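---
# RBAC, Services and Pod for a development Ambassador instance.
#
# rbac.authorization.k8s.io/v1 is used instead of v1beta1: v1beta1 was
# removed in Kubernetes 1.22, and the ClusterRole / ClusterRoleBinding
# schema used here is the same in both versions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ambassador
rules:
  # NOTE(review): this is a ClusterRole, so get/list/watch on `secrets`
  # applies to every namespace. Anything that obtains the `ambassador`
  # ServiceAccount token can read all Secrets in the cluster. If the
  # instance only serves one namespace, prefer a namespaced Role and
  # RoleBinding, or restrict secrets access with resourceNames.
  - apiGroups: [""]
    resources:
      - configmaps
      - endpoints
      - namespaces
      - secrets
      - services
    verbs: ["get", "list", "watch"]
---
# Identity the Pod below runs as (spec.serviceAccountName).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ambassador
---
# Grants the ClusterRole above to the ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ambassador
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ambassador
subjects:
  # NOTE(review): the subject namespace is hard-coded to `default`, while
  # the ServiceAccount and Pod carry no namespace. Applying this file to
  # any other namespace leaves the Pod's ServiceAccount unbound.
  - kind: ServiceAccount
    name: ambassador
    namespace: default
---
# Data-plane Service: HTTP and HTTPS, exposed on every node via NodePort.
apiVersion: v1
kind: Service
metadata:
  name: ambassador
spec:
  type: NodePort
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
  selector:
    service: ambassador
---
# Admin Service. The annotation carries two TLSContext resources that
# reference Secrets by name (client-cert-server-secret, client-cert-secret).
#
# NOTE(review): port 8877 is the same port the Pod's liveness/readiness
# probes use, and NodePort publishes it on every node's address. Outside a
# throwaway test cluster, prefer type ClusterIP (reached through
# `kubectl port-forward`) or a NetworkPolicy limiting who can connect.
apiVersion: v1
kind: Service
metadata:
  labels:
    service: ambassador-admin
  name: ambassador-admin
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: getambassador.io/v2
      kind: TLSContext
      name: server-context
      secret: client-cert-server-secret
      ---
      apiVersion: getambassador.io/v2
      kind: TLSContext
      name: client-context
      secret: client-cert-secret
spec:
  type: NodePort
  ports:
    - name: ambassador-admin
      port: 8877
      targetPort: 8877
  selector:
    service: ambassador
---
# Single Ambassador Pod; Istio sidecar injection is disabled for it.
apiVersion: v1
kind: Pod
metadata:
  name: ambassador
  annotations:
    sidecar.istio.io/inject: "false"
  labels:
    service: ambassador
spec:
  serviceAccountName: ambassador
  containers:
    - name: ambassador
      # NOTE(review): unqualified image name with a mutable dev tag
      # ("-dirty" suggests a build from an uncommitted tree). This is not
      # reproducible or verifiable; for anything beyond local testing use
      # a registry-qualified image pinned by digest.
      # NOTE(review): no securityContext or resource limits are set on
      # this container; confirm that is intended for this environment.
      image: ambassador:flynn-dev-watt-3f84549f-dirty
      env:
        # Namespace the Pod runs in, taken from the downward API.
        - name: AMBASSADOR_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # Debug logging for diagd. Presumably verbose; confirm the debug
        # output contains no secret material before enabling it outside
        # a development cluster.
        - name: AMBASSADOR_DEBUG
          value: "diagd"
      livenessProbe:
        httpGet:
          path: /ambassador/v0/check_alive
          port: 8877
        initialDelaySeconds: 120
        periodSeconds: 3
      readinessProbe:
        httpGet:
          path: /ambassador/v0/check_ready
          port: 8877
        initialDelaySeconds: 120
        periodSeconds: 3
  restartPolicy: Always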