kubelatte-ce
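# Pod-mutation template fixture. `{{% ... %}}` expressions are filled in from
# the target pod (`.Annotations`, `.Data`), so the file only parses as YAML
# after rendering. Nesting below is reconstructed from the key order of a
# listing that had lost its indentation - confirm against the repository copy.
#
# Review notes that apply to the whole file:
# - Annotation values are set by whoever creates the pod. Templated string
#   scalars are quoted here so a value such as `true`, `123`, or text containing
#   `: ` / ` #` cannot change type or structure once rendered. Quoting does not
#   neutralise a value that itself contains a single quote; validate annotation
#   values at admission as well.
# - Images are referenced by tag only; pinning by digest keeps the injected
#   containers from changing underneath an unchanged template.
metadata:
  annotations:
    # NOTE(review): this appears to render to a `{{- with secret <path> -}}`
    # expression for a later templating stage, with <path> taken from the
    # `synapse-injector/api-key` annotation (default "NN"). If so, the pod
    # author chooses which secret path is read - confirm the path is
    # constrained by the Vault policy bound to the pod's role.
    networking.kubelatte.io/replace: '{{%"{{- with secret"%}} {{% or (index .Annotations "synapse-injector/api-key") "NN" %}} {{%"-}}{{index .Data \"tengri_ca.cer\"|\"base64Decode \"}}{{- end}}"%}}'
    # Quoted: annotation values must be strings.
    networking.kubelatte.io/merge: '{{% or (index .Annotations "synapse-injector/api-key") "NN" %}}'
    networking.kubelatte.io/new: "enabled"
    helmcharts-demo/test-template/networking.kubelatte.io/annot1: "true"
spec:
  initContainers:
    # Copies the image's CA bundle into the shared in-memory `ca` volume.
    - args:
        - /bin/cp
        - /etc/ssl/certs/cacerts.pem
        - /etc/pki_service/ca/cacerts.pem
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/sam/madkub:122
      imagePullPolicy: IfNotPresent
      name: ca-populator
      volumeMounts:
        - mountPath: /etc/pki_service/ca
          name: ca
    # Requests client and server certificates; the endpoint is verified
    # against the CA bundle copied by ca-populator (--maddog-server-ca).
    - args:
        - /sam/madkub-client
        - --mode=gcpserviceaccount
        - --sa-secret=/secrets/serviceaccount/key.json
        - --maddog-endpoint=https://10.168.193.16:8443
        - --maddog-server-ca=/etc/pki_service/ca/cacerts.pem
        - --cert-folders=clientcert:/etc/identity
        - --cert-folders=servercert:/etc/identity
        - --cert-types=clientcert:client
        - --cert-types=servercert:server
        - --ca-folder=/etc/pki_service/ca/
      env:
        - name: MADKUB_NODENAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: MADKUB_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: MADKUB_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/sam/madkub:122
      imagePullPolicy: IfNotPresent
      name: madkub-init
      volumeMounts:
        - mountPath: /etc/pki_service/ca
          name: ca
        - mountPath: /etc/identity/ca
          name: ca
        - mountPath: /etc/identity/client
          name: clientcert
        - mountPath: /etc/identity/server
          name: servercert
        - mountPath: /etc/identity/tokens
          name: tokens
        - mountPath: "/secrets/serviceaccount"
          name: svcaccount
    - name: init-fqdn
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/keymaker-client:38
      imagePullPolicy: Always
      command: ['sh', '-c', 'mkdir -p /etc/keytabs/config; cp /etc/fqdn/fqdn /etc/keytabs/config/']
      volumeMounts:
        - mountPath: /etc/keytabs
          name: keytabs
        - mountPath: /etc/fqdn
          name: fqdn
    - args:
        - /opt/keymaker-client/set_krb5.sh
        - DEVMVP.SFDC.NET
        # Quoted: container args are strings, and the value comes from an
        # annotation.
        - '{{% index .Annotations "moniker.spinnaker.io/application" %}}'
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/keymaker-client:38
      imagePullPolicy: Always
      name: krb5-populator
      ports:
        # Left unquoted because containerPort must be an integer; the
        # `port/value` annotation therefore has to be validated as numeric
        # before this template is rendered.
        - containerPort: {{% index .Annotations "port/value" %}}
          protocol: TCP
      volumeMounts:
        - mountPath: /etc/keytabs
          name: keytabs
    - args:
        - /opt/keymaker-client/keymaker-client
        - --service-name=keymaker
        - --client-cert=/etc/identity/client/certificates/client.pem
        - --client-key=/etc/identity/client/keys/client-key.pem
        - --keytab-owner=sfdc
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/keymaker-client:38
      imagePullPolicy: Always
      name: keymaker-client
      volumeMounts:
        - mountPath: /etc/identity/client
          name: clientcert
        - mountPath: /etc/pki_service/ca
          name: ca
        - mountPath: /etc/keytabs
          name: keytabs
    # Generates /generated/rsyslog.conf from the ERB template held in
    # CONF_TPL_ERB and the JSON in the pod's log-config annotation.
    - name: rsyslog-init
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/collection-erb-config-gen:19
      command: ["bash", "-c"]
      env:
        - name: LOG_TYPES_JSON
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.annotations['rsyslog.k8s-integration.sfdc.com/log-config']
        # NOTE(review): `path`, `start_regex`, `source_type` and `id` from the
        # annotation JSON are written into quoted rsyslog parameters without
        # escaping, so a value containing a double quote ends the parameter
        # early. Validate the annotation at admission or escape the values in
        # the template. Inner indentation of the block was not recoverable.
        - name: CONF_TPL_ERB
          value: |
            <%- require 'json' -%>
            <%- log_types = JSON.parse(ENV['LOG_TYPES_JSON']) -%>
            global (
            workdirectory = "/var/spool/rsyslog"
            maxMessageSize = "15k"
            )
            module(load = "imfile" mode="polling" PollingInterval="5")
            module(load = "omstdout")
            template(name = "outfmt" type="list") {
            constant(value="{\"SIDECAR\": \"1\"")
            constant(value=",")
            property(name="msg" outname="msg" format="jsonf")
            constant(value=",")
            property(name="$!path" outname="path" format="jsonfr")
            constant(value=",")
            property(name="$!source_type" outname="st" format="jsonfr")
            constant(value="}\n")
            }
            <%# Reusable ruleset to output to stdout %>
            ruleset(name="ruleset_output" ) {
            action(type="omstdout" template="outfmt")
            }

            <% log_types.each do |lt| -%>
            <% lt["paths"].each do |path| -%>
            input(
            type="imfile"
            File="<%= path %>"
            PersistStateInterval="50000"
            <%- if lt["multiline_option"] == 'MULTILINE_OFF' -%>
            readMode="0"
            <%- elsif lt["multiline_option"] == 'INDENTED' -%>
            readMode="2"
            <%- elsif lt["multiline_option"] == 'PARAGRAPH' -%>
            readMode="1"
            <%- else -%>
            startmsg.regex="<%= lt["start_regex"] %>"
            readTimeout="5"
            <%- end -%>
            Tag="<%= lt["source_type"] %>"
            ruleset="ruleset_<%= lt["id"] %>"
            addmetadata="on"
            escapelf="off"
            discardTruncatedMsg="on"
            <%- if lt["truncatable"] -%>
            reopenOnTruncate="on"
            <%- end -%>
            )
            ruleset(name="<%="ruleset_#{lt['id']}" %>" ) {
            set $!path = "<%= path %>";
            set $!source_type = "<%= lt["source_type"] %>";
            call ruleset_output
            }
            <%- end # path-%>
            <%- end # config -%>
      # NOTE(review): `echo -e` expands backslash escapes (the `\n` in the
      # template) before the ERB step reads the file; `printf '%s'` would write
      # the template verbatim - confirm which is intended.
      args:
        - 'echo -e "${CONF_TPL_ERB}" > /templates/rsyslog.conf.erb &&
          /app/config_gen.rb -t /templates/rsyslog.conf.erb -o /generated/rsyslog.conf'
      volumeMounts:
        - name: rsyslog-conf-tpl
          mountPath: /templates
        - name: rsyslog-conf-gen
          mountPath: /generated
    - args:
        - agent
        - --
        - -config=/vault/vault-agent-once.hcl
      env:
        - name: VAULT_ADDR
          value: https://vault.vault.rddev.aws.sfdc.cl
        # NOTE(review): VAULT_SKIP_VERIFY="true" turns off TLS certificate
        # verification, so the Vault token and the secrets it fetches travel
        # over a channel whose peer is not authenticated. Prefer supplying the
        # CA (VAULT_CACERT) and leaving verification on.
        - name: VAULT_SKIP_VERIFY
          value: "true"
        - name: AWS_CREDENTIAL_PROFILES_FILE  # Used by the Java SDK.
          value: /meta/aws-iam/credentials
        - name: AWS_SHARED_CREDENTIALS_FILE  # Used by the golang SDK.
          value: /meta/aws-iam/credentials
        - name: SKIP_CHOWN
          value: "true"
        - name: SKIP_SETCAP
          value: "true"
      # NOTE(review): the image reference has no registry host - it looks like
      # a prefix was stripped; confirm before reuse.
      image: /dva/vault:25-278727b33809917ec0ec40b501176ad3e81757b8
      name: vault-agent-init
      volumeMounts:
        - mountPath: /vault-token
          name: vault-token
        - mountPath: /meta/aws-iam
          name: aws-iam-credentials
          readOnly: true
      resources:
        limits:
          cpu: 100m
          memory: 128Mi
      securityContext:
        capabilities:
          # IPC_LOCK allows locking memory (mlock) - presumably so the agent
          # can keep secrets out of swap. It is the only capability added.
          add: ["IPC_LOCK"]
    - args:
        - --
        - consul-template
        - -config=/config/consul-template-config.hcl
        # Quoted: container args are strings; a bare `true` is a YAML boolean.
        - "true"
      env:
        # NOTE(review): TLS verification is disabled here as well; see the
        # note on vault-agent-init.
        - name: VAULT_SKIP_VERIFY
          value: "true"
        - name: VAULT_TOKEN_FILE
          value: "/vault-token/.vault-token"
      image: /dva/consul-template:5-4599880a1446ef527a7b348b2c3a3ee79d04490e
      name: consul-template-init
      resources:
        limits:
          cpu: 100m
          memory: 128Mi
      volumeMounts:
        - mountPath: /config
          name: consul-template-config
        - mountPath: /vault-token
          name: vault-token
          # Mounted read-only: the vault-agent container is responsible for updating this.
          readOnly: true
        - mountPath: /secrets
          name: secrets-volume
  # `medium: Memory` volumes are tmpfs-backed, so certificates, keytabs, tokens
  # and rendered secrets are not written to the node's disk.
  volumes:
    - emptyDir:
        medium: Memory
      name: ca
    - emptyDir:
        medium: Memory
      name: clientcert
    - emptyDir:
        medium: Memory
      name: servercert
    - emptyDir:
        medium: Memory
      name: tokens
    - emptyDir:
        medium: Memory
      name: keytabs
    - name: svcaccount
      secret:
        secretName: svcaccount
    - name: rsyslog-spool-vol
      emptyDir: {}
    - name: rsyslog-conf-tpl
      emptyDir: {}
    - name: rsyslog-conf-gen
      emptyDir: {}
    - name: vault-token
      emptyDir:
        medium: Memory
    - name: consul-template-config
      configMap:
        name: test-consul-template
    - name: sidecarinjector/egress-container/secrets-volume
      emptyDir:
        medium: Memory
    - name: sidecarinjector/egress-container/aws-iam-credentials
      secret:
        # NOTE(review): this uses `{% ... %}` rather than the `{{% ... %}}`
        # delimiters seen elsewhere in the file - confirm whether it is meant
        # to be rendered or kept literal.
        secretName: aws-iam-'{% .Spec.ServiceAccountName %}'
    - name: helmcharts-demo/test-template/test-volume-1
      emptyDir:
        medium: Memory
  volumeMounts:
    - mountPath: /etc/pki_service/ca
      name: ca
    - mountPath: /etc/identity/ca
      name: ca
    - mountPath: /etc/identity/client
      name: clientcert
    - mountPath: /etc/identity/server
      name: servercert
    - mountPath: /etc/keytabs
      name: keytabs
    - mountPath: "/secrets/serviceaccount"
      name: svcaccount
    - mountPath: /secrets
      name: secrets-volume
  containers:
    - name: simple-sidecar
    - name: rsyslog-sidecar
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/sfdc_rsyslog_gcp:17
      volumeMounts:
        - name: rsyslog-spool-vol
          mountPath: /var/spool/rsyslog
        - name: rsyslog-conf-gen
          subPath: rsyslog.conf
          mountPath: /etc/rsyslog.conf
    - name: rsyslog-test-sidecar
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/sfdc_rsyslog_gcp:17
    # Long-running counterpart of madkub-init (--refresher).
    - args:
        - "/sam/madkub-client"
        - "--mode"
        - gcpserviceaccount
        - "--sa-secret"
        - "/secrets/serviceaccount/key.json"
        - "--maddog-endpoint"
        - https://10.168.193.16:8443
        - "--maddog-server-ca"
        - "/etc/pki_service/ca/cacerts.pem"
        - "--cert-folders"
        - clientcert:/etc/identity
        - "--cert-folders"
        - servercert:/etc/identity
        - "--cert-types"
        - clientcert:client
        - "--cert-types"
        - servercert:server
        - "--refresher"
        - "--run-init-for-refresher-mode"
        - "--ca-folder"
        - "/etc/pki_service/ca/"
      env:
        - name: MADKUB_NODENAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: MADKUB_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: MADKUB_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/sam/madkub:122
      name: madkub-refresher
      resources: {}
      volumeMounts:
        - mountPath: /etc/pki_service/ca
          name: ca
        - mountPath: /etc/identity/ca
          name: ca
        - mountPath: /etc/identity/client
          name: clientcert
        - mountPath: /etc/identity/server
          name: servercert
        - mountPath: "/secrets/serviceaccount"
          name: svcaccount
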
351- name: vault-agent352args:353- agent354- --355- -config=/vault/vault-agent.hcl356env:357- name: VAULT_ROLE358value: {{% index .Annotations "vault.k8s-integration.sfdc.com/role" %}}359image: /dva/vault:25-278727b33809917ec0ec40b501176ad3e81757b8360volumeMounts:361- mountPath: /vault-token362name: vault-token363- mountPath: /meta/aws-iam364name: aws-iam-credentials365readOnly: true366resources:367limits:368cpu: 100m369memory: 128Mi370securityContext:371capabilities:372add: ["IPC_LOCK"]373- name: sidecarinjector/egress-container/consul-template374args:375- --376- consul-template377- -config=/config/consul-template-config.hcl378- false379env:380- name: VAULT_SKIP_VERIFY381value: "true"382- name: VAULT_TOKEN_FILE383value: "/vault-token/.vault-token"384image: /dva/consul-template:5-4599880a1446ef527a7b348b2c3a3ee79d04490e385resources:386limits:387cpu: 100m388memory: 128Mi389volumeMounts:390- mountPath: /config391name: consul-template-config392- mountPath: /vault-token393name: vault-token394# Mounted read-only: the vault-agent container is responsible for updating this.395readOnly: true396- mountPath: /secrets397name: secrets-volume398
399
400
401- name: vsidecarinjector/egress-container/keymaker-client-refresher-01402args:403- agent404- --405- -config=/vault/vault-agent.hcl406env:407- name: VAULT_ROLE408value: {{% index .Annotations "vault.k8s-integration.sfdc.com/role" %}}409image: /dva/vault:25-278727b33809917ec0ec40b501176ad3e81757b8410volumeMounts:411- mountPath: /vault-token412name: vault-token413- mountPath: /meta/aws-iam414name: aws-iam-credentials415readOnly: true416resources:417limits:418cpu: 100m419memory: 128Mi420securityContext:421capabilities:422add: [ "IPC_LOCK" ]423
424
425- name: sidecarinjector/egress-container/consul-template-01426image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/sfdc_rsyslog_gcp:17427volumeMounts:428- name: rsyslog-spool-vol429mountPath: /var/spool/rsyslog430- name: rsyslog-conf-gen431subPath: rsyslog.conf432mountPath: /etc/rsyslog.conf433
434- name: sidecarinjector/egress-container/simple-sidecar-01435- name: vsidecarinjector/egress-container/vault-agent-01436image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/sfdc_rsyslog_gcp:17437volumeMounts:438- name: rsyslog-spool-vol439mountPath: /var/spool/rsyslog440- name: rsyslog-conf-gen441subPath: rsyslog.conf442mountPath: /etc/rsyslog.conf443args:444- onemut445- twomut446- one447
448- name: sidecarinjector/test-template/to-test-latte-1 #политика мерж449image: imagemut1450args:451- arg11mut452- arg12mut453-454- name: sidecarinjector/test-template/to-test-latte-2 #политика реплейс455image: imagemut2456env:457- name: ENV_21458value: "true"459
460- name: sidecarinjector/test-template/to-test-latte-new1 #новый контейнер 1461image: imagemutnew1462env:463- name: ENV_1_ADD464value: "true"465- name: sidecarinjector/test-template/to-test-latte-new2 #новый контейнер 2466image: imagemutnew2467args:468- argnew11mut469- argnew12mut