+ protocol: TCP
+ targetPort: 15021
+ - name: http2
+ port: 80
+ targetPort: 8080
+ - name: https
+ port: 443
+ targetPort: 8443
+ selector:
+ asm: ingressgateway
+ type: ClusterIP
diff --git a/samples/asm-ingress-gateway/serviceaccount.yaml b/samples/asm-ingress-gateway/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: asm-ingressgateway
+ namespace: asm-ingress