Created
November 30, 2021 17:18
-
-
Save JasonMorgan/1cbffc92b5b0acafccc7a62a52274410 to your computer and use it in GitHub Desktop.
BCloud Manifest
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # | |
| # Buoyant Cloud Agent manifest for NYC1 | |
| # | |
| --- | |
| kind: Namespace | |
| apiVersion: v1 | |
| metadata: | |
| name: buoyant-cloud | |
| annotations: | |
| linkerd.io/inject: enabled | |
| labels: | |
| app.kubernetes.io/part-of: buoyant-cloud | |
| linkerd.io/extension: buoyant | |
| --- | |
| # | |
| # Secrets to identify and authenticate this agent | |
| # | |
| --- | |
| kind: Secret | |
| apiVersion: v1 | |
| metadata: | |
| name: buoyant-cloud-id | |
| namespace: buoyant-cloud | |
| labels: | |
| app.kubernetes.io/part-of: buoyant-cloud | |
| type: Opaque | |
| data: | |
| id: someid | |
| key: somestring | |
| downloadKey: someotherstring | |
| name: somename | |
| --- | |
| # | |
| # RBAC | |
| # | |
| --- | |
| kind: ServiceAccount | |
| apiVersion: v1 | |
| metadata: | |
| name: buoyant-cloud-agent | |
| namespace: buoyant-cloud | |
| labels: | |
| app.kubernetes.io/part-of: buoyant-cloud | |
| --- | |
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: buoyant-cloud-agent | |
| labels: | |
| app.kubernetes.io/part-of: buoyant-cloud | |
| rules: | |
| - apiGroups: [""] | |
| resources: ["services", "pods", "events", "nodes", "nodes/proxy", "pods/log"] | |
| verbs: ["get", "list", "watch"] | |
| - apiGroups: ["policy.linkerd.io"] | |
| resources: ["servers", "serverauthorizations"] | |
| verbs: ["get", "list", "watch"] | |
| - apiGroups: ["linkerd.io"] | |
| resources: ["serviceprofiles"] | |
| verbs: ["list", "get", "watch"] | |
| - apiGroups: ["split.smi-spec.io"] | |
| resources: ["trafficsplits"] | |
| verbs: ["list", "get", "watch"] | |
| - apiGroups: ["multicluster.linkerd.io"] | |
| resources: ["links"] | |
| verbs: ["list", "get", "watch"] | |
| - apiGroups: [""] | |
| resources: ["configmaps"] | |
| resourceNames: ["linkerd-config", "linkerd-identity-trust-roots"] | |
| verbs: ["get"] | |
| - apiGroups: ["apps"] | |
| resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] | |
| verbs: ["list", "get", "watch"] | |
| - apiGroups: ["metrics.k8s.io"] | |
| resources: ["pods"] | |
| verbs: ["list", "get"] | |
| --- | |
| kind: ClusterRoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: buoyant-cloud-agent | |
| labels: | |
| app.kubernetes.io/part-of: buoyant-cloud | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: buoyant-cloud-agent | |
| subjects: | |
| - kind: ServiceAccount | |
| name: buoyant-cloud-agent | |
| namespace: buoyant-cloud | |
| --- | |
| # | |
| # Buoyant Cloud Agent | |
| # | |
| --- | |
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| name: buoyant-cloud-agent | |
| namespace: buoyant-cloud | |
| annotations: | |
| buoyant.cloud/is-agent: "true" | |
| buoyant.cloud/version: v0.5.1 | |
| buoyant.cloud/service-name: agent | |
| labels: | |
| app.kubernetes.io/name: agent | |
| app.kubernetes.io/version: v0.5.1 | |
| app.kubernetes.io/part-of: buoyant-cloud | |
| linkerd.io/extension: buoyant | |
| spec: | |
| replicas: 1 | |
| selector: | |
| matchLabels: | |
| app: buoyant-cloud-agent | |
| template: | |
| metadata: | |
| labels: | |
| app: buoyant-cloud-agent | |
| annotations: | |
| config.linkerd.io/skip-outbound-ports: "4191" | |
| spec: | |
| securityContext: | |
| fsGroup: 1000 | |
| serviceAccount: buoyant-cloud-agent | |
| containers: | |
| - name: buoyant-cloud-agent | |
| image: ghcr.io/buoyantio/linkerd-buoyant:v0.5.1 | |
| imagePullPolicy: Always | |
| args: | |
| - "-grpc-addr=api.buoyant.cloud:443" | |
| - "-log-level=info" | |
| env: | |
| - name: BUOYANT_CLOUD_ID | |
| valueFrom: | |
| secretKeyRef: | |
| key: id | |
| name: buoyant-cloud-id | |
| - name: BUOYANT_CLOUD_KEY | |
| valueFrom: | |
| secretKeyRef: | |
| key: key | |
| name: buoyant-cloud-id | |
| ports: | |
| - name: admin | |
| containerPort: 9990 | |
| livenessProbe: | |
| httpGet: | |
| path: /ping | |
| port: 9990 | |
| readinessProbe: | |
| httpGet: | |
| path: /ready | |
| port: 9990 | |
| resources: | |
| requests: | |
| cpu: 10m | |
| memory: 10Mi | |
| limits: | |
| cpu: "2" | |
| memory: 5000Mi | |
| securityContext: | |
| allowPrivilegeEscalation: false | |
| privileged: false | |
| readOnlyRootFilesystem: true | |
| runAsGroup: 1000 | |
| runAsNonRoot: true | |
| runAsUser: 1000 | |
| --- | |
| # | |
| # Metrics Agent | |
| # | |
| --- | |
| kind: ConfigMap | |
| metadata: | |
| name: buoyant-cloud-metrics | |
| namespace: buoyant-cloud | |
| labels: | |
| app.kubernetes.io/part-of: buoyant-cloud | |
| apiVersion: v1 | |
| data: | |
| agent.yml: | | |
| server: | |
| log_level: info | |
| http_listen_port: 9991 | |
| metrics: | |
| wal_directory: /tmp/wal | |
| global: | |
| scrape_interval: 10s | |
| external_labels: | |
| cluster_id: ${BUOYANT_CLOUD_ID} | |
| cluster_name: ${BUOYANT_CLOUD_NAME} | |
| configs: | |
| - host_filter: true | |
| name: buoyant-cloud-metrics | |
| wal_truncate_frequency: "1m" | |
| remote_write: | |
| - url: https://api.buoyant.cloud:443/remote-write | |
| basic_auth: | |
| username: ${BUOYANT_CLOUD_ID} | |
| password: ${BUOYANT_CLOUD_KEY} | |
| queue_config: | |
| capacity: 1500 | |
| max_shards: 20 | |
| max_backoff: 10s | |
| scrape_configs: | |
| - job_name: 'buoyant-cloud-agent' | |
| kubernetes_sd_configs: | |
| - role: pod | |
| namespaces: | |
| names: | |
| - 'buoyant-cloud' | |
| relabel_configs: | |
| - source_labels: [__meta_kubernetes_pod_container_port_name] | |
| regex: ^admin$ | |
| action: keep | |
| - source_labels: [__meta_kubernetes_pod_container_name] | |
| regex: ^buoyant-cloud-agent|buoyant-cloud-metrics$ | |
| action: keep | |
| - source_labels: [__meta_kubernetes_namespace] | |
| action: replace | |
| target_label: namespace | |
| - source_labels: [__meta_kubernetes_pod_name] | |
| action: replace | |
| target_label: pod | |
| - action: labelmap | |
| regex: __meta_kubernetes_pod_label_(.+) | |
| # scrape_configs copied from `linkerd install` | |
| - job_name: 'kubernetes-nodes-cadvisor' | |
| scheme: https | |
| tls_config: | |
| ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | |
| insecure_skip_verify: true | |
| bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token | |
| kubernetes_sd_configs: | |
| - role: node | |
| relabel_configs: | |
| - action: labelmap | |
| regex: __meta_kubernetes_node_label_(.+) | |
| - target_label: __address__ | |
| replacement: kubernetes.default.svc:443 | |
| - source_labels: [__meta_kubernetes_node_name] | |
| regex: (.+) | |
| target_label: __metrics_path__ | |
| replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor | |
| metric_relabel_configs: | |
| - source_labels: [__name__] | |
| regex: ^container_cpu_usage_seconds_total|container_memory_working_set_bytes|machine_cpu_cores|machine_memory_bytes$ | |
| action: keep | |
| - source_labels: [pod] | |
| target_label: workload_kind | |
| regex: ^(.*)-[bcdfghjklmnpqrstvwxz2456789]{5,15}$ | |
| action: replace | |
| replacement: Deployment | |
| - source_labels: [pod] | |
| target_label: workload_kind | |
| regex: ^(.*)-[0-9]+$ | |
| action: replace | |
| replacement: StatefulSet | |
| - source_labels: [pod] | |
| target_label: workload_kind | |
| regex: ^(.*)-[bcdfghjklmnpqrstvwxz2456789]{5}$ | |
| action: replace | |
| replacement: DaemonSet | |
| - source_labels: [pod] | |
| target_label: workload_kind | |
| regex: ^(.*)-[456789bcdf]{1,10}-[bcdfghjklmnpqrstvwxz2456789]{5}$ | |
| action: replace | |
| replacement: Deployment | |
| - source_labels: [pod] | |
| target_label: workload_name | |
| regex: ^(.*)-[bcdfghjklmnpqrstvwxz2456789]{5,15}$ | |
| action: replace | |
| replacement: $1 | |
| - source_labels: [pod] | |
| target_label: workload_name | |
| regex: ^(.*)-[0-9]+$ | |
| action: replace | |
| replacement: $1 | |
| - source_labels: [pod] | |
| target_label: workload_name | |
| regex: ^(.*)-[bcdfghjklmnpqrstvwxz2456789]{5}$ | |
| action: replace | |
| replacement: $1 | |
| - source_labels: [pod] | |
| target_label: workload_name | |
| regex: ^(.*)-[456789bcdf]{1,10}-[bcdfghjklmnpqrstvwxz2456789]{5}$ | |
| action: replace | |
| replacement: $1 | |
| - job_name: 'linkerd-proxy' | |
| kubernetes_sd_configs: | |
| - role: pod | |
| relabel_configs: | |
| - source_labels: | |
| - __meta_kubernetes_pod_container_name | |
| - __meta_kubernetes_pod_container_port_name | |
| action: keep | |
| regex: ^linkerd-proxy;linkerd-admin$ | |
| - source_labels: [__meta_kubernetes_namespace] | |
| action: replace | |
| target_label: namespace | |
| - source_labels: [__meta_kubernetes_pod_name] | |
| action: replace | |
| target_label: pod | |
| # special case k8s' "job" label, to not interfere with prometheus' "job" | |
| # label | |
| # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => | |
| # k8s_job=foo | |
| - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] | |
| action: replace | |
| target_label: k8s_job | |
| # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job | |
| - action: labeldrop | |
| regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job | |
| # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => | |
| # deployment=foo | |
| - action: labelmap | |
| regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) | |
| # drop all labels that we just made copies of in the previous labelmap | |
| - action: labeldrop | |
| regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) | |
| # __meta_kubernetes_pod_label_linkerd_io_foo=bar => | |
| # foo=bar | |
| - action: labelmap | |
| regex: __meta_kubernetes_pod_label_linkerd_io_(.+) | |
| # __meta_kubernetes_pod_controller_kind=DaemonSet => workload_kind=DaemonSet | |
| # __meta_kubernetes_pod_controller_name=foo => workload_name=foo | |
| - source_labels: [__meta_kubernetes_pod_controller_kind] | |
| action: replace | |
| target_label: workload_kind | |
| - source_labels: [__meta_kubernetes_pod_controller_name] | |
| action: replace | |
| target_label: workload_name | |
| # __meta_kubernetes_pod_controller_kind=ReplicaSet => workload_kind=Deployment | |
| # __meta_kubernetes_pod_controller_name=foo-bar-123 => workload_name=foo-bar | |
| - source_labels: [__meta_kubernetes_pod_controller_kind] | |
| action: replace | |
| regex: ^ReplicaSet$ | |
| target_label: workload_kind | |
| replacement: Deployment | |
| - source_labels: | |
| - __meta_kubernetes_pod_controller_kind | |
| - __meta_kubernetes_pod_controller_name | |
| action: replace | |
| regex: ^ReplicaSet;(.*)-[^-]+$ | |
| target_label: workload_name | |
| metric_relabel_configs: | |
| # keep linkerd metrics relevant to buoyant cloud | |
| - source_labels: [__name__] | |
| regex: ^response_total|response_latency_ms_bucket|route_response_total|route_response_latency_ms_bucket|tcp_open_connections|tcp_read_bytes_total|tcp_write_bytes_total|inbound_http_authz_allow_total|inbound_http_authz_deny_total|inbound_tcp_authz_allow_total|inbound_tcp_authz_deny_total$ | |
| action: keep | |
| # drop high-cardinality outbound latency histograms | |
| - source_labels: | |
| - __name__ | |
| - direction | |
| regex: 'response_latency_ms_bucket;outbound' | |
| action: drop | |
| # drop high-cardinality outbound tcp open connections | |
| - source_labels: | |
| - __name__ | |
| - direction | |
| regex: 'tcp_open_connections;outbound' | |
| action: drop | |
| # drop high-cardinality outbound tcp read bytes | |
| - source_labels: | |
| - __name__ | |
| - direction | |
| regex: 'tcp_read_bytes_total;outbound' | |
| action: drop | |
| # drop high-cardinality outbound tcp write bytes | |
| - source_labels: | |
| - __name__ | |
| - direction | |
| regex: 'tcp_write_bytes_total;outbound' | |
| action: drop | |
| # drop linkerd workload labels (superseded by workload_kind, workload_name) | |
| - action: labeldrop | |
| regex: 'deployment' | |
| - action: labeldrop | |
| regex: 'daemonset' | |
| - action: labeldrop | |
| regex: 'statefulset' | |
| # foo{direction="outbound"} => outbound_foo{} | |
| - source_labels: | |
| - __name__ | |
| - direction | |
| regex: ^(.+);(inbound|outbound)$ | |
| action: replace | |
| target_label: __name__ | |
| replacement: $${2}_$${1} | |
| - action: labeldrop | |
| regex: direction | |
| # dst_daemonset=foo => dst_workload_name=foo | |
| # dst_daemonset=foo => dst_workload_kind=DaemonSet | |
| - source_labels: [dst_daemonset] | |
| regex: (.+) | |
| action: replace | |
| target_label: dst_workload_name | |
| - source_labels: [dst_daemonset] | |
| regex: (.+) | |
| action: replace | |
| target_label: dst_workload_kind | |
| replacement: DaemonSet | |
| - action: labeldrop | |
| regex: 'dst_daemonset' | |
| # dst_deployment=foo => dst_workload_name=foo | |
| # dst_deployment=foo => dst_workload_kind=Deployment | |
| - source_labels: [dst_deployment] | |
| regex: (.+) | |
| action: replace | |
| target_label: dst_workload_name | |
| - source_labels: [dst_deployment] | |
| regex: (.+) | |
| action: replace | |
| target_label: dst_workload_kind | |
| replacement: Deployment | |
| - action: labeldrop | |
| regex: 'dst_deployment' | |
| # dst_statefulset=foo => dst_workload_name=foo | |
| # dst_statefulset=foo => dst_workload_kind=StatefulSet | |
| - source_labels: [dst_statefulset] | |
| regex: (.+) | |
| action: replace | |
| target_label: dst_workload_name | |
| - source_labels: [dst_statefulset] | |
| regex: (.+) | |
| action: replace | |
| target_label: dst_workload_kind | |
| replacement: StatefulSet | |
| - action: labeldrop | |
| regex: 'dst_statefulset' | |
| # drop remaining high-cardinality linkerd metrics and labels | |
| - action: labeldrop | |
| regex: 'pod_template_hash' | |
| - action: labeldrop | |
| regex: 'dst_pod_template_hash' | |
| - action: labeldrop | |
| regex: 'dst_serviceaccount' | |
| - action: labeldrop | |
| regex: 'server_id' | |
| - action: labeldrop | |
| regex: 'control_plane_ns' | |
| - action: labeldrop | |
| regex: 'dst_control_plane_ns' | |
| - action: labeldrop | |
| regex: 'workload_ns' | |
| --- | |
| apiVersion: apps/v1 | |
| kind: DaemonSet | |
| metadata: | |
| name: buoyant-cloud-metrics | |
| namespace: buoyant-cloud | |
| annotations: | |
| buoyant.cloud/is-metrics: "true" | |
| buoyant.cloud/version: v0.5.1 | |
| buoyant.cloud/service-name: metrics | |
| labels: | |
| app.kubernetes.io/name: metrics | |
| app.kubernetes.io/version: v0.5.1 | |
| app.kubernetes.io/part-of: buoyant-cloud | |
| linkerd.io/extension: buoyant | |
| spec: | |
| selector: | |
| matchLabels: | |
| app: buoyant-cloud-metrics | |
| template: | |
| metadata: | |
| labels: | |
| app: buoyant-cloud-metrics | |
| spec: | |
| securityContext: | |
| fsGroup: 1000 | |
| serviceAccount: buoyant-cloud-agent | |
| tolerations: | |
| - operator: Exists | |
| effect: NoSchedule | |
| containers: | |
| - name: buoyant-cloud-metrics | |
| image: grafana/agent:v0.20.0 | |
| args: | |
| - -config.file=/buoyant-cloud-metrics/agent.yml | |
| - -config.expand-env | |
| ports: | |
| - name: admin | |
| containerPort: 9991 | |
| livenessProbe: | |
| httpGet: | |
| path: /-/healthy | |
| port: 9991 | |
| readinessProbe: | |
| httpGet: | |
| path: /-/ready | |
| port: 9991 | |
| resources: | |
| requests: | |
| cpu: 10m | |
| memory: 10Mi | |
| limits: | |
| cpu: "2" | |
| memory: 5000Mi | |
| securityContext: | |
| allowPrivilegeEscalation: false | |
| privileged: false | |
| readOnlyRootFilesystem: true | |
| runAsGroup: 1000 | |
| runAsNonRoot: true | |
| runAsUser: 1000 | |
| env: | |
| - name: HOSTNAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: spec.nodeName | |
| - name: BUOYANT_CLOUD_ID | |
| valueFrom: | |
| secretKeyRef: | |
| key: id | |
| name: buoyant-cloud-id | |
| - name: BUOYANT_CLOUD_KEY | |
| valueFrom: | |
| secretKeyRef: | |
| key: key | |
| name: buoyant-cloud-id | |
| - name: BUOYANT_CLOUD_NAME | |
| valueFrom: | |
| secretKeyRef: | |
| key: name | |
| name: buoyant-cloud-id | |
| volumeMounts: | |
| - mountPath: /buoyant-cloud-metrics | |
| name: buoyant-cloud-metrics | |
| - mountPath: /tmp | |
| name: tmp | |
| volumes: | |
| - configMap: | |
| name: buoyant-cloud-metrics | |
| name: buoyant-cloud-metrics | |
| - name: tmp | |
| emptyDir: {} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment