GKE Autopilot ASM and Ingress Gateway Manifests
---
# Namespace that hosts the ASM ingress gateway.
# The istio.io/rev label selects the managed control-plane revision whose
# injector handles pods created here; the mesh.cloud.google.com/proxy
# annotation is ASM's opt-in for managed data-plane (proxy) upgrades
# (per the ASM docs -- confirm against the version in use).
apiVersion: v1
kind: Namespace
metadata:
  name: asm-gateway
  annotations:
    mesh.cloud.google.com/proxy: '{"managed":"true"}'
  labels:
    istio.io/rev: asm-managed-rapid
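---
# CPU-based horizontal autoscaling for the ingress gateway Deployment.
# autoscaling/v2beta1 was removed from the Kubernetes API in 1.25, so an
# Autopilot cluster on the rapid channel rejects the old manifest. This
# uses the GA autoscaling/v2 schema, where the per-resource target moves
# from `targetAverageUtilization` to `target.type: Utilization` /
# `target.averageUtilization`. Scaling bounds and threshold are unchanged.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: ingressgateway
    istio.io/rev: asm-managed-rapid
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway
  namespace: asm-gateway
spec:
  # NOTE(review): a floor of one replica makes the gateway a single point
  # of failure for every route behind it (one pod eviction = outage, and a
  # trivial DoS target); consider minReplicas >= 2 for anything beyond a
  # lab setup.
  minReplicas: 1
  maxReplicas: 5
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 80
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-ingressgateway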
---
# Ingress gateway Deployment in the Istio "gateway injection" style: the
# pod template carries only a placeholder container (image: auto) and the
# revision's injector fills in the proxy image, ports, probes and
# volumeMounts from its `gateway` template.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: ingressgateway
    istio.io/rev: asm-managed-rapid
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway
  namespace: asm-gateway
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  strategy:
    rollingUpdate:
      # Allow up to double the replicas during a rollout and never take
      # more than a quarter of the old pods down at once.
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        # Ask the injector for its gateway template rather than the sidecar one.
        inject.istio.io/templates: gateway
      labels:
        app: istio-ingressgateway
        install.operator.istio.io/owning-resource: unknown
        istio: ingressgateway
        istio.io/rev: asm-managed-rapid
        operator.istio.io/component: IngressGateways
        service.istio.io/canonical-name: istio-ingressgateway
        service.istio.io/canonical-revision: asm-managed-rapid
        # Opt the pod in to injection; istio.io/rev above picks the revision.
        sidecar.istio.io/inject: "true"
    spec:
      affinity:
        nodeAffinity:
          # All four architectures get the same weight, so this soft
          # preference is effectively neutral; the hard requirement below
          # is what actually constrains placement.
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
              weight: 2
            - preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - arm64
              weight: 2
            - preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - ppc64le
              weight: 2
            - preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - s390x
              weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                      - arm64
                      - ppc64le
                      - s390x
      containers:
        # Placeholder only: the injector substitutes the managed proxy
        # image and the rest of the container spec.
        - image: auto
          name: istio-proxy
      # Pod-level hardening: run as the unprivileged istio-proxy UID/GID
      # (1337) and have the kubelet refuse to start the pod if the image
      # would run as root.
      securityContext:
        fsGroup: 1337
        runAsGroup: 1337
        runAsNonRoot: true
        runAsUser: 1337
      serviceAccountName: istio-ingressgateway-service-account
      volumes:
        # Root CA bundle distributed by istiod for verifying peer certs.
        - configMap:
            name: istio-ca-root-cert
          name: istiod-ca-cert
        - downwardAPI:
            items:
              - fieldRef:
                  fieldPath: metadata.labels
                path: labels
              - fieldRef:
                  fieldPath: metadata.annotations
                path: annotations
          name: podinfo
        - emptyDir: {}
          name: istio-envoy
        - emptyDir: {}
          name: istio-data
        # Short-lived (12h) service-account token bound to the istio-ca
        # audience; the proxy uses it to obtain its workload certificate,
        # and the audience binding means it cannot be replayed against the
        # Kubernetes API server.
        - name: istio-token
          projected:
            sources:
              - serviceAccountToken:
                  audience: istio-ca
                  expirationSeconds: 43200
                  path: istio-token
        - configMap:
            name: istio-asm-managed-rapid
            optional: true
          name: config-volume
        # Legacy file-mounted TLS material (pre-SDS pattern). Both secrets
        # are optional, so a missing or misnamed secret mounts nothing and
        # fails silently rather than blocking the pod.
        - name: ingressgateway-certs
          secret:
            optional: true
            secretName: istio-ingressgateway-certs
        - name: ingressgateway-ca-certs
          secret:
            optional: true
            # NOTE(review): this name looks truncated (the upstream Istio
            # gateway manifest uses istio-ingressgateway-ca-certs); with
            # optional: true a typo here is never reported -- verify.
            secretName: istio-ingressgateway-ca-ce
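---
# Disruption budget for the gateway pods: keep at least one serving pod
# during voluntary evictions (node drains, upgrades).
# policy/v1beta1 was removed from the Kubernetes API in 1.25, so this uses
# policy/v1; the selector and minAvailable semantics are identical.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: istio-ingressgateway
  namespace: asm-gateway
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
    release: istio
    istio.io/rev: asm-managed-rapid
    install.operator.istio.io/owning-resource: unknown
    operator.istio.io/component: "IngressGateways"
spec:
  # NOTE(review): with a single replica this budget blocks every voluntary
  # eviction (the one pod can never be drained), which stalls node
  # upgrades until the platform force-evicts; run >= 2 replicas if the
  # budget is meant to be honoured.
  minAvailable: 1
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway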
---
# Namespace-scoped read access to Secrets for the gateway's SDS: the
# proxy resolves a Gateway's tls.credentialName to a Secret in this
# namespace. Note the grant is to *every* Secret in asm-gateway, not just
# TLS ones -- keep this namespace dedicated to the gateway so nothing
# else (e.g. API keys in other Secrets) becomes readable to a compromised
# gateway pod, and treat this Role as the trust boundary for TLS private
# keys.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: istio-ingressgateway-sds
  namespace: asm-gateway
  labels:
    release: istio
    istio.io/rev: asm-managed-rapid
    install.operator.istio.io/owning-resource: unknown
    operator.istio.io/component: "IngressGateways"
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
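---
# Grants the SDS read-secrets Role to the gateway's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istio-ingressgateway-sds
  namespace: asm-gateway
  labels:
    release: istio
    istio.io/rev: asm-managed-rapid
    install.operator.istio.io/owning-resource: unknown
    operator.istio.io/component: "IngressGateways"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istio-ingressgateway-sds
subjects:
  - kind: ServiceAccount
    name: istio-ingressgateway-service-account
    # Stated explicitly: the RBAC authorizer defaults a ServiceAccount
    # subject with no namespace to the binding's own namespace, so this is
    # behaviour-preserving, but an explicit value makes the grant
    # auditable at a glance and survives copy-paste into another namespace
    # without silently re-targeting a different account.
    namespace: asm-gateway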
---
# Internal (VPC-only) passthrough load balancer in front of the gateway
# pods. Nothing here is reachable from the internet; VPC firewall rules
# decide which sources can talk to the listed ports.
apiVersion: v1
kind: Service
metadata:
  annotations:
    # Lets clients in any region of the VPC reach the ILB instead of only
    # the LB's own region. Widens the reachable client set; keep it only if
    # cross-region callers are expected.
    networking.gke.io/internal-load-balancer-allow-global-access: "true"
    networking.gke.io/load-balancer-type: Internal
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: ingressgateway
    istio.io/rev: asm-managed-rapid
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway
  namespace: asm-gateway
spec:
  # Pins the ILB to a fixed private address. loadBalancerIP is deprecated
  # upstream since Kubernetes 1.24 -- GKE still honours it, but check the
  # annotation-based replacement for the cluster's version.
  loadBalancerIP: 10.222.15.213
  ports:
    # Envoy readiness endpoint.
    - name: status-port
      port: 15021
      protocol: TCP
      targetPort: 15021
    # Plain HTTP; the Gateway resource redirects it to HTTPS.
    - name: http2
      port: 80
      protocol: TCP
      targetPort: 8080
    - name: https
      port: 443
      protocol: TCP
      targetPort: 8443
    # NOTE(review): 15012 (istiod xDS/CA) and 15443 (cross-network mTLS)
    # are only needed for multi-cluster / multi-network or VM expansion
    # through this gateway. For a single-cluster mesh they are dead
    # surface on the ILB -- remove them unless that topology is planned.
    - name: tcp-istiod
      port: 15012
      protocol: TCP
      targetPort: 15012
    - name: tls
      port: 15443
      protocol: TCP
      targetPort: 15443
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  type: LoadBalancer
---
# Identity the gateway pods run as; it is the subject of the SDS
# RoleBinding in this namespace. automountServiceAccountToken is left at
# its default (true), so the legacy API token is mounted into pods unless
# the pod template disables it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-ingressgateway-service-account
  namespace: asm-gateway
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
    release: istio
    istio.io/rev: asm-managed-rapid
    install.operator.istio.io/owning-resource: unknown
    operator.istio.io/component: "IngressGateways"
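---
# Listener configuration for the ingress gateway pods (selected by the
# istio: ingressgateway label). Hosts are namespace-qualified
# (whereami/...) so only VirtualServices in the whereami namespace may
# bind to this Gateway; a VirtualService elsewhere claiming the same
# hostname is ignored.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: whereami-gateway
  namespace: asm-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - whereami/sourdough.bread
      tls:
        # Terminate TLS at the gateway with the key pair in the named
        # Secret, fetched over SDS. The Secret must exist in the gateway
        # workload's namespace (asm-gateway), not in whereami.
        mode: SIMPLE
        credentialName: sourdough-bread-cert-tls
        # Explicit TLS floor. The default (TLS_AUTO) currently resolves to
        # 1.2 as well, but pinning it makes the policy visible and keeps
        # it stable across proxy upgrades.
        minProtocolVersion: TLSV1_2
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - whereami/sourdough.bread
      tls:
        # Plain HTTP is never served; every request gets a 301 to HTTPS.
        httpsRedirect: true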
---
# Identity for the backend pods. The backend Deployment only reads the
# account's name through the downward API; automountServiceAccountToken
# is left at its default (true).
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: whereami-backend
  name: whereami-ksa-backend
  namespace: whereami
---
# Runtime settings for the backend tier, consumed via configMapKeyRef in
# its Deployment. Flag values are quoted on purpose: the app receives them
# as the strings "True"/"False", not YAML booleans.
apiVersion: v1
data:
  # This tier has no downstream of its own, so BACKEND_SERVICE is inert.
  BACKEND_ENABLED: "False"
  BACKEND_SERVICE: http://whereami-backend
  ECHO_HEADERS: "False"
  GRPC_ENABLED: "False"
  METADATA: backend
kind: ConfigMap
metadata:
  labels:
    app: whereami-backend
  name: whereami-configmap-backend
  namespace: whereami
---
# Cluster-internal Service for the backend tier; the frontend reaches it
# as http://whereami-backend. Nothing in these manifests restricts which
# workloads may call it -- an AuthorizationPolicy limiting callers to the
# frontend's identity would be the usual next step.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: whereami-backend
  name: whereami-backend
  namespace: whereami
spec:
  ports:
    - name: http
      port: 80
      targetPort: 8080
  selector:
    app: whereami-backend
  type: ClusterIP
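---
# Backend tier of the whereami sample. Three replicas of the sample image
# listen on 8080; configuration comes from the backend ConfigMap and a
# few downward-API fields that the app echoes back.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: whereami-backend
  name: whereami-backend
  namespace: whereami
spec:
  replicas: 3
  selector:
    matchLabels:
      app: whereami-backend
  template:
    metadata:
      labels:
        app: whereami-backend
        version: v1
    spec:
      containers:
        - name: whereami
          image: gcr.io/google-samples/whereami:v1.2.4
          # Least-privilege container settings. The app only binds an
          # unprivileged port (8080), so it needs no Linux capabilities
          # and no setuid path; dropping them limits what a compromised
          # process can do. Autopilot already rejects privileged pods,
          # but stating this here keeps the manifest portable.
          # NOTE(review): runAsNonRoot/readOnlyRootFilesystem are not set
          # because the image's user and write paths are not visible
          # here -- verify and add them if the image allows.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: POD_SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: BACKEND_ENABLED
              valueFrom:
                configMapKeyRef:
                  key: BACKEND_ENABLED
                  name: whereami-configmap-backend
            - name: BACKEND_SERVICE
              valueFrom:
                configMapKeyRef:
                  key: BACKEND_SERVICE
                  name: whereami-configmap-backend
            - name: METADATA
              valueFrom:
                configMapKeyRef:
                  key: METADATA
                  name: whereami-configmap-backend
            - name: ECHO_HEADERS
              valueFrom:
                configMapKeyRef:
                  key: ECHO_HEADERS
                  name: whereami-configmap-backend
            - name: GRPC_ENABLED
              valueFrom:
                configMapKeyRef:
                  key: GRPC_ENABLED
                  name: whereami-configmap-backend
          ports:
            - containerPort: 8080
              name: http
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 15
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 5
            timeoutSeconds: 1
      # No resources block: Autopilot substitutes its defaults, which is
      # fine for a sample but should be explicit for a real workload.
      serviceAccountName: whereami-ksa-backend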
---
# Identity for the frontend pods; this is the identity an
# AuthorizationPolicy on the backend would allow. The frontend Deployment
# only reads the account's name through the downward API;
# automountServiceAccountToken is left at its default (true).
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: whereami-frontend
  name: whereami-ksa-frontend
  namespace: whereami
---
# Runtime settings for the frontend tier, consumed via configMapKeyRef in
# its Deployment. Flag values are quoted on purpose: the app receives them
# as the strings "True"/"False", not YAML booleans.
apiVersion: v1
data:
  # The frontend fans out to the backend Service over plain HTTP; whether
  # that hop is actually mTLS-protected depends on the mesh's
  # PeerAuthentication, which is not part of these manifests.
  BACKEND_ENABLED: "True"
  BACKEND_SERVICE: http://whereami-backend
  ECHO_HEADERS: "False"
  GRPC_ENABLED: "False"
  METADATA: frontend
kind: ConfigMap
metadata:
  labels:
    app: whereami-frontend
  name: whereami-configmap-frontend
  namespace: whereami
---
# Cluster-internal Service for the frontend tier; the VirtualService
# bound to the ingress gateway routes external requests here.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: whereami-frontend
  name: whereami-frontend
  namespace: whereami
spec:
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 8080
  selector:
    app: whereami-frontend
  type: ClusterIP
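---
# Frontend tier of the whereami sample and the workload that receives
# untrusted requests from the ingress gateway. Three replicas of the
# sample image listen on 8080; configuration comes from the frontend
# ConfigMap and a few downward-API fields that the app echoes back.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: whereami-frontend
  name: whereami-frontend
  namespace: whereami
spec:
  replicas: 3
  selector:
    matchLabels:
      app: whereami-frontend
  template:
    metadata:
      labels:
        app: whereami-frontend
        version: v1
    spec:
      containers:
        - name: whereami
          image: gcr.io/google-samples/whereami:v1.2.4
          # Least-privilege container settings for the internet-facing
          # tier. The app only binds an unprivileged port (8080), so it
          # needs no Linux capabilities and no setuid path; dropping them
          # limits what a compromised process can do. Autopilot already
          # rejects privileged pods, but stating this here keeps the
          # manifest portable.
          # NOTE(review): runAsNonRoot/readOnlyRootFilesystem are not set
          # because the image's user and write paths are not visible
          # here -- verify and add them if the image allows.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: POD_SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: BACKEND_ENABLED
              valueFrom:
                configMapKeyRef:
                  key: BACKEND_ENABLED
                  name: whereami-configmap-frontend
            - name: BACKEND_SERVICE
              valueFrom:
                configMapKeyRef:
                  key: BACKEND_SERVICE
                  name: whereami-configmap-frontend
            - name: METADATA
              valueFrom:
                configMapKeyRef:
                  key: METADATA
                  name: whereami-configmap-frontend
            - name: ECHO_HEADERS
              valueFrom:
                configMapKeyRef:
                  key: ECHO_HEADERS
                  name: whereami-configmap-frontend
            - name: GRPC_ENABLED
              valueFrom:
                configMapKeyRef:
                  key: GRPC_ENABLED
                  name: whereami-configmap-frontend
          ports:
            - containerPort: 8080
              name: http
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 15
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 5
            timeoutSeconds: 1
      # No resources block: Autopilot substitutes its defaults, which is
      # fine for a sample but should be explicit for a real workload.
      serviceAccountName: whereami-ksa-frontend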
---
# Application namespace. The istio.io/rev label enrols every pod created
# here for sidecar injection by the managed revision; the
# mesh.cloud.google.com/proxy annotation is ASM's opt-in for managed
# data-plane upgrades (per the ASM docs -- confirm against the version in
# use). Note that the whereami workloads above reference this namespace,
# so it must be applied before them.
apiVersion: v1
kind: Namespace
metadata:
  name: whereami
  annotations:
    mesh.cloud.google.com/proxy: '{"managed":"true"}'
  labels:
    istio.io/rev: asm-managed-rapid
---
# Routes requests for sourdough.bread that arrive through the ingress
# gateway to the frontend Service. Because `gateways` names only the
# ingress gateway (not `mesh`), this route has no effect on in-mesh
# traffic. Binding succeeds because the Gateway's hosts entry is
# namespace-qualified to whereami, where this resource lives.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: whereami-frontend
  namespace: whereami
spec:
  hosts:
    - sourdough.bread
  gateways:
    - asm-gateway/whereami-gateway
  http:
    # Single catch-all route: every path and method goes to the frontend.
    - route:
        - destination:
            host: whereami-frontend
            port:
              number: 80