// Evaluated Kubernetes objects, listed one result after another: the six
// top-level fields (service, deployment, #Component, daemonSet, statefulSet,
// configMap) repeat for every result, so this reads as a sequence of outputs
// rather than a single struct. Field order inside each object is kept as listed.
//
// NOTE(review): none of the frontend pod templates in this part of the listing
// sets securityContext or resources, and every image is referenced by tag
// rather than by digest. Whether cluster policy adds such defaults cannot be
// seen from here -- confirm before relying on these manifests as they stand.
// Several apps are pointed at etcd:2379; the etcd StatefulSet further down in
// this listing serves its client port over plain http.
service: {}
deployment: {}
#Component: string
daemonSet: {}
statefulSet: {}
configMap: {}
service: {}
deployment: {}
#Component: "frontend"
daemonSet: {}
statefulSet: {}
configMap: {}
service: bartender: {
	spec: {
		ports: [{port: 7080, targetPort: 7080, name: "client", protocol: "TCP"}]
		selector: {app: "bartender", domain: "prod", component: "frontend"}
	}
	metadata: {
		name: "bartender"
		labels: {app: "bartender", domain: "prod", component: "frontend"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: bartender: {
	spec: {
		replicas: 1
		selector: {}
		template: {
			metadata: {
				labels: {app: "bartender", domain: "prod", component: "frontend"}
				annotations: {"prometheus.io.scrape": "true", "prometheus.io.port": "7080"}
			}
			spec: containers: [{
				name:  "bartender"
				image: "gcr.io/myproj/bartender:v0.1.34"
				args: []
				ports: [{containerPort: 7080}]
			}]
		}
	}
	metadata: {name: "bartender", labels: {component: "frontend"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "frontend"
daemonSet: {}
statefulSet: {}
configMap: {}
service: breaddispatcher: {
	spec: {
		ports: [{port: 7080, targetPort: 7080, name: "client", protocol: "TCP"}]
		selector: {app: "breaddispatcher", domain: "prod", component: "frontend"}
	}
	metadata: {
		name: "breaddispatcher"
		labels: {app: "breaddispatcher", domain: "prod", component: "frontend"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: breaddispatcher: {
	spec: {
		replicas: 1
		selector: {}
		template: {
			metadata: {
				labels: {app: "breaddispatcher", domain: "prod", component: "frontend"}
				annotations: {"prometheus.io.scrape": "true", "prometheus.io.port": "7080"}
			}
			spec: containers: [{
				name:  "breaddispatcher"
				image: "gcr.io/myproj/breaddispatcher:v0.3.24"
				args: ["-etcd=etcd:2379", "-event-server=events:7788"]
				ports: [{containerPort: 7080}]
			}]
		}
	}
	metadata: {name: "breaddispatcher", labels: {component: "frontend"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "frontend"
daemonSet: {}
statefulSet: {}
configMap: {}
service: host: {
	spec: {
		ports: [{port: 7080, targetPort: 7080, name: "client", protocol: "TCP"}]
		selector: {app: "host", domain: "prod", component: "frontend"}
	}
	metadata: {
		name: "host"
		labels: {app: "host", domain: "prod", component: "frontend"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: host: {
	spec: {
		replicas: 2
		selector: {}
		template: {
			metadata: {
				labels: {app: "host", domain: "prod", component: "frontend"}
				annotations: {"prometheus.io.scrape": "true", "prometheus.io.port": "7080"}
			}
			spec: containers: [{
				name:  "host"
				image: "gcr.io/myproj/host:v0.1.10"
				args: []
				ports: [{containerPort: 7080}]
			}]
		}
	}
	metadata: {name: "host", labels: {component: "frontend"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "frontend"
daemonSet: {}
statefulSet: {}
configMap: {}
service: maitred: {
	spec: {
		ports: [{port: 7080, targetPort: 7080, name: "client", protocol: "TCP"}]
		selector: {app: "maitred", domain: "prod", component: "frontend"}
	}
	metadata: {
		name: "maitred"
		labels: {app: "maitred", domain: "prod", component: "frontend"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: maitred: {
	spec: {
		replicas: 1
		selector: {}
		template: {
			metadata: {
				labels: {app: "maitred", domain: "prod", component: "frontend"}
				annotations: {"prometheus.io.scrape": "true", "prometheus.io.port": "7080"}
			}
			spec: containers: [{
				name:  "maitred"
				image: "gcr.io/myproj/maitred:v0.0.4"
				args: []
				ports: [{containerPort: 7080}]
			}]
		}
	}
	metadata: {name: "maitred", labels: {component: "frontend"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "frontend"
daemonSet: {}
statefulSet: {}
configMap: {}
service: valeter: {
	spec: {
		ports: [{name: "http", port: 8080, protocol: "TCP", targetPort: 8080}]
		selector: {app: "valeter", domain: "prod", component: "frontend"}
	}
	metadata: {
		name: "valeter"
		labels: {app: "valeter", domain: "prod", component: "frontend"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: valeter: {
	spec: {
		replicas: 1
		selector: {}
		template: {
			metadata: {
				labels: {app: "valeter", domain: "prod", component: "frontend"}
				annotations: {"prometheus.io.scrape": "true", "prometheus.io.port": "8080"}
			}
			spec: containers: [{
				name:  "valeter"
				image: "gcr.io/myproj/valeter:v0.0.4"
				ports: [{containerPort: 8080}]
				args: ["-http=:8080", "-etcd=etcd:2379"]
			}]
		}
	}
	metadata: {name: "valeter", labels: {component: "frontend"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "frontend"
daemonSet: {}
statefulSet: {}
configMap: {}
service: waiter: {
	spec: {
		ports: [{port: 7080, targetPort: 7080, name: "client", protocol: "TCP"}]
		selector: {app: "waiter", domain: "prod", component: "frontend"}
	}
	metadata: {
		name: "waiter"
		labels: {app: "waiter", domain: "prod", component: "frontend"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: waiter: {
	spec: {
		replicas: 5
		selector: {}
		template: {
			metadata: {
				labels: {app: "waiter", domain: "prod", component: "frontend"}
				annotations: {"prometheus.io.scrape": "true", "prometheus.io.port": "7080"}
			}
			spec: containers: [{
				name:  "waiter"
				image: "gcr.io/myproj/waiter:v0.3.0"
				ports: [{containerPort: 7080}]
			}]
		}
	}
	metadata: {name: "waiter", labels: {component: "frontend"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "frontend"
daemonSet: {}
statefulSet: {}
configMap: {}
service: waterdispatcher: {
	spec: {
		ports: [{name: "http", port: 7080, protocol: "TCP", targetPort: 7080}]
		selector: {app: "waterdispatcher", domain: "prod", component: "frontend"}
	}
	metadata: {
		name: "waterdispatcher"
		labels: {app: "waterdispatcher", domain: "prod", component: "frontend"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
// The braces of this Deployment are written out in full because the container
// entry is still open at the end of this line of the listing.
deployment: {
	waterdispatcher: {
		spec: {
			replicas: 1
			selector: {}
			template: {
				metadata: {
					labels: {app: "waterdispatcher", domain: "prod", component: "frontend"}
					annotations: {"prometheus.io.scrape": "true", "prometheus.io.port": "7080"}
				}
				spec: {
					containers: [{
						name:  "waterdispatcher"
						image: "gcr.io/myproj/waterdispatcher:v0.0.48"
						// NOTE(review): -http=:8080 does not match the 7080
						// used by this app's Service and containerPort; if the
						// flag sets the listen address, the Service targets a
						// port nothing listens on -- confirm.
						args: ["-http=:8080", "-etcd=etcd:2379"]
// Continues the waterdispatcher container entry opened on the previous line of
// the listing, then lists the "infra" results (download, etcd, events, tasks,
// and the start of updater).
ports: [{containerPort: 7080}]
}] // containers
} // pod spec
} // template
} // deployment spec
metadata: {name: "waterdispatcher", labels: {component: "frontend"}}
kind:       "Deployment"
apiVersion: "apps/v1"
} // waterdispatcher
} // deployment
#Component: "frontend"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {}
deployment: {}
#Component: "infra"
daemonSet: {}
statefulSet: {}
configMap: {}
service: download: {
	spec: {
		ports: [{port: 7080, targetPort: 7080, name: "client", protocol: "TCP"}]
		selector: {app: "download", domain: "prod", component: "infra"}
	}
	metadata: {
		name: "download"
		labels: {app: "download", domain: "prod", component: "infra"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: download: {
	spec: {
		replicas: 1
		selector: {}
		template: {
			metadata: labels: {app: "download", domain: "prod", component: "infra"}
			spec: containers: [{
				name:  "download"
				image: "gcr.io/myproj/download:v0.0.2"
				ports: [{containerPort: 7080}]
			}]
		}
	}
	metadata: {name: "download", labels: {component: "infra"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "infra"
daemonSet: {}
statefulSet: {}
configMap: {}
// Headless Service (clusterIP "None") publishing the etcd client and peer ports.
service: etcd: {
	spec: {
		clusterIP: "None"
		ports: [
			{port: 2379, targetPort: 2379, name: "client", protocol: "TCP"},
			{name: "peer", port: 2380, protocol: "TCP", targetPort: 2380},
		]
		selector: {app: "etcd", component: "infra", domain: "prod"}
	}
	metadata: {
		name: "etcd"
		labels: {app: "etcd", domain: "prod", component: "infra"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: {}
#Component: "infra"
daemonSet: {}
statefulSet: etcd: {
	spec: {
		serviceName: "etcd"
		replicas:    3
		selector: {}
		template: {
			metadata: {
				labels: {app: "etcd", component: "infra", domain: "prod"}
				annotations: {"prometheus.io.scrape": "true", "prometheus.io.port": "2379"}
			}
			spec: {
				// One etcd member per node: anti-affinity on the hostname key.
				affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: [{
					labelSelector: matchExpressions: [{key: "app", operator: "In", values: ["etcd"]}]
					topologyKey: "kubernetes.io/hostname"
				}]
				terminationGracePeriodSeconds: 10
				containers: [{
					name:  "etcd"
					image: "quay.io/coreos/etcd:v3.3.10"
					ports: [{name: "client", containerPort: 2379}, {name: "peer", containerPort: 2380}]
					livenessProbe: {
						httpGet: {path: "/health", port: "client"}
						initialDelaySeconds: 30
					}
					volumeMounts: [{name: "etcd3", mountPath: "/data"}]
					env: [
						{name: "ETCDCTL_API", value: "3"},
						{name: "ETCD_AUTO_COMPACTION_RETENTION", value: "4"},
						{name: "NAME", valueFrom: fieldRef: fieldPath: "metadata.name"},
						{name: "IP", valueFrom: fieldRef: fieldPath: "status.podIP"},
					]
					command: ["/usr/local/bin/etcd"]
					// NOTE(review): every peer and client URL below is plain
					// http:// and no TLS or client-certificate option appears
					// in args, so any workload that can reach the pod IP on
					// 2379/2380 can read and write this store unauthenticated.
					// etcd supports --cert-file/--key-file with
					// --client-cert-auth/--trusted-ca-file and the matching
					// --peer-* options; a NetworkPolicy limiting 2379/2380 to
					// the intended clients is the complementary control.
					// -discovery points at the public discovery service with a
					// placeholder token, so bootstrap as listed depends on an
					// external endpoint.
					args: [
						"-name", "$(NAME)",
						"-data-dir", "/data/etcd3",
						"-initial-advertise-peer-urls", "http://$(IP):2380",
						"-listen-peer-urls", "http://$(IP):2380",
						"-listen-client-urls", "http://$(IP):2379,http://127.0.0.1:2379",
						"-advertise-client-urls", "http://$(IP):2379",
						"-discovery", "https://discovery.etcd.io/xxxxxx",
					]
				}]
			}
		}
		volumeClaimTemplates: [{
			metadata: {
				name: "etcd3"
				annotations: {"volume.alpha.kubernetes.io/storage-class": "default"}
			}
			spec: {
				accessModes: ["ReadWriteOnce"]
				resources: requests: storage: "10Gi"
			}
		}]
	}
	metadata: {name: "etcd", labels: {component: "infra"}}
	kind:       "StatefulSet"
	apiVersion: "apps/v1"
}
configMap: {}
service: events: {
	spec: {
		ports: [{name: "grpc", port: 7788, protocol: "TCP", targetPort: 7788}]
		selector: {app: "events", domain: "prod", component: "infra"}
	}
	metadata: {
		name: "events"
		labels: {app: "events", domain: "prod", component: "infra"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: events: {
	spec: {
		replicas: 2
		selector: {}
		template: {
			metadata: {
				labels: {app: "events", domain: "prod", component: "infra"}
				annotations: {"prometheus.io.scrape": "true", "prometheus.io.port": "7080"}
			}
			spec: {
				affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: [{
					labelSelector: matchExpressions: [{key: "app", operator: "In", values: ["events"]}]
					topologyKey: "kubernetes.io/hostname"
				}]
				volumes: [{name: "secret-volume", secret: {secretName: "biz-secrets"}}]
				containers: [{
					name:  "events"
					image: "gcr.io/myproj/events:v0.1.31"
					ports: [{containerPort: 7080}, {containerPort: 7788}]
					args: ["-cert=/etc/ssl/server.pem", "-key=/etc/ssl/server.key", "-grpc=:7788"]
					// NOTE(review): the whole Secret is mounted over /etc/ssl,
					// which hides anything the image ships in that directory
					// and exposes every key of biz-secrets to the container,
					// not only server.pem/server.key -- confirm both are
					// intended.
					volumeMounts: [{mountPath: "/etc/ssl", name: "secret-volume"}]
				}]
			}
		}
	}
	metadata: {name: "events", labels: {component: "infra"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "infra"
daemonSet: {}
statefulSet: {}
configMap: {}
// NOTE(review): type LoadBalancer with a fixed address publishes this Service
// outside the cluster on 443 (forwarded to 7443). No loadBalancerSourceRanges
// is set, so source filtering, if any, happens elsewhere -- confirm. The port
// is named "http" although it is the 443 listener.
service: tasks: {
	spec: {
		type:           "LoadBalancer"
		loadBalancerIP: "1.2.3.4"
		ports: [{port: 443, name: "http", protocol: "TCP", targetPort: 7443}]
		selector: {app: "tasks", domain: "prod", component: "infra"}
	}
	metadata: {
		name: "tasks"
		labels: {app: "tasks", domain: "prod", component: "infra"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: tasks: {
	spec: {
		replicas: 1
		selector: {}
		template: {
			metadata: {
				labels: {app: "tasks", domain: "prod", component: "infra"}
				annotations: {"prometheus.io.scrape": "true", "prometheus.io.port": "7080"}
			}
			spec: {
				// NOTE(review): star-example-com-secrets is also mounted by
				// the watcher Deployment later in this listing; the name
				// suggests a wildcard certificate (inferred from the name
				// only), in which case a compromise of either pod exposes a
				// key valid for the whole domain.
				volumes: [{name: "secret-volume", secret: {secretName: "star-example-com-secrets"}}]
				containers: [{
					name:  "tasks"
					image: "gcr.io/myproj/tasks:v0.2.6"
					ports: [{containerPort: 7080}, {containerPort: 7443}]
					volumeMounts: [{mountPath: "/etc/ssl", name: "secret-volume"}]
				}]
			}
		}
	}
	metadata: {name: "tasks", labels: {component: "infra"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "infra"
daemonSet: {}
statefulSet: {}
configMap: {}
service: updater: {
	spec: {
		ports: [{port: 8080, targetPort: 8080, name: "client", protocol: "TCP"}]
		selector: {app: "updater", domain: "prod", component: "infra"}
	}
	metadata: {
		name: "updater"
		labels: {app: "updater", domain: "prod", component: "infra"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
// The braces of this Deployment are written out in full because the container
// entry is still open at the end of this line of the listing.
deployment: {
	updater: {
		spec: {
			replicas: 1
			selector: {}
			template: {
				metadata: {labels: {app: "updater", domain: "prod", component: "infra"}}
				spec: {
					volumes: [{name: "secret-updater", secret: {secretName: "updater-secrets"}}]
					containers: [{
// Continues the updater container entry opened on the previous line of the
// listing, then lists watcher and the first "kitchen" results.
name:  "updater"
image: "gcr.io/myproj/updater:v0.1.0"
volumeMounts: [{mountPath: "/etc/certs", name: "secret-updater"}]
ports: [{containerPort: 8080}]
args: ["-key=/etc/certs/updater.pem"]
}] // containers
} // pod spec
} // template
} // deployment spec
metadata: {name: "updater", labels: {component: "infra"}}
kind:       "Deployment"
apiVersion: "apps/v1"
} // updater
} // deployment
#Component: "infra"
daemonSet: {}
statefulSet: {}
configMap: {}
// NOTE(review): loadBalancerIP "1.2.3.4." ends in a dot and is not a valid
// IPv4 literal; without the dot it would equal the address used by the tasks
// Service earlier in this listing -- confirm the intended address. As a
// LoadBalancer this publishes port 7788 outside the cluster with no
// loadBalancerSourceRanges set.
service: watcher: {
	spec: {
		type:           "LoadBalancer"
		loadBalancerIP: "1.2.3.4."
		ports: [{name: "http", port: 7788, protocol: "TCP", targetPort: 7788}]
		selector: {app: "watcher", domain: "prod", component: "infra"}
	}
	metadata: {
		name: "watcher"
		labels: {app: "watcher", domain: "prod", component: "infra"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: watcher: {
	spec: {
		replicas: 1
		selector: {}
		template: {
			metadata: labels: {app: "watcher", domain: "prod", component: "infra"}
			spec: {
				// Same Secret as the tasks Deployment earlier in this listing.
				volumes: [{name: "secret-volume", secret: {secretName: "star-example-com-secrets"}}]
				containers: [{
					name:  "watcher"
					image: "gcr.io/myproj/watcher:v0.1.0"
					ports: [{containerPort: 7080}, {containerPort: 7788}]
					volumeMounts: [{mountPath: "/etc/ssl", name: "secret-volume"}]
				}]
			}
		}
	}
	metadata: {name: "watcher", labels: {component: "infra"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "infra"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {}
deployment: {}
#Component: "kitchen"
daemonSet: {}
statefulSet: {}
configMap: {}
service: caller: {
	spec: {
		ports: [{port: 8080, targetPort: 8080, name: "client", protocol: "TCP"}]
		selector: {app: "caller", domain: "prod", component: "kitchen"}
	}
	metadata: {
		name: "caller"
		labels: {app: "caller", domain: "prod", component: "kitchen"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: caller: {
	spec: {
		replicas: 3
		selector: {}
		template: {
			metadata: {
				labels: {app: "caller", domain: "prod", component: "kitchen"}
				annotations: {"prometheus.io.scrape": "true"}
			}
			spec: {
				// NOTE(review): the generic Secret named "secrets" is mounted
				// here and again by linecook and pastrychef later in this
				// listing. Each of those pods sees every key in it, including
				// the tunnel private key referenced below; a per-app Secret
				// holding only what that app reads narrows the exposure.
				volumes: [
					{name: "ssd-caller", gcePersistentDisk: {pdName: "ssd-caller", fsType: "ext4"}},
					{name: "secret-caller", secret: {secretName: "caller-secrets"}},
					{name: "secret-ssh-key", secret: {secretName: "secrets"}},
				]
				containers: [{
					name:  "caller"
					image: "gcr.io/myproj/caller:v0.20.14"
					volumeMounts: [
						{name: "ssd-caller", mountPath: "/logs"},
						{mountPath: "/etc/certs", name: "secret-caller", readOnly: true},
						{mountPath: "/sslcerts", name: "secret-ssh-key", readOnly: true},
					]
					args: [
						"-env=prod",
						"-key=/etc/certs/client.key",
						"-cert=/etc/certs/client.pem",
						"-ca=/etc/certs/servfx.ca",
						"-ssh-tunnel-key=/sslcerts/tunnel-private.pem",
						"-logdir=/logs",
						"-event-server=events:7788",
					]
					ports: [{containerPort: 8080}]
					// NOTE(review): the health check lives under /debug on the
					// same port 8080 that the Service publishes; confirm no
					// other /debug handlers are reachable through it.
					livenessProbe: {
						httpGet: {path: "/debug/health", port: 8080}
						initialDelaySeconds: 40
						periodSeconds:       3
					}
				}]
			}
		}
	}
	metadata: {name: "caller", labels: {component: "kitchen"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "kitchen"
daemonSet: {}
statefulSet: {}
configMap: {}
service: dishwasher: {
	spec: {
		ports: [{port: 8080, targetPort: 8080, name: "client", protocol: "TCP"}]
		selector: {app: "dishwasher", domain: "prod", component: "kitchen"}
	}
	metadata: {
		name: "dishwasher"
		labels: {app: "dishwasher", domain: "prod", component: "kitchen"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: dishwasher: {
	spec: {
		replicas: 5
		selector: {}
		template: {
			metadata: {
				labels: {app: "dishwasher", domain: "prod", component: "kitchen"}
				annotations: {"prometheus.io.scrape": "true"}
			}
			spec: {
				// Both secret volumes reference dishwasher-secrets, so the
				// same Secret content appears at /sslcerts and at /etc/certs.
				volumes: [
					{name: "dishwasher-disk", gcePersistentDisk: {pdName: "dishwasher-disk", fsType: "ext4"}},
					{name: "secret-dishwasher", secret: {secretName: "dishwasher-secrets"}},
					{name: "secret-ssh-key", secret: {secretName: "dishwasher-secrets"}},
				]
				containers: [{
					name:  "dishwasher"
					image: "gcr.io/myproj/dishwasher:v0.2.13"
					volumeMounts: [
						{name: "dishwasher-disk", mountPath: "/logs"},
						{mountPath: "/sslcerts", name: "secret-dishwasher", readOnly: true},
						{mountPath: "/etc/certs", name: "secret-ssh-key", readOnly: true},
					]
					args: [
						"-env=prod",
						"-ssh-tunnel-key=/etc/certs/tunnel-private.pem",
						"-logdir=/logs",
						"-event-server=events:7788",
					]
					ports: [{containerPort: 8080}]
					livenessProbe: {
						httpGet: {path: "/debug/health", port: 8080}
						initialDelaySeconds: 40
						periodSeconds:       3
					}
				}]
			}
		}
	}
	metadata: {name: "dishwasher", labels: {component: "kitchen"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "kitchen"
daemonSet: {}
statefulSet: {}
configMap: {}
service: expiditer: {
	spec: {
		ports: [{port: 8080, targetPort: 8080, name: "client", protocol: "TCP"}]
		selector: {app: "expiditer", domain: "prod", component: "kitchen"}
	}
	metadata: {
		name: "expiditer"
		labels: {app: "expiditer", domain: "prod", component: "kitchen"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: expiditer: {
	spec: {
		replicas: 1
		selector: {}
		template: {
			metadata: {
				labels: {app: "expiditer", domain: "prod", component: "kitchen"}
				annotations: {"prometheus.io.scrape": "true"}
			}
			spec: {
				volumes: [
					{name: "expiditer-disk", gcePersistentDisk: {pdName: "expiditer-disk", fsType: "ext4"}},
					{name: "secret-expiditer", secret: {secretName: "expiditer-secrets"}},
				]
				containers: [{
					name:  "expiditer"
					image: "gcr.io/myproj/expiditer:v0.5.34"
					args: [
						"-env=prod",
						"-ssh-tunnel-key=/etc/certs/tunnel-private.pem",
						"-logdir=/logs",
						"-event-server=events:7788",
					]
					ports: [{containerPort: 8080}]
					volumeMounts: [
						{name: "expiditer-disk", mountPath: "/logs"},
						{mountPath: "/etc/certs", name: "secret-expiditer", readOnly: true},
					]
					livenessProbe: {
						httpGet: {path: "/debug/health", port: 8080}
						initialDelaySeconds: 40
						periodSeconds:       3
					}
				}]
			}
		}
	}
	metadata: {name: "expiditer", labels: {component: "kitchen"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "kitchen"
daemonSet: {}
statefulSet: {}
configMap: {}
// The braces of this Service are written out in full because its labels struct
// is still open at the end of this line of the listing.
service: {
	headchef: {
		spec: {
			ports: [{port: 8080, targetPort: 8080, name: "client", protocol: "TCP"}]
			selector: {app: "headchef", domain: "prod", component: "kitchen"}
		}
		metadata: {
			name: "headchef"
			labels: {
				app:    "headchef"
				domain: "prod"
// Continues the labels struct of the headchef Service opened on the previous
// line of the listing, then lists the remaining "kitchen" results and the
// first "mon" results.
component: "kitchen"
} // labels
} // metadata
kind:       "Service"
apiVersion: "v1"
} // headchef
} // service
deployment: headchef: {
	spec: {
		replicas: 1
		selector: {}
		template: {
			metadata: {
				labels: {app: "headchef", domain: "prod", component: "kitchen"}
				annotations: {"prometheus.io.scrape": "true"}
			}
			spec: {
				volumes: [
					{name: "headchef-disk", gcePersistentDisk: {pdName: "headchef-disk", fsType: "ext4"}},
					{name: "secret-headchef", secret: {secretName: "headchef-secrets"}},
				]
				containers: [{
					name:  "headchef"
					image: "gcr.io/myproj/headchef:v0.2.16"
					volumeMounts: [
						{name: "headchef-disk", mountPath: "/logs"},
						{mountPath: "/sslcerts", name: "secret-headchef", readOnly: true},
					]
					args: ["-env=prod", "-logdir=/logs", "-event-server=events:7788"]
					ports: [{containerPort: 8080}]
					livenessProbe: {
						httpGet: {path: "/debug/health", port: 8080}
						initialDelaySeconds: 40
						periodSeconds:       3
					}
				}]
			}
		}
	}
	metadata: {name: "headchef", labels: {component: "kitchen"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "kitchen"
daemonSet: {}
statefulSet: {}
configMap: {}
service: linecook: {
	spec: {
		ports: [{port: 8080, targetPort: 8080, name: "client", protocol: "TCP"}]
		selector: {app: "linecook", domain: "prod", component: "kitchen"}
	}
	metadata: {
		name: "linecook"
		labels: {app: "linecook", domain: "prod", component: "kitchen"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: linecook: {
	spec: {
		replicas: 1
		selector: {}
		template: {
			metadata: {
				labels: {app: "linecook", domain: "prod", component: "kitchen"}
				annotations: {"prometheus.io.scrape": "true"}
			}
			spec: {
				// NOTE(review): the generic Secret "secrets" (also mounted by
				// caller and pastrychef in this listing) is mounted at
				// /etc/certs, yet none of the args below names a file under
				// that path. If the app does not read it, dropping the mount
				// removes an unnecessary copy of shared key material.
				volumes: [
					{name: "linecook-disk", gcePersistentDisk: {pdName: "linecook-disk", fsType: "ext4"}},
					{name: "secret-kitchen", secret: {secretName: "secrets"}},
				]
				containers: [{
					name:  "linecook"
					image: "gcr.io/myproj/linecook:v0.1.42"
					volumeMounts: [
						{name: "linecook-disk", mountPath: "/logs"},
						{name: "secret-kitchen", mountPath: "/etc/certs", readOnly: true},
					]
					args: [
						"-name=linecook",
						"-env=prod",
						"-logdir=/logs",
						"-event-server=events:7788",
						"-etcd", "etcd:2379",
						"-reconnect-delay", "1h",
						"-recovery-overlap", "100000",
					]
					ports: [{containerPort: 8080}]
					livenessProbe: {
						httpGet: {path: "/debug/health", port: 8080}
						initialDelaySeconds: 40
						periodSeconds:       3
					}
				}]
			}
		}
	}
	metadata: {name: "linecook", labels: {component: "kitchen"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "kitchen"
daemonSet: {}
statefulSet: {}
configMap: {}
service: pastrychef: {
	spec: {
		ports: [{port: 8080, targetPort: 8080, name: "client", protocol: "TCP"}]
		selector: {app: "pastrychef", domain: "prod", component: "kitchen"}
	}
	metadata: {
		name: "pastrychef"
		labels: {app: "pastrychef", domain: "prod", component: "kitchen"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: pastrychef: {
	spec: {
		replicas: 1
		selector: {}
		template: {
			metadata: {
				labels: {app: "pastrychef", domain: "prod", component: "kitchen"}
				annotations: {"prometheus.io.scrape": "true"}
			}
			spec: {
				// Third consumer of the shared Secret "secrets" in this
				// listing (with caller and linecook).
				volumes: [
					{name: "pastrychef-disk", gcePersistentDisk: {pdName: "pastrychef-disk", fsType: "ext4"}},
					{name: "secret-ssh-key", secret: {secretName: "secrets"}},
				]
				containers: [{
					name:  "pastrychef"
					image: "gcr.io/myproj/pastrychef:v0.1.15"
					volumeMounts: [
						{name: "pastrychef-disk", mountPath: "/logs"},
						{name: "secret-ssh-key", mountPath: "/etc/certs", readOnly: true},
					]
					args: [
						"-env=prod",
						"-ssh-tunnel-key=/etc/certs/tunnel-private.pem",
						"-logdir=/logs",
						"-event-server=events:7788",
						"-reconnect-delay=1m",
						"-etcd=etcd:2379",
						"-recovery-overlap=10000",
					]
					ports: [{containerPort: 8080}]
					livenessProbe: {
						httpGet: {path: "/debug/health", port: 8080}
						initialDelaySeconds: 40
						periodSeconds:       3
					}
				}]
			}
		}
	}
	metadata: {name: "pastrychef", labels: {component: "kitchen"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "kitchen"
daemonSet: {}
statefulSet: {}
configMap: {}
service: souschef: {
	spec: {
		ports: [{port: 8080, targetPort: 8080, name: "client", protocol: "TCP"}]
		selector: {app: "souschef", domain: "prod", component: "kitchen"}
	}
	metadata: {
		name: "souschef"
		labels: {app: "souschef", domain: "prod", component: "kitchen"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: souschef: {
	spec: {
		replicas: 1
		selector: {}
		template: {
			metadata: {
				labels: {app: "souschef", domain: "prod", component: "kitchen"}
				annotations: {"prometheus.io.scrape": "true"}
			}
			spec: containers: [{
				name:  "souschef"
				image: "gcr.io/myproj/souschef:v0.5.3"
				ports: [{containerPort: 8080}]
				livenessProbe: {
					httpGet: {path: "/debug/health", port: 8080}
					initialDelaySeconds: 40
					periodSeconds:       3
				}
			}]
		}
	}
	metadata: {name: "souschef", labels: {component: "kitchen"}}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "kitchen"
daemonSet: {}
statefulSet: {}
configMap: {}
service: {}
deployment: {}
#Component: "mon"
daemonSet: {}
statefulSet: {}
configMap: {}
service: alertmanager: {
	metadata: {
		name: "alertmanager"
		annotations: {"prometheus.io/scrape": "true", "prometheus.io/path": "/metrics"}
		labels: {app: "alertmanager", domain: "prod", component: "mon"}
	}
	spec: {
		ports: [{name: "main", port: 9093, protocol: "TCP", targetPort: 9093}]
		selector: {app: "alertmanager", domain: "prod", component: "mon"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
// NOTE(review): nothing in this Deployment puts authentication in front of
// port 9093; the https external URL suggests TLS and access control are
// handled by something outside this listing (inferred) -- confirm, since the
// Alertmanager UI and API allow silencing alerts.
// The outer braces are written out in full because the object is still open
// at the end of this line of the listing.
deployment: {
	alertmanager: {
		spec: {
			replicas: 1
			selector: matchLabels: app: "alertmanager"
			template: {
				metadata: {
					name: "alertmanager"
					labels: {app: "alertmanager", domain: "prod", component: "mon"}
				}
				spec: {
					containers: [{
						name:  "alertmanager"
						image: "prom/alertmanager:v0.15.2"
						args: [
							"--config.file=/etc/alertmanager/alerts.yaml",
							"--storage.path=/alertmanager",
							"--web.external-url=https://alertmanager.example.com",
						]
						ports: [{name: "alertmanager", containerPort: 9093}]
						volumeMounts: [
							{name: "config-volume", mountPath: "/etc/alertmanager"},
							{name: "alertmanager", mountPath: "/alertmanager"},
						]
					}]
					volumes: [
						{name: "config-volume", configMap: {name: "alertmanager"}},
						{name: "alertmanager", emptyDir: {}},
					]
				}
			}
		}
		metadata: {name: "alertmanager", labels: {component: "mon"}}
		kind: "Deployment"
// Continues the alertmanager Deployment opened on the previous line of the
// listing, then lists the rest of the "mon" results (alertmanager config,
// grafana, node-exporter, and the start of prometheus).
apiVersion: "apps/v1"
} // alertmanager
} // deployment
#Component: "mon"
daemonSet: {}
statefulSet: {}
configMap: alertmanager: {
	apiVersion: "v1"
	kind:       "ConfigMap"
	data: {
		// The embedded YAML is kept exactly as it appears in this listing,
		// where its line breaks have been lost.
		"alerts.yaml": """ receivers: - name: pager slack_configs: - channel: '#cloudmon' text: |- {{ range .Alerts }}{{ .Annotations.description }} {{ end }} send_resolved: true route: receiver: pager group_by: - alertname - cluster """
	}
	metadata: {name: "alertmanager", labels: {component: "mon"}}
}
service: grafana: {
	spec: {
		ports: [{name: "grafana", port: 3000, protocol: "TCP", targetPort: 3000}]
		selector: {app: "grafana", domain: "prod", component: "mon"}
	}
	metadata: {
		name: "grafana"
		labels: {app: "grafana", domain: "prod", component: "mon"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: grafana: {
	metadata: {name: "grafana", labels: {app: "grafana", component: "mon"}}
	spec: {
		replicas: 1
		selector: {}
		template: {
			metadata: labels: {app: "grafana", domain: "prod", component: "mon"}
			spec: {
				volumes: [{name: "grafana-volume", gcePersistentDisk: {pdName: "grafana-volume", fsType: "ext4"}}]
				containers: [{
					name: "grafana"
					// NOTE(review): 4.5.2 is a dated Grafana release; check it
					// against current advisories before reuse.
					image: "grafana/grafana:4.5.2"
					// The Service above targets port 3000 while 8080 is
					// declared here -- confirm which port Grafana listens on.
					ports: [{containerPort: 8080}]
					resources: {
						limits: {cpu: "100m", memory: "100Mi"}
						requests: {cpu: "100m", memory: "100Mi"}
					}
					// NOTE(review): basic auth is switched off and anonymous
					// access is switched on with the org role set to admin, so
					// every client that can reach this Service is treated as
					// an administrator without logging in (dashboards, data
					// source settings and stored credentials included). Give
					// anonymous users a read-only role (Grafana's "Viewer") or
					// keep authentication on and expose Grafana only behind an
					// authenticating proxy.
					env: [
						{name: "GF_AUTH_BASIC_ENABLED", value: "false"},
						{name: "GF_AUTH_ANONYMOUS_ENABLED", value: "true"},
						{name: "GF_AUTH_ANONYMOUS_ORG_ROLE", value: "admin"},
					]
					volumeMounts: [{name: "grafana-volume", mountPath: "/var/lib/grafana"}]
				}]
			}
		}
	}
	kind:       "Deployment"
	apiVersion: "apps/v1"
}
#Component: "mon"
daemonSet: {}
statefulSet: {}
configMap: {}
service: "node-exporter": {
	metadata: {
		name: "node-exporter"
		annotations: {"prometheus.io/scrape": "true"}
		labels: {app: "node-exporter", domain: "prod", component: "mon"}
	}
	spec: {
		type:      "ClusterIP"
		clusterIP: "None"
		ports: [{name: "metrics", port: 9100, protocol: "TCP", targetPort: 9100}]
		selector: {app: "node-exporter", component: "mon", domain: "prod"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
deployment: {}
#Component: "mon"
daemonSet: "node-exporter": {
	spec: {
		selector: {}
		template: {
			metadata: {
				name: "node-exporter"
				labels: {app: "node-exporter", component: "mon", domain: "prod"}
			}
			spec: {
				// NOTE(review): hostNetwork and hostPID, together with the
				// hostPath mounts of /proc and /sys below (mounted read-only),
				// give this pod a view of every process and interface on the
				// node. That is the usual shape for node-exporter, but it
				// makes the image a high-value target: restrict who may
				// create pods with these settings, and note that hostPort
				// 9100 is reachable on the node's own address.
				hostNetwork: true
				hostPID:     true
				containers: [{
					name:  "node-exporter"
					image: "quay.io/prometheus/node-exporter:v0.16.0"
					args: ["--path.procfs=/host/proc", "--path.sysfs=/host/sys"]
					ports: [{containerPort: 9100, hostPort: 9100, name: "scrape"}]
					resources: {
						requests: {memory: "30Mi", cpu: "100m"}
						limits: {memory: "50Mi", cpu: "200m"}
					}
					volumeMounts: [
						{name: "proc", readOnly: true, mountPath: "/host/proc"},
						{name: "sys", readOnly: true, mountPath: "/host/sys"},
					]
				}]
				volumes: [
					{name: "proc", hostPath: {path: "/proc"}},
					{name: "sys", hostPath: {path: "/sys"}},
				]
			}
		}
	}
	metadata: {name: "node-exporter", labels: {component: "mon"}}
	kind:       "DaemonSet"
	apiVersion: "apps/v1"
}
statefulSet: {}
configMap: {}
// NOTE(review): type NodePort publishes Prometheus (9090) on port 30900 of
// every node. Nothing in this listing places authentication in front of it,
// so reachability is decided by node firewalling alone -- confirm, or switch
// to ClusterIP and route access through an authenticating proxy.
service: prometheus: {
	metadata: {
		name: "prometheus"
		annotations: {"prometheus.io/scrape": "true"}
		labels: {app: "prometheus", domain: "prod", component: "mon"}
	}
	spec: {
		type: "NodePort"
		ports: [{name: "main", nodePort: 30900, port: 9090, protocol: "TCP", targetPort: 9090}]
		selector: {app: "prometheus", domain: "prod", component: "mon"}
	}
	kind:       "Service"
	apiVersion: "v1"
}
// The braces of this Deployment are written out in full because its volumes
// entry is still open at the end of this line of the listing.
deployment: {
	prometheus: {
		spec: {
			replicas: 1
			strategy: {
				rollingUpdate: {maxSurge: 0, maxUnavailable: 1}
				type: "RollingUpdate"
			}
			selector: matchLabels: app: "prometheus"
			template: {
				metadata: {
					name: "prometheus"
					labels: {app: "prometheus", domain: "prod", component: "mon"}
					annotations: {"prometheus.io.scrape": "true"}
				}
				spec: {
					containers: [{
						name:  "prometheus"
						image: "prom/prometheus:v2.4.3"
						args: [
							"--config.file=/etc/prometheus/prometheus.yml",
							"--web.external-url=https://prometheus.example.com",
						]
						ports: [{name: "web", containerPort: 9090}]
						volumeMounts: [{name: "config-volume", mountPath: "/etc/prometheus"}]
					}]
					volumes: [{
						name: "config-volume"
configMap: { name: "prometheus" } }] } } } metadata: { name: "prometheus" labels: { component: "mon" } } kind: "Deployment" apiVersion: "apps/v1" } } #Component: "mon" daemonSet: {} statefulSet: {} configMap: { prometheus: { apiVersion: "v1" kind: "ConfigMap" data: { "alert.rules": """ groups: - name: rules.yaml rules: - alert: InstanceDown expr: up == 0 for: 30s labels: severity: page annotations: description: '{{$labels.app}} of job {{ $labels.job }} has been down for more than 30 seconds.' summary: Instance {{$labels.app}} down - alert: InsufficientPeers expr: count(up{job="etcd"} == 0) > (count(up{job="etcd"}) / 2 - 1) for: 3m labels: severity: page annotations: description: If one more etcd peer goes down the cluster will be unavailable summary: etcd cluster small - alert: EtcdNoMaster expr: sum(etcd_server_has_leader{app="etcd"}) == 0 for: 1s labels: severity: page annotations: summary: No ETCD master elected. - alert: PodRestart expr: (max_over_time(pod_container_status_restarts_total[5m]) - min_over_time(pod_container_status_restarts_total[5m])) > 2 for: 1m labels: severity: page annotations: description: '{{$labels.app}} {{ $labels.container }} resturted {{ $value }} times in 5m.' 
summary: Pod for {{$labels.container}} restarts too often """ "prometheus.yml": """ global: scrape_interval: 15s rule_files: - /etc/prometheus/alert.rules alerting: alertmanagers: - scheme: http static_configs: - targets: - alertmanager:9093 scrape_configs: - job_name: kubernetes-apiservers kubernetes_sd_configs: - role: endpoints scheme: https tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token relabel_configs: - source_labels: - __meta_kubernetes_namespace - __meta_kubernetes_service_name - __meta_kubernetes_endpoint_port_name action: keep regex: default;kubernetes;https - job_name: kubernetes-nodes scheme: https tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token kubernetes_sd_configs: - role: node relabel_configs: - action: labelmap regex: __meta_kubernetes_node_label_(.+) - target_label: __address__ replacement: kubernetes.default.svc:443 - source_labels: - __meta_kubernetes_node_name regex: (.+) target_label: __metrics_path__ replacement: /api/v1/nodes/${1}/proxy/metrics - job_name: kubernetes-cadvisor scheme: https tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token kubernetes_sd_configs: - role: node relabel_configs: - action: labelmap regex: __meta_kubernetes_node_label_(.+) - target_label: __address__ replacement: kubernetes.default.svc:443 - source_labels: - __meta_kubernetes_node_name regex: (.+) target_label: __metrics_path__ replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor - job_name: kubernetes-service-endpoints kubernetes_sd_configs: - role: endpoints relabel_configs: - source_labels: - __meta_kubernetes_service_annotation_prometheus_io_scrape action: keep regex: true - source_labels: - __meta_kubernetes_service_annotation_prometheus_io_scheme action: replace 
target_label: __scheme__ regex: (https?) - source_labels: - __meta_kubernetes_service_annotation_prometheus_io_path action: replace target_label: __metrics_path__ regex: (.+) - source_labels: - __address__ - __meta_kubernetes_service_annotation_prometheus_io_port action: replace target_label: __address__ regex: ([^:]+)(?::\\d+)?;(\\d+) replacement: $1:$2 - action: labelmap regex: __meta_kubernetes_service_label_(.+) - source_labels: - __meta_kubernetes_namespace action: replace target_label: kubernetes_namespace - source_labels: - __meta_kubernetes_service_name action: replace target_label: kubernetes_name - job_name: kubernetes-services metrics_path: /probe params: module: - http_2xx kubernetes_sd_configs: - role: service relabel_configs: - source_labels: - __meta_kubernetes_service_annotation_prometheus_io_probe action: keep regex: true - source_labels: - __address__ target_label: __param_target - target_label: __address__ replacement: blackbox-exporter.example.com:9115 - source_labels: - __param_target target_label: app - action: labelmap regex: __meta_kubernetes_service_label_(.+) - source_labels: - __meta_kubernetes_namespace target_label: kubernetes_namespace - source_labels: - __meta_kubernetes_service_name target_label: kubernetes_name - job_name: kubernetes-ingresses metrics_path: /probe params: module: - http_2xx kubernetes_sd_configs: - role: ingress relabel_configs: - source_labels: - __meta_kubernetes_ingress_annotation_prometheus_io_probe action: keep regex: true - source_labels: - __meta_kubernetes_ingress_scheme - __address__ - __meta_kubernetes_ingress_path regex: (.+);(.+);(.+) replacement: ${1}://${2}${3} target_label: __param_target - target_label: __address__ replacement: blackbox-exporter.example.com:9115 - source_labels: - __param_target target_label: app - action: labelmap regex: __meta_kubernetes_ingress_label_(.+) - source_labels: - __meta_kubernetes_namespace target_label: kubernetes_namespace - source_labels: - 
__meta_kubernetes_ingress_name target_label: kubernetes_name - job_name: kubernetes-pods kubernetes_sd_configs: - role: pod relabel_configs: - source_labels: - __meta_kubernetes_pod_annotation_prometheus_io_scrape action: keep regex: true - source_labels: - __meta_kubernetes_pod_annotation_prometheus_io_path action: replace target_label: __metrics_path__ regex: (.+) - source_labels: - __address__ - __meta_kubernetes_pod_annotation_prometheus_io_port action: replace regex: ([^:]+)(?::\\d+)?;(\\d+) replacement: $1:$2 target_label: __address__ - action: labelmap regex: __meta_kubernetes_pod_label_(.+) - source_labels: - __meta_kubernetes_namespace action: replace target_label: kubernetes_namespace - source_labels: - __meta_kubernetes_pod_name action: replace target_label: kubernetes_pod_name """ } metadata: { name: "prometheus" labels: { component: "mon" } } } } service: {} deployment: {} #Component: "proxy" daemonSet: {} statefulSet: {} configMap: {} service: { authproxy: { spec: { ports: [{ port: 4180 targetPort: 4180 name: "client" protocol: "TCP" }] selector: { app: "authproxy" domain: "prod" component: "proxy" } } metadata: { name: "authproxy" labels: { app: "authproxy" domain: "prod" component: "proxy" } } kind: "Service" apiVersion: "v1" } } deployment: { authproxy: { spec: { replicas: 1 selector: {} template: { metadata: { labels: { app: "authproxy" domain: "prod" component: "proxy" } } spec: { containers: [{ name: "authproxy" image: "skippy/oauth2_proxy:2.0.1" ports: [{ containerPort: 4180 }] args: ["--config=/etc/authproxy/authproxy.cfg"] volumeMounts: [{ name: "config-volume" mountPath: "/etc/authproxy" }] }] volumes: [{ name: "config-volume" configMap: { name: "authproxy" } }] } } } metadata: { name: "authproxy" labels: { component: "proxy" } } kind: "Deployment" apiVersion: "apps/v1" } } #Component: "proxy" daemonSet: {} statefulSet: {} configMap: { authproxy: { apiVersion: "v1" kind: "ConfigMap" data: { "authproxy.cfg": """ # Google Auth Proxy Config 
File ## https://github.com/bitly/google_auth_proxy ## <addr>:<port> to listen on for HTTP clients http_address = "0.0.0.0:4180" ## the OAuth Redirect URL. redirect_url = "https://auth.example.com/oauth2/callback" ## the http url(s) of the upstream endpoint. If multiple, routing is based on path upstreams = [ # frontend "http://frontend-waiter:7080/dpr/", "http://frontend-maitred:7080/ui/", "http://frontend-maitred:7080/ui", "http://frontend-maitred:7080/report/", "http://frontend-maitred:7080/report", "http://frontend-maitred:7080/static/", # kitchen "http://kitchen-chef:8080/visit", # infrastructure "http://download:7080/file/", "http://download:7080/archive", "http://tasks:7080/tasks", "http://tasks:7080/tasks/", ] ## pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream pass_basic_auth = true request_logging = true ## Google Apps Domains to allow authentication for google_apps_domains = [ "mod.test", ] email_domains = [ "mod.test", ] ## The Google OAuth Client ID, Secret ## NOTE(review): a ConfigMap is not a secret store; keep the real client_secret and cookie_secret in a Kubernetes Secret instead of this file (oauth2_proxy also reads OAUTH2_PROXY_CLIENT_SECRET and OAUTH2_PROXY_COOKIE_SECRET from the environment). client_id = "---" client_secret = "---" ## Cookie Settings ## Secret - the seed string for secure cookies ## Domain - optional cookie domain to force cookies to (ie: .yourcompany.com) ## Expire - expire timeframe for cookie cookie_secret = "won't tell you" cookie_domain = ".example.com" cookie_https_only = true """ } metadata: { name: "authproxy" labels: { component: "proxy" } } } } service: { goget: { spec: { type: "LoadBalancer" loadBalancerIP: "1.3.5.7" ports: [{ port: 443 name: "https" protocol: "TCP" targetPort: 7443 }] selector: { app: "goget" domain: "prod" component: "proxy" } } metadata: { name: "goget" labels: { app: "goget" domain: "prod" component: "proxy" } } kind: "Service" apiVersion: "v1" } } deployment: { goget: { spec: { replicas: 1 selector: {} template: { metadata: { labels: { app: "goget" domain: "prod" component: "proxy" } } spec: { volumes: [{ name: "secret-volume" secret: { secretName: "goget-secrets" } }] containers: [{ name: "goget" image: 
"gcr.io/myproj/goget:v0.5.1" ports: [{ containerPort: 7443 }] volumeMounts: [{ mountPath: "/etc/ssl" name: "secret-volume" }] }] } } } metadata: { name: "goget" labels: { component: "proxy" } } kind: "Deployment" apiVersion: "apps/v1" } } #Component: "proxy" daemonSet: {} statefulSet: {} configMap: {} service: { nginx: { spec: { type: "LoadBalancer" loadBalancerIP: "1.3.4.5" ports: [{ name: "http" port: 80 protocol: "TCP" targetPort: 80 }, { name: "https" port: 443 protocol: "TCP" targetPort: 443 }] selector: { app: "nginx" domain: "prod" component: "proxy" } } metadata: { name: "nginx" labels: { app: "nginx" domain: "prod" component: "proxy" } } kind: "Service" apiVersion: "v1" } } deployment: { nginx: { spec: { replicas: 1 selector: {} template: { metadata: { labels: { app: "nginx" domain: "prod" component: "proxy" } } spec: { volumes: [{ name: "secret-volume" secret: { secretName: "proxy-secrets" } }, { name: "config-volume" configMap: { name: "nginx" } }] containers: [{ name: "nginx" image: "nginx:1.11.10-alpine" ports: [{ containerPort: 80 }, { containerPort: 443 }] volumeMounts: [{ mountPath: "/etc/ssl" name: "secret-volume" }, { name: "config-volume" mountPath: "/etc/nginx/nginx.conf" subPath: "nginx.conf" }] }] } } } metadata: { name: "nginx" labels: { component: "proxy" } } kind: "Deployment" apiVersion: "apps/v1" } } #Component: "proxy" daemonSet: {} statefulSet: {} configMap: { nginx: { apiVersion: "v1" kind: "ConfigMap" data: { "nginx.conf": """ events { worker_connections 768; } http { sendfile on; tcp_nopush on; tcp_nodelay on; # needs to be high for some download jobs. keepalive_timeout 400; # proxy_connect_timeout 300; proxy_send_timeout 300; proxy_read_timeout 300; send_timeout 300; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; access_log /dev/stdout; error_log /dev/stdout; # Disable POST body size constraints. We often deal with large # files. Especially docker containers may be large. 
client_max_body_size 0; upstream goget { server localhost:7070; } # Redirect incoming Google Cloud Storage notifications: server { listen 443 ssl; server_name notify.example.com notify2.example.com; ssl_certificate /etc/ssl/server.crt; ssl_certificate_key /etc/ssl/server.key; # Security enhancements to deal with poodles and the like. # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html # ssl_ciphers 'AES256+EECDH:AES256+EDH'; ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; # We don't like poodles. # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996), and the cipher list above still admits 3DES (DES-CBC3) suites because !DES does not exclude them; prefer TLSv1.2 or newer with AEAD ciphers unless legacy clients are required. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; # Enable Forward secrecy. ssl_dhparam /etc/ssl/dhparam.pem; ssl_prefer_server_ciphers on; # Enable HSTS. add_header Strict-Transport-Security max-age=1209600; # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486) chunked_transfer_encoding on; location / { proxy_pass http://tasks:7080; proxy_connect_timeout 1; } } server { listen 80; listen 443 ssl; server_name x.example.com example.io; location ~ "(/[^/]+)(/.*)?" 
{ # NOTE(review): $host derives from the client's request (Host header), so it should not choose the proxy_pass upstream unchecked, here or in location / below; confirm server_name limits which hosts reach this block, or map $host through an explicit allowlist of backends. set $myhost $host; if ($arg_go-get = "1") { set $myhost "goget"; } proxy_pass http://$myhost$1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; proxy_connect_timeout 1; } location / { set $myhost $host; if ($arg_go-get = "1") { set $myhost "goget"; } proxy_pass http://$myhost; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; proxy_connect_timeout 1; } } server { listen 80; server_name www.example.com w.example.com; resolver 8.8.8.8; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://$host.default.example.appspot.com/$request_uri; proxy_redirect http://$host.default.example.appspot.com/ /; } } server { # We could add the following line and the connection would still be SSL, # but it doesn't appear to be necessary. Seems safer this way. listen 80; listen 443 default ssl; server_name ~^(?.*)\\.example\\.com$; ssl_certificate /etc/ssl/server.crt; ssl_certificate_key /etc/ssl/server.key; # Security enhancements to deal with poodles and the like. # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html # ssl_ciphers 'AES256+EECDH:AES256+EDH'; ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; # We don't like poodles. # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996), and the cipher list above still admits 3DES (DES-CBC3) suites; prefer TLSv1.2 or newer unless legacy clients are required. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; # Enable Forward secrecy. 
ssl_dhparam /etc/ssl/dhparam.pem; ssl_prefer_server_ciphers on; # Enable HSTS. add_header Strict-Transport-Security max-age=1209600; if ($ssl_protocol = "") { rewrite ^ https://$host$request_uri? permanent; } # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486) chunked_transfer_encoding on; location / { proxy_pass http://authproxy:4180; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; proxy_connect_timeout 1; } } } """ } metadata: { name: "nginx" labels: { component: "proxy" } } } }