---
# Ambassador edge proxy for staging, with a statsd-to-Prometheus exporter sidecar.
# NOTE(review): extensions/v1beta1 Deployments are no longer served from
# Kubernetes 1.16 on; apps/v1 additionally requires an explicit spec.selector
# that matches the template labels below.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: ambassador-staging
spec:
  replicas: 2
  template:
    metadata:
      labels:
        service: ambassador
        env: staging
      annotations:
        # Opt this pod out of Istio and Consul Connect sidecar injection.
        sidecar.istio.io/inject: 'false'
        consul.hashicorp.com/connect-inject: 'false'
    spec:
      # The ClusterRoleBinding in this file grants this account cluster-wide
      # rights, but only for the ServiceAccount that lives in `default`.
      serviceAccountName: ambassador
      restartPolicy: Always
      volumes:
        - name: stats-exporter-mapping-config
          configMap:
            name: ambassador-config
            items:
              - key: exporterConfiguration
                path: mapping-config.yaml
        # Certificate chain and private key used for TLS towards upstreams.
        # optional: true lets the pod start even when the secret is absent, so
        # a missing secret shows up later as an upstream TLS failure.
        - name: istio-certs
          secret:
            secretName: istio.default
            optional: true
      # NOTE(review): neither container sets a securityContext or is pinned by
      # image digest (image@sha256:<DIGEST>); both are worth adding once
      # verified against the images.
      containers:
        - name: ambassador
          image: quay.io/datawire/ambassador:0.50.0
          env:
            - name: AMBASSADOR_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # This instance only loads Ambassador resources whose
            # ambassador_id matches this value.
            - name: AMBASSADOR_ID
              value: ambassador-staging
          ports:
            - containerPort: 80
              name: http
            - containerPort: 443
              name: https
            # 8877 serves the health checks below and the diagnostics UI;
            # keep it off untrusted networks.
            - containerPort: 8877
              name: admin
          resources:
            requests:
              cpu: 200m
              memory: 100Mi
            limits:
              cpu: 1
              memory: 400Mi
          livenessProbe:
            initialDelaySeconds: 30
            periodSeconds: 3
            httpGet:
              port: 8877
              path: /ambassador/v0/check_alive
          readinessProbe:
            initialDelaySeconds: 30
            periodSeconds: 3
            httpGet:
              port: 8877
              path: /ambassador/v0/check_ready
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/istiocerts/
              readOnly: true
        # Sidecar: receives statsd on 8125 and serves Prometheus metrics on 9102.
        # NOTE(review): no resource requests/limits are set for this container.
        - name: statsd-sink
          image: datawire/prom-statsd-exporter:0.6.0
          args:
            - '-statsd.listen-address=:8125'
            - '-statsd.mapping-config=/statsd-exporter/mapping-config.yaml'
          ports:
            - containerPort: 9102
              name: metrics
            - containerPort: 8125
              name: listener
          volumeMounts:
            - name: stats-exporter-mapping-config
              mountPath: /statsd-exporter/
              readOnly: true
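---
# Public entry point: an AWS load balancer in front of the ambassador-staging pods.
# The `---` above is required: without it this Service shares a YAML document
# with the preceding Deployment and their top-level keys (apiVersion, kind,
# metadata, spec) collide.
apiVersion: v1
kind: Service
metadata:
  name: ambassador-staging
  annotations:
    # Wildcard DNS record managed by external-dns.
    external-dns.alpha.kubernetes.io/hostname: '*.staging.<REDACTED>.io'
    # TLS is terminated on the load balancer with this ACM certificate.
    # NOTE(review): ssl-ports '*' applies the certificate to every listener,
    # port 80 included; confirm that is intended alongside
    # redirect_cleartext_from: 80 in the tls Module below.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 'arn:aws:acm:us-east-1:<REDACTED>'
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: '*'
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'tcp'
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
    # The load balancer prepends a PROXY protocol header; use_proxy_proto below
    # makes Ambassador take the client address from it. Because that header is
    # trusted from any peer, ports 80/443 on the pods (and the node ports this
    # Service allocates) should be reachable only through the load balancer.
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
    # NOTE(review): the Deployment sets AMBASSADOR_ID=ambassador-staging, but
    # only the first Module below carries ambassador_id. Ambassador loads only
    # resources whose ambassador_id matches, so confirm the TracingService and
    # the tls Module (whose `upstream` context the croc-hunter Mapping
    # references) are actually picked up.
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v1
      kind: Module
      name: ambassador # name must be ambassador
      ambassador_id: ambassador-staging
      config:
        use_proxy_proto: true
        use_remote_address: true
      # enable zipkin tracing
      ---
      apiVersion: ambassador/v1
      kind: TracingService
      name: tracing
      service: "zipkin.istio-system:9411"
      driver: zipkin
      config: {}
      # modify ambassador to use the new certs for istio enabled svcs
      ---
      apiVersion: ambassador/v1
      kind: Module
      name: tls
      config:
        server:
          enabled: True
          redirect_cleartext_from: 80
        client:
          enabled: False
        upstream:
          cert_chain_file: /etc/istiocerts/cert-chain.pem
          private_key_file: /etc/istiocerts/key.pem
spec:
  externalTrafficPolicy: Cluster
  type: LoadBalancer
  ports:
    - name: ambassador-http
      port: 80
      targetPort: 80
    - name: ambassador-https
      port: 443
      targetPort: 443
  selector:
    service: ambassador
    env: staging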
---
# In-cluster scrape target for the statsd-sink sidecar's Prometheus endpoint.
# ClusterIP keeps the metrics port off node and load-balancer addresses.
apiVersion: v1
kind: Service
metadata:
  name: ambassador-monitor
  labels:
    app: ambassador
    env: staging
    service: ambassador-monitor
spec:
  type: ClusterIP
  selector:
    service: ambassador
    env: staging
  ports:
    # No targetPort is given, so traffic goes to container port 9102.
    - name: prometheus-metrics
      port: 9102
---
# exposes diagnostics UI
# NOTE(review): type NodePort publishes port 8877 on every node's address, and
# nothing in this manifest puts authentication or a NetworkPolicy in front of
# it. The diagnostics UI discloses the proxy's configuration, so prefer
# `type: ClusterIP` reached through `kubectl port-forward`, or make sure the
# allocated node port is firewalled.
# The selector has no `env` label, so it matches every pod labelled
# `service: ambassador`, not just the staging ones.
apiVersion: v1
kind: Service
metadata:
  name: ambassador-admin
  labels:
    service: ambassador-admin
spec:
  type: NodePort
  selector:
    service: ambassador
  ports:
    - name: ambassador-admin
      targetPort: 8877
      port: 8877
---
# Cluster-wide permissions for the ambassador ServiceAccount.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes
# 1.22; rbac.authorization.k8s.io/v1 accepts the same fields.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: ambassador
rules:
  # Services carry the getambassador.io/config annotations used in this file.
  - apiGroups: ['']
    resources: ['services']
    verbs: ['get', 'list', 'watch']
  # Write access to ConfigMaps applies in every namespace.
  - apiGroups: ['']
    resources: ['configmaps']
    verbs: ['create', 'update', 'patch', 'get', 'list', 'watch']
  # NOTE(review): because this is a ClusterRole bound by a ClusterRoleBinding,
  # the proxy can read every Secret in every namespace, so a compromised
  # ambassador pod exposes all of them. If only TLS secrets from specific
  # namespaces are needed, namespaced Role/RoleBinding objects narrow this.
  - apiGroups: ['']
    resources: ['secrets']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['']
    resources: ['namespaces']
    verbs: ['get', 'list', 'watch']
---
# Identity the ambassador-staging pods run as (serviceAccountName: ambassador).
# No namespace is set, so the account is created in whichever namespace the
# manifest is applied to; the ClusterRoleBinding in this file only names the
# account in `default`.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ambassador
---
# Grants the `ambassador` ClusterRole to the ServiceAccount across the cluster.
# The subject is pinned to namespace `default`: an Ambassador deployed in any
# other namespace runs without these permissions.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes
# 1.22; rbac.authorization.k8s.io/v1 accepts the same fields.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: ambassador
subjects:
  - kind: ServiceAccount
    name: ambassador
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ambassador
---
# Backend Service for the croc-hunter demo app; the annotation registers an
# Ambassador Mapping that routes the staging hostname to it.
apiVersion: v1
kind: Service
metadata:
  name: croc-hunter-staging
  namespace: upd-services
  annotations:
    # `tls: upstream` points at the `upstream` context of the tls Module
    # declared on the ambassador-staging Service.
    # NOTE(review): that Module has no ambassador_id while this Mapping does;
    # confirm the instance with AMBASSADOR_ID=ambassador-staging loads both.
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v1
      kind: Mapping
      name: croc-hunter-staging-mapping
      prefix: /
      ambassador_id: ambassador-staging
      tls: upstream
      service: croc-hunter-staging.upd-services
      host: "croc-hunter.staging.<REDACTED>.io"
spec:
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080
  selector:
    app: nginx
    env: staging
    # Quoted so the all-digit value stays a string.
    branch: '067744'
    team: services
---
# croc-hunter demo workload behind the croc-hunter-staging Service.
# NOTE(review): extensions/v1beta1 Deployments are no longer served from
# Kubernetes 1.16 on; the selector below is already in the form apps/v1 needs.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: croc-hunter-staging
  namespace: upd-services
spec:
  selector:
    matchLabels:
      app: nginx
      env: staging
      branch: '067744'
      team: services
  template:
    metadata:
      labels:
        app: nginx
        env: staging
        branch: '067744'
        team: services
    spec:
      containers:
        # NOTE(review): the image is referenced by tag only, and the container
        # has no resource requests/limits or securityContext.
        - name: croc-hunter-staging
          image: quay.io/lachie83/croc-hunter:master-8da9f3d
          ports:
            - name: http
              containerPort: 8080
          # liveness and readiness probes are failing with SSL test
          # While they stay disabled, the pod counts as ready as soon as the
          # container starts and is never restarted on a hung process.
          # livenessProbe:
          #   httpGet:
          #     path: /
          #     port: http
          #     scheme: HTTPS
          # readinessProbe:
          #   httpGet:
          #     path: /
          #     port: http
          #     scheme: HTTPS