diff --git a/README.md b/README.md index 6dc5d0ae..40b93b41 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,10 @@ To deploy the helm chart, run: `helm install helm/chart/maesh --namespace maesh --set image.pullPolicy=IfNotPresent --set image.tag=latest` +Note: The chart uses the `local-path` provisioner for k3s, but you can override that using: + +`helm install helm/chart/maesh --namespace maesh --set image.pullPolicy=IfNotPresent --set image.tag=latest --set metrics.storageClass=hostpath` + ## Usage To use maesh, instead of referencing services via their normal `.`, instead use `..maesh`. diff --git a/helm/chart/maesh/charts/metrics/templates/grafana-pdb.yaml b/helm/chart/maesh/charts/metrics/templates/grafana-pdb.yaml new file mode 100644 index 00000000..77505f9c --- /dev/null +++ b/helm/chart/maesh/charts/metrics/templates/grafana-pdb.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: grafana + labels: + app: {{ .Release.Name | quote }} + chart: {{ include "maesh.chartLabel" . | quote }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +spec: + minAvailable: 1 + selector: + matchLabels: + app: grafana + component: core diff --git a/helm/chart/maesh/charts/metrics/templates/grafana.yaml b/helm/chart/maesh/charts/metrics/templates/grafana.yaml index 9be10af7..003311b9 100644 --- a/helm/chart/maesh/charts/metrics/templates/grafana.yaml +++ b/helm/chart/maesh/charts/metrics/templates/grafana.yaml @@ -18,13 +18,19 @@ spec: app: grafana component: core spec: + serviceAccountName: grafana-k8s + automountServiceAccountToken: false securityContext: + runAsNonRoot: true runAsUser: 472 fsGroup: 472 containers: - image: {{ .Values.image.grafana | quote }} name: grafana-core imagePullPolicy: IfNotPresent + ports: + - name: web + containerPort: 3000 resources: limits: cpu: 100m 
@@ -32,13 +38,15 @@ spec: requests: cpu: 100m memory: 100Mi - # env: - # - name: GF_PATHS_CONFIG - # value: /var/grafana/grafana.ini readinessProbe: httpGet: path: /login - port: 3000 + port: web + livenessProbe: + tcpSocket: + port: web + initialDelaySeconds: 5 + periodSeconds: 10 volumeMounts: - name: metrics-storage mountPath: /var/lib/grafana @@ -145,8 +153,8 @@ spec: ports: - port: 3000 selector: - app: {{ .Release.Name | quote }} - component: grafana + app: grafana + component: core --- {{- $files := .Files }} diff --git a/helm/chart/maesh/charts/metrics/templates/prometheus-pdb.yaml b/helm/chart/maesh/charts/metrics/templates/prometheus-pdb.yaml new file mode 100644 index 00000000..e5c69c88 --- /dev/null +++ b/helm/chart/maesh/charts/metrics/templates/prometheus-pdb.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: prometheus + labels: + app: {{ .Release.Name | quote }} + chart: {{ include "maesh.chartLabel" . | quote }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +spec: + minAvailable: 1 + selector: + matchLabels: + app: prometheus + component: core diff --git a/helm/chart/maesh/charts/metrics/templates/prometheus.yaml b/helm/chart/maesh/charts/metrics/templates/prometheus.yaml index 73acd42c..5bfa5fba 100644 --- a/helm/chart/maesh/charts/metrics/templates/prometheus.yaml +++ b/helm/chart/maesh/charts/metrics/templates/prometheus.yaml @@ -86,6 +86,7 @@ spec: component: core spec: serviceAccountName: prometheus-k8s + automountServiceAccountToken: true securityContext: fsGroup: 2000 runAsUser: 1000 @@ -101,6 +102,15 @@ spec: ports: - name: webui containerPort: 9090 + readinessProbe: + httpGet: + path: "/" + port: webui + initialDelaySeconds: 5 + livenessProbe: + tcpSocket: + port: webui + initialDelaySeconds: 5 resources: requests: cpu: 500m 
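Review bot: The pod `securityContext` under `serviceAccountName: prometheus-k8s` in prometheus.yaml keeps `fsGroup: 2000` and `runAsUser: 1000` but does not get the `runAsNonRoot: true` that the Grafana, Jaeger, controller and mesh pods receive in this commit. Adding `runAsNonRoot: true` there would refuse the container if the UID is ever changed to 0 through an image or values change. Because `automountServiceAccountToken: true` is now explicit, a short comment such as `# token required for Kubernetes service discovery` would record why this pod is the exception; confirm that reason against the scrape config, which is not visible here. The securityContext block continues past the end of the hunk.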
@@ -168,5 +178,5 @@ spec: protocol: TCP name: webui selector: - app: {{ .Release.Name | quote }} - component: prometheus + app: prometheus + component: core diff --git a/helm/chart/maesh/charts/metrics/templates/rbac.yaml b/helm/chart/maesh/charts/metrics/templates/rbac.yaml index 5edff58a..996f7b14 100644 --- a/helm/chart/maesh/charts/metrics/templates/rbac.yaml +++ b/helm/chart/maesh/charts/metrics/templates/rbac.yaml @@ -54,3 +54,14 @@ metadata: chart: {{ include "maesh.chartLabel" . | quote }} release: {{ .Release.Name | quote }} heritage: {{ .Release.Service | quote }} + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: grafana-k8s + namespace: {{ .Release.Namespace }} + labels: + chart: {{ include "maesh.chartLabel" . | quote }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} diff --git a/helm/chart/maesh/charts/metrics/templates/storage.yaml b/helm/chart/maesh/charts/metrics/templates/storage.yaml index 4156184f..f93d9170 100644 --- a/helm/chart/maesh/charts/metrics/templates/storage.yaml +++ b/helm/chart/maesh/charts/metrics/templates/storage.yaml @@ -14,7 +14,7 @@ spec: resources: requests: storage: 10Gi - storageClassName: local-path + storageClassName: {{ .Values.storageClass }} --- apiVersion: v1 @@ -32,4 +32,4 @@ spec: resources: requests: storage: 10Gi - storageClassName: local-path + storageClassName: {{ .Values.storageClass }} diff --git a/helm/chart/maesh/charts/metrics/values.yaml b/helm/chart/maesh/charts/metrics/values.yaml index 8898f0e3..a5d265e3 100644 --- a/helm/chart/maesh/charts/metrics/values.yaml +++ b/helm/chart/maesh/charts/metrics/values.yaml @@ -1,3 +1,4 @@ image: prometheus: prom/prometheus:v2.11.1 grafana: grafana/grafana:6.2.5 +storageClass: local-path diff --git a/helm/chart/maesh/charts/tracing/templates/jaeger-deployment.yaml b/helm/chart/maesh/charts/tracing/templates/jaeger-deployment.yaml new file mode 100644 index 00000000..e393ee6e --- /dev/null 
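Review bot: `storageClassName: {{ .Values.storageClass }}` in both storage.yaml hunks renders the value unquoted, while the other templated scalars in this chart are passed through `| quote`. A value given with `--set metrics.storageClass=...` that is empty or looks like a number or boolean would be retyped by the YAML parser, giving a null or non-string field in the rendered manifest. Suggest `storageClassName: {{ .Values.storageClass | quote }}` in both specs. Both resource definitions start outside their hunks.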
+++ b/helm/chart/maesh/charts/tracing/templates/jaeger-deployment.yaml 
@@ -0,0 +1,93 @@
+#
+# Copyright 2017-2019 The Jaeger Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: jaeger
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: jaeger
+ app.kubernetes.io/name: jaeger
+ app.kubernetes.io/component: all-in-one
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: jaeger
+ app.kubernetes.io/name: jaeger
+ app.kubernetes.io/component: all-in-one
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "16686"
+ spec:
+ serviceAccountName: jaeger
+ automountServiceAccountToken: false
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 999
+ containers:
+ - env:
+ - name: COLLECTOR_ZIPKIN_HTTP_PORT
+ value: "9411"
+ image: {{ .Values.image.jaeger | quote }}
+ name: jaeger
+ ports:
+ - containerPort: 5775
+ protocol: UDP
+ name: thrift-legacy
+ - containerPort: 6831
+ protocol: UDP
+ name: compact-thrift
+ - containerPort: 6832
+ protocol: UDP
+ name: binary-thrift
+ - containerPort: 5778
+ protocol: TCP
+ name: serve-configs
+ - containerPort: 9411
+ protocol: TCP
+ name: collector-zip
+ - containerPort: 14267
+ protocol: TCP
+ name: collector-tch
+ - containerPort: 14268
+ protocol: TCP
+ name: collector-http
+ - containerPort: 14269
+ protocol: TCP
+ name: readiness
+ - containerPort: 16686
+ protocol: TCP
+ name: serve-frontend
+ readinessProbe:
+ httpGet:
+ path: "/"
+ port: readiness
+ initialDelaySeconds: 5
+ livenessProbe:
+ tcpSocket:
+ port: readiness
+ initialDelaySeconds: 5
+ resources:
+ requests:
+ memory: "50Mi"
+ cpu: "100m"
+ limits:
+ memory: "100Mi"
+ cpu: "200m"
diff --git a/helm/chart/maesh/charts/tracing/templates/jaeger-pdb.yaml b/helm/chart/maesh/charts/tracing/templates/jaeger-pdb.yaml
new file mode 100644
index 00000000..e17f24f4
--- /dev/null
+++ b/helm/chart/maesh/charts/tracing/templates/jaeger-pdb.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: jaeger
+ labels:
+ app: {{ .Release.Name | quote }}
+ chart: {{ include "maesh.chartLabel" . | quote }}
+ release: {{ .Release.Name | quote }}
+ heritage: {{ .Release.Service | quote }}
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app: jaeger
+ app.kubernetes.io/name: jaeger
+ app.kubernetes.io/component: all-in-one
diff --git a/helm/chart/maesh/charts/tracing/templates/jaeger-sa.yaml b/helm/chart/maesh/charts/tracing/templates/jaeger-sa.yaml
new file mode 100644
index 00000000..b3960952
--- /dev/null
+++ b/helm/chart/maesh/charts/tracing/templates/jaeger-sa.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: jaeger
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Release.Name | quote}}
+ chart: {{ include "maesh.chartLabel" . | quote}}
+ release: {{ .Release.Name | quote }}
+ heritage: {{ .Release.Service | quote }}
+automountServiceAccountToken: false
+
diff --git a/helm/chart/maesh/charts/tracing/templates/jaeger-services.yaml b/helm/chart/maesh/charts/tracing/templates/jaeger-services.yaml
new file mode 100644
index 00000000..fd503744
--- /dev/null
+++ b/helm/chart/maesh/charts/tracing/templates/jaeger-services.yaml
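Review bot: `minAvailable: 1` in jaeger-pdb.yaml is paired with `replicas: 1` and `strategy: type: Recreate` in jaeger-deployment.yaml from this same commit, so the budget never allows a voluntary eviction and a node drain will block on the Jaeger pod until someone deletes it by hand. Either raise the replica count or use `maxUnavailable: 1` here, as mesh-pdb.yaml does. The grafana, prometheus and controller budgets added in this commit use the same `minAvailable: 1`; their replica counts are not visible in this diff and should be checked for the same problem.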
@@ -0,0 +1,103 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: jaeger-query
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: jaeger
+ app.kubernetes.io/name: jaeger
+ app.kubernetes.io/component: query
+spec:
+ ports:
+ - name: query-http
+ protocol: TCP
+ port: 16686
+ targetPort: serve-frontend
+ selector:
+ app.kubernetes.io/name: jaeger
+ app.kubernetes.io/component: all-in-one
+ type: ClusterIP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: jaeger-collector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: jaeger
+ app.kubernetes.io/name: jaeger
+ app.kubernetes.io/component: collector
+spec:
+ ports:
+ - name: jaeger-collector-tchannel
+ port: 14267
+ protocol: TCP
+ targetPort: collector-tch
+ - name: jaeger-collector-http
+ port: 14268
+ protocol: TCP
+ targetPort: collector-http
+ - name: jaeger-collector-zipkin
+ port: 9411
+ protocol: TCP
+ targetPort: collector-zip
+ selector:
+ app.kubernetes.io/name: jaeger
+ app.kubernetes.io/component: all-in-one
+ type: ClusterIP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: jaeger-agent
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: jaeger
+ app.kubernetes.io/name: jaeger
+ app.kubernetes.io/component: agent
+spec:
+ ports:
+ - name: agent-zipkin-thrift
+ port: 5775
+ protocol: UDP
+ targetPort: thrift-legacy
+ - name: agent-compact
+ port: 6831
+ protocol: UDP
+ targetPort: compact-thrift
+ - name: agent-binary
+ port: 6832
+ protocol: UDP
+ targetPort: binary-thrift
+ - name: agent-configs
+ port: 5778
+ protocol: TCP
+ targetPort: serve-configs
+ clusterIP: None
+ selector:
+ app.kubernetes.io/name: jaeger
+ app.kubernetes.io/component: all-in-one
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: zipkin
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: jaeger
+ app.kubernetes.io/name: jaeger
+ app.kubernetes.io/component: zipkin
+spec:
+ ports:
+ - name: jaeger-collector-zipkin
+ port: 9411
+ protocol: TCP
+ targetPort: collector-zip
+ clusterIP: None
+ selector:
+ app.kubernetes.io/name: jaeger
+ app.kubernetes.io/component: all-in-one
diff --git a/helm/chart/maesh/charts/tracing/templates/jaeger.yaml b/helm/chart/maesh/charts/tracing/templates/jaeger.yaml
deleted file mode 100644
index 2a58c854..00000000
--- a/helm/chart/maesh/charts/tracing/templates/jaeger.yaml
+++ /dev/null
@@ -1,165 +0,0 @@ -# -# Copyright 2017-2019 The Jaeger Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except -# in compliance with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed under the License -# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express -# or implied. See the License for the specific language governing permissions and limitations under -# the License. -# - ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: jaeger - namespace: {{ .Release.Namespace }} - labels: - app: jaeger - app.kubernetes.io/name: jaeger - app.kubernetes.io/component: all-in-one -spec: - replicas: 1 - strategy: - type: Recreate - template: - metadata: - labels: - app: jaeger - app.kubernetes.io/name: jaeger - app.kubernetes.io/component: all-in-one - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "16686" - spec: - containers: - - env: - - name: COLLECTOR_ZIPKIN_HTTP_PORT - value: "9411" - image: {{ .Values.image.jaeger | quote }} - name: jaeger - ports: - - containerPort: 5775 - protocol: UDP - - containerPort: 6831 - protocol: UDP - - containerPort: 6832 - protocol: UDP - - containerPort: 5778 - protocol: TCP - - containerPort: 16686 - protocol: TCP - - containerPort: 9411 - protocol: TCP - readinessProbe: - httpGet: - path: "/" - port: 14269 - initialDelaySeconds: 5 - ---- -apiVersion: v1 -kind: Service -metadata: - name: jaeger-query - namespace: {{ .Release.Namespace }} - labels: - app: jaeger - app.kubernetes.io/name: jaeger - app.kubernetes.io/component: query -spec: - ports: - - name: query-http - protocol: TCP - port: 16686 - selector: - app.kubernetes.io/name: jaeger - app.kubernetes.io/component: all-in-one - type: ClusterIP - ---- -apiVersion: v1 -kind: Service -metadata: - name: 
jaeger-collector - namespace: {{ .Release.Namespace }} - labels: - app: jaeger - app.kubernetes.io/name: jaeger - app.kubernetes.io/component: collector -spec: - ports: - - name: jaeger-collector-tchannel - port: 14267 - protocol: TCP - targetPort: 14267 - - name: jaeger-collector-http - port: 14268 - protocol: TCP - targetPort: 14268 - - name: jaeger-collector-zipkin - port: 9411 - protocol: TCP - targetPort: 9411 - selector: - app.kubernetes.io/name: jaeger - app.kubernetes.io/component: all-in-one - type: ClusterIP - ---- -apiVersion: v1 -kind: Service -metadata: - name: jaeger-agent - namespace: {{ .Release.Namespace }} - labels: - app: jaeger - app.kubernetes.io/name: jaeger - app.kubernetes.io/component: agent -spec: - ports: - - name: agent-zipkin-thrift - port: 5775 - protocol: UDP - targetPort: 5775 - - name: agent-compact - port: 6831 - protocol: UDP - targetPort: 6831 - - name: agent-binary - port: 6832 - protocol: UDP - targetPort: 6832 - - name: agent-configs - port: 5778 - protocol: TCP - targetPort: 5778 - clusterIP: None - selector: - app.kubernetes.io/name: jaeger - app.kubernetes.io/component: all-in-one - ---- -apiVersion: v1 -kind: Service -metadata: - name: zipkin - namespace: {{ .Release.Namespace }} - labels: - app: jaeger - app.kubernetes.io/name: jaeger - app.kubernetes.io/component: zipkin -spec: - ports: - - name: jaeger-collector-zipkin - port: 9411 - protocol: TCP - targetPort: 9411 - clusterIP: None - selector: - app.kubernetes.io/name: jaeger - app.kubernetes.io/component: all-in-one diff --git a/helm/chart/maesh/templates/controller/controller-deployment.yaml b/helm/chart/maesh/templates/controller/controller-deployment.yaml index 95caa614..cf731a17 100644 --- a/helm/chart/maesh/templates/controller/controller-deployment.yaml +++ b/helm/chart/maesh/templates/controller/controller-deployment.yaml 
@@ -26,6 +26,10 @@ spec: prometheus.io/port: "4646" spec: serviceAccountName: maesh-controller + automountServiceAccountToken: true + securityContext: + runAsNonRoot: true + runAsUser: 999 affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: @@ -66,9 +70,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE + resources: + requests: + memory: "50Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "200m" diff --git a/helm/chart/maesh/templates/controller/controller-pdb.yaml b/helm/chart/maesh/templates/controller/controller-pdb.yaml new file mode 100644 index 00000000..b46c2785 --- /dev/null +++ b/helm/chart/maesh/templates/controller/controller-pdb.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: maesh-controller + labels: + app: {{ .Release.Name | quote }} + chart: {{ include "maesh.chartLabel" . | quote }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +spec: + minAvailable: 1 + selector: + matchLabels: + app: {{ .Release.Name | quote }} + component: controller + release: {{ .Release.Name | quote }} diff --git a/helm/chart/maesh/templates/controller/controller-rbac.yaml b/helm/chart/maesh/templates/controller/controller-rbac.yaml index 7b4b506f..6718b847 100644 --- a/helm/chart/maesh/templates/controller/controller-rbac.yaml +++ b/helm/chart/maesh/templates/controller/controller-rbac.yaml @@ -1,15 +1,4 @@ --- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: maesh-controller - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Release.Name | quote}} - chart: {{ include "maesh.chartLabel" . | quote}} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} ---- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: 
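Review bot: The second hunk of controller-deployment.yaml removes the container `securityContext` that dropped `ALL` capabilities, and the pod-level `runAsNonRoot`/`runAsUser: 999` added in the first hunk does not replace it. The capability bounding set reverts to the runtime default and nothing sets `allowPrivilegeEscalation: false`, so a setuid or file-capability binary in the image could still gain privileges. If `NET_BIND_SERVICE` was removed because the process no longer binds low ports, keep the `drop` without the `add`, placed next to the new `resources:` block as sketched below. The last hunk of mesh-daemonset.yaml makes the same removal and needs the same change; both container specs start outside their hunks.

```yaml
        # … unchanged: env / fieldRef: metadata.namespace …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
        resources:
          # … unchanged: requests / limits …
```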
diff --git a/helm/chart/maesh/templates/controller/controller-sa.yaml b/helm/chart/maesh/templates/controller/controller-sa.yaml new file mode 100644 index 00000000..867a19fa --- /dev/null +++ b/helm/chart/maesh/templates/controller/controller-sa.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: maesh-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Release.Name | quote}} + chart: {{ include "maesh.chartLabel" . | quote}} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} diff --git a/helm/chart/maesh/templates/mesh/mesh-daemonset.yaml b/helm/chart/maesh/templates/mesh/mesh-daemonset.yaml index 86e659bf..af62faa3 100644 --- a/helm/chart/maesh/templates/mesh/mesh-daemonset.yaml +++ b/helm/chart/maesh/templates/mesh/mesh-daemonset.yaml @@ -22,6 +22,10 @@ spec: release: {{ .Release.Name | quote }} spec: serviceAccountName: maesh-mesh + automountServiceAccountToken: false + securityContext: + runAsNonRoot: true + runAsUser: 999 terminationGracePeriodSeconds: 30 {{- if .Values.tracing.enabled }} initContainers: @@ -29,6 +33,13 @@ spec: image: groundnuty/k8s-wait-for:v1.2 imagePullPolicy: Always args: ["service", "-lapp.kubernetes.io/name=jaeger-agent"] + resources: + requests: + memory: "10Mi" + cpu: "50m" + limits: + memory: "20Mi" + cpu: "100m" {{- end }} {{- if .Values.image.pullSecret }} imagePullSecrets: 
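Review bot: `automountServiceAccountToken: false` in the first mesh-daemonset.yaml hunk also covers the tracing init container whose `resources:` the second hunk adds, and that container (`groundnuty/k8s-wait-for` with `args: ["service", ...]`) appears to wait by querying the Kubernetes API. With no token mounted, and with the ClusterRole and binding in mesh-rbac.yaml deleted by this commit, the wait probably cannot succeed and the pod would stay in `Init` whenever `tracing.enabled` is set. If the wait is kept, give it a token bound to a namespaced Role limited to `get`/`list` on `services` rather than restoring the old cluster-wide role, which also granted read on `secrets`. It is also worth checking the selector `-lapp.kubernetes.io/name=jaeger-agent`, since jaeger-services.yaml in this commit labels the `jaeger-agent` Service `app.kubernetes.io/name: jaeger`. The pod spec starts and ends outside both hunks.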
@@ -58,15 +69,28 @@ spec: {{- if .Values.metrics.enabled }} - "--metrics.prometheus" {{- end }} + ports: + - name: readiness + containerPort: 1081 + - name: liveness + containerPort: 10000 + - name: api + containerPort: 8080 readinessProbe: httpGet: path: /ping - port: 1081 + port: readiness initialDelaySeconds: 3 periodSeconds: 1 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE + livenessProbe: + tcpSocket: + port: liveness + initialDelaySeconds: 3 + periodSeconds: 1 + resources: + requests: + memory: "50Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "200m" diff --git a/helm/chart/maesh/templates/mesh/mesh-pdb.yaml b/helm/chart/maesh/templates/mesh/mesh-pdb.yaml new file mode 100644 index 00000000..56708c43 --- /dev/null +++ b/helm/chart/maesh/templates/mesh/mesh-pdb.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: maesh-mesh + labels: + app: {{ .Release.Name | quote }} + chart: {{ include "maesh.chartLabel" . | quote }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +spec: + maxUnavailable: 1 + selector: + matchLabels: + app: {{ .Release.Name | quote }} + component: maesh-mesh + release: {{ .Release.Name | quote }} diff --git a/helm/chart/maesh/templates/mesh/mesh-rbac.yaml b/helm/chart/maesh/templates/mesh/mesh-rbac.yaml deleted file mode 100644 index cb1913c2..00000000 --- a/helm/chart/maesh/templates/mesh/mesh-rbac.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: maesh-mesh - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Release.Name | quote}} - chart: {{ include "maesh.chartLabel" . | quote}} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: maesh-mesh-role - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Release.Name | quote}} - chart: {{ include "maesh.chartLabel" . | quote}} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -rules: - - apiGroups: - - "" - resources: - - services - - endpoints - - namespaces - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses - verbs: - - get - - list - - watch ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: maesh-mesh - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Release.Name | quote}} - chart: {{ include "maesh.chartLabel" . | quote}} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: maesh-mesh-role -subjects: -- kind: ServiceAccount - name: maesh-mesh - namespace: {{ .Release.Namespace }} diff --git a/helm/chart/maesh/templates/mesh/mesh-sa.yaml b/helm/chart/maesh/templates/mesh/mesh-sa.yaml new file mode 100644 index 00000000..a4a6dec5 --- /dev/null +++ b/helm/chart/maesh/templates/mesh/mesh-sa.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: maesh-mesh + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Release.Name | quote}} + chart: {{ include "maesh.chartLabel" . | quote}} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +automountServiceAccountToken: false + 
diff --git a/helm/chart/maesh/templates/mesh/mesh-service.yaml b/helm/chart/maesh/templates/mesh/mesh-service.yaml index 3393178d..4cd22058 100644 --- a/helm/chart/maesh/templates/mesh/mesh-service.yaml +++ b/helm/chart/maesh/templates/mesh/mesh-service.yaml @@ -10,5 +10,6 @@ spec: ports: - port: 8080 name: mesh-api + targetPort: api selector: component: maesh-mesh diff --git a/spinach.yaml b/spinach.yaml new file mode 100644 index 00000000..33fe6336 --- /dev/null +++ b/spinach.yaml @@ -0,0 +1,7 @@ +# Severities: Ok: 0, Info: 1, Warn: 2, Error: 3 +popeye: + codes: + 301: + severity: 1 # Set severity level to Info if pod needs to connect to the API. + 302: + severity: 1 # Set severity level to Info if pod needs to run as root.
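Review bot: Both overrides in spinach.yaml apply to every resource the scan covers, not only to the workloads that need them, so a pod added later that mounts a service-account token (301) or may run as root (302) is reported as Info and no longer fails a lint gate. In this diff only the controller and Prometheus pods set `automountServiceAccountToken: true`, and none of the pods touched is configured to run as root, so the 302 downgrade in particular looks broader than the chart requires. Prefer keeping the default severities and excluding the named workloads, if the Popeye version in use supports per-resource exclusions. At minimum, extend the two comments to name the pods that justify each downgrade, e.g. `# maesh-controller and prometheus need API access`.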