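# kubelatte mutation template. The annotations, init containers, volumes,
# mounts and sidecar containers below are injected into an admitted Pod
# (merged with, replacing, or added to its own definitions). Expressions of
# the form {{% ... %}} are evaluated by the injector against the admitted
# object (.Annotations, .Spec are referenced below), presumably before the
# result is read as YAML — confirm against the kubelatte template docs.
#
# NOTE(review): the source this was restored from had lost its indentation;
# the nesting below follows the Pod schema (volumes/containers under spec).
# Runtime values (paths, images, args, the ERB template) are kept verbatim.
metadata:
  annotations:
    # The rendered value is itself a Go template for a downstream consumer
    # (the nested {{- with secret ... }} / base64Decode text), hence the outer
    # single quotes and the escaped inner double quotes.
    networking.kubelatte.io/replace: '{{%"{{- with secret"%}} {{% or (index .Annotations "synapse-injector/api-key") "NN" %}} {{%"-}}{{index .Data \"tengri_ca.cer\"|\"base64Decode \"}}{{- end}}"%}}'
    # Falls back to the literal "NN" when the api-key annotation is absent.
    networking.kubelatte.io/merge: {{% or (index .Annotations "synapse-injector/api-key") "NN" %}}
    networking.kubelatte.io/new: "enabled"
    helmcharts-demo/test-template/networking.kubelatte.io/annot1: "true"
spec:
  initContainers:
    # Copies the image's CA bundle into the shared in-memory "ca" volume so the
    # later init containers can verify the madkub/keymaker servers against it.
    - args:
        - /bin/cp
        - /etc/ssl/certs/cacerts.pem
        - /etc/pki_service/ca/cacerts.pem
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/sam/madkub:122
      imagePullPolicy: IfNotPresent
      name: ca-populator
      volumeMounts:
        - mountPath: /etc/pki_service/ca
          name: ca
    # Obtains client/server certificates from the maddog endpoint using the
    # mounted GCP service-account key and writes them into in-memory volumes.
    - args:
        - /sam/madkub-client
        - --mode=gcpserviceaccount
        - --sa-secret=/secrets/serviceaccount/key.json
        # Hard-coded endpoint IP; the server is verified against the CA bundle
        # staged by ca-populator (--maddog-server-ca).
        - --maddog-endpoint=https://10.168.193.16:8443
        - --maddog-server-ca=/etc/pki_service/ca/cacerts.pem
        - --cert-folders=clientcert:/etc/identity
        - --cert-folders=servercert:/etc/identity
        - --cert-types=clientcert:client
        - --cert-types=servercert:server
        - --ca-folder=/etc/pki_service/ca/
      env:
        - name: MADKUB_NODENAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: MADKUB_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: MADKUB_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/sam/madkub:122
      imagePullPolicy: IfNotPresent
      name: madkub-init
      volumeMounts:
        - mountPath: /etc/pki_service/ca
          name: ca
        - mountPath: /etc/identity/ca
          name: ca
        - mountPath: /etc/identity/client
          name: clientcert
        - mountPath: /etc/identity/server
          name: servercert
        - mountPath: /etc/identity/tokens
          name: tokens
        - mountPath: "/secrets/serviceaccount"
          name: svcaccount
    # Stages the pod FQDN where keymaker-client expects it.
    - name: init-fqdn
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/keymaker-client:38
      imagePullPolicy: Always
      command: ['sh', '-c', 'mkdir -p /etc/keytabs/config; cp /etc/fqdn/fqdn /etc/keytabs/config/']
      volumeMounts:
        - mountPath: /etc/keytabs
          name: keytabs
        # NOTE(review): no volume named "fqdn" is declared in spec.volumes
        # below; presumably it is supplied by the admitted pod — confirm.
        - mountPath: /etc/fqdn
          name: fqdn
    # Writes the krb5 configuration for the realm; the application name is
    # taken from the Spinnaker moniker annotation of the admitted pod.
    - args:
        - /opt/keymaker-client/set_krb5.sh
        - DEVMVP.SFDC.NET
        - {{% index .Annotations "moniker.spinnaker.io/application" %}}
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/keymaker-client:38
      imagePullPolicy: Always
      name: krb5-populator
      ports:
        # Must render to an integer; containerPort is not a string field.
        - containerPort: {{% index .Annotations "port/value" %}}
          protocol: TCP
      volumeMounts:
        - mountPath: /etc/keytabs
          name: keytabs
    # Fetches keytabs, authenticating with the client certificate and key
    # issued by madkub-init.
    - args:
        - /opt/keymaker-client/keymaker-client
        - --service-name=keymaker
        - --client-cert=/etc/identity/client/certificates/client.pem
        - --client-key=/etc/identity/client/keys/client-key.pem
        - --keytab-owner=sfdc
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/keymaker-client:38
      imagePullPolicy: Always
      name: keymaker-client
      volumeMounts:
        - mountPath: /etc/identity/client
          name: clientcert
        - mountPath: /etc/pki_service/ca
          name: ca
        - mountPath: /etc/keytabs
          name: keytabs
    # Renders the rsyslog configuration from the ERB template held in
    # CONF_TPL_ERB, driven by the log-config annotation of the admitted pod.
    - name: rsyslog-init
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/collection-erb-config-gen:19
      command: ["bash", "-c"]
      env:
        - name: LOG_TYPES_JSON
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.annotations['rsyslog.k8s-integration.sfdc.com/log-config']
        # NOTE(review): the args below pass this value through `echo -e`, which
        # expands backslash escapes such as the \n in constant(value="}\n")
        # before the ERB is evaluated — confirm that is the intended output.
        - name: CONF_TPL_ERB
          value: |
            <%- require 'json' -%>
            <%- log_types = JSON.parse(ENV['LOG_TYPES_JSON']) -%>
            global (
            workdirectory = "/var/spool/rsyslog"
            maxMessageSize = "15k"
            )
            module(load = "imfile" mode="polling" PollingInterval="5")
            module(load = "omstdout")
            template(name = "outfmt" type="list") {
            constant(value="{\"SIDECAR\": \"1\"")
            constant(value=",")
            property(name="msg" outname="msg" format="jsonf")
            constant(value=",")
            property(name="$!path" outname="path" format="jsonfr")
            constant(value=",")
            property(name="$!source_type" outname="st" format="jsonfr")
            constant(value="}\n")
            }
            <%# Reusable ruleset to output to stdout %>
            ruleset(name="ruleset_output" ) {
            action(type="omstdout" template="outfmt")
            }

            <% log_types.each do |lt| -%>
            <% lt["paths"].each do |path| -%>
            input(
            type="imfile"
            File="<%= path %>"
            PersistStateInterval="50000"
            <%- if lt["multiline_option"] == 'MULTILINE_OFF' -%>
            readMode="0"
            <%- elsif lt["multiline_option"] == 'INDENTED' -%>
            readMode="2"
            <%- elsif lt["multiline_option"] == 'PARAGRAPH' -%>
            readMode="1"
            <%- else -%>
            startmsg.regex="<%= lt["start_regex"] %>"
            readTimeout="5"
            <%- end -%>
            Tag="<%= lt["source_type"] %>"
            ruleset="ruleset_<%= lt["id"] %>"
            addmetadata="on"
            escapelf="off"
            discardTruncatedMsg="on"
            <%- if lt["truncatable"] -%>
            reopenOnTruncate="on"
            <%- end -%>
            )
            ruleset(name="<%="ruleset_#{lt['id']}" %>" ) {
            set $!path = "<%= path %>";
            set $!source_type = "<%= lt["source_type"] %>";
            call ruleset_output
            }
            <%- end # path-%>
            <%- end # config -%>
      args:
        - 'echo -e "${CONF_TPL_ERB}" > /templates/rsyslog.conf.erb &&
          /app/config_gen.rb -t /templates/rsyslog.conf.erb -o /generated/rsyslog.conf'
      volumeMounts:
        - name: rsyslog-conf-tpl
          mountPath: /templates
        - name: rsyslog-conf-gen
          mountPath: /generated
    # One-shot Vault agent: authenticates with the mounted AWS IAM credentials
    # and leaves a token in the in-memory vault-token volume for consul-template.
    - args:
        - agent
        - --
        - -config=/vault/vault-agent-once.hcl
      env:
        - name: VAULT_ADDR
          value: https://vault.vault.rddev.aws.sfdc.cl
        # Disables TLS certificate verification toward Vault (also set on both
        # consul-template containers below), so the token exchange can be
        # intercepted on-path. Prefer trusting the issuing CA (e.g. via
        # VAULT_CACERT) over skipping verification.
        - name: VAULT_SKIP_VERIFY
          value: "true"
        - name: AWS_CREDENTIAL_PROFILES_FILE  # Used by the Java SDK.
          value: /meta/aws-iam/credentials
        - name: AWS_SHARED_CREDENTIALS_FILE  # Used by the golang SDK.
          value: /meta/aws-iam/credentials
        - name: SKIP_CHOWN
          value: "true"
        - name: SKIP_SETCAP
          value: "true"
      # NOTE(review): registry-relative image reference (leading "/");
      # presumably completed by the injector — confirm.
      image: /dva/vault:25-278727b33809917ec0ec40b501176ad3e81757b8
      name: vault-agent-init
      volumeMounts:
        - mountPath: /vault-token
          name: vault-token
        - mountPath: /meta/aws-iam
          name: aws-iam-credentials
          readOnly: true
      resources:
        limits:
          cpu: 100m
          memory: 128Mi
      securityContext:
        capabilities:
          # Allows the Vault agent to mlock() its memory so secrets are not
          # swapped to disk.
          add: ["IPC_LOCK"]
    # One-shot consul-template render into /secrets using the token written by
    # vault-agent-init.
    - args:
        - --
        - consul-template
        - -config=/config/consul-template-config.hcl
        # Quoted so it stays a string: container args must be strings, and an
        # unquoted true would be read as a YAML boolean.
        - "true"
      env:
        - name: VAULT_SKIP_VERIFY
          value: "true"
        - name: VAULT_TOKEN_FILE
          value: "/vault-token/.vault-token"
      image: /dva/consul-template:5-4599880a1446ef527a7b348b2c3a3ee79d04490e
      name: consul-template-init
      resources:
        limits:
          cpu: 100m
          memory: 128Mi
      volumeMounts:
        - mountPath: /config
          name: consul-template-config
        - mountPath: /vault-token
          name: vault-token
          # Mounted read-only: the vault-agent container is responsible for updating this.
          readOnly: true
        - mountPath: /secrets
          name: secrets-volume
  volumes:
    # Certificate, token and keytab material lives on tmpfs (medium: Memory)
    # so it does not reach node disk.
    - emptyDir:
        medium: Memory
      name: ca
    - emptyDir:
        medium: Memory
      name: clientcert
    - emptyDir:
        medium: Memory
      name: servercert
    - emptyDir:
        medium: Memory
      name: tokens
    - emptyDir:
        medium: Memory
      name: keytabs
    - name: svcaccount
      secret:
        secretName: svcaccount
    - name: rsyslog-spool-vol
      emptyDir: {}
    - name: rsyslog-conf-tpl
      emptyDir: {}
    - name: rsyslog-conf-gen
      emptyDir: {}
    - name: vault-token
      emptyDir:
        medium: Memory
    - name: consul-template-config
      configMap:
        name: test-consul-template
    - name: sidecarinjector/egress-container/secrets-volume
      emptyDir:
        medium: Memory
    - name: sidecarinjector/egress-container/aws-iam-credentials
      secret:
        # NOTE(review): this uses a single-brace {% ... %} delimiter while every
        # other expression in the file uses {{% ... %}}, and the single quotes
        # are part of the plain scalar, so they would end up in the Secret
        # name — confirm this renders to the intended Secret.
        secretName: aws-iam-'{% .Spec.ServiceAccountName %}'
    - name: helmcharts-demo/test-template/test-volume-1
      emptyDir:
        medium: Memory
  # NOTE(review): volumeMounts is not a Pod spec field; it is placed here,
  # beside volumes/containers, following the source order — confirm how the
  # injector applies this list.
  volumeMounts:
    - mountPath: /etc/pki_service/ca
      name: ca
    - mountPath: /etc/identity/ca
      name: ca
    - mountPath: /etc/identity/client
      name: clientcert
    - mountPath: /etc/identity/server
      name: servercert
    - mountPath: /etc/keytabs
      name: keytabs
    - mountPath: "/secrets/serviceaccount"
      name: svcaccount
    - mountPath: /secrets
      name: secrets-volume
  containers:
    - name: simple-sidecar
    - name: rsyslog-sidecar
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/sfdc_rsyslog_gcp:17
      volumeMounts:
        - name: rsyslog-spool-vol
          mountPath: /var/spool/rsyslog
        - name: rsyslog-conf-gen
          subPath: rsyslog.conf
          mountPath: /etc/rsyslog.conf
    - name: rsyslog-test-sidecar
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/sfdc_rsyslog_gcp:17
    # Long-running madkub refresher: same flow as madkub-init, plus --refresher
    # so certificates are renewed for the life of the pod.
    - args:
        - "/sam/madkub-client"
        - "--mode"
        - gcpserviceaccount
        - "--sa-secret"
        - "/secrets/serviceaccount/key.json"
        - "--maddog-endpoint"
        - https://10.168.193.16:8443
        - "--maddog-server-ca"
        - "/etc/pki_service/ca/cacerts.pem"
        - "--cert-folders"
        - clientcert:/etc/identity
        - "--cert-folders"
        - servercert:/etc/identity
        - "--cert-types"
        - clientcert:client
        - "--cert-types"
        - servercert:server
        - "--refresher"
        - "--run-init-for-refresher-mode"
        - "--ca-folder"
        - "/etc/pki_service/ca/"
      env:
        - name: MADKUB_NODENAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: MADKUB_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: MADKUB_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/sam/madkub:122
      name: madkub-refresher
      resources: {}
      volumeMounts:
        - mountPath: /etc/pki_service/ca
          name: ca
        - mountPath: /etc/identity/ca
          name: ca
        - mountPath: /etc/identity/client
          name: clientcert
        - mountPath: /etc/identity/server
          name: servercert
        - mountPath: "/secrets/serviceaccount"
          name: svcaccount

    # Long-running Vault agent keeping the token in vault-token fresh. Unlike
    # vault-agent-init it sets no VAULT_ADDR here; presumably that comes from
    # vault-agent.hcl — confirm.
    - name: vault-agent
      args:
        - agent
        - --
        - -config=/vault/vault-agent.hcl
      env:
        - name: VAULT_ROLE
          value: {{% index .Annotations "vault.k8s-integration.sfdc.com/role" %}}
      image: /dva/vault:25-278727b33809917ec0ec40b501176ad3e81757b8
      volumeMounts:
        - mountPath: /vault-token
          name: vault-token
        - mountPath: /meta/aws-iam
          name: aws-iam-credentials
          readOnly: true
      resources:
        limits:
          cpu: 100m
          memory: 128Mi
      securityContext:
        capabilities:
          add: ["IPC_LOCK"]
    # Long-running consul-template; see consul-template-init for the one-shot
    # variant (the trailing argument is "true" there).
    - name: sidecarinjector/egress-container/consul-template
      args:
        - --
        - consul-template
        - -config=/config/consul-template-config.hcl
        # Quoted so it stays a string rather than a YAML boolean.
        - "false"
      env:
        - name: VAULT_SKIP_VERIFY
          value: "true"
        - name: VAULT_TOKEN_FILE
          value: "/vault-token/.vault-token"
      image: /dva/consul-template:5-4599880a1446ef527a7b348b2c3a3ee79d04490e
      resources:
        limits:
          cpu: 100m
          memory: 128Mi
      volumeMounts:
        - mountPath: /config
          name: consul-template-config
        - mountPath: /vault-token
          name: vault-token
          # Mounted read-only: the vault-agent container is responsible for updating this.
          readOnly: true
        - mountPath: /secrets
          name: secrets-volume

    # Despite its name this container runs the Vault agent with the same
    # configuration as vault-agent above.
    - name: vsidecarinjector/egress-container/keymaker-client-refresher-01
      args:
        - agent
        - --
        - -config=/vault/vault-agent.hcl
      env:
        - name: VAULT_ROLE
          value: {{% index .Annotations "vault.k8s-integration.sfdc.com/role" %}}
      image: /dva/vault:25-278727b33809917ec0ec40b501176ad3e81757b8
      volumeMounts:
        - mountPath: /vault-token
          name: vault-token
        - mountPath: /meta/aws-iam
          name: aws-iam-credentials
          readOnly: true
      resources:
        limits:
          cpu: 100m
          memory: 128Mi
      securityContext:
        capabilities:
          add: ["IPC_LOCK"]

    # Despite its name this container runs the rsyslog image with the same
    # mounts as rsyslog-sidecar above.
    - name: sidecarinjector/egress-container/consul-template-01
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/sfdc_rsyslog_gcp:17
      volumeMounts:
        - name: rsyslog-spool-vol
          mountPath: /var/spool/rsyslog
        - name: rsyslog-conf-gen
          subPath: rsyslog.conf
          mountPath: /etc/rsyslog.conf

    - name: sidecarinjector/egress-container/simple-sidecar-01
    - name: vsidecarinjector/egress-container/vault-agent-01
      image: gcr.io/gsf-mgmt-devmvp-spinnaker/dva/sfdc_rsyslog_gcp:17
      volumeMounts:
        - name: rsyslog-spool-vol
          mountPath: /var/spool/rsyslog
        - name: rsyslog-conf-gen
          subPath: rsyslog.conf
          mountPath: /etc/rsyslog.conf
      args:
        - onemut
        - twomut
        - one

    # Test fixtures for the injector's container policies.
    - name: sidecarinjector/test-template/to-test-latte-1  # merge policy
      image: imagemut1
      args:
        - arg11mut
        - arg12mut
        # NOTE(review): a bare "-" yields a null entry in args; if it is not a
        # deliberate fixture for the merge-policy test, drop it.
        -
    - name: sidecarinjector/test-template/to-test-latte-2  # replace policy
      image: imagemut2
      env:
        - name: ENV_21
          value: "true"

    - name: sidecarinjector/test-template/to-test-latte-new1  # new container 1
      image: imagemutnew1
      env:
        - name: ENV_1_ADD
          value: "true"
    - name: sidecarinjector/test-template/to-test-latte-new2  # new container 2
      image: imagemutnew2
      args:
        - argnew11mut
        - argnew12mut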