Enable AWS App Mesh #55

wants to merge 15 commits into
base: main
187 changes: 172 additions & 15 deletions terraform/provision/2048_fixture.yml
@@ -1,4 +1,16 @@
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: deployment-2048-cert
namespace: default
spec:
dnsNames:
- "deployment-2048.default.svc.cluster.local"
secretName: deployment-2048-tls
issuerRef:
name: ca-issuer
---
apiVersion: apps/v1
kind: Deployment
metadata:
Expand All @@ -12,13 +24,24 @@ spec:
metadata:
labels:
app.kubernetes.io/name: app-2048
annotations:
appmesh.k8s.aws/secretMounts: ca-key-pair:/etc/keys/2048/
spec:
serviceAccountName: appmesh-pod
containers:
- image: alexwhen/docker-2048
imagePullPolicy: Always
name: app-2048
ports:
- containerPort: 80
volumeMounts:
- mountPath: "/etc/keys/2048"
name: deployment-2048-tls
readOnly: true
volumes:
- name: deployment-2048-tls
secret:
secretName: deployment-2048-tls
---
apiVersion: v1
kind: Service
Expand All @@ -33,21 +56,155 @@ spec:
selector:
app.kubernetes.io/name: app-2048
---
apiVersion: networking.k8s.io/v1
kind: Ingress
apiVersion: appmesh.k8s.aws/v1beta2
kind: VirtualNode
metadata:
namespace: default
name: deployment-2048
spec:
awsName: deployment-2048-virtual-node
podSelector:
matchLabels:
app.kubernetes.io/name: app-2048
listeners:
- portMapping:
port: 80
protocol: http
tls:
certificate:
file:
certificateChain: /etc/keys/2048/tls.crt
privateKey: /etc/keys/2048/tls.key
mode: STRICT
serviceDiscovery:
dns:
hostname: service-2048.default.svc.cluster.local
backendDefaults:
clientPolicy:
tls:
enforce: true
validation:
trust:
file:
certificateChain: /etc/keys/2048/ca.crt
---
apiVersion: appmesh.k8s.aws/v1beta2
kind: VirtualService
metadata:
namespace: default
name: service-2048
spec:
awsName: service-2048-virtual-service
provider:
virtualNode:
virtualNodeRef:
name: deployment-2048

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: gw-2048-cert
namespace: default
spec:
dnsNames:
- "gw-2048.default.svc.cluster.local"
secretName: gw-2048-tls
issuerRef:
name: ca-issuer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gw-2048
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: gw-2048
template:
metadata:
labels:
app: gw-2048
annotations:
appmesh.k8s.aws/secretMounts: ca-key-pair:/etc/keys/2048/
spec:
serviceAccountName: appmesh-pod
containers:
- name: envoy
image: 840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy:v1.19.1.0-prod
ports:
- containerPort: 8443
volumeMounts:
- mountPath: "/etc/keys/2048"
name: gw-2048-tls
readOnly: true
volumes:
- name: gw-2048-tls
secret:
secretName: gw-2048-tls
---
apiVersion: v1
kind: Service
metadata:
name: ingress-2048
name: gw-2048
namespace: default
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "ssl"
spec:
ports:
- port: 443
targetPort: 8443
name: https
type: LoadBalancer
selector:
app: gw-2048
---
apiVersion: appmesh.k8s.aws/v1beta2
kind: VirtualGateway
metadata:
name: gw-2048
namespace: default
spec:
backendDefaults:
clientPolicy:
tls:
enforce: true
namespaceSelector:
matchLabels:
mesh: default
podSelector:
matchLabels:
app: gw-2048
gatewayRouteSelector:
matchLabels:
gateway: gw-2048
listeners:
- portMapping:
port: 8443
protocol: http
tls:
certificate:
file:
certificateChain: /etc/keys/2048/tls.crt
privateKey: /etc/keys/2048/tls.key
mode: STRICT
---
apiVersion: appmesh.k8s.aws/v1beta2
kind: GatewayRoute
metadata:
name: gateway-route
namespace: default
labels:
gateway: gw-2048
spec:
httpRoute:
match:
prefix: "/"
action:
target:
virtualService:
virtualServiceRef:
name: service-2048
port:
number: 80
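Review bot: The `appmesh.k8s.aws/secretMounts: ca-key-pair:/etc/keys/2048/` annotation on both pod templates (app-2048 in the second hunk, gw-2048 in this one) mounts a secret whose name suggests it holds the CA's private key, while the Envoy listener and trust paths under /etc/keys/2048/ only need the leaf certificate, its key and ca.crt. If ca-key-pair is the cert-manager issuer's secret, every mesh pod receives the CA signing key, which undercuts the per-workload Certificates this change introduces; the issued secrets (deployment-2048-tls / gw-2048-tls, which cert-manager should populate with tls.crt, tls.key and ca.crt for a CA issuer) are the ones the sidecar should see, e.g. `appmesh.k8s.aws/secretMounts: deployment-2048-tls:/etc/keys/2048/`. Relatedly, the VirtualGateway's `backendDefaults.clientPolicy.tls` sets `enforce: true` but has no `validation.trust` block, unlike the VirtualNode's clientPolicy earlier in this hunk; without a trust anchor the gateway has nothing to verify the deployment-2048 STRICT listener certificate against (and the controller may reject the spec), so the same `validation.trust.file.certificateChain: /etc/keys/2048/ca.crt` belongs there too. The gateway's Envoy image is pinned by tag only; a digest pin would make the rollout reproducible and tamper-evident.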