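apiVersion: apps/v1
kind: Deployment
metadata:
  name: vqa-c-plane
  labels:
    run: app
spec:
  replicas: 3  # three replicas so a rolling update / loss of one pod can be exercised
  selector:
    matchLabels:
      run: app
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        run: app
      annotations:
        prometheus.io/port: "9102"
        prometheus.io/scrape: "true"
    spec:
      # NOTE(review): this nodeAffinity pins every replica to ONE node by hostname,
      # so the pods are not spread across AZs; three replicas on a single node give
      # no availability gain. The pin is also what lets all three pods share the
      # ReadWriteOnce claim mounted below, so spreading them needs a ReadWriteMany
      # volume or per-pod storage first.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/hostname
                    operator: In
                    values:  # replace with the hostname of the node the pods should run on
                      - vqa-peter-test-vbsnodepl-jjfxj
      containers:
        - name: vqa-test-node
          # NOTE(review): "peter" is a mutable, personal tag pulled with Always; pin a
          # release tag or a digest (image@sha256:...) so a redeploy cannot silently
          # pull different code.
          image: vcr-platform.linecorp.com/vqa/vqa-test-node:peter
          securityContext:
            runAsUser: 0  # NOTE(review): runs as root — confirm the app really needs it
            # A root process already holds its privileges, so disabling escalation
            # (no_new_privs) costs nothing here and stops setuid/fscaps binaries from
            # gaining more if runAsUser is later changed to a non-root UID.
            allowPrivilegeEscalation: false
          imagePullPolicy: Always
          ports:
            - containerPort: 10345
          resources:
            limits:
              memory: "128Mi"
              cpu: "500m"
          volumeMounts:
            - name: pv-for-log
              mountPath: /var/log
        - name: verda-common-proxy
          image: vcr-platform.linecorp.com/vks/verda-common-proxy:latest  # NOTE(review): pin a version or digest
          ports:
            - containerPort: 9102
              protocol: TCP
          resources:
            limits:
              memory: "128Mi"
              cpu: "500m"
          volumeMounts:
            - name: config
              mountPath: /app/configs/config.yml
              subPath: config.yml
            - name: auditlog-volume  # audit log written here, read by the fluentd container
              mountPath: /var/tmp/
        - name: fluentd
          image: harbor.linecorp.com/vks/fluentd-kubernetes-daemonset:latest  # NOTE(review): pin a version or digest
          imagePullPolicy: Always
          # NOTE(review): unlike the two containers above this one declares no
          # resources and no securityContext.
          env:
            - name: FLUENTD_CONF
              value: fluentd.conf
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            # Elasticsearch credential for the audit-log output, sourced from a Secret
            # so it never sits in a ConfigMap or in version control. fluentd.conf is
            # expected to read it as "#{ENV['FLUENT_ELASTICSEARCH_PASSWORD']}".
            - name: FLUENT_ELASTICSEARCH_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: auditlog-es-credentials  # constructed name; create this Secret out of band
                  key: password
          volumeMounts:
            - name: fluentd-config
              mountPath: /fluentd/etc
            - name: auditlog-volume
              mountPath: /var/tmp/
      initContainers:
        - name: init-container
          image: vcr-platform.linecorp.com/vks/init-container:latest  # NOTE(review): pin a version or digest
          # Sets up an in-pod port redirect, which is why it needs NET_ADMIN.
          # NOTE(review): the redirect is 80 -> 8080, but the app container exposes
          # 10345 and the proxy forwards to localhost:3000 — confirm which port the
          # application actually listens on.
          args:
            - "80"    # redirect from application port
            - "8080"  # to proxy port
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
      volumes:
        - name: config
          configMap:
            name: verda-common-proxy-config
        - name: fluentd-config
          configMap:
            name: fluentd-config
        - name: auditlog-volume
          emptyDir: {}
        - name: pv-for-log
          persistentVolumeClaim:
            claimName: ssd-auto-vbs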
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ssd-auto-vbs
spec:
  storageClassName: "ssd-auto"  # provisioned to nova AZ
  # VBS-backed volumes support ReadWriteOnce only: a single node can mount the
  # claim, so every pod that uses it must be scheduled onto that same node.
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi  # must be a multiple of 10Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: verda-common-proxy-config
data:
  # Mounted into the verda-common-proxy container as /app/configs/config.yml.
  # NOTE(review): the nesting below is reconstructed from an indentation-less copy;
  # confirm against the proxy's schema which of loglevel/metricsPort belong under server.
  config.yml: |-
    # config example
    server:
      listenPort: "8080"  # proxy port
      forwardURL: "http://localhost:3000"  # app host:port
      # NOTE(review): debug level on a proxy that handles auth tokens may log request
      # details that the auditlog masking below does not cover — confirm before use
      # outside a test environment.
      loglevel: "debug"  # debug, info, warn, error
      metricsPort: "9102"
    # matches routes to pipeline
    routes:
      # NOTE(review): a bare `methods:` parses as null, not as an empty list; if
      # "all methods" is intended, confirm that is how the proxy treats null
      # (otherwise write [] explicitly).
      - path: "/v1/"
        methods:
        pipeline: vks-gw-api
      # NOTE(review): the k8s pipeline has no keystone step, so /k8s is forwarded
      # without the auth check applied to /v1/ — confirm that is intended.
      - path: "/k8s"
        methods:
        pipeline: k8s
    # matches pipeline to sequence of middlewares
    pipelines:
      vks-gw-api:
        - init
        - logging
        - auditlog
        - keystone
        - headers
      k8s:
        - init
        - logging
      public:  # not referenced by any route above
        - init
        - logging
    # contains configs for middlewares
    middlewares:
      keystone:
        endpoint: "https://verda-masterdev-api.linecorp.com:5000/v3"
      headers:
        renameHeaders:
          X-RenameFrom: "X-RenameTo"
      auditlog:
        # Written to the auditlog-volume emptyDir, which the fluentd container tails.
        auditLogFilepath: "/var/tmp/auditlog.log"
        auditLogMethodsWhitelist:
          - POST
          - PUT
          - PATCH
          - DELETE
        # Header and body keys masked before a record is written to the audit log.
        auditLogMaskedRequestHeaders:
          - Authorization
          - X-Auth-Token
        auditLogMaskedResponseHeaders:
          - X-Subject-Token
        auditLogMaskedRequestBodyKeys:
          - token
        auditLogMaskedResponseBodyKeys:
          - password
---
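apiVersion: v1
kind: ConfigMap
metadata:
  name: fluentd-config
data:
  # Tails the proxy's audit log (shared through the auditlog-volume emptyDir) and
  # ships each JSON record to Elasticsearch.
  # NOTE(review): the <source>/<match>/<buffer> directive tags were absent from the
  # extracted text; they are restored here from the parameter grouping — confirm
  # against the original file.
  fluentd.conf: |-
    <source>
      @type tail
      path /var/tmp/auditlog.log
      pos_file /var/tmp/auditlog.pos
      time_format %Y-%m-%dT%H:%M:%S.%L
      tag auditlog
      format json
    </source>

    <match auditlog>
      @type elasticsearch
      host auditlog-api-vksmansur.line-ves-dev.com
      port 12000
      user auditlog-1
      # Read from the environment (injected into the fluentd container from a Secret)
      # rather than written here: a ConfigMap is not a secret store and this file is
      # kept in version control.
      password "#{ENV['FLUENT_ELASTICSEARCH_PASSWORD']}"
      scheme https
      # Verify the server certificate: sending a credential and audit records over an
      # unverified TLS connection defeats the point of https. If the endpoint uses an
      # internal CA, mount its bundle and set ca_file instead of disabling verification.
      ssl_verify true
      ssl_version TLSv1_2
      logstash_format true
      reload_connections false
      reconnect_on_error true
      reload_on_failure true
      <buffer>
        @type file
        # NOTE(review): /var/log is not mounted in the fluentd container, so this
        # buffer lives in the container's writable layer and is lost on restart.
        path /var/log/fluentd-es.buffer
        flush_at_shutdown true
        flush_mode interval
        flush_interval 60s
        chunk_limit_size 10MB
        chunk_limit_records 10000
      </buffer>
      flatten_hashes true
      flatten_hashes_separator _
      @log_level debug
    </match>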
---
apiVersion: v1
kind: Service
metadata:
  name: metrics-service
spec:
  # NOTE(review): NodePort opens this port on every node's IP even though an
  # Ingress already fronts the service; ClusterIP is enough unless the fabriclb
  # ingress class requires NodePort backends — confirm.
  type: NodePort
  ports:
    - name: "metrics"
      port: 5080
      targetPort: 9102  # verda-common-proxy metrics port (see prometheus.io/port annotation)
  selector:
    run: app
---
apiVersion: v1
kind: Service
metadata:
  name: vqa-test-node-service
spec:
  # NOTE(review): NodePort exposes this port on every node's IP although an Ingress
  # already routes to the service; ClusterIP likely suffices unless the fabriclb
  # ingress class needs NodePort backends — confirm.
  type: NodePort
  ports:
    - name: "vqa-test-node"
      port: 7080
      # NOTE(review): targets the app container (10345) directly rather than the
      # verda-common-proxy listener (8080) that runs the keystone/auditlog pipeline,
      # so traffic through this service appears to bypass the proxy — confirm.
      targetPort: 10345
  selector:
    run: app
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vqa-test-node-ingress
spec:
  ingressClassName: fabriclb
  tls:
    # NOTE(review): no secretName is given, so the controller's default certificate
    # is presumably served for this host — confirm that is what fabriclb does.
    - hosts:
        - vqa-test-node-vbs.vqa-fabriclb.line-apps.com
  rules:
    - host: vqa-test-node-vbs.vqa-fabriclb.line-apps.com  # customize this hostname
      http:
        paths:
          # NOTE(review): nothing in this Ingress or the metrics Service restricts
          # who can read /metrics on the public hostname — confirm that is acceptable.
          - path: /metrics
            pathType: Prefix
            backend:
              service:
                name: metrics-service
                port:
                  name: "metrics"
          - path: /
            pathType: Prefix
            backend:
              service:
                name: vqa-test-node-service
                port:
                  name: "vqa-test-node"