diff --git a/kubernetes-manifests/adservice.yaml b/kubernetes-manifests/adservice.yaml index 838e4aff5d9..25ff1b7f578 100644 --- a/kubernetes-manifests/adservice.yaml +++ b/kubernetes-manifests/adservice.yaml @@ -27,7 +27,7 @@ spec: labels: app: adservice spec: - serviceAccountName: default + serviceAccountName: adservice terminationGracePeriodSeconds: 5 securityContext: fsGroup: 1000 @@ -81,3 +81,8 @@ spec: - name: grpc port: 9555 targetPort: 9555 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: adservice diff --git a/kubernetes-manifests/cartservice.yaml b/kubernetes-manifests/cartservice.yaml index d8fdc8bf8d0..5470d36453f 100644 --- a/kubernetes-manifests/cartservice.yaml +++ b/kubernetes-manifests/cartservice.yaml @@ -27,7 +27,7 @@ spec: labels: app: cartservice spec: - serviceAccountName: default + serviceAccountName: cartservice terminationGracePeriodSeconds: 5 securityContext: fsGroup: 1000 
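Review bot: The new `ServiceAccount` object added at the end of this hunk (and the matching ones for cartservice, checkoutservice, currencyservice, emailservice, frontend, loadgenerator, paymentservice, productcatalogservice, recommendationservice and shippingservice, in both kubernetes-manifests/ and kustomize/base/) leaves `automountServiceAccountToken` at its default, so each pod now gets an API token for its dedicated identity mounted at /var/run/secrets/kubernetes.io/serviceaccount although nothing in these manifests shows the services talking to the Kubernetes API. Since the purpose of the change is a distinct identity per Deployment (Workload Identity, mesh `AuthorizationPolicy`) rather than API access, add `automountServiceAccountToken: false` under each `ServiceAccount` (or in the pod spec beside the `serviceAccountName` line) and opt back in only for a workload that is shown to need the API. Switching `serviceAccountName` from `default` to `adservice` also changes the principal seen by any RoleBinding, Istio `AuthorizationPolicy` or Workload Identity binding that currently names `default`; if such bindings exist they need re-pointing in the same change, or the rollout drops them silently.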
@@ -80,3 +80,77 @@ spec: - name: grpc port: 7070 targetPort: 7070 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cartservice +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis-cart + labels: + app: redis-cart +spec: + selector: + matchLabels: + app: redis-cart + template: + metadata: + labels: + app: redis-cart + spec: + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: redis + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: redis:alpine + ports: + - containerPort: 6379 + readinessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + livenessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + volumeMounts: + - mountPath: /data + name: redis-data + resources: + limits: + memory: 256Mi + cpu: 125m + requests: + cpu: 70m + memory: 200Mi + volumes: + - name: redis-data + emptyDir: {} +--- +apiVersion: v1 +kind: Service +metadata: + name: redis-cart + labels: + app: redis-cart +spec: + type: ClusterIP + selector: + app: redis-cart + ports: + - name: tcp-redis + port: 6379 + targetPort: 6379 diff --git a/kubernetes-manifests/checkoutservice.yaml b/kubernetes-manifests/checkoutservice.yaml index 56e5c41d562..c7dc5a0d9d8 100644 --- a/kubernetes-manifests/checkoutservice.yaml +++ b/kubernetes-manifests/checkoutservice.yaml @@ -27,7 +27,7 @@ spec: labels: app: checkoutservice spec: - serviceAccountName: default + serviceAccountName: checkoutservice securityContext: fsGroup: 1000 runAsGroup: 1000 @@ -88,3 +88,8 @@ spec: - name: grpc port: 5050 targetPort: 5050 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: checkoutservice diff --git a/kubernetes-manifests/currencyservice.yaml b/kubernetes-manifests/currencyservice.yaml index 394d513bdc8..58fc03284a9 100644 --- a/kubernetes-manifests/currencyservice.yaml +++ b/kubernetes-manifests/currencyservice.yaml 
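Review bot: The `redis-cart` Deployment moved into cartservice.yaml in this hunk has no `serviceAccountName` in its pod spec, so it keeps running under the namespace `default` ServiceAccount with an API token automounted, while every other Deployment in this commit gets a dedicated identity. The deleted component README states that redis-cart needs no identity of its own, which is exactly the case for `automountServiceAccountToken: false` in the redis-cart template `spec:` (next to `securityContext:`): it stays on `default` but carries no credential. The same applies to the copy added to kustomize/base/cartservice.yaml. `image: redis:alpine` is a floating tag carried over from the deleted redis.yaml; pinning it to a digest (`redis:alpine@sha256:<digest-placeholder>`) or at least a fixed version would make the relocated manifest reproducible and easier to audit.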
@@ -27,7 +27,7 @@ spec: labels: app: currencyservice spec: - serviceAccountName: default + serviceAccountName: currencyservice terminationGracePeriodSeconds: 5 securityContext: fsGroup: 1000 @@ -80,3 +80,8 @@ spec: - name: grpc port: 7000 targetPort: 7000 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: currencyservice diff --git a/kubernetes-manifests/emailservice.yaml b/kubernetes-manifests/emailservice.yaml index b607f77e208..bea781adb7d 100644 --- a/kubernetes-manifests/emailservice.yaml +++ b/kubernetes-manifests/emailservice.yaml @@ -27,7 +27,7 @@ spec: labels: app: emailservice spec: - serviceAccountName: default + serviceAccountName: emailservice terminationGracePeriodSeconds: 5 securityContext: fsGroup: 1000 @@ -81,3 +81,8 @@ spec: - name: grpc port: 5000 targetPort: 8080 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: emailservice diff --git a/kubernetes-manifests/frontend.yaml b/kubernetes-manifests/frontend.yaml index c711f9554d3..5aec4f3d466 100644 --- a/kubernetes-manifests/frontend.yaml +++ b/kubernetes-manifests/frontend.yaml @@ -29,7 +29,7 @@ spec: annotations: sidecar.istio.io/rewriteAppHTTPProbers: "true" spec: - serviceAccountName: default + serviceAccountName: frontend securityContext: fsGroup: 1000 runAsGroup: 1000 @@ -90,8 +90,8 @@ spec: value: "0" # - name: CYMBAL_BRANDING # value: "true" - - name: ENABLE_ASSISTANT - value: "true" + # - name: ENABLE_ASSISTANT + # value: "true" # - name: FRONTEND_MESSAGE # value: "Replace this with a message you want to display on all pages." # As part of an optional Google Cloud demo, you can run an optional microservice called the "packaging service". @@ -134,3 +134,8 @@ spec: - name: http port: 80 targetPort: 8080 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: frontend diff --git a/kubernetes-manifests/kustomization.yaml b/kubernetes-manifests/kustomization.yaml index dd90e64d8f4..bf69f4ea237 100644 --- a/kubernetes-manifests/kustomization.yaml 
+++ b/kubernetes-manifests/kustomization.yaml @@ -25,18 +25,15 @@ resources: - paymentservice.yaml - productcatalogservice.yaml - recommendationservice.yaml - - shoppingassistantservice.yaml - - redis.yaml - shippingservice.yaml -components: +# components: # - ../kustomize/components/cymbal-branding # - ../kustomize/components/google-cloud-operations # - ../kustomize/components/memorystore # - ../kustomize/components/network-policies -# - ../kustomize/components/service-accounts # - ../kustomize/components/alloydb +# - ../kustomize/components/shopping-assistant # - ../kustomize/components/spanner # - ../kustomize/components/container-images-tag # - ../kustomize/components/container-images-tag-suffix # - ../kustomize/components/container-images-registry - - ../kustomize/components/disable-shopping-assistant diff --git a/kubernetes-manifests/loadgenerator.yaml b/kubernetes-manifests/loadgenerator.yaml index 091f2fb10d2..389f019c663 100644 --- a/kubernetes-manifests/loadgenerator.yaml +++ b/kubernetes-manifests/loadgenerator.yaml @@ -29,7 +29,7 @@ spec: annotations: sidecar.istio.io/rewriteAppHTTPProbers: "true" spec: - serviceAccountName: default + serviceAccountName: loadgenerator terminationGracePeriodSeconds: 5 restartPolicy: Always securityContext: @@ -82,3 +82,8 @@ spec: limits: cpu: 500m memory: 512Mi +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: loadgenerator diff --git a/kubernetes-manifests/paymentservice.yaml b/kubernetes-manifests/paymentservice.yaml index 1f372736832..a0a1526f073 100644 --- a/kubernetes-manifests/paymentservice.yaml +++ b/kubernetes-manifests/paymentservice.yaml @@ -27,7 +27,7 @@ spec: labels: app: paymentservice spec: - serviceAccountName: default + serviceAccountName: paymentservice terminationGracePeriodSeconds: 5 securityContext: fsGroup: 1000 @@ -79,3 +79,8 @@ spec: - name: grpc port: 50051 targetPort: 50051 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: paymentservice 
diff --git a/kubernetes-manifests/productcatalogservice.yaml b/kubernetes-manifests/productcatalogservice.yaml index 0682fd09c21..6774650622e 100644 --- a/kubernetes-manifests/productcatalogservice.yaml +++ b/kubernetes-manifests/productcatalogservice.yaml @@ -27,7 +27,7 @@ spec: labels: app: productcatalogservice spec: - serviceAccountName: default + serviceAccountName: productcatalogservice terminationGracePeriodSeconds: 5 securityContext: fsGroup: 1000 @@ -79,3 +79,8 @@ spec: - name: grpc port: 3550 targetPort: 3550 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: productcatalogservice diff --git a/kubernetes-manifests/recommendationservice.yaml b/kubernetes-manifests/recommendationservice.yaml index 81a0d187f0b..2d2c6eed9d3 100644 --- a/kubernetes-manifests/recommendationservice.yaml +++ b/kubernetes-manifests/recommendationservice.yaml @@ -27,7 +27,7 @@ spec: labels: app: recommendationservice spec: - serviceAccountName: default + serviceAccountName: recommendationservice terminationGracePeriodSeconds: 5 securityContext: fsGroup: 1000 @@ -83,3 +83,8 @@ spec: - name: grpc port: 8080 targetPort: 8080 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: recommendationservice diff --git a/kubernetes-manifests/redis.yaml b/kubernetes-manifests/redis.yaml deleted file mode 100644 index 9a7bbb04a30..00000000000 --- a/kubernetes-manifests/redis.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -# Copyright 2018 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: redis-cart - labels: - app: redis-cart -spec: - selector: - matchLabels: - app: redis-cart - template: - metadata: - labels: - app: redis-cart - spec: - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - containers: - - name: redis - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - image: redis:alpine - ports: - - containerPort: 6379 - readinessProbe: - periodSeconds: 5 - tcpSocket: - port: 6379 - livenessProbe: - periodSeconds: 5 - tcpSocket: - port: 6379 - volumeMounts: - - mountPath: /data - name: redis-data - resources: - limits: - memory: 256Mi - cpu: 125m - requests: - cpu: 70m - memory: 200Mi - volumes: - - name: redis-data - emptyDir: {} ---- -apiVersion: v1 -kind: Service -metadata: - name: redis-cart - labels: - app: redis-cart -spec: - type: ClusterIP - selector: - app: redis-cart - ports: - - name: tcp-redis - port: 6379 - targetPort: 6379 diff --git a/kubernetes-manifests/shippingservice.yaml b/kubernetes-manifests/shippingservice.yaml index 190ba99b251..41cd5260d79 100644 --- a/kubernetes-manifests/shippingservice.yaml +++ b/kubernetes-manifests/shippingservice.yaml 
@@ -27,7 +27,7 @@ spec: labels: app: shippingservice spec: - serviceAccountName: default + serviceAccountName: shippingservice securityContext: fsGroup: 1000 runAsGroup: 1000 @@ -79,3 +79,8 @@ spec: - name: grpc port: 50051 targetPort: 50051 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: shippingservice diff --git a/kustomize/README.md b/kustomize/README.md index 7216e8759d1..c153342f282 100644 --- a/kustomize/README.md +++ b/kustomize/README.md @@ -82,8 +82,6 @@ Here is the list of the variations available as Kustomize components that you co These changes directly affect `cartservice`. - [**Secure with Network Policies**](components/network-policies) - Deploy fine granular `NetworkPolicies` for Online Boutique. -- [**Create Kubernetes Service Accounts**](components/service-accounts) - - Deploy fine granular `ServiceAccounts` for Online Boutique. - [**Update the registry name of the container images**](components/container-images-registry) - [**Update the image tag of the container images**](components/container-images-tag) - [**Add an image tag suffix to the container images**](components/container-images-tag-suffix) diff --git a/kustomize/base/adservice.yaml b/kustomize/base/adservice.yaml index 2166c13d6ac..7f311a1637f 100644 --- a/kustomize/base/adservice.yaml +++ b/kustomize/base/adservice.yaml @@ -16,6 +16,8 @@ apiVersion: apps/v1 kind: Deployment metadata: name: adservice + labels: + app: adservice spec: selector: matchLabels: @@ -25,7 +27,7 @@ spec: labels: app: adservice spec: - serviceAccountName: default + serviceAccountName: adservice terminationGracePeriodSeconds: 5 securityContext: fsGroup: 1000 @@ -69,6 +71,8 @@ apiVersion: v1 kind: Service metadata: name: adservice + labels: + app: adservice spec: type: ClusterIP selector: @@ -77,3 +81,8 @@ spec: - name: grpc port: 9555 targetPort: 9555 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: adservice 
diff --git a/kustomize/base/cartservice.yaml b/kustomize/base/cartservice.yaml index fd33416a2bb..100907c38bc 100644 --- a/kustomize/base/cartservice.yaml +++ b/kustomize/base/cartservice.yaml @@ -16,6 +16,8 @@ apiVersion: apps/v1 kind: Deployment metadata: name: cartservice + labels: + app: cartservice spec: selector: matchLabels: @@ -25,7 +27,7 @@ spec: labels: app: cartservice spec: - serviceAccountName: default + serviceAccountName: cartservice terminationGracePeriodSeconds: 5 securityContext: fsGroup: 1000 @@ -68,6 +70,8 @@ apiVersion: v1 kind: Service metadata: name: cartservice + labels: + app: cartservice spec: type: ClusterIP selector: @@ -76,3 +80,77 @@ spec: - name: grpc port: 7070 targetPort: 7070 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cartservice +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis-cart + labels: + app: redis-cart +spec: + selector: + matchLabels: + app: redis-cart + template: + metadata: + labels: + app: redis-cart + spec: + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: redis + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: redis:alpine + ports: + - containerPort: 6379 + readinessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + livenessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + volumeMounts: + - mountPath: /data + name: redis-data + resources: + limits: + memory: 256Mi + cpu: 125m + requests: + cpu: 70m + memory: 200Mi + volumes: + - name: redis-data + emptyDir: {} +--- +apiVersion: v1 +kind: Service +metadata: + name: redis-cart + labels: + app: redis-cart +spec: + type: ClusterIP + selector: + app: redis-cart + ports: + - name: tcp-redis + port: 6379 + targetPort: 6379 diff --git a/kustomize/base/checkoutservice.yaml b/kustomize/base/checkoutservice.yaml index 14b0bfa9ef7..517daab7f9e 100644 
--- a/kustomize/base/checkoutservice.yaml +++ b/kustomize/base/checkoutservice.yaml @@ -16,6 +16,8 @@ apiVersion: apps/v1 kind: Deployment metadata: name: checkoutservice + labels: + app: checkoutservice spec: selector: matchLabels: @@ -25,7 +27,7 @@ spec: labels: app: checkoutservice spec: - serviceAccountName: default + serviceAccountName: checkoutservice securityContext: fsGroup: 1000 runAsGroup: 1000 @@ -76,6 +78,8 @@ apiVersion: v1 kind: Service metadata: name: checkoutservice + labels: + app: checkoutservice spec: type: ClusterIP selector: @@ -84,3 +88,8 @@ spec: - name: grpc port: 5050 targetPort: 5050 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: checkoutservice diff --git a/kustomize/base/currencyservice.yaml b/kustomize/base/currencyservice.yaml index c0b9ef7a411..6845846509a 100644 --- a/kustomize/base/currencyservice.yaml +++ b/kustomize/base/currencyservice.yaml @@ -16,6 +16,8 @@ apiVersion: apps/v1 kind: Deployment metadata: name: currencyservice + labels: + app: currencyservice spec: selector: matchLabels: @@ -25,7 +27,7 @@ spec: labels: app: currencyservice spec: - serviceAccountName: default + serviceAccountName: currencyservice terminationGracePeriodSeconds: 5 securityContext: fsGroup: 1000 @@ -68,6 +70,8 @@ apiVersion: v1 kind: Service metadata: name: currencyservice + labels: + app: currencyservice spec: type: ClusterIP selector: @@ -76,3 +80,8 @@ spec: - name: grpc port: 7000 targetPort: 7000 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: currencyservice diff --git a/kustomize/base/emailservice.yaml b/kustomize/base/emailservice.yaml index c6e7f274562..5782260189a 100644 --- a/kustomize/base/emailservice.yaml +++ b/kustomize/base/emailservice.yaml @@ -16,6 +16,8 @@ apiVersion: apps/v1 kind: Deployment metadata: name: emailservice + labels: + app: emailservice spec: selector: matchLabels: 
@@ -25,7 +27,7 @@ spec: labels: app: emailservice spec: - serviceAccountName: default + serviceAccountName: emailservice terminationGracePeriodSeconds: 5 securityContext: fsGroup: 1000 @@ -69,6 +71,8 @@ apiVersion: v1 kind: Service metadata: name: emailservice + labels: + app: emailservice spec: type: ClusterIP selector: @@ -77,3 +81,8 @@ spec: - name: grpc port: 5000 targetPort: 8080 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: emailservice diff --git a/kustomize/base/frontend.yaml b/kustomize/base/frontend.yaml index ec9f9677c2f..7341f9b559d 100644 --- a/kustomize/base/frontend.yaml +++ b/kustomize/base/frontend.yaml @@ -16,6 +16,8 @@ apiVersion: apps/v1 kind: Deployment metadata: name: frontend + labels: + app: frontend spec: selector: matchLabels: @@ -27,7 +29,7 @@ spec: annotations: sidecar.istio.io/rewriteAppHTTPProbers: "true" spec: - serviceAccountName: default + serviceAccountName: frontend securityContext: fsGroup: 1000 runAsGroup: 1000 @@ -88,8 +90,8 @@ spec: value: "0" # - name: CYMBAL_BRANDING # value: "true" - - name: ENABLE_ASSISTANT - value: "true" + # - name: ENABLE_ASSISTANT + # value: "true" # - name: FRONTEND_MESSAGE # value: "Replace this with a message you want to display on all pages." # As part of an optional Google Cloud demo, you can run an optional microservice called the "packaging service". @@ -107,6 +109,8 @@ apiVersion: v1 kind: Service metadata: name: frontend + labels: + app: frontend spec: type: ClusterIP selector: @@ -120,6 +124,8 @@ apiVersion: v1 kind: Service metadata: name: frontend-external + labels: + app: frontend spec: type: LoadBalancer selector: @@ -128,3 +134,8 @@ spec: - name: http port: 80 targetPort: 8080 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: frontend diff --git a/kustomize/base/kustomization.yaml b/kustomize/base/kustomization.yaml index ce2068d77a7..44b660d4a7f 100644 --- a/kustomize/base/kustomization.yaml +++ b/kustomize/base/kustomization.yaml 
@@ -25,5 +25,4 @@ resources: - paymentservice.yaml - productcatalogservice.yaml - recommendationservice.yaml -- redis.yaml - shippingservice.yaml diff --git a/kustomize/base/loadgenerator.yaml b/kustomize/base/loadgenerator.yaml index 8f7076dd16c..a7ff57ea757 100644 --- a/kustomize/base/loadgenerator.yaml +++ b/kustomize/base/loadgenerator.yaml @@ -15,6 +15,8 @@ apiVersion: apps/v1 kind: Deployment metadata: name: loadgenerator + labels: + app: loadgenerator spec: selector: matchLabels: @@ -27,7 +29,7 @@ spec: annotations: sidecar.istio.io/rewriteAppHTTPProbers: "true" spec: - serviceAccountName: default + serviceAccountName: loadgenerator terminationGracePeriodSeconds: 5 restartPolicy: Always securityContext: @@ -80,3 +82,8 @@ spec: limits: cpu: 500m memory: 512Mi +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: loadgenerator diff --git a/kustomize/base/paymentservice.yaml b/kustomize/base/paymentservice.yaml index 06f1923a991..81475ffc768 100644 --- a/kustomize/base/paymentservice.yaml +++ b/kustomize/base/paymentservice.yaml @@ -16,6 +16,8 @@ apiVersion: apps/v1 kind: Deployment metadata: name: paymentservice + labels: + app: paymentservice spec: selector: matchLabels: @@ -25,7 +27,7 @@ spec: labels: app: paymentservice spec: - serviceAccountName: default + serviceAccountName: paymentservice terminationGracePeriodSeconds: 5 securityContext: fsGroup: 1000 @@ -67,6 +69,8 @@ apiVersion: v1 kind: Service metadata: name: paymentservice + labels: + app: paymentservice spec: type: ClusterIP selector: @@ -75,3 +79,8 @@ spec: - name: grpc port: 50051 targetPort: 50051 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: paymentservice diff --git a/kustomize/base/productcatalogservice.yaml b/kustomize/base/productcatalogservice.yaml index b154002af19..7725503b3c8 100644 --- a/kustomize/base/productcatalogservice.yaml +++ b/kustomize/base/productcatalogservice.yaml 
@@ -16,6 +16,8 @@ apiVersion: apps/v1 kind: Deployment metadata: name: productcatalogservice + labels: + app: productcatalogservice spec: selector: matchLabels: @@ -25,7 +27,7 @@ spec: labels: app: productcatalogservice spec: - serviceAccountName: default + serviceAccountName: productcatalogservice terminationGracePeriodSeconds: 5 securityContext: fsGroup: 1000 @@ -67,6 +69,8 @@ apiVersion: v1 kind: Service metadata: name: productcatalogservice + labels: + app: productcatalogservice spec: type: ClusterIP selector: @@ -75,3 +79,8 @@ spec: - name: grpc port: 3550 targetPort: 3550 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: productcatalogservice diff --git a/kustomize/base/recommendationservice.yaml b/kustomize/base/recommendationservice.yaml index 3596d288637..142972ca258 100644 --- a/kustomize/base/recommendationservice.yaml +++ b/kustomize/base/recommendationservice.yaml @@ -16,6 +16,8 @@ apiVersion: apps/v1 kind: Deployment metadata: name: recommendationservice + labels: + app: recommendationservice spec: selector: matchLabels: @@ -25,7 +27,7 @@ spec: labels: app: recommendationservice spec: - serviceAccountName: default + serviceAccountName: recommendationservice terminationGracePeriodSeconds: 5 securityContext: fsGroup: 1000 @@ -71,6 +73,8 @@ apiVersion: v1 kind: Service metadata: name: recommendationservice + labels: + app: recommendationservice spec: type: ClusterIP selector: @@ -79,3 +83,8 @@ spec: - name: grpc port: 8080 targetPort: 8080 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: recommendationservice diff --git a/kustomize/base/redis.yaml b/kustomize/base/redis.yaml deleted file mode 100644 index 2098754d918..00000000000 --- a/kustomize/base/redis.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -# Copyright 2018 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: redis-cart -spec: - selector: - matchLabels: - app: redis-cart - template: - metadata: - labels: - app: redis-cart - spec: - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - containers: - - name: redis - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - image: redis:alpine - ports: - - containerPort: 6379 - readinessProbe: - periodSeconds: 5 - tcpSocket: - port: 6379 - livenessProbe: - periodSeconds: 5 - tcpSocket: - port: 6379 - volumeMounts: - - mountPath: /data - name: redis-data - resources: - limits: - memory: 256Mi - cpu: 125m - requests: - cpu: 70m - memory: 200Mi - volumes: - - name: redis-data - emptyDir: {} ---- -apiVersion: v1 -kind: Service -metadata: - name: redis-cart -spec: - type: ClusterIP - selector: - app: redis-cart - ports: - - name: tcp-redis - port: 6379 - targetPort: 6379 diff --git a/kustomize/base/shippingservice.yaml b/kustomize/base/shippingservice.yaml index 423fdd9d14b..c7833153a00 100644 --- a/kustomize/base/shippingservice.yaml +++ b/kustomize/base/shippingservice.yaml @@ -16,6 +16,8 @@ apiVersion: apps/v1 kind: Deployment metadata: name: shippingservice + labels: + app: shippingservice spec: selector: matchLabels: 
@@ -25,7 +27,7 @@ spec: labels: app: shippingservice spec: - serviceAccountName: default + serviceAccountName: shippingservice securityContext: fsGroup: 1000 runAsGroup: 1000 @@ -67,6 +69,8 @@ apiVersion: v1 kind: Service metadata: name: shippingservice + labels: + app: shippingservice spec: type: ClusterIP selector: @@ -75,3 +79,8 @@ spec: - name: grpc port: 50051 targetPort: 50051 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: shippingservice diff --git a/kustomize/components/alloydb/README.md b/kustomize/components/alloydb/README.md index c805176330a..9a7084434c2 100644 --- a/kustomize/components/alloydb/README.md +++ b/kustomize/components/alloydb/README.md @@ -116,7 +116,6 @@ To automate the deployment of Online Boutique integrated with AlloyDB you can le From the `kustomize/` folder at the root level of this repository, execute these commands: ```bash -kustomize edit add component components/service-accounts kustomize edit add component components/alloydb ``` _**Note:** this Kustomize component will also remove the `redis-cart` `Deployment` and `Service` not used anymore._ @@ -128,7 +127,6 @@ kind: Kustomization resources: - base components: -- components/service-accounts - components/alloydb ``` diff --git a/kustomize/components/alloydb/kustomization.yaml b/kustomize/components/alloydb/kustomization.yaml index 736c651859d..7aaffc3a084 100644 --- a/kustomize/components/alloydb/kustomization.yaml +++ b/kustomize/components/alloydb/kustomization.yaml @@ -83,14 +83,6 @@ patches: name: productcatalogservice annotations: iam.gke.io/gcp-service-account: ALLOYDB_USER_GSA_ID -# shoppingassistantservice - add the GSA annotation for the shoppingassistantservice KSA -- patch: |- - apiVersion: v1 - kind: ServiceAccount - metadata: - name: shoppingassistantservice - annotations: - iam.gke.io/gcp-service-account: ALLOYDB_USER_GSA_ID # redis - remove the redis-cart Deployment - patch: |- apiVersion: apps/v1 
diff --git a/kustomize/components/service-accounts/README.md b/kustomize/components/service-accounts/README.md deleted file mode 100644 index 46a63b524f0..00000000000 --- a/kustomize/components/service-accounts/README.md +++ /dev/null 
@@ -1,54 +0,0 @@ -# Create Kubernetes Service Accounts for Online Boutique - -Creating a `ServiceAccount` per `Deployment` could be helpful if you need to define a fine granular identity for each `Deployment` in your Kubernetes clusters. This could help if for example you want to give specific Google Cloud IAM role binding by leveraging [Workload Identity with GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#enable). Another scenario could be if you want to define fine granular [`AuthorizationPolicies` with Istio/ASM](https://cloud.google.com/service-mesh/docs/by-example/authz). - -## Deploy Online Boutique with `ServiceAccounts` via Kustomize - -To automate the deployment of Online Boutique integrated with fine granular `ServiceAccounts` (one per `Deployment`), you can leverage the following variation with [Kustomize](../..). - -From the `kustomize/` folder at the root level of this repository, execute this command: - -```bash -kustomize edit add component components/service-accounts -``` - -_Note: this Kustomize component will also update the `serviceAccountName` field in all `Deployments`._ - -This will update the `kustomize/kustomization.yaml` file which could be similar to: - -```yaml -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- base -components: -- components/service-accounts -``` - -You can locally render these manifests by running `kubectl kustomize .` as well as deploying them by running `kubectl apply -k .`. 
- -Once deployed, you can verify that the `ServiceAccounts` are successfully deployed: - -```bash -kubectl get serviceaccount -``` - -The output could be similar to: - -```output -NAME SECRETS AGE -default 1 2m58s -adservice 1 2m58s -cartservice 1 2m58s -checkoutservice 1 2m58s -currencyservice 1 2m58s -emailservice 1 2m58s -frontend 1 2m58s -loadgenerator 1 2m58s -paymentservice 1 2m58s -productcatalogservice 1 2m58s -recommendationservice 1 2m58s -shippingservice 1 2m58s -``` - -_Note: We made the choice that the `redis-cart` `Deployment` doesn't have its own `ServiceAccount` because it doesn't need its own identity to talk to another `Deployment` or externally to the GKE cluster._ diff --git a/kustomize/components/service-accounts/kustomization.yaml b/kustomize/components/service-accounts/kustomization.yaml deleted file mode 100644 index 46a0c1b0535..00000000000 --- a/kustomize/components/service-accounts/kustomization.yaml +++ /dev/null 
@@ -1,114 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-resources:
-- service-account-adservice.yaml
-- service-account-cartservice.yaml
-- service-account-checkoutservice.yaml
-- service-account-currencyservice.yaml
-- service-account-emailservice.yaml
-- service-account-frontend.yaml
-- service-account-loadgenerator.yaml
-- service-account-paymentservice.yaml
-- service-account-productcatalogservice.yaml
-- service-account-recommendationservice.yaml
-- service-account-shippingservice.yaml
-- service-account-shoppingassistantservice.yaml
-patches:
-- target:
- kind: Deployment
- name: adservice
- patch: |-
- - op: replace
- path: /spec/template/spec/serviceAccountName
- value: adservice
-- target:
- kind: Deployment
- name: cartservice
- patch: |-
- - op: replace
- path: /spec/template/spec/serviceAccountName
- value: cartservice
-- target:
- kind: Deployment
- name: shoppingassistantservice
- patch: |-
- - op: replace
- path: /spec/template/spec/serviceAccountName
- value: shoppingassistantservice
-- target:
- kind: Deployment
- name: checkoutservice
- patch: |-
- - op: replace
- path: /spec/template/spec/serviceAccountName
- value: checkoutservice
-- target:
- kind: Deployment
- name: currencyservice
- patch: |-
- - op: replace
- path: /spec/template/spec/serviceAccountName
- value: currencyservice
-- target:
- kind: Deployment
- name: emailservice
- patch: |-
- - op: replace
- path: /spec/template/spec/serviceAccountName
- value: emailservice
-- target:
- kind: Deployment
- name: frontend
- patch: |-
- - op: replace
- path: /spec/template/spec/serviceAccountName
- value: frontend
-- target:
- kind: Deployment
- name: loadgenerator
- patch: |-
- - op: replace
- path: /spec/template/spec/serviceAccountName
- value: loadgenerator
-- target:
- kind: Deployment
- name: paymentservice
- patch: |-
- - op: replace
- path: /spec/template/spec/serviceAccountName
- value: paymentservice
-- target:
- kind: Deployment
- name: productcatalogservice
- patch: |-
- - op: replace
- path: /spec/template/spec/serviceAccountName
- value: productcatalogservice
-- target:
- kind: Deployment
- name: recommendationservice
- patch: |-
- - op: replace
- path: /spec/template/spec/serviceAccountName
- value: recommendationservice
-- target:
- kind: Deployment
- name: shippingservice
- patch: |-
- - op: replace
- path: /spec/template/spec/serviceAccountName
- value: shippingservice
diff --git a/kustomize/components/service-accounts/service-account-adservice.yaml b/kustomize/components/service-accounts/service-account-adservice.yaml
deleted file mode 100644
index 67fdf08d66f..00000000000
--- a/kustomize/components/service-accounts/service-account-adservice.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: adservice
diff --git a/kustomize/components/service-accounts/service-account-cartservice.yaml b/kustomize/components/service-accounts/service-account-cartservice.yaml
deleted file mode 100644
index 1702077c7eb..00000000000
--- a/kustomize/components/service-accounts/service-account-cartservice.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: cartservice
diff --git a/kustomize/components/service-accounts/service-account-checkoutservice.yaml b/kustomize/components/service-accounts/service-account-checkoutservice.yaml
deleted file mode 100644
index 0cb35e90b06..00000000000
--- a/kustomize/components/service-accounts/service-account-checkoutservice.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: checkoutservice
diff --git a/kustomize/components/service-accounts/service-account-currencyservice.yaml b/kustomize/components/service-accounts/service-account-currencyservice.yaml
deleted file mode 100644
index bcd9bcce2bf..00000000000
--- a/kustomize/components/service-accounts/service-account-currencyservice.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: currencyservice
diff --git a/kustomize/components/service-accounts/service-account-emailservice.yaml b/kustomize/components/service-accounts/service-account-emailservice.yaml
deleted file mode 100644
index 052ec7ad5a2..00000000000
--- a/kustomize/components/service-accounts/service-account-emailservice.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: emailservice
diff --git a/kustomize/components/service-accounts/service-account-frontend.yaml b/kustomize/components/service-accounts/service-account-frontend.yaml
deleted file mode 100644
index 87647cf280b..00000000000
--- a/kustomize/components/service-accounts/service-account-frontend.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: frontend
diff --git a/kustomize/components/service-accounts/service-account-loadgenerator.yaml b/kustomize/components/service-accounts/service-account-loadgenerator.yaml
deleted file mode 100644
index 5ffeaed1f63..00000000000
--- a/kustomize/components/service-accounts/service-account-loadgenerator.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: loadgenerator
diff --git a/kustomize/components/service-accounts/service-account-paymentservice.yaml b/kustomize/components/service-accounts/service-account-paymentservice.yaml
deleted file mode 100644
index 3ae1050b3f6..00000000000
--- a/kustomize/components/service-accounts/service-account-paymentservice.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: paymentservice
diff --git a/kustomize/components/service-accounts/service-account-productcatalogservice.yaml b/kustomize/components/service-accounts/service-account-productcatalogservice.yaml
deleted file mode 100644
index a611f74bd7c..00000000000
--- a/kustomize/components/service-accounts/service-account-productcatalogservice.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: productcatalogservice
diff --git a/kustomize/components/service-accounts/service-account-recommendationservice.yaml b/kustomize/components/service-accounts/service-account-recommendationservice.yaml
deleted file mode 100644
index c60e955aee0..00000000000
--- a/kustomize/components/service-accounts/service-account-recommendationservice.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: recommendationservice
diff --git a/kustomize/components/service-accounts/service-account-shippingservice.yaml b/kustomize/components/service-accounts/service-account-shippingservice.yaml
deleted file mode 100644
index 051c627836c..00000000000
--- a/kustomize/components/service-accounts/service-account-shippingservice.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: shippingservice
diff --git a/kustomize/components/service-accounts/service-account-shoppingassistantservice.yaml b/kustomize/components/service-accounts/service-account-shoppingassistantservice.yaml
deleted file mode 100644
index 0755cba6ee9..00000000000
--- a/kustomize/components/service-accounts/service-account-shoppingassistantservice.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: shoppingassistantservice
diff --git a/kustomize/components/service-mesh-istio/README.md b/kustomize/components/service-mesh-istio/README.md
index a286f27442b..81abed5cff0 100644
--- a/kustomize/components/service-mesh-istio/README.md
+++ b/kustomize/components/service-mesh-istio/README.md
@@ -91,7 +91,6 @@ Once the service mesh and namespace injection are configured, you can then deplo
From the `kustomize/` folder at the root level of this repository, execute these commands:
```bash
-kustomize edit add component components/service-accounts
kustomize edit add component components/service-mesh-istio
```
@@ -102,7 +101,6 @@ kind: Kustomization
resources:
- base
components:
-- components/service-accounts
- components/service-mesh-istio
```
diff --git a/kustomize/components/shopping-assistant/README.md b/kustomize/components/shopping-assistant/README.md
index 04bdce7523e..10ae09acc44 100644
--- a/kustomize/components/shopping-assistant/README.md
+++ b/kustomize/components/shopping-assistant/README.md
@@ -95,23 +95,22 @@ This demo adds a new service to Online Boutique called `shoppingassistantservice
1. Paste this secret key in the shopping assistant service envs, replacing `GOOGLE_API_KEY_VAL`.
```sh
- vim kubernetes-manifests/shoppingassistantservice.yaml
+ vim kustomize/components/shopping-assistant/shoppingassistantservice.yaml
```
1. Change the commented-out components in `kubernetes-manifests/kustomization.yaml` to look like this:
```yaml
- components:
- - ../kustomize/components/cymbal-branding # remove comment
+ components: # remove comment
+ # - ../kustomize/components/cymbal-branding
# - ../kustomize/components/google-cloud-operations
# - ../kustomize/components/memorystore
# - ../kustomize/components/network-policies
- - ../kustomize/components/service-accounts # remove comment
- ../kustomize/components/alloydb # remove comment
+ - ../kustomize/components/shopping-assistant # remove comment
# - ../kustomize/components/spanner
# - ../kustomize/components/container-images-tag
# - ../kustomize/components/container-images-tag-suffix
# - ../kustomize/components/container-images-registry
- # - ../kustomize/components/disable-shopping-assistant # add comment
```
1. Deploy to the GKE cluster.
diff --git a/kustomize/components/disable-shopping-assistant/kustomization.yaml b/kustomize/components/shopping-assistant/kustomization.yaml
similarity index 64%
rename from kustomize/components/disable-shopping-assistant/kustomization.yaml
rename to kustomize/components/shopping-assistant/kustomization.yaml
index 3f7fb36239d..90ec7866d6b 100644
--- a/kustomize/components/disable-shopping-assistant/kustomization.yaml
+++ b/kustomize/components/shopping-assistant/kustomization.yaml
@@ -4,7 +4,7 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
@@ -14,22 +14,9 @@
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
+resources:
+- shoppingassistantservice.yaml
patches:
-# shoppingassistantservice - remove Deployment
-- patch: |-
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: shoppingassistantservice
- $patch: delete
-# shoppingassistantservice - remove Service
-- patch: |-
- apiVersion: v1
- kind: Service
- metadata:
- name: shoppingassistantservice
- $patch: delete
-# frontend - set ENABLE_ASSISTANT to false
- patch: |-
apiVersion: apps/v1
kind: Deployment
@@ -42,4 +29,4 @@ patches:
- name: server
env:
- name: ENABLE_ASSISTANT
- value: "false"
+ value: "true"
diff --git a/kustomize/components/shopping-assistant/scripts/1_deploy_alloydb_infra.sh b/kustomize/components/shopping-assistant/scripts/1_deploy_alloydb_infra.sh
index ed28a1a3c22..afcac99950a 100755
--- a/kustomize/components/shopping-assistant/scripts/1_deploy_alloydb_infra.sh
+++ b/kustomize/components/shopping-assistant/scripts/1_deploy_alloydb_infra.sh
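Review bot: The `resources:` entry added in the second hunk pulls in `shoppingassistantservice.yaml`, which the script hunk later in this diff rewrites in place with `sed -i` to fill `PROJECT_ID_VAL`-style placeholders and the `ALLOYDB_USER_GSA_ID` Workload Identity token; nothing in this kustomization records that dependency, so `kubectl apply -k` on an unrendered checkout would create a Deployment with placeholder env values and a ServiceAccount annotated with a GSA that does not exist. Add a comment above the list: `# shoppingassistantservice.yaml is rendered in place by scripts/1_deploy_alloydb_infra.sh; apply only after running it.` The same hunk also deletes the `# frontend - set ENABLE_ASSISTANT to false` header that labelled the one patch that survives, leaving that `- patch: |-` block undocumented now that the third hunk flips it to `"true"`; re-add it as `# frontend - set ENABLE_ASSISTANT to true`. The surviving patch body itself starts in this hunk but runs on outside it, and the third hunk only shows its tail.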
@@ -101,14 +101,15 @@ sed -i "s/ALLOYDB_PRODUCTS_DATABASE_NAME_VAL/${ALLOYDB_PRODUCTS_DATABASE_NAME}/g
sed -i "s/ALLOYDB_PRODUCTS_TABLE_NAME_VAL/${ALLOYDB_PRODUCTS_TABLE_NAME}/g" kustomize/components/alloydb/kustomization.yaml
sed -i "s/ALLOYDB_SECRET_NAME_VAL/${ALLOYDB_SECRET_NAME}/g" kustomize/components/alloydb/kustomization.yaml
-# Substitute environment values (kubernetes-manifests/shoppingassistantservice.yaml)
-sed -i "s/PROJECT_ID_VAL/${PROJECT_ID}/g" kubernetes-manifests/shoppingassistantservice.yaml
-sed -i "s/REGION_VAL/${REGION}/g" kubernetes-manifests/shoppingassistantservice.yaml
-sed -i "s/ALLOYDB_CLUSTER_NAME_VAL/${ALLOYDB_CLUSTER_NAME}/g" kubernetes-manifests/shoppingassistantservice.yaml
-sed -i "s/ALLOYDB_INSTANCE_NAME_VAL/${ALLOYDB_INSTANCE_NAME}/g" kubernetes-manifests/shoppingassistantservice.yaml
-sed -i "s/ALLOYDB_DATABASE_NAME_VAL/${ALLOYDB_PRODUCTS_DATABASE_NAME}/g" kubernetes-manifests/shoppingassistantservice.yaml
-sed -i "s/ALLOYDB_TABLE_NAME_VAL/${ALLOYDB_PRODUCTS_TABLE_NAME}/g" kubernetes-manifests/shoppingassistantservice.yaml
-sed -i "s/ALLOYDB_SECRET_NAME_VAL/${ALLOYDB_SECRET_NAME}/g" kubernetes-manifests/shoppingassistantservice.yaml
+# Substitute environment values (kustomize/components/shopping-assistant/shoppingassistantservice.yaml)
+sed -i "s/PROJECT_ID_VAL/${PROJECT_ID}/g" kustomize/components/shopping-assistant/shoppingassistantservice.yaml
+sed -i "s/REGION_VAL/${REGION}/g" kustomize/components/shopping-assistant/shoppingassistantservice.yaml
+sed -i "s/ALLOYDB_CLUSTER_NAME_VAL/${ALLOYDB_CLUSTER_NAME}/g" kustomize/components/shopping-assistant/shoppingassistantservice.yaml
+sed -i "s/ALLOYDB_INSTANCE_NAME_VAL/${ALLOYDB_INSTANCE_NAME}/g" kustomize/components/shopping-assistant/shoppingassistantservice.yaml
+sed -i "s/ALLOYDB_DATABASE_NAME_VAL/${ALLOYDB_PRODUCTS_DATABASE_NAME}/g" kustomize/components/shopping-assistant/shoppingassistantservice.yaml
+sed -i "s/ALLOYDB_TABLE_NAME_VAL/${ALLOYDB_PRODUCTS_TABLE_NAME}/g" kustomize/components/shopping-assistant/shoppingassistantservice.yaml
+sed -i "s/ALLOYDB_SECRET_NAME_VAL/${ALLOYDB_SECRET_NAME}/g" kustomize/components/shopping-assistant/shoppingassistantservice.yaml
+sed -i "s/ALLOYDB_USER_GSA_ID/${ALLOYDB_USER_GSA_ID}/g" kustomize/components/shopping-assistant/shoppingassistantservice.yaml
# Create service account for the cart and shopping assistant services
gcloud iam service-accounts create ${ALLOYDB_USER_GSA_NAME} \
diff --git a/kubernetes-manifests/shoppingassistantservice.yaml b/kustomize/components/shopping-assistant/shoppingassistantservice.yaml
similarity index 91%
rename from kubernetes-manifests/shoppingassistantservice.yaml
rename to kustomize/components/shopping-assistant/shoppingassistantservice.yaml
index 341bb4f48dc..d4c180f3896 100644
--- a/kubernetes-manifests/shoppingassistantservice.yaml
+++ b/kustomize/components/shopping-assistant/shoppingassistantservice.yaml
@@ -27,7 +27,7 @@ spec:
labels:
app: shoppingassistantservice
spec:
- serviceAccountName: default
+ serviceAccountName: shoppingassistantservice
terminationGracePeriodSeconds: 5
securityContext:
fsGroup: 1000
@@ -86,3 +86,10 @@ spec:
- name: http
port: 80
targetPort: 8080
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: shoppingassistantservice
+ annotations:
+ iam.gke.io/gcp-service-account: ALLOYDB_USER_GSA_ID
diff --git a/kustomize/components/spanner/README.md b/kustomize/components/spanner/README.md
index 1a237a8bd6c..6878cea3e7d 100644
--- a/kustomize/components/spanner/README.md
+++ b/kustomize/components/spanner/README.md
@@ -64,7 +64,6 @@ To automate the deployment of Online Boutique integrated with Spanner you can le
From the `kustomize/` folder at the root level of this repository, execute these commands:
```bash
-kustomize edit add component components/service-accounts
kustomize edit add component components/spanner
```
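Review bot: The new `sed -i "s/ALLOYDB_USER_GSA_ID/${ALLOYDB_USER_GSA_ID}/g"` line substitutes an empty string when the variable is unset or blank, because sed accepts an empty replacement, so unless the script enables `set -u` somewhere above this hunk the rendered `iam.gke.io/gcp-service-account` annotation is left without a value and the pod quietly loses the GCP identity it was meant to run as, surfacing only as AlloyDB auth failures later. Guard it before the substitution block with `: "${ALLOYDB_USER_GSA_ID:?ALLOYDB_USER_GSA_ID must be set}"`. The token also breaks the `_VAL` suffix convention every other placeholder in this block follows, which matters most for the one token that selects an IAM identity; renaming it `ALLOYDB_USER_GSA_ID_VAL` in both this sed and the manifest keeps the placeholders greppable as a set. Where `ALLOYDB_USER_GSA_ID` is assigned is not visible here, and the script continues outside the hunk on both sides.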
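Review bot: The ServiceAccount added at the end of the second hunk binds the pod to a GCP identity through `iam.gke.io/gcp-service-account: ALLOYDB_USER_GSA_ID`, but that value is a bare placeholder that only becomes a GSA email after `scripts/1_deploy_alloydb_infra.sh` rewrites the file; applied unrendered, the KSA carries a literal `ALLOYDB_USER_GSA_ID` annotation, which is not a valid GSA email, so token requests for it fail and the misconfiguration shows up as downstream auth errors rather than at apply time. A comment on the annotation would make the contract explicit: `# Rendered by scripts/1_deploy_alloydb_infra.sh; must be the GSA email that grants roles/iam.workloadIdentityUser to this KSA`. Because the Deployment now runs as `shoppingassistantservice` instead of `default` (first hunk), whatever grants `roles/iam.workloadIdentityUser` for this KSA — not visible in this diff — has to name the new KSA, since a binding still scoped to `default` would fail in the same quiet way. The Service that precedes the new document starts outside the hunk.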
@@ -78,7 +77,6 @@ kind: Kustomization
resources:
- base
components:
-- components/service-accounts
- components/spanner
```
diff --git a/kustomize/tests/memorystore-with-all-components/kustomization.yaml b/kustomize/tests/memorystore-with-all-components/kustomization.yaml
index fce0b0605a6..05e6d41c51c 100644
--- a/kustomize/tests/memorystore-with-all-components/kustomization.yaml
+++ b/kustomize/tests/memorystore-with-all-components/kustomization.yaml
@@ -20,5 +20,4 @@ components:
- ../../components/cymbal-branding
- ../../components/google-cloud-operations
- ../../components/network-policies
-- ../../components/service-accounts
- ../../components/memorystore
diff --git a/kustomize/tests/service-mesh-istio-with-all-components/kustomization.yaml b/kustomize/tests/service-mesh-istio-with-all-components/kustomization.yaml
index 299044b89f1..edb8980843c 100644
--- a/kustomize/tests/service-mesh-istio-with-all-components/kustomization.yaml
+++ b/kustomize/tests/service-mesh-istio-with-all-components/kustomization.yaml
@@ -20,5 +20,4 @@ components:
- ../../components/cymbal-branding
- ../../components/google-cloud-operations
- ../../components/network-policies
-- ../../components/service-accounts
- ../../components/service-mesh-istio
diff --git a/kustomize/tests/spanner-with-all-components/kustomization.yaml b/kustomize/tests/spanner-with-all-components/kustomization.yaml
index 06891e95225..5d7ba0df2ce 100644
--- a/kustomize/tests/spanner-with-all-components/kustomization.yaml
+++ b/kustomize/tests/spanner-with-all-components/kustomization.yaml
@@ -20,5 +20,4 @@ components:
- ../../components/cymbal-branding
- ../../components/google-cloud-operations
- ../../components/network-policies
-- ../../components/service-accounts
- ../../components/spanner