Last active
April 2, 2020 02:19
-
-
Save mandarjog/950fe461d4e043a206f4e23e0a3d3be6 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # The following solution is used to enable GCLB with 1.0.x istio-on-gke add on. | |
| # | |
| # Ingress gateway in gke-add-on cannot be modified because it is reconciled. | |
| # | |
| # 1. Create a new ilgateway deployment with `--statusPort 15020`. | |
| # 2. Create a new service of type 'NodePort` to point to the above deployment | |
| # 3. In the target namespace, create a `gateway` resource to point to the ilbgateway by using | |
| # `selector: { "istio": "ilgateway" } | |
| # 4. Point k8s (GCLB) ingress resource to ilgateway | |
| # 5. Add advanced health-check for GCLB | |
| # Port: 15020 | |
| # Path: /healthz/ready | |
| --- | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: Gateway | |
| metadata: | |
| name: entrypoint-gateway | |
| namespace: FIXME | |
| spec: | |
| selector: | |
| istio: ilgateway | |
| servers: | |
| - hosts: | |
| - '*' | |
| port: | |
| name: http | |
| number: 80 | |
| protocol: HTTP | |
| --- | |
| apiVersion: extensions/v1beta1 | |
| kind: Ingress | |
| metadata: | |
| name: basic-ingress | |
| namespace: istio-system | |
| spec: | |
| backend: | |
| serviceName: istio-ilgateway | |
| servicePort: 80 | |
| --- | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| labels: | |
| app: istio-ilgateway | |
| chart: gateways-1.0.6 | |
| heritage: Tiller | |
| istio: ilgateway | |
| k8s-app: istio | |
| release: istio | |
| name: istio-ilgateway | |
| namespace: istio-system | |
| spec: | |
| ports: | |
| - name: http2 | |
| port: 80 | |
| protocol: TCP | |
| targetPort: 80 | |
| - name: https | |
| port: 443 | |
| protocol: TCP | |
| targetPort: 443 | |
| - name: tcp | |
| port: 31400 | |
| protocol: TCP | |
| targetPort: 31400 | |
| - name: tcp-pilot-grpc-tls | |
| port: 15011 | |
| protocol: TCP | |
| targetPort: 15011 | |
| - name: tcp-citadel-grpc-tls | |
| port: 8060 | |
| protocol: TCP | |
| targetPort: 8060 | |
| - name: tcp-dns-tls | |
| port: 853 | |
| protocol: TCP | |
| targetPort: 853 | |
| - name: http2-prometheus | |
| port: 15030 | |
| protocol: TCP | |
| targetPort: 15030 | |
| - name: http2-grafana | |
| port: 15031 | |
| protocol: TCP | |
| targetPort: 15031 | |
| selector: | |
| app: istio-ilgateway | |
| istio: ilgateway | |
| sessionAffinity: None | |
| type: NodePort | |
| --- | |
| apiVersion: extensions/v1beta1 | |
| kind: Deployment | |
| metadata: | |
| labels: | |
| app: istio-ilgateway | |
| chart: gateways-1.0.6 | |
| heritage: Tiller | |
| istio: ilgateway | |
| k8s-app: istio | |
| release: istio | |
| name: istio-ilgateway | |
| namespace: istio-system | |
| spec: | |
| selector: | |
| matchLabels: | |
| app: istio-ilgateway | |
| istio: ilgateway | |
| template: | |
| metadata: | |
| annotations: | |
| sidecar.istio.io/inject: "false" | |
| labels: | |
| app: istio-ilgateway | |
| istio: ilgateway | |
| spec: | |
| containers: | |
| - args: | |
| - proxy | |
| - router | |
| - -v | |
| - "2" | |
| - --discoveryRefreshDelay | |
| - 1s | |
| - --drainDuration | |
| - 45s | |
| - --parentShutdownDuration | |
| - 1m0s | |
| - --connectTimeout | |
| - 10s | |
| - --serviceCluster | |
| - istio-ilgateway | |
| - --zipkinAddress | |
| - zipkin:9411 | |
| - --proxyAdminPort | |
| - "15000" | |
| - --statusPort | |
| - "15020" | |
| - --controlPlaneAuthPolicy | |
| - NONE | |
| - --discoveryAddress | |
| - istio-pilot:8080 | |
| env: | |
| - name: POD_NAME | |
| valueFrom: | |
| fieldRef: | |
| apiVersion: v1 | |
| fieldPath: metadata.name | |
| - name: POD_NAMESPACE | |
| valueFrom: | |
| fieldRef: | |
| apiVersion: v1 | |
| fieldPath: metadata.namespace | |
| - name: INSTANCE_IP | |
| valueFrom: | |
| fieldRef: | |
| apiVersion: v1 | |
| fieldPath: status.podIP | |
| - name: ISTIO_META_POD_NAME | |
| valueFrom: | |
| fieldRef: | |
| apiVersion: v1 | |
| fieldPath: metadata.name | |
| image: gcr.io/gke-release/istio/proxyv2:1.0.6-gke.3 | |
| imagePullPolicy: IfNotPresent | |
| name: istio-proxy | |
| ports: | |
| - containerPort: 80 | |
| protocol: TCP | |
| - containerPort: 443 | |
| protocol: TCP | |
| - containerPort: 31400 | |
| protocol: TCP | |
| - containerPort: 15011 | |
| protocol: TCP | |
| - containerPort: 8060 | |
| protocol: TCP | |
| - containerPort: 853 | |
| protocol: TCP | |
| - containerPort: 15030 | |
| protocol: TCP | |
| - containerPort: 15031 | |
| protocol: TCP | |
| - containerPort: 15090 | |
| name: http-envoy-prom | |
| protocol: TCP | |
| resources: {} | |
| terminationMessagePath: /dev/termination-log | |
| terminationMessagePolicy: File | |
| volumeMounts: | |
| - mountPath: /etc/certs | |
| name: istio-certs | |
| readOnly: true | |
| - mountPath: /etc/istio/ingressgateway-certs | |
| name: ingressgateway-certs | |
| readOnly: true | |
| - mountPath: /etc/istio/ingressgateway-ca-certs | |
| name: ingressgateway-ca-certs | |
| readOnly: true | |
| dnsPolicy: ClusterFirst | |
| restartPolicy: Always | |
| schedulerName: default-scheduler | |
| securityContext: {} | |
| serviceAccount: istio-ingressgateway-service-account | |
| serviceAccountName: istio-ingressgateway-service-account | |
| terminationGracePeriodSeconds: 30 | |
| volumes: | |
| - name: istio-certs | |
| secret: | |
| defaultMode: 420 | |
| optional: true | |
| secretName: istio.istio-ingressgateway-service-account | |
| - name: ingressgateway-certs | |
| secret: | |
| defaultMode: 420 | |
| optional: true | |
| secretName: istio-ingressgateway-certs | |
| - name: ingressgateway-ca-certs | |
| secret: | |
| defaultMode: 420 | |
| optional: true | |
| secretName: istio-ingressgateway-ca-certs | |
| --- |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment