Refactor Kustomize components (service-accounts, shopping-assistant) (#…

…2488) * Remove service-accounts component * Refactor shopping-assistant component * Add missing header * Fix typo * Sync kustomize/base * Move GSA annotation for shopping assistant in correct component
GoogleCloudPlatform · Apr 17, 2024 · 20585fa · 20585fa
1 parent bbc5719
commit 20585fa
Show file tree

Hide file tree

Showing 52 changed files with 345 additions and 626 deletions.
diff --git a/kubernetes-manifests/adservice.yaml b/kubernetes-manifests/adservice.yaml
@@ -27,7 +27,7 @@ spec:
       labels:
         app: adservice
     spec:
-      serviceAccountName: default
+      serviceAccountName: adservice
       terminationGracePeriodSeconds: 5
       securityContext:
         fsGroup: 1000
@@ -81,3 +81,8 @@ spec:
   - name: grpc
     port: 9555
     targetPort: 9555
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: adservice
diff --git a/kubernetes-manifests/cartservice.yaml b/kubernetes-manifests/cartservice.yaml
@@ -27,7 +27,7 @@ spec:
       labels:
         app: cartservice
     spec:
-      serviceAccountName: default
+      serviceAccountName: cartservice
       terminationGracePeriodSeconds: 5
       securityContext:
         fsGroup: 1000
@@ -80,3 +80,77 @@ spec:
   - name: grpc
     port: 7070
     targetPort: 7070
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cartservice
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: redis-cart
+  labels:
+    app: redis-cart
+spec:
+  selector:
+    matchLabels:
+      app: redis-cart
+  template:
+    metadata:
+      labels:
+        app: redis-cart
+    spec:
+      securityContext:
+        fsGroup: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+      containers:
+      - name: redis
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+        image: redis:alpine
+        ports:
+        - containerPort: 6379
+        readinessProbe:
+          periodSeconds: 5
+          tcpSocket:
+            port: 6379
+        livenessProbe:
+          periodSeconds: 5
+          tcpSocket:
+            port: 6379
+        volumeMounts:
+        - mountPath: /data
+          name: redis-data
+        resources:
+          limits:
+            memory: 256Mi
+            cpu: 125m
+          requests:
+            cpu: 70m
+            memory: 200Mi
+      volumes:
+      - name: redis-data
+        emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis-cart
+  labels:
+    app: redis-cart
+spec:
+  type: ClusterIP
+  selector:
+    app: redis-cart
+  ports:
+  - name: tcp-redis
+    port: 6379
+    targetPort: 6379
diff --git a/kubernetes-manifests/checkoutservice.yaml b/kubernetes-manifests/checkoutservice.yaml
@@ -27,7 +27,7 @@ spec:
       labels:
         app: checkoutservice
     spec:
-      serviceAccountName: default
+      serviceAccountName: checkoutservice
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
@@ -88,3 +88,8 @@ spec:
   - name: grpc
     port: 5050
     targetPort: 5050
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: checkoutservice
diff --git a/kubernetes-manifests/currencyservice.yaml b/kubernetes-manifests/currencyservice.yaml
@@ -27,7 +27,7 @@ spec:
       labels:
         app: currencyservice
     spec:
-      serviceAccountName: default
+      serviceAccountName: currencyservice
       terminationGracePeriodSeconds: 5
       securityContext:
         fsGroup: 1000
@@ -80,3 +80,8 @@ spec:
   - name: grpc
     port: 7000
     targetPort: 7000
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: currencyservice
diff --git a/kubernetes-manifests/emailservice.yaml b/kubernetes-manifests/emailservice.yaml
@@ -27,7 +27,7 @@ spec:
       labels:
         app: emailservice
     spec:
-      serviceAccountName: default
+      serviceAccountName: emailservice
       terminationGracePeriodSeconds: 5
       securityContext:
         fsGroup: 1000
@@ -81,3 +81,8 @@ spec:
   - name: grpc
     port: 5000
     targetPort: 8080
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: emailservice
diff --git a/kubernetes-manifests/frontend.yaml b/kubernetes-manifests/frontend.yaml
@@ -29,7 +29,7 @@ spec:
       annotations:
         sidecar.istio.io/rewriteAppHTTPProbers: "true"
     spec:
-      serviceAccountName: default
+      serviceAccountName: frontend
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
@@ -90,8 +90,8 @@ spec:
             value: "0"
           # - name: CYMBAL_BRANDING
           #   value: "true"
-          - name: ENABLE_ASSISTANT
-            value: "true"
+          # - name: ENABLE_ASSISTANT
+          #   value: "true"
           # - name: FRONTEND_MESSAGE
           #   value: "Replace this with a message you want to display on all pages."
           # As part of an optional Google Cloud demo, you can run an optional microservice called the "packaging service".
@@ -134,3 +134,8 @@ spec:
   - name: http
     port: 80
     targetPort: 8080
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: frontend
diff --git a/kubernetes-manifests/kustomization.yaml b/kubernetes-manifests/kustomization.yaml
@@ -25,18 +25,15 @@ resources:
  - paymentservice.yaml
  - productcatalogservice.yaml
  - recommendationservice.yaml
- - shoppingassistantservice.yaml
- - redis.yaml
  - shippingservice.yaml
-components:
+# components:
 # - ../kustomize/components/cymbal-branding
 # - ../kustomize/components/google-cloud-operations
 # - ../kustomize/components/memorystore
 # - ../kustomize/components/network-policies
-# - ../kustomize/components/service-accounts
 # - ../kustomize/components/alloydb
+# - ../kustomize/components/shopping-assistant
 # - ../kustomize/components/spanner
 # - ../kustomize/components/container-images-tag
 # - ../kustomize/components/container-images-tag-suffix
 # - ../kustomize/components/container-images-registry
- - ../kustomize/components/disable-shopping-assistant
diff --git a/kubernetes-manifests/loadgenerator.yaml b/kubernetes-manifests/loadgenerator.yaml
@@ -29,7 +29,7 @@ spec:
       annotations:
         sidecar.istio.io/rewriteAppHTTPProbers: "true"
     spec:
-      serviceAccountName: default
+      serviceAccountName: loadgenerator
       terminationGracePeriodSeconds: 5
       restartPolicy: Always
       securityContext:
@@ -82,3 +82,8 @@ spec:
           limits:
             cpu: 500m
             memory: 512Mi
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: loadgenerator
diff --git a/kubernetes-manifests/paymentservice.yaml b/kubernetes-manifests/paymentservice.yaml
@@ -27,7 +27,7 @@ spec:
       labels:
         app: paymentservice
     spec:
-      serviceAccountName: default
+      serviceAccountName: paymentservice
       terminationGracePeriodSeconds: 5
       securityContext:
         fsGroup: 1000
@@ -79,3 +79,8 @@ spec:
   - name: grpc
     port: 50051
     targetPort: 50051
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: paymentservice
diff --git a/kubernetes-manifests/productcatalogservice.yaml b/kubernetes-manifests/productcatalogservice.yaml
@@ -27,7 +27,7 @@ spec:
       labels:
         app: productcatalogservice
     spec:
-      serviceAccountName: default
+      serviceAccountName: productcatalogservice
       terminationGracePeriodSeconds: 5
       securityContext:
         fsGroup: 1000
@@ -79,3 +79,8 @@ spec:
   - name: grpc
     port: 3550
     targetPort: 3550
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: productcatalogservice
diff --git a/kubernetes-manifests/recommendationservice.yaml b/kubernetes-manifests/recommendationservice.yaml
@@ -27,7 +27,7 @@ spec:
       labels:
         app: recommendationservice
     spec:
-      serviceAccountName: default
+      serviceAccountName: recommendationservice
       terminationGracePeriodSeconds: 5
       securityContext:
         fsGroup: 1000
@@ -83,3 +83,8 @@ spec:
   - name: grpc
     port: 8080
     targetPort: 8080
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: recommendationservice
diff --git a/kubernetes-manifests/redis.yaml b/kubernetes-manifests/redis.yaml
diff --git a/kubernetes-manifests/shippingservice.yaml b/kubernetes-manifests/shippingservice.yaml
@@ -27,7 +27,7 @@ spec:
       labels:
         app: shippingservice
     spec:
-      serviceAccountName: default
+      serviceAccountName: shippingservice
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
@@ -79,3 +79,8 @@ spec:
   - name: grpc
     port: 50051
     targetPort: 50051
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: shippingservice
diff --git a/kustomize/README.md b/kustomize/README.md
@@ -82,8 +82,6 @@ Here is the list of the variations available as Kustomize components that you co
 These changes directly affect `cartservice`.
 - [**Secure with Network Policies**](components/network-policies)
   - Deploy fine granular `NetworkPolicies` for Online Boutique.
-- [**Create Kubernetes Service Accounts**](components/service-accounts)
-  - Deploy fine granular `ServiceAccounts` for Online Boutique.
 - [**Update the registry name of the container images**](components/container-images-registry)
 - [**Update the image tag of the container images**](components/container-images-tag)
 - [**Add an image tag suffix to the container images**](components/container-images-tag-suffix)