├── frontend ├── static │ └── .gitkeep ├── .eslintignore ├── config │ ├── prod.env.js │ ├── dev.env.js │ └── index.js ├── src │ ├── assets │ │ └── logo.png │ ├── store │ │ ├── index.js │ │ ├── mutations.js │ │ ├── plugins.js │ │ └── state.js │ ├── components │ │ ├── App.vue │ │ ├── TodoItem.vue │ │ ├── AppNav.vue │ │ ├── common │ │ │ └── Spinner.vue │ │ ├── Todos.vue │ │ └── Login.vue │ ├── router │ │ └── index.js │ ├── main.js │ ├── zipkin.js │ └── auth.js ├── Dockerfile ├── .editorconfig ├── .gitignore ├── .postcssrc.js ├── index.html ├── build │ ├── dev-client.js │ ├── vue-loader.conf.js │ ├── build.js │ ├── webpack.dev.conf.js │ ├── check-versions.js │ ├── webpack.base.conf.js │ ├── utils.js │ ├── dev-server.js │ └── webpack.prod.conf.js ├── .babelrc ├── .eslintrc.js ├── README.md └── package.json ├── auth-api ├── .gitignore ├── Dockerfile ├── Gopkg.toml ├── tracing.go ├── README.md ├── user.go ├── Gopkg.lock └── main.go ├── log-message-processor ├── requirements.txt ├── Dockerfile ├── README.md └── main.py ├── images ├── cloud9-logo.png ├── architecture.jpeg ├── cloud9-step-01.png ├── cloud9-step-02.png ├── cloud9-step-03.png ├── cloud9-preferences.png ├── cloud9-aws-settings.png ├── cloud9-environments.png └── cloud9-disable-temp-creds.png ├── solution ├── app │ ├── users-api │ │ ├── configmap.yaml │ │ ├── secret.yaml │ │ ├── service.yaml │ │ ├── network-policy.yaml │ │ └── deployment.yaml │ ├── auth-api │ │ ├── secret.yaml │ │ ├── configmap.yaml │ │ ├── service.yaml │ │ ├── network-policy.yaml │ │ └── deployment.yaml │ ├── todos-api │ │ ├── secret.yaml │ │ ├── service.yaml │ │ ├── configmap.yaml │ │ ├── network-policy.yaml │ │ └── deployment.yaml │ ├── redis-queue │ │ ├── service.yaml │ │ ├── network-policy.yaml │ │ └── deployment.yaml │ ├── frontend │ │ ├── service.yaml │ │ ├── configmap.yaml │ │ ├── ingress.yaml │ │ ├── network-policy.yaml │ │ └── deployment.yaml │ ├── log-message-processor │ │ ├── configmap.yaml │ │ ├── network-policy.yaml │ │ └── deployment.yaml │ └── dns-network-policy │ │ └── dns-network-policy.yaml ├── flags │ └── README.md └── installation │ ├── calico.yaml │ └── ingress-controller.yaml ├── users-api ├── .mvn │ └── wrapper │ │ ├── maven-wrapper.jar │ │ └── maven-wrapper.properties ├── src │ ├── main │ │ ├── resources │ │ │ ├── data.sql │ │ │ └── application.properties │ │ └── java │ │ │ └── com │ │ │ └── elgris │ │ │ └── usersapi │ │ │ ├── models │ │ │ ├── UserRole.java │ │ │ └── User.java │ │ │ ├── repository │ │ │ └── UserRepository.java │ │ │ ├── UsersApiApplication.java │ │ │ ├── security │ │ │ ├── AccessUserFilter.java │ │ │ └── JwtAuthenticationFilter.java │ │ │ ├── configuration │ │ │ └── SecurityConfiguration.java │ │ │ └── api │ │ │ └── UsersController.java │ └── test │ │ └── java │ │ └── com │ │ └── elgris │ │ └── usersapi │ │ └── UsersApiApplicationTests.java ├── Dockerfile ├── .gitignore ├── README.md ├── pom.xml ├── mvnw.cmd └── mvnw └── todos-api ├── Dockerfile ├── .gitignore ├── routes.js ├── package.json ├── README.md ├── server.js └── todoController.js /frontend/static/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /auth-api/.gitignore: -------------------------------------------------------------------------------- 1 | vendor 2 | auth-api -------------------------------------------------------------------------------- /frontend/.eslintignore: -------------------------------------------------------------------------------- 1 | build/*.js 2 | config/*.js 3 | -------------------------------------------------------------------------------- /frontend/config/prod.env.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | NODE_ENV: '"production"' 3 | } 4 | -------------------------------------------------------------------------------- /log-message-processor/requirements.txt: -------------------------------------------------------------------------------- 1 | redis==2.10.6 2 | py_zipkin==0.11.0 3 | requests -------------------------------------------------------------------------------- /images/cloud9-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thedojoseries/kubernetes-ctf/HEAD/images/cloud9-logo.png -------------------------------------------------------------------------------- /images/architecture.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thedojoseries/kubernetes-ctf/HEAD/images/architecture.jpeg -------------------------------------------------------------------------------- /images/cloud9-step-01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thedojoseries/kubernetes-ctf/HEAD/images/cloud9-step-01.png -------------------------------------------------------------------------------- /images/cloud9-step-02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thedojoseries/kubernetes-ctf/HEAD/images/cloud9-step-02.png -------------------------------------------------------------------------------- /images/cloud9-step-03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thedojoseries/kubernetes-ctf/HEAD/images/cloud9-step-03.png -------------------------------------------------------------------------------- /frontend/src/assets/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thedojoseries/kubernetes-ctf/HEAD/frontend/src/assets/logo.png -------------------------------------------------------------------------------- /images/cloud9-preferences.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thedojoseries/kubernetes-ctf/HEAD/images/cloud9-preferences.png -------------------------------------------------------------------------------- /images/cloud9-aws-settings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thedojoseries/kubernetes-ctf/HEAD/images/cloud9-aws-settings.png -------------------------------------------------------------------------------- /images/cloud9-environments.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thedojoseries/kubernetes-ctf/HEAD/images/cloud9-environments.png -------------------------------------------------------------------------------- /images/cloud9-disable-temp-creds.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thedojoseries/kubernetes-ctf/HEAD/images/cloud9-disable-temp-creds.png -------------------------------------------------------------------------------- /solution/app/users-api/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: users-api 5 | data: 6 | SERVER_PORT: "8083" 7 | -------------------------------------------------------------------------------- /users-api/.mvn/wrapper/maven-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thedojoseries/kubernetes-ctf/HEAD/users-api/.mvn/wrapper/maven-wrapper.jar -------------------------------------------------------------------------------- /users-api/.mvn/wrapper/maven-wrapper.properties: -------------------------------------------------------------------------------- 1 | distributionUrl=https://repo1.maven.org/maven2/org/apache/maven/apache-maven/3.5.0/apache-maven-3.5.0-bin.zip 2 | -------------------------------------------------------------------------------- /solution/app/auth-api/secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: auth-api 5 | type: Opaque 6 | data: 7 | JWT_SECRET: bXlmYW5jeXNlY3JldA== 8 | -------------------------------------------------------------------------------- /solution/app/users-api/secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: users-api 5 | type: Opaque 6 | data: 7 | JWT_SECRET: bXlmYW5jeXNlY3JldA== 8 | -------------------------------------------------------------------------------- /solution/app/todos-api/secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: todos-api 5 | type: Opaque 6 | data: 7 | JWT_SECRET: bXlmYW5jeXNlY3JldA== 8 | 9 | -------------------------------------------------------------------------------- /frontend/config/dev.env.js: -------------------------------------------------------------------------------- 1 | var merge = require('webpack-merge') 2 | var prodEnv = require('./prod.env') 3 | 4 | module.exports = merge(prodEnv, { 5 | NODE_ENV: '"development"' 6 | }) 7 | -------------------------------------------------------------------------------- /solution/app/auth-api/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: auth-api 5 | data: 6 | AUTH_API_PORT: "8081" 7 | USERS_API_ADDRESS: http://users-api:8083 8 | -------------------------------------------------------------------------------- /users-api/src/main/resources/data.sql: -------------------------------------------------------------------------------- 1 | INSERT INTO users (username, firstname, lastname, role) VALUES 2 | ('admin', 'Foo', 'Bar', 1), 3 | ('johnd', 'John', 'Doe', 0), 4 | ('janed', 'Jane', 'Doe', 0); -------------------------------------------------------------------------------- /frontend/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:8-alpine 2 | 3 | EXPOSE 8080 4 | 5 | WORKDIR /usr/src/app 6 | 7 | COPY package.json ./ 8 | RUN npm install 9 | 10 | COPY . . 11 | 12 | CMD ["sh", "-c", "npm start" ] -------------------------------------------------------------------------------- /solution/app/redis-queue/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: redis-queue 5 | spec: 6 | selector: 7 | app: redis-queue 8 | ports: 9 | - port: 6379 10 | -------------------------------------------------------------------------------- /frontend/.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*] 4 | charset = utf-8 5 | indent_style = space 6 | indent_size = 2 7 | end_of_line = lf 8 | insert_final_newline = true 9 | trim_trailing_whitespace = true 10 | -------------------------------------------------------------------------------- /todos-api/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:8-alpine 2 | 3 | EXPOSE 8082 4 | 5 | WORKDIR /usr/src/app 6 | 7 | COPY package.json ./ 8 | RUN npm install 9 | 10 | COPY . . 11 | 12 | CMD ["sh", "-c", "npm start" ] 13 | -------------------------------------------------------------------------------- /solution/app/auth-api/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: auth-api 5 | spec: 6 | selector: 7 | app: auth-api 8 | ports: 9 | - port: 8081 10 | type: ClusterIP 11 | -------------------------------------------------------------------------------- /solution/app/frontend/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: frontend 5 | spec: 6 | selector: 7 | app: frontend 8 | ports: 9 | - port: 8080 10 | type: ClusterIP 11 | -------------------------------------------------------------------------------- /solution/app/todos-api/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: todos-api 5 | spec: 6 | selector: 7 | app: todos-api 8 | ports: 9 | - port: 8082 10 | type: ClusterIP 11 | -------------------------------------------------------------------------------- /solution/app/users-api/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: users-api 5 | spec: 6 | selector: 7 | app: users-api 8 | ports: 9 | - port: 8083 10 | type: ClusterIP 11 | -------------------------------------------------------------------------------- /solution/app/frontend/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: frontend 5 | data: 6 | AUTH_API_ADDRESS: http://auth-api:8081 7 | PORT: "8080" 8 | TODOS_API_ADDRESS: http://todos-api:8082 -------------------------------------------------------------------------------- /frontend/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | node_modules/ 3 | dist/ 4 | npm-debug.log* 5 | yarn-debug.log* 6 | yarn-error.log* 7 | 8 | # Editor directories and files 9 | .idea 10 | *.suo 11 | *.ntvs* 12 | *.njsproj 13 | *.sln 14 | -------------------------------------------------------------------------------- /todos-api/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | node_modules/ 3 | dist/ 4 | npm-debug.log* 5 | yarn-debug.log* 6 | yarn-error.log* 7 | 8 | # Editor directories and files 9 | .idea 10 | *.suo 11 | *.ntvs* 12 | *.njsproj 13 | *.sln 14 | -------------------------------------------------------------------------------- /users-api/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | jwt.secret=myfancysecret 2 | server.port=8083 3 | 4 | spring.application.name=users-api 5 | spring.zipkin.baseUrl=http://127.0.0.1:9411/ 6 | spring.sleuth.sampler.percentage=100.0 -------------------------------------------------------------------------------- /solution/app/log-message-processor/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: log-message-processor 5 | data: 6 | REDIS_HOST: redis-queue 7 | REDIS_PORT: "6379" 8 | REDIS_CHANNEL: log_channel 9 | -------------------------------------------------------------------------------- /solution/app/todos-api/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: todos-api 5 | data: 6 | TODO_API_PORT: "8082" 7 | REDIS_HOST: redis-queue 8 | REDIS_PORT: "6379" 9 | REDIS_CHANNEL: log_channel 10 | -------------------------------------------------------------------------------- /frontend/.postcssrc.js: -------------------------------------------------------------------------------- 1 | // https://github.com/michael-ciniawsky/postcss-load-config 2 | 3 | module.exports = { 4 | "plugins": { 5 | // to edit target browsers: use "browserslist" field in package.json 6 | "autoprefixer": {} 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /frontend/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | frontend 7 | 8 | 9 | 10 |
11 |
12 |
13 | 14 | 15 | -------------------------------------------------------------------------------- /log-message-processor/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.6-alpine 2 | 3 | WORKDIR /usr/src/app 4 | RUN apk add --no-cache build-base 5 | COPY requirements.txt . 6 | RUN pip3 install -r requirements.txt 7 | 8 | COPY main.py . 9 | 10 | CMD ["python3","-u","main.py"] 11 | 12 | -------------------------------------------------------------------------------- /users-api/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM openjdk:8-alpine 2 | 3 | EXPOSE 8083 4 | WORKDIR /usr/src/app 5 | 6 | 7 | COPY pom.xml mvnw ./ 8 | COPY .mvn/ ./.mvn 9 | RUN ./mvnw dependency:resolve 10 | 11 | COPY . . 12 | RUN ./mvnw install 13 | 14 | CMD ["java", "-jar", "./target/users-api-0.0.1-SNAPSHOT.jar"] 15 | -------------------------------------------------------------------------------- /frontend/build/dev-client.js: -------------------------------------------------------------------------------- 1 | /* eslint-disable */ 2 | require('eventsource-polyfill') 3 | var hotClient = require('webpack-hot-middleware/client?noInfo=true&reload=true') 4 | 5 | hotClient.subscribe(function (event) { 6 | if (event.action === 'reload') { 7 | window.location.reload() 8 | } 9 | }) 10 | -------------------------------------------------------------------------------- /auth-api/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM golang:1.9-alpine 2 | 3 | EXPOSE 8081 4 | 5 | WORKDIR /go/src/app 6 | RUN apk --no-cache add curl git && \ 7 | curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh 8 | 9 | COPY . . 10 | RUN dep ensure 11 | 12 | RUN go build -o auth-api 13 | 14 | CMD /go/src/app/auth-api 15 | 16 | -------------------------------------------------------------------------------- /solution/app/dns-network-policy/dns-network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: allow-dns 5 | spec: 6 | podSelector: {} 7 | policyTypes: 8 | - Egress 9 | egress: 10 | - ports: 11 | - protocol: TCP 12 | port: 53 13 | - protocol: UDP 14 | port: 53 15 | -------------------------------------------------------------------------------- /frontend/src/store/index.js: -------------------------------------------------------------------------------- 1 | import Vue from 'vue' 2 | import Vuex from 'vuex' 3 | import { state } from './state' 4 | import * as mutations from './mutations' 5 | import plugins from './plugins' 6 | 7 | Vue.use(Vuex) 8 | 9 | const store = new Vuex.Store({ 10 | state, 11 | mutations, 12 | plugins 13 | }) 14 | 15 | export default store 16 | -------------------------------------------------------------------------------- /solution/app/frontend/ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1beta1 2 | kind: Ingress 3 | metadata: 4 | name: frontend 5 | spec: 6 | ingressClassName: "nginx" 7 | rules: 8 | - host: frontend.__TEAM__.k8s-ctf.com 9 | http: 10 | paths: 11 | - backend: 12 | serviceName: frontend 13 | servicePort: 8080 14 | -------------------------------------------------------------------------------- /users-api/.gitignore: -------------------------------------------------------------------------------- 1 | target/ 2 | !.mvn/wrapper/maven-wrapper.jar 3 | 4 | ### STS ### 5 | .apt_generated 6 | .classpath 7 | .factorypath 8 | .project 9 | .settings 10 | .springBeans 11 | 12 | ### IntelliJ IDEA ### 13 | .idea 14 | *.iws 15 | *.iml 16 | *.ipr 17 | 18 | ### NetBeans ### 19 | nbproject/private/ 20 | build/ 21 | nbbuild/ 22 | dist/ 23 | nbdist/ 24 | .nb-gradle/ -------------------------------------------------------------------------------- /frontend/.babelrc: -------------------------------------------------------------------------------- 1 | { 2 | "presets": [ 3 | ["env", { 4 | "modules": false, 5 | "targets": { 6 | "browsers": ["> 1%", "last 2 versions", "not ie <= 8"] 7 | } 8 | }], 9 | "stage-2" 10 | ], 11 | "plugins": ["transform-runtime"], 12 | "env": { 13 | "test": { 14 | "presets": ["env", "stage-2"], 15 | "plugins": ["istanbul"] 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /solution/app/users-api/network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: users-api 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app: users-api 9 | policyTypes: 10 | - Ingress 11 | ingress: 12 | - from: 13 | - podSelector: 14 | matchLabels: 15 | app: auth-api 16 | ports: 17 | - protocol: TCP 18 | port: 8083 19 | -------------------------------------------------------------------------------- /frontend/src/store/mutations.js: -------------------------------------------------------------------------------- 1 | export const UPDATE_AUTH = (state, auth) => { 2 | state.auth = auth 3 | } 4 | 5 | export const UPDATE_USER = (state, user) => { 6 | state.user = user 7 | } 8 | 9 | export const CLEAR_ALL_DATA = (state) => { 10 | // Auth 11 | state.auth.isLoggedIn = false 12 | state.auth.accessToken = null 13 | 14 | // User 15 | state.user.name = '' 16 | state.user.role = null 17 | } 18 | 19 | -------------------------------------------------------------------------------- /solution/app/redis-queue/network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: redis-queue 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app: redis-queue 9 | policyTypes: 10 | - Ingress 11 | ingress: 12 | - from: 13 | - podSelector: 14 | matchLabels: 15 | redis-access: "true" 16 | ports: 17 | - protocol: TCP 18 | port: 6379 19 | -------------------------------------------------------------------------------- /users-api/src/main/java/com/elgris/usersapi/models/UserRole.java: -------------------------------------------------------------------------------- 1 | package com.elgris.usersapi.models; 2 | 3 | public enum UserRole { 4 | USER("user"), 5 | ADMIN("admin"); 6 | 7 | private String description; 8 | UserRole(final String description) { 9 | this.description = description; 10 | } 11 | 12 | 13 | @Override 14 | public String toString() { 15 | return this.description; 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /solution/app/log-message-processor/network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: log-message-processor 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app: log-message-processor 9 | policyTypes: 10 | - Egress 11 | egress: 12 | - to: 13 | - podSelector: 14 | matchLabels: 15 | app: redis-queue 16 | ports: 17 | - protocol: TCP 18 | port: 6379 19 | -------------------------------------------------------------------------------- /frontend/src/store/plugins.js: -------------------------------------------------------------------------------- 1 | import { STORAGE_KEY } from './state' 2 | 3 | const localStoragePlugin = store => { 4 | store.subscribe((mutation, state) => { 5 | const syncedData = { auth: state.auth, user: state.user } 6 | 7 | localStorage.setItem(STORAGE_KEY, JSON.stringify(syncedData)) 8 | 9 | if (mutation.type === 'CLEAR_ALL_DATA') { 10 | localStorage.removeItem(STORAGE_KEY) 11 | } 12 | }) 13 | } 14 | 15 | export default [localStoragePlugin] 16 | -------------------------------------------------------------------------------- /users-api/src/test/java/com/elgris/usersapi/UsersApiApplicationTests.java: -------------------------------------------------------------------------------- 1 | package com.elgris.usersapi; 2 | 3 | import org.junit.Test; 4 | import org.junit.runner.RunWith; 5 | import org.springframework.boot.test.context.SpringBootTest; 6 | import org.springframework.test.context.junit4.SpringRunner; 7 | 8 | @RunWith(SpringRunner.class) 9 | @SpringBootTest 10 | public class UsersApiApplicationTests { 11 | 12 | @Test 13 | public void contextLoads() { 14 | } 15 | 16 | } 17 | -------------------------------------------------------------------------------- /frontend/src/components/App.vue: -------------------------------------------------------------------------------- 1 | 6 | 7 | 12 | 13 | 23 | -------------------------------------------------------------------------------- /users-api/src/main/java/com/elgris/usersapi/repository/UserRepository.java: -------------------------------------------------------------------------------- 1 | package com.elgris.usersapi.repository; 2 | 3 | import com.elgris.usersapi.models.User; 4 | import org.springframework.data.repository.CrudRepository; 5 | 6 | import java.util.List; 7 | 8 | public interface UserRepository extends CrudRepository { 9 | User findOneByUsername(String username); 10 | User findByUsername(String username); 11 | User getByUsername(String username); 12 | } 13 | -------------------------------------------------------------------------------- /frontend/build/vue-loader.conf.js: -------------------------------------------------------------------------------- 1 | var utils = require('./utils') 2 | var config = require('../config') 3 | var isProduction = process.env.NODE_ENV === 'production' 4 | 5 | module.exports = { 6 | loaders: utils.cssLoaders({ 7 | sourceMap: isProduction 8 | ? config.build.productionSourceMap 9 | : config.dev.cssSourceMap, 10 | extract: isProduction 11 | }), 12 | transformToRequire: { 13 | video: 'src', 14 | source: 'src', 15 | img: 'src', 16 | image: 'xlink:href' 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /frontend/src/store/state.js: -------------------------------------------------------------------------------- 1 | export const STORAGE_KEY = 'microservice-app-example-frontend' 2 | 3 | let syncedData = { 4 | auth: { 5 | isLoggedIn: false, 6 | accessToken: null, 7 | refreshToken: null 8 | }, 9 | user: { 10 | name: null 11 | } 12 | } 13 | 14 | // Sync with local storage. 15 | if (localStorage.getItem(STORAGE_KEY)) { 16 | syncedData = JSON.parse(localStorage.getItem(STORAGE_KEY)) 17 | } 18 | 19 | // Merge data and export it. 20 | export const state = Object.assign(syncedData) 21 | -------------------------------------------------------------------------------- /todos-api/routes.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | const TodoController = require('./todoController'); 3 | module.exports = function (app, {tracer, redisClient, logChannel}) { 4 | const todoController = new TodoController({tracer, redisClient, logChannel}); 5 | app.route('/todos') 6 | .get(function(req,resp) {return todoController.list(req,resp)}) 7 | .post(function(req,resp) {return todoController.create(req,resp)}); 8 | 9 | app.route('/todos/:taskId') 10 | .delete(function(req,resp) {return todoController.delete(req,resp)}); 11 | }; -------------------------------------------------------------------------------- /frontend/src/components/TodoItem.vue: -------------------------------------------------------------------------------- 1 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /users-api/README.md: -------------------------------------------------------------------------------- 1 | # users-api 2 | This service is written in Java with SpringBoot. It provides simple API to retrieve user data. 3 | 4 | - `GET /users` - list all users 5 | - `GET /users/:username` - get a user by name 6 | 7 | ## Configuration 8 | 9 | The service scans environment for variables: 10 | - `JWT_SECRET` - secret value for JWT token processing. 11 | - `SERVER_PORT` - the port the service takes. 12 | 13 | ## Building and running 14 | 15 | ``` 16 | ./mvnw clean install 17 | JWT_SECRET=foo SERVER_PORT=8083 java -jar target/users-api-0.0.1-SNAPSHOT.jar 18 | ``` -------------------------------------------------------------------------------- /solution/app/auth-api/network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: auth-api 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app: auth-api 9 | policyTypes: 10 | - Ingress 11 | - Egress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | app: frontend 17 | ports: 18 | - protocol: TCP 19 | port: 8081 20 | egress: 21 | - to: 22 | - podSelector: 23 | matchLabels: 24 | app: users-api 25 | ports: 26 | - protocol: TCP 27 | port: 8083 28 | -------------------------------------------------------------------------------- /solution/app/todos-api/network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: todos-api 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app: todos-api 9 | policyTypes: 10 | - Ingress 11 | - Egress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | app: frontend 17 | ports: 18 | - protocol: TCP 19 | port: 8082 20 | egress: 21 | - to: 22 | - podSelector: 23 | matchLabels: 24 | app: redis-queue 25 | ports: 26 | - protocol: TCP 27 | port: 6379 28 | -------------------------------------------------------------------------------- /solution/app/frontend/network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: frontend 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app: frontend 9 | policyTypes: 10 | - Ingress 11 | - Egress 12 | ingress: 13 | - {} 14 | egress: 15 | - to: 16 | - podSelector: 17 | matchLabels: 18 | app: auth-api 19 | ports: 20 | - protocol: TCP 21 | port: 8081 22 | - to: 23 | - podSelector: 24 | matchLabels: 25 | app: todos-api 26 | ports: 27 | - protocol: TCP 28 | port: 8082 29 | -------------------------------------------------------------------------------- /users-api/src/main/java/com/elgris/usersapi/UsersApiApplication.java: -------------------------------------------------------------------------------- 1 | package com.elgris.usersapi; 2 | 3 | import com.elgris.usersapi.security.JwtAuthenticationFilter; 4 | import org.springframework.boot.SpringApplication; 5 | import org.springframework.boot.autoconfigure.SpringBootApplication; 6 | import org.springframework.boot.web.servlet.FilterRegistrationBean; 7 | import org.springframework.context.annotation.Bean; 8 | 9 | @SpringBootApplication 10 | public class UsersApiApplication { 11 | 12 | public static void main(String[] args) { 13 | SpringApplication.run(UsersApiApplication.class, args); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /log-message-processor/README.md: -------------------------------------------------------------------------------- 1 | # log-message-processor 2 | This service is written in Python3. This is a simple consumer that listens for 3 | new messages in Redis queue and prints message content to stdout. Message can be 4 | anything, there is no additional processing. 5 | 6 | ## Configuration 7 | 8 | The service scans environment for variables: 9 | - `REDIS_HOST` - host of Redis 10 | - `REDIS_PORT` - port of Redis 11 | - `REDIS_CHANNEL` - channel the processor is going to listen to 12 | 13 | ## Building and running 14 | 15 | ``` 16 | pip3 install -r requirements.txt 17 | REDIS_HOST=127.0.0.1 REDIS_PORT=6379 REDIS_CHANNEL=log_channel python3 main.py 18 | ``` -------------------------------------------------------------------------------- /todos-api/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "todos-api", 3 | "version": "1.0.0", 4 | "description": "API for Todos in my little example app", 5 | "main": "index.js", 6 | "scripts": { 7 | "start": "nodemon server.js" 8 | }, 9 | "author": "elgris ", 10 | "license": "MIT", 11 | "dependencies": { 12 | "body-parser": "^1.18.2", 13 | "express": "^4.15.4", 14 | "express-jwt": "^5.3.0", 15 | "memory-cache": "^0.2.0", 16 | "redis": "^2.8.0", 17 | "zipkin": "^0.11.2", 18 | "zipkin-context-cls": "^0.11.0", 19 | "zipkin-instrumentation-express": "^0.11.2", 20 | "zipkin-transport-http": "^0.11.2" 21 | }, 22 | "devDependencies": { 23 | "nodemon": "^1.11.0" 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /frontend/src/router/index.js: -------------------------------------------------------------------------------- 1 | import Vue from 'vue' 2 | 3 | import Auth from '@/auth' 4 | import Router from 'vue-router' 5 | Vue.use(Router) 6 | 7 | export default new Router({ 8 | routes: [ 9 | { 10 | path: '/login', 11 | name: 'login', 12 | component: require('@/components/Login.vue') 13 | }, 14 | { 15 | path: '/', 16 | alias: '/todos', 17 | name: 'todos', 18 | component: require('@/components/Todos.vue'), 19 | beforeEnter: requireLoggedIn 20 | } 21 | ] 22 | }) 23 | 24 | function requireLoggedIn (to, from, next) { 25 | if (!Auth.isLoggedIn()) { 26 | next({ 27 | path: '/login', 28 | query: { redirect: to.fullPath } 29 | }) 30 | } else { 31 | next() 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /frontend/.eslintrc.js: -------------------------------------------------------------------------------- 1 | // http://eslint.org/docs/user-guide/configuring 2 | 3 | module.exports = { 4 | root: true, 5 | parser: 'babel-eslint', 6 | parserOptions: { 7 | sourceType: 'module' 8 | }, 9 | env: { 10 | browser: true, 11 | }, 12 | // https://github.com/feross/standard/blob/master/RULES.md#javascript-standard-style 13 | extends: 'standard', 14 | // required to lint *.vue files 15 | plugins: [ 16 | 'html' 17 | ], 18 | // add your custom rules here 19 | 'rules': { 20 | // allow paren-less arrow functions 21 | 'arrow-parens': 0, 22 | // allow async-await 23 | 'generator-star-spacing': 0, 24 | // allow debugger during development 25 | 'no-debugger': process.env.NODE_ENV === 'production' ? 2 : 0 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /frontend/README.md: -------------------------------------------------------------------------------- 1 | # frontend 2 | 3 | UI for sample distributed TODO app build with VueJS 4 | 5 | ## Configuration 6 | - `PORT` - a port the application binds to 7 | - `AUTH_API_ADDRESS` - address of `auth-api` for authentication 8 | - `TODOS_API_ADDRESS` - address of `todos-api` for TODO CRUD 9 | 10 | ## Building and running 11 | 12 | ``` bash 13 | # install dependencies 14 | npm install 15 | 16 | # serve with hot reload at localhost:8080 17 | npm run dev 18 | 19 | # build for production with minification 20 | npm run build 21 | 22 | # build for production and view the bundle analyzer report 23 | npm run build --report 24 | ``` 25 | 26 | For detailed explanation on how things work, checkout the [guide](http://vuejs-templates.github.io/webpack/) and [docs for vue-loader](http://vuejs.github.io/vue-loader). 27 | -------------------------------------------------------------------------------- /auth-api/Gopkg.toml: -------------------------------------------------------------------------------- 1 | 2 | # Gopkg.toml example 3 | # 4 | # Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md 5 | # for detailed Gopkg.toml documentation. 6 | # 7 | # required = ["github.com/user/thing/cmd/thing"] 8 | # ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"] 9 | # 10 | # [[constraint]] 11 | # name = "github.com/user/project" 12 | # version = "1.0.0" 13 | # 14 | # [[constraint]] 15 | # name = "github.com/user/project2" 16 | # branch = "dev" 17 | # source = "github.com/myfork/project2" 18 | # 19 | # [[override]] 20 | # name = "github.com/x/y" 21 | # version = "2.4.0" 22 | 23 | 24 | [[constraint]] 25 | name = "github.com/dgrijalva/jwt-go" 26 | version = "3.1.0" 27 | 28 | [[constraint]] 29 | name = "github.com/labstack/echo" 30 | version = "3.2.2" 31 | 32 | [[constraint]] 33 | branch = "master" 34 | name = "github.com/openzipkin/zipkin-go" -------------------------------------------------------------------------------- /frontend/src/main.js: -------------------------------------------------------------------------------- 1 | // The Vue build version to load with the `import` command 2 | // (runtime-only or standalone) has been set in webpack.base.conf with an alias. 3 | import Vue from 'vue' 4 | import BootstrapVue from 'bootstrap-vue/dist/bootstrap-vue.esm' 5 | import 'bootstrap/dist/css/bootstrap.css' 6 | import 'bootstrap-vue/dist/bootstrap-vue.css' 7 | Vue.use(BootstrapVue) 8 | 9 | import VueResource from 'vue-resource' 10 | Vue.use(VueResource) 11 | 12 | import App from '@/components/App' 13 | import router from './router' 14 | import store from './store' 15 | 16 | Vue.config.productionTip = false 17 | 18 | /* Auth plugin */ 19 | import Auth from './auth' 20 | Vue.use(Auth) 21 | 22 | /* Auth plugin */ 23 | import Zipkin from './zipkin' 24 | Vue.use(Zipkin) 25 | 26 | /* eslint-disable no-new */ 27 | new Vue({ 28 | el: '#app', 29 | router, 30 | store, 31 | template: '', 32 | components: { App } 33 | }) 34 | -------------------------------------------------------------------------------- /users-api/src/main/java/com/elgris/usersapi/security/AccessUserFilter.java: -------------------------------------------------------------------------------- 1 | package com.elgris.usersapi.security; 2 | 3 | import io.jsonwebtoken.Claims; 4 | import io.jsonwebtoken.Jwts; 5 | import io.jsonwebtoken.SignatureException; 6 | import org.springframework.beans.factory.annotation.Value; 7 | import org.springframework.stereotype.Component; 8 | import org.springframework.web.filter.GenericFilterBean; 9 | 10 | import javax.servlet.FilterChain; 11 | import javax.servlet.ServletException; 12 | import javax.servlet.ServletRequest; 13 | import javax.servlet.ServletResponse; 14 | import javax.servlet.http.HttpServletRequest; 15 | import javax.servlet.http.HttpServletResponse; 16 | import java.io.IOException; 17 | 18 | public class AccessUserFilter extends GenericFilterBean { 19 | 20 | public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain) 21 | throws IOException, ServletException { 22 | req.getAttribute("claims"); 23 | } 24 | } -------------------------------------------------------------------------------- /frontend/build/build.js: -------------------------------------------------------------------------------- 1 | require('./check-versions')() 2 | 3 | process.env.NODE_ENV = 'production' 4 | 5 | var ora = require('ora') 6 | var rm = require('rimraf') 7 | var path = require('path') 8 | var chalk = require('chalk') 9 | var webpack = require('webpack') 10 | var config = require('../config') 11 | var webpackConfig = require('./webpack.prod.conf') 12 | 13 | var spinner = ora('building for production...') 14 | spinner.start() 15 | 16 | rm(path.join(config.build.assetsRoot, config.build.assetsSubDirectory), err => { 17 | if (err) throw err 18 | webpack(webpackConfig, function (err, stats) { 19 | spinner.stop() 20 | if (err) throw err 21 | process.stdout.write(stats.toString({ 22 | colors: true, 23 | modules: false, 24 | children: false, 25 | chunks: false, 26 | chunkModules: false 27 | }) + '\n\n') 28 | 29 | console.log(chalk.cyan(' Build complete.\n')) 30 | console.log(chalk.yellow( 31 | ' Tip: built files are meant to be served over an HTTP server.\n' + 32 | ' Opening index.html over file:// won\'t work.\n' 33 | )) 34 | }) 35 | }) 36 | -------------------------------------------------------------------------------- /frontend/src/components/AppNav.vue: -------------------------------------------------------------------------------- 1 | 2 | 22 | 23 | -------------------------------------------------------------------------------- /solution/app/log-message-processor/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: log-message-processor 5 | spec: 6 | replicas: 1 7 | selector: 8 | matchLabels: 9 | app: log-message-processor 10 | redis-access: "true" 11 | template: 12 | metadata: 13 | labels: 14 | app: log-message-processor 15 | redis-access: "true" 16 | spec: 17 | containers: 18 | - image: 561341012850.dkr.ecr.us-east-1.amazonaws.com/team62-log-message-processor 19 | name: log-message-processor 20 | env: 21 | - name: REDIS_HOST 22 | valueFrom: 23 | configMapKeyRef: 24 | name: log-message-processor 25 | key: REDIS_HOST 26 | - name: REDIS_PORT 27 | valueFrom: 28 | configMapKeyRef: 29 | name: log-message-processor 30 | key: REDIS_PORT 31 | - name: REDIS_CHANNEL 32 | valueFrom: 33 | configMapKeyRef: 34 | name: log-message-processor 35 | key: REDIS_CHANNEL 36 | restartPolicy: Always 37 | -------------------------------------------------------------------------------- /users-api/src/main/java/com/elgris/usersapi/models/User.java: -------------------------------------------------------------------------------- 1 | package com.elgris.usersapi.models; 2 | 3 | import javax.persistence.*; 4 | 5 | @Entity 6 | @Table(name = "users") 7 | public class User { 8 | 9 | @Id 10 | @Column 11 | private String username; 12 | @Column 13 | private String firstname; 14 | @Column 15 | private String lastname; 16 | @Column 17 | private UserRole role; 18 | 19 | public String getUsername() { 20 | return username; 21 | } 22 | 23 | public void setUsername(String username) { 24 | this.username = username; 25 | } 26 | 27 | public String getFirstname() { 28 | return firstname; 29 | } 30 | 31 | public void setFirstname(String firstname) { 32 | this.firstname = firstname; 33 | } 34 | 35 | public String getLastname() { 36 | return lastname; 37 | } 38 | 39 | public void setLastname(String lastname) { 40 | this.lastname = lastname; 41 | } 42 | 43 | public UserRole getRole() { 44 | return role; 45 | } 46 | 47 | public void setRole(UserRole role) { 48 | this.role = role; 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /solution/app/redis-queue/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: redis-queue 5 | spec: 6 | replicas: 1 7 | selector: 8 | matchLabels: 9 | app: redis-queue 10 | template: 11 | metadata: 12 | labels: 13 | app: redis-queue 14 | spec: 15 | containers: 16 | - name: redis-queue 17 | image: redis 18 | ports: 19 | - containerPort: 6379 20 | name: redisport 21 | # volumeMounts: 22 | # - mountPath: /data 23 | # name: pv-for-redis 24 | # livenessProbe: 25 | # tcpSocket: 26 | # port: redisport 27 | # failureThreshold: 3 28 | # initialDelaySeconds: 30 29 | # periodSeconds: 15 30 | # successThreshold: 1 31 | # timeoutSeconds: 2 32 | # readinessProbe: 33 | # tcpSocket: 34 | # port: redisport 35 | # failureThreshold: 3 36 | # initialDelaySeconds: 1 37 | # periodSeconds: 15 38 | # successThreshold: 1 39 | # timeoutSeconds: 2 40 | restartPolicy: Always 41 | # volumes: 42 | # - name: pv-for-redis 43 | # persistentVolumeClaim: 44 | # claimName: pv-claim 45 | -------------------------------------------------------------------------------- /frontend/build/webpack.dev.conf.js: -------------------------------------------------------------------------------- 1 | var utils = require('./utils') 2 | var webpack = require('webpack') 3 | var config = require('../config') 4 | var merge = require('webpack-merge') 5 | var baseWebpackConfig = require('./webpack.base.conf') 6 | var HtmlWebpackPlugin = require('html-webpack-plugin') 7 | var FriendlyErrorsPlugin = require('friendly-errors-webpack-plugin') 8 | 9 | // add hot-reload related code to entry chunks 10 | Object.keys(baseWebpackConfig.entry).forEach(function (name) { 11 | baseWebpackConfig.entry[name] = ['./build/dev-client'].concat(baseWebpackConfig.entry[name]) 12 | }) 13 | 14 | module.exports = merge(baseWebpackConfig, { 15 | module: { 16 | rules: utils.styleLoaders({ sourceMap: config.dev.cssSourceMap }) 17 | }, 18 | // cheap-module-eval-source-map is faster for development 19 | devtool: '#cheap-module-eval-source-map', 20 | plugins: [ 21 | new webpack.DefinePlugin({ 22 | 'process.env': config.dev.env 23 | }), 24 | // https://github.com/glenjamin/webpack-hot-middleware#installation--usage 25 | new webpack.HotModuleReplacementPlugin(), 26 | new webpack.NoEmitOnErrorsPlugin(), 27 | // https://github.com/ampedandwired/html-webpack-plugin 28 | new HtmlWebpackPlugin({ 29 | filename: 'index.html', 30 | template: 'index.html', 31 | inject: true 32 | }), 33 | new FriendlyErrorsPlugin() 34 | ] 35 | }) 36 | -------------------------------------------------------------------------------- /auth-api/tracing.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "net/http" 5 | 6 | zipkin "github.com/openzipkin/zipkin-go" 7 | zipkinhttp "github.com/openzipkin/zipkin-go/middleware/http" 8 | zipkinhttpreporter "github.com/openzipkin/zipkin-go/reporter/http" 9 | ) 10 | 11 | type TracedClient struct { 12 | client *zipkinhttp.Client 13 | } 14 | 15 | func (c *TracedClient) Do(req *http.Request) (*http.Response, error) { 16 | name := req.Method + " " + req.RequestURI 17 | return c.client.DoWithAppSpan(req, name) 18 | } 19 | 20 | func initTracing(zipkinURL string) (func(http.Handler) http.Handler, *TracedClient, error) { 21 | reporter := zipkinhttpreporter.NewReporter(zipkinURL) 22 | 23 | endpoint, err := zipkin.NewEndpoint("auth-api", "") 24 | if err != nil { 25 | return nil, nil, err 26 | } 27 | 28 | tracer, err := zipkin.NewTracer(reporter, 29 | zipkin.WithLocalEndpoint(endpoint), 30 | zipkin.WithSharedSpans(false)) 31 | if err != nil { 32 | return nil, nil, err 33 | } 34 | 35 | // create global zipkin http server middleware 36 | serverMiddleware := zipkinhttp.NewServerMiddleware( 37 | tracer, zipkinhttp.TagResponseSize(true), 38 | ) 39 | 40 | // create global zipkin traced http client 41 | client, err := zipkinhttp.NewClient(tracer, zipkinhttp.ClientTrace(true)) 42 | if err != nil { 43 | return nil, nil, err 44 | } 45 | 46 | return serverMiddleware, &TracedClient{client}, nil 47 | } 48 | -------------------------------------------------------------------------------- /users-api/src/main/java/com/elgris/usersapi/configuration/SecurityConfiguration.java: -------------------------------------------------------------------------------- 1 | package com.elgris.usersapi.configuration; 2 | 3 | import com.elgris.usersapi.security.JwtAuthenticationFilter; 4 | import org.springframework.beans.factory.annotation.Autowired; 5 | import org.springframework.context.annotation.Configuration; 6 | import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; 7 | import org.springframework.security.config.annotation.web.builders.HttpSecurity; 8 | import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; 9 | import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; 10 | import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; 11 | 12 | @EnableWebSecurity 13 | @EnableGlobalMethodSecurity(securedEnabled = true) 14 | class HttpSecurityConfiguration { 15 | 16 | @Configuration 17 | public static class ApiConfigurerAdatper extends WebSecurityConfigurerAdapter { 18 | 19 | @Autowired 20 | private JwtAuthenticationFilter jwtAuthenticationFilter; 21 | 22 | @Override 23 | protected void configure(HttpSecurity http) throws Exception { 24 | http.antMatcher("/**") 25 | .addFilterAfter(jwtAuthenticationFilter, BasicAuthenticationFilter.class); 26 | } 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /todos-api/README.md: -------------------------------------------------------------------------------- 1 | # todos-api 2 | 3 | This service is written in NodeJS, it provides CRUD operations over TODO entries. 4 | It keeps all the data in memory. CREATE and DELETE operations are logged by 5 | sending appropriate message to a Redis queue. The messages are then processed by 6 | `log-message-processor`. 7 | 8 | Following API endpoints are exposed: 9 | 10 | - `GET /todos` - list all TODOs for a given user, user ID is taken from JWT 11 | - `POST /todos` - create new TODO 12 | - `DELETE /todos/:taskId` - modify a TODO by ID 13 | 14 | TODO object looks like this: 15 | ``` 16 | { 17 | id: 1, 18 | userId: 1, 19 | content: "Create new todo" 20 | } 21 | ``` 22 | 23 | Log message looks like this: 24 | ``` 25 | { 26 | opName: CREATE, 27 | username: username, 28 | todoId: 5, 29 | } 30 | ``` 31 | 32 | ## Configuration 33 | 34 | The service scans environment for variables: 35 | - `TODO_API_PORT` - the port the service takes. 36 | - `JWT_SECRET` - secret value for JWT token processing. 37 | - `REDIS_HOST` - host of Redis 38 | - `REDIS_PORT` - port of Redis 39 | - `REDIS_CHANNEL` - channel the processor is going to listen to 40 | 41 | ## Building and running 42 | 43 | ``` 44 | npm install 45 | JWT_SECRET=foo TODO_API_PORT=8082 npm start 46 | ``` 47 | 48 | ## Usage 49 | 50 | ``` 51 | curl -X POST -H "Authorization: Bearer $token" 127.0.0.1:8082/todos -d '{"content": "deal with that"}' 52 | ``` 53 | -------------------------------------------------------------------------------- /solution/app/users-api/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: users-api 5 | spec: 6 | replicas: 1 7 | selector: 8 | matchLabels: 9 | app: users-api 10 | template: 11 | metadata: 12 | labels: 13 | app: users-api 14 | spec: 15 | containers: 16 | - image: 561341012850.dkr.ecr.us-east-1.amazonaws.com/team62-users-api 17 | name: users-api 18 | ports: 19 | - containerPort: 8083 20 | name: usersport 21 | env: 22 | - name: JWT_SECRET 23 | valueFrom: 24 | secretKeyRef: 25 | name: users-api 26 | key: JWT_SECRET 27 | - name: SERVER_PORT 28 | valueFrom: 29 | configMapKeyRef: 30 | name: users-api 31 | key: SERVER_PORT 32 | # livenessProbe: 33 | # tcpSocket: 34 | # port: usersport 35 | # failureThreshold: 3 36 | # initialDelaySeconds: 30 37 | # periodSeconds: 15 38 | # successThreshold: 1 39 | # timeoutSeconds: 2 40 | # readinessProbe: 41 | # tcpSocket: 42 | # port: usersport 43 | # failureThreshold: 3 44 | # initialDelaySeconds: 1 45 | # periodSeconds: 15 46 | # successThreshold: 1 47 | # timeoutSeconds: 2 48 | restartPolicy: Always 49 | -------------------------------------------------------------------------------- /frontend/src/zipkin.js: -------------------------------------------------------------------------------- 1 | import { 2 | Tracer, 3 | BatchRecorder, 4 | ExplicitContext, 5 | jsonEncoder 6 | } from 'zipkin' 7 | import {HttpLogger} from 'zipkin-transport-http' 8 | import {zipkinInterceptor} from 'zipkin-instrumentation-vue-resource' 9 | const ZIPKIN_URL = window.location.protocol + '//' + window.location.host + '/zipkin' 10 | /** 11 | * Tracing plugin that uses Zipkin. Initiates new traces with outgoing requests 12 | * and injects appropriate headers. 13 | */ 14 | export default { 15 | 16 | /** 17 | * Install the Auth class. 18 | * 19 | * Creates a Vue-resource http interceptor to handle automatically adding auth headers 20 | * and refreshing tokens. Then attaches this object to the global Vue (as Vue.auth). 21 | * 22 | * @param {Object} Vue The global Vue. 23 | * @param {Object} options Any options we want to have in our plugin. 24 | * @return {void} 25 | */ 26 | install (Vue, options) { 27 | const serviceName = 'frontend' 28 | const tracer = new Tracer({ 29 | ctxImpl: new ExplicitContext(), 30 | recorder: new BatchRecorder({ 31 | logger: new HttpLogger({ 32 | endpoint: ZIPKIN_URL, 33 | jsonEncoder: jsonEncoder.JSON_V2 34 | }) 35 | }), 36 | localServiceName: serviceName 37 | }) 38 | 39 | const interceptor = zipkinInterceptor({tracer, serviceName}) 40 | Vue.http.interceptors.push(interceptor) 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /frontend/build/check-versions.js: -------------------------------------------------------------------------------- 1 | var chalk = require('chalk') 2 | var semver = require('semver') 3 | var packageConfig = require('../package.json') 4 | var shell = require('shelljs') 5 | function exec (cmd) { 6 | return require('child_process').execSync(cmd).toString().trim() 7 | } 8 | 9 | var versionRequirements = [ 10 | { 11 | name: 'node', 12 | currentVersion: semver.clean(process.version), 13 | versionRequirement: packageConfig.engines.node 14 | }, 15 | ] 16 | 17 | if (shell.which('npm')) { 18 | versionRequirements.push({ 19 | name: 'npm', 20 | currentVersion: exec('npm --version'), 21 | versionRequirement: packageConfig.engines.npm 22 | }) 23 | } 24 | 25 | module.exports = function () { 26 | var warnings = [] 27 | for (var i = 0; i < versionRequirements.length; i++) { 28 | var mod = versionRequirements[i] 29 | if (!semver.satisfies(mod.currentVersion, mod.versionRequirement)) { 30 | warnings.push(mod.name + ': ' + 31 | chalk.red(mod.currentVersion) + ' should be ' + 32 | chalk.green(mod.versionRequirement) 33 | ) 34 | } 35 | } 36 | 37 | if (warnings.length) { 38 | console.log('') 39 | console.log(chalk.yellow('To use this template, you must update following to modules:')) 40 | console.log() 41 | for (var i = 0; i < warnings.length; i++) { 42 | var warning = warnings[i] 43 | console.log(' ' + warning) 44 | } 45 | console.log() 46 | process.exit(1) 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /auth-api/README.md: -------------------------------------------------------------------------------- 1 | # auth-api 2 | 3 | This part of the exercise is responsible for authentication. It is written in Go and tested with Go1.9. 4 | 5 | It provides a single useful API endpoint `POST /login` that takes a simple JSON object and 6 | returns an access token in case of successful authentication. 7 | 8 | The JSON object structure is following: 9 | ```json 10 | { 11 | "username": "admin", 12 | "password": "admin", 13 | } 14 | ``` 15 | 16 | ## Prerequisites 17 | [Users API](/users-api) must be running, because `auth-api` fetches user data from it (yes, it is a little bit contrived, but anyways it's OVERENGINEERING!) 18 | 19 | ## Configuration 20 | 21 | The service scans environment for variables: 22 | - `AUTH_API_PORT` - the port the service takes. 23 | - `USERS_API_ADDRESS` - base URL of [Users API](/users-api). 24 | - `JWT_SECRET` - secret value for JWT generator. Must be shared amongst all components. 25 | 26 | Following users are hardcoded for you: 27 | 28 | | Username | Password | 29 | |-----------|-----------| 30 | | admin | admin | 31 | | johnd | foo | 32 | | janed | ddd | 33 | 34 | ## Building and running 35 | 36 | 1. Update the dependencies with [glide](https://github.com/Masterminds/glide) 37 | ``` 38 | glide up 39 | ``` 40 | 2. Compile a binary and then run it 41 | ``` 42 | go build 43 | AUTH_API_PORT=8000 USERS_API_ADDRESS=http://users-api:8082 JWT_SECRET=foo ./auth-api 44 | ``` 45 | 46 | ## Usage 47 | 48 | ``` 49 | curl -X POST 127.0.0.1:8000/login -d '{"username": "admin","password": "admin"}' 50 | ``` 51 | -------------------------------------------------------------------------------- /solution/app/frontend/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: frontend 5 | spec: 6 | replicas: 1 7 | selector: 8 | matchLabels: 9 | app: frontend 10 | template: 11 | metadata: 12 | labels: 13 | app: frontend 14 | spec: 15 | containers: 16 | - image: 561341012850.dkr.ecr.us-east-1.amazonaws.com/team62-frontend 17 | name: frontend 18 | ports: 19 | - containerPort: 8080 20 | name: fport 21 | env: 22 | - name: AUTH_API_ADDRESS 23 | valueFrom: 24 | configMapKeyRef: 25 | name: frontend 26 | key: AUTH_API_ADDRESS 27 | - name: PORT 28 | valueFrom: 29 | configMapKeyRef: 30 | name: frontend 31 | key: PORT 32 | - name: TODOS_API_ADDRESS 33 | valueFrom: 34 | configMapKeyRef: 35 | name: frontend 36 | key: TODOS_API_ADDRESS 37 | 38 | # livenessProbe: 39 | # httpGet: 40 | # path: / 41 | # port: fport 42 | # failureThreshold: 3 43 | # initialDelaySeconds: 30 44 | # periodSeconds: 15 45 | # successThreshold: 1 46 | # timeoutSeconds: 2 47 | # readinessProbe: 48 | # httpGet: 49 | # path: / 50 | # port: fport 51 | # failureThreshold: 3 52 | # initialDelaySeconds: 1 53 | # periodSeconds: 15 54 | # successThreshold: 1 55 | # timeoutSeconds: 2 56 | restartPolicy: Always 57 | -------------------------------------------------------------------------------- /solution/app/auth-api/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: auth-api 5 | spec: 6 | replicas: 1 7 | selector: 8 | matchLabels: 9 | app: auth-api 10 | template: 11 | metadata: 12 | labels: 13 | app: auth-api 14 | spec: 15 | containers: 16 | - image: 561341012850.dkr.ecr.us-east-1.amazonaws.com/team62-auth-api 17 | name: auth-api 18 | ports: 19 | - containerPort: 8081 20 | name: authport 21 | env: 22 | - name: AUTH_API_PORT 23 | valueFrom: 24 | configMapKeyRef: 25 | name: auth-api 26 | key: AUTH_API_PORT 27 | - name: JWT_SECRET 28 | valueFrom: 29 | secretKeyRef: 30 | name: auth-api 31 | key: JWT_SECRET 32 | - name: USERS_API_ADDRESS 33 | valueFrom: 34 | configMapKeyRef: 35 | name: auth-api 36 | key: USERS_API_ADDRESS 37 | # livenessProbe: 38 | # httpGet: 39 | # path: /version 40 | # port: authport 41 | # failureThreshold: 3 42 | # initialDelaySeconds: 30 43 | # periodSeconds: 15 44 | # successThreshold: 1 45 | # timeoutSeconds: 2 46 | # readinessProbe: 47 | # httpGet: 48 | # path: /version 49 | # port: authport 50 | # failureThreshold: 3 51 | # initialDelaySeconds: 1 52 | # periodSeconds: 15 53 | # successThreshold: 1 54 | # timeoutSeconds: 2 55 | restartPolicy: Always 56 | -------------------------------------------------------------------------------- /users-api/src/main/java/com/elgris/usersapi/api/UsersController.java: -------------------------------------------------------------------------------- 1 | package com.elgris.usersapi.api; 2 | 3 | import com.elgris.usersapi.models.User; 4 | import com.elgris.usersapi.repository.UserRepository; 5 | import io.jsonwebtoken.Claims; 6 | import org.springframework.beans.factory.annotation.Autowired; 7 | import org.springframework.security.access.AccessDeniedException; 8 | import org.springframework.web.bind.annotation.*; 9 | 10 | import javax.servlet.http.HttpServletRequest; 11 | import java.util.LinkedList; 12 | import java.util.List; 13 | 14 | @RestController() 15 | @RequestMapping("/users") 16 | public class UsersController { 17 | 18 | @Autowired 19 | private UserRepository userRepository; 20 | 21 | 22 | @RequestMapping(value = "/", method = RequestMethod.GET) 23 | public List getUsers() { 24 | List response = new LinkedList<>(); 25 | userRepository.findAll().forEach(response::add); 26 | 27 | return response; 28 | } 29 | 30 | @RequestMapping(value = "/{username}", method = RequestMethod.GET) 31 | public User getUser(HttpServletRequest request, @PathVariable("username") String username) { 32 | 33 | Object requestAttribute = request.getAttribute("claims"); 34 | if((requestAttribute == null) || !(requestAttribute instanceof Claims)){ 35 | throw new RuntimeException("Did not receive required data from JWT token"); 36 | } 37 | 38 | Claims claims = (Claims) requestAttribute; 39 | 40 | if (!username.equalsIgnoreCase((String)claims.get("username"))) { 41 | throw new AccessDeniedException("No access for requested entity"); 42 | } 43 | 44 | return userRepository.findOneByUsername(username); 45 | } 46 | 47 | } 48 | -------------------------------------------------------------------------------- /solution/flags/README.md: -------------------------------------------------------------------------------- 1 | # Section 1: Building Docker Images 2 | 3 | * frontend: DevSlopCTF{npm} 4 | * auth-api: DevSlopCTF{dep} 5 | * todos-api: DevSlopCTF{npm} 6 | * users-api: DevSlopCTF{maven} 7 | * log-message-processor: DevSlopCTF{pip} or DevSlopCTF{pip3} 8 | 9 | # Section 2: Pushing Docker Images to Amazon ECR Repositories 10 | 11 | * frontend: DevSlopCTF{1000000} 12 | * auth-api: DevSlopCTF{100} or DevSlopCTF{0x100} 13 | * todos-api: DevSlopCTF{71ccb7a35a452ea8153b6d920f9f190e} 14 | * users-api: DevSlopCTF{a3dabeca8436d7dc296f76aac3e573b6337801e57dcc99a3d1c0ce9b26f3df166bbb2a58c0d8d2b3} 15 | * log-message-processor: DevSlopCTF{e8fc4fa250e0974faef1212664c143cf1ee2ca052e7155a0ec246a0f2bf90376760f3cb64023af05d7b09ee0760a62bbec0666f7a24c93ed3bcf7ededf325bf4} 16 | 17 | # Section 3: Deploying Microservices to Kubernetes 18 | 19 | * frontend: DevSlopCTF{^/zipkin} 20 | * auth-api: DevSlopCTF{proc.go} 21 | * todos-api: DevSlopCTF{nodemon} 22 | * users-api: DevSlopCTF{UsersApiApplication} 23 | * log-message-processor: DevSlopCTF{REDIS_HOST} 24 | 25 | # Section 4: Configuring Environment Variables with ConfigMaps and Secrets 26 | 27 | * frontend: DevSlopCTF{http://todos-api:8082} 28 | * auth-api: DevSlopCTF{c5cbf6a748} 29 | * todos-api: DevSlopCTF{connect to redis} 30 | * users-api: DevSlopCTF{{.spec.containers[0].image}} 31 | * log-message-processor: DevSlopCTF{Name does not resolve} 32 | 33 | # Section 5: Deploying Redis 34 | 35 | * redis-queue: DevSlopCTF{standalone} 36 | 37 | # Section 6: Deploying Services 38 | 39 | * frontend: DevSlopCTF{/app.js} 40 | * auth-api: DevSlopCTF{Not Found} 41 | * todos-api: DevSlopCTF{invalid token} 42 | * users-api: DevSlopCTF{javax.servlet.ServletException} 43 | * redis-queue: DevSlopCTF{Empty reply from server} 44 | 45 | # Section 7: Configuring Ingress For The Front-End 46 | 47 | * flag: DevSlopCTF{122} 48 | 49 | # Section 8: Securing the Cluster with Network Policies 50 | 51 | * flag: DevSlopCTF{1061167113} 52 | -------------------------------------------------------------------------------- /solution/app/todos-api/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: todos-api 5 | spec: 6 | replicas: 1 7 | selector: 8 | matchLabels: 9 | app: todos-api 10 | redis-access: "true" 11 | template: 12 | metadata: 13 | labels: 14 | app: todos-api 15 | redis-access: "true" 16 | spec: 17 | containers: 18 | - image: 561341012850.dkr.ecr.us-east-1.amazonaws.com/team62-todos-api 19 | name: todos-api 20 | ports: 21 | - containerPort: 8082 22 | name: tport 23 | env: 24 | - name: JWT_SECRET 25 | valueFrom: 26 | secretKeyRef: 27 | name: todos-api 28 | key: JWT_SECRET 29 | - name: TODO_API_PORT 30 | valueFrom: 31 | configMapKeyRef: 32 | name: todos-api 33 | key: TODO_API_PORT 34 | - name: REDIS_HOST 35 | valueFrom: 36 | configMapKeyRef: 37 | name: todos-api 38 | key: REDIS_HOST 39 | - name: REDIS_PORT 40 | valueFrom: 41 | configMapKeyRef: 42 | name: todos-api 43 | key: REDIS_PORT 44 | - name: REDIS_CHANNEL 45 | valueFrom: 46 | configMapKeyRef: 47 | name: todos-api 48 | key: REDIS_CHANNEL 49 | # livenessProbe: 50 | # httpGet: 51 | # path: /health 52 | # port: tport 53 | # failureThreshold: 3 54 | # initialDelaySeconds: 30 55 | # periodSeconds: 15 56 | # successThreshold: 1 57 | # timeoutSeconds: 2 58 | # readinessProbe: 59 | # httpGet: 60 | # path: /health 61 | # port: tport 62 | # failureThreshold: 3 63 | # initialDelaySeconds: 1 64 | # periodSeconds: 15 65 | # successThreshold: 1 66 | # timeoutSeconds: 2 67 | restartPolicy: Always 68 | -------------------------------------------------------------------------------- /frontend/build/webpack.base.conf.js: -------------------------------------------------------------------------------- 1 | var path = require('path') 2 | var utils = require('./utils') 3 | var config = require('../config') 4 | var vueLoaderConfig = require('./vue-loader.conf') 5 | 6 | function resolve (dir) { 7 | return path.join(__dirname, '..', dir) 8 | } 9 | 10 | module.exports = { 11 | entry: { 12 | app: './src/main.js' 13 | }, 14 | output: { 15 | path: config.build.assetsRoot, 16 | filename: '[name].js', 17 | publicPath: process.env.NODE_ENV === 'production' 18 | ? config.build.assetsPublicPath 19 | : config.dev.assetsPublicPath 20 | }, 21 | resolve: { 22 | extensions: ['.js', '.vue', '.json'], 23 | alias: { 24 | 'vue$': 'vue/dist/vue.esm.js', 25 | '@': resolve('src') 26 | } 27 | }, 28 | module: { 29 | rules: [ 30 | { 31 | test: /\.(js|vue)$/, 32 | loader: 'eslint-loader', 33 | enforce: 'pre', 34 | include: [resolve('src'), resolve('test')], 35 | options: { 36 | formatter: require('eslint-friendly-formatter') 37 | } 38 | }, 39 | { 40 | test: /\.vue$/, 41 | loader: 'vue-loader', 42 | options: vueLoaderConfig 43 | }, 44 | { 45 | test: /\.js$/, 46 | loader: 'babel-loader', 47 | include: [resolve('src'), resolve('test')] 48 | }, 49 | { 50 | test: /\.(png|jpe?g|gif|svg)(\?.*)?$/, 51 | loader: 'url-loader', 52 | options: { 53 | limit: 10000, 54 | name: utils.assetsPath('img/[name].[hash:7].[ext]') 55 | } 56 | }, 57 | { 58 | test: /\.(mp4|webm|ogg|mp3|wav|flac|aac)(\?.*)?$/, 59 | loader: 'url-loader', 60 | options: { 61 | limit: 10000, 62 | name: utils.assetsPath('media/[name].[hash:7].[ext]') 63 | } 64 | }, 65 | { 66 | test: /\.(woff2?|eot|ttf|otf)(\?.*)?$/, 67 | loader: 'url-loader', 68 | options: { 69 | limit: 10000, 70 | name: utils.assetsPath('fonts/[name].[hash:7].[ext]') 71 | } 72 | } 73 | ] 74 | } 75 | } 76 | -------------------------------------------------------------------------------- /frontend/config/index.js: -------------------------------------------------------------------------------- 1 | // see http://vuejs-templates.github.io/webpack for documentation. 2 | var path = require('path') 3 | 4 | module.exports = { 5 | build: { 6 | env: require('./prod.env'), 7 | index: path.resolve(__dirname, '../dist/index.html'), 8 | assetsRoot: path.resolve(__dirname, '../dist'), 9 | assetsSubDirectory: 'static', 10 | assetsPublicPath: '/', 11 | productionSourceMap: true, 12 | // Gzip off by default as many popular static hosts such as 13 | // Surge or Netlify already gzip all static assets for you. 14 | // Before setting to `true`, make sure to: 15 | // npm install --save-dev compression-webpack-plugin 16 | productionGzip: false, 17 | productionGzipExtensions: ['js', 'css'], 18 | // Run the build command with an extra argument to 19 | // View the bundle analyzer report after build finishes: 20 | // `npm run build --report` 21 | // Set to `true` or `false` to always turn it on or off 22 | bundleAnalyzerReport: process.env.npm_config_report 23 | }, 24 | dev: { 25 | env: require('./dev.env'), 26 | port: process.env.PORT, 27 | autoOpenBrowser: false, 28 | assetsSubDirectory: 'static', 29 | assetsPublicPath: '/', 30 | proxyTable: { 31 | '/login': { 32 | target: process.env.AUTH_API_ADDRESS || 'http://127.0.0.1:8081', 33 | secure: false 34 | }, 35 | '/todos': { 36 | target: process.env.TODOS_API_ADDRESS || 'http://127.0.0.1:8082', 37 | secure: false 38 | }, 39 | '/zipkin': { 40 | target: process.env.ZIPKIN_URL || 'http://127.0.0.1:9411/api/v2/spans', 41 | pathRewrite: { 42 | '^/zipkin': '' 43 | }, 44 | secure: false 45 | }, 46 | }, 47 | // CSS Sourcemaps off by default because relative paths are "buggy" 48 | // with this option, according to the CSS-Loader README 49 | // (https://github.com/webpack/css-loader#sourcemaps) 50 | // In our experience, they generally work as expected, 51 | // just be aware of this issue when enabling this option. 52 | cssSourceMap: false 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /users-api/src/main/java/com/elgris/usersapi/security/JwtAuthenticationFilter.java: -------------------------------------------------------------------------------- 1 | package com.elgris.usersapi.security; 2 | 3 | import io.jsonwebtoken.Claims; 4 | import io.jsonwebtoken.Jwts; 5 | import io.jsonwebtoken.SignatureException; 6 | import org.springframework.beans.factory.annotation.Value; 7 | import org.springframework.stereotype.Component; 8 | import org.springframework.web.filter.GenericFilterBean; 9 | 10 | import javax.servlet.FilterChain; 11 | import javax.servlet.ServletException; 12 | import javax.servlet.ServletRequest; 13 | import javax.servlet.ServletResponse; 14 | import javax.servlet.http.HttpServletRequest; 15 | import javax.servlet.http.HttpServletResponse; 16 | import java.io.IOException; 17 | 18 | @Component 19 | public class JwtAuthenticationFilter extends GenericFilterBean { 20 | 21 | @Value("${jwt.secret}") 22 | private String jwtSecret; 23 | 24 | public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain) 25 | throws IOException, ServletException { 26 | 27 | final HttpServletRequest request = (HttpServletRequest) req; 28 | final HttpServletResponse response = (HttpServletResponse) res; 29 | final String authHeader = request.getHeader("authorization"); 30 | 31 | if ("OPTIONS".equals(request.getMethod())) { 32 | response.setStatus(HttpServletResponse.SC_OK); 33 | 34 | chain.doFilter(req, res); 35 | } else { 36 | 37 | if (authHeader == null || !authHeader.startsWith("Bearer ")) { 38 | throw new ServletException("Missing or invalid Authorization header"); 39 | } 40 | 41 | final String token = authHeader.substring(7); 42 | 43 | try { 44 | final Claims claims = Jwts.parser() 45 | .setSigningKey(jwtSecret.getBytes()) 46 | .parseClaimsJws(token) 47 | .getBody(); 48 | request.setAttribute("claims", claims); 49 | } catch (final SignatureException e) { 50 | throw new ServletException("Invalid token"); 51 | } 52 | 53 | chain.doFilter(req, res); 54 | } 55 | } 56 | } -------------------------------------------------------------------------------- /frontend/build/utils.js: -------------------------------------------------------------------------------- 1 | var path = require('path') 2 | var config = require('../config') 3 | var ExtractTextPlugin = require('extract-text-webpack-plugin') 4 | 5 | exports.assetsPath = function (_path) { 6 | var assetsSubDirectory = process.env.NODE_ENV === 'production' 7 | ? config.build.assetsSubDirectory 8 | : config.dev.assetsSubDirectory 9 | return path.posix.join(assetsSubDirectory, _path) 10 | } 11 | 12 | exports.cssLoaders = function (options) { 13 | options = options || {} 14 | 15 | var cssLoader = { 16 | loader: 'css-loader', 17 | options: { 18 | minimize: process.env.NODE_ENV === 'production', 19 | sourceMap: options.sourceMap 20 | } 21 | } 22 | 23 | // generate loader string to be used with extract text plugin 24 | function generateLoaders (loader, loaderOptions) { 25 | var loaders = [cssLoader] 26 | if (loader) { 27 | loaders.push({ 28 | loader: loader + '-loader', 29 | options: Object.assign({}, loaderOptions, { 30 | sourceMap: options.sourceMap 31 | }) 32 | }) 33 | } 34 | 35 | // Extract CSS when that option is specified 36 | // (which is the case during production build) 37 | if (options.extract) { 38 | return ExtractTextPlugin.extract({ 39 | use: loaders, 40 | fallback: 'vue-style-loader' 41 | }) 42 | } else { 43 | return ['vue-style-loader'].concat(loaders) 44 | } 45 | } 46 | 47 | // https://vue-loader.vuejs.org/en/configurations/extract-css.html 48 | return { 49 | css: generateLoaders(), 50 | postcss: generateLoaders(), 51 | less: generateLoaders('less'), 52 | sass: generateLoaders('sass', { indentedSyntax: true }), 53 | scss: generateLoaders('sass'), 54 | stylus: generateLoaders('stylus'), 55 | styl: generateLoaders('stylus') 56 | } 57 | } 58 | 59 | // Generate loaders for standalone style files (outside of .vue) 60 | exports.styleLoaders = function (options) { 61 | var output = [] 62 | var loaders = exports.cssLoaders(options) 63 | for (var extension in loaders) { 64 | var loader = loaders[extension] 65 | output.push({ 66 | test: new RegExp('\\.' + extension + '$'), 67 | use: loader 68 | }) 69 | } 70 | return output 71 | } 72 | -------------------------------------------------------------------------------- /log-message-processor/main.py: -------------------------------------------------------------------------------- 1 | import time 2 | import redis 3 | import os 4 | import json 5 | import requests 6 | from py_zipkin.zipkin import zipkin_span, ZipkinAttrs, generate_random_64bit_string 7 | import time 8 | import random 9 | 10 | def log_message(message): 11 | time_delay = random.randrange(0, 2000) 12 | time.sleep(time_delay / 1000) 13 | print('message received after waiting for {}ms: {}'.format(time_delay, message)) 14 | 15 | if __name__ == '__main__': 16 | redis_host = os.environ['REDIS_HOST'] 17 | redis_port = int(os.environ['REDIS_PORT']) 18 | redis_channel = os.environ['REDIS_CHANNEL'] 19 | zipkin_url = os.environ['ZIPKIN_URL'] if 'ZIPKIN_URL' in os.environ else '' 20 | def http_transport(encoded_span): 21 | requests.post( 22 | zipkin_url, 23 | data=encoded_span, 24 | headers={'Content-Type': 'application/x-thrift'}, 25 | ) 26 | 27 | pubsub = redis.Redis(host=redis_host, port=redis_port, db=0).pubsub() 28 | pubsub.subscribe([redis_channel]) 29 | for item in pubsub.listen(): 30 | try: 31 | message = json.loads(str(item['data'].decode("utf-8"))) 32 | except Exception as e: 33 | log_message(e) 34 | continue 35 | 36 | if not zipkin_url or 'zipkinSpan' not in message: 37 | log_message(message) 38 | continue 39 | 40 | span_data = message['zipkinSpan'] 41 | try: 42 | with zipkin_span( 43 | service_name='log-message-processor', 44 | zipkin_attrs=ZipkinAttrs( 45 | trace_id=span_data['_traceId']['value'], 46 | span_id=generate_random_64bit_string(), 47 | parent_span_id=span_data['_spanId'], 48 | is_sampled=span_data['_sampled']['value'], 49 | flags=None 50 | ), 51 | span_name='save_log', 52 | transport_handler=http_transport, 53 | sample_rate=100 54 | ): 55 | log_message(message) 56 | except Exception as e: 57 | print('did not send data to Zipkin: {}'.format(e)) 58 | log_message(message) 59 | 60 | 61 | 62 | 63 | -------------------------------------------------------------------------------- /frontend/src/components/common/Spinner.vue: -------------------------------------------------------------------------------- 1 | 12 | 13 | 37 | 38 | 93 | -------------------------------------------------------------------------------- /todos-api/server.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | const express = require('express') 3 | const bodyParser = require("body-parser") 4 | const jwt = require('express-jwt') 5 | 6 | const ZIPKIN_URL = process.env.ZIPKIN_URL || 'http://127.0.0.1:9411/api/v2/spans'; 7 | const {Tracer, 8 | BatchRecorder, 9 | jsonEncoder: {JSON_V2}} = require('zipkin'); 10 | const CLSContext = require('zipkin-context-cls'); 11 | const {HttpLogger} = require('zipkin-transport-http'); 12 | const zipkinMiddleware = require('zipkin-instrumentation-express').expressMiddleware; 13 | 14 | const logChannel = process.env.REDIS_CHANNEL || 'log_channel'; 15 | const redisClient = require("redis").createClient({ 16 | host: process.env.REDIS_HOST || 'localhost', 17 | port: process.env.REDIS_PORT || 6379, 18 | retry_strategy: function (options) { 19 | if (options.error && options.error.code === 'ECONNREFUSED') { 20 | return new Error('The server refused the connection'); 21 | } 22 | if (options.total_retry_time > 1000 * 60 * 60) { 23 | return new Error('Retry time exhausted'); 24 | } 25 | if (options.attempt > 10) { 26 | console.log('reattemtping to connect to redis, attempt #' + options.attempt) 27 | return undefined; 28 | } 29 | return Math.min(options.attempt * 100, 2000); 30 | } 31 | }); 32 | const port = process.env.TODO_API_PORT || 8082 33 | const jwtSecret = process.env.JWT_SECRET || "foo" 34 | 35 | const app = express() 36 | 37 | // tracing 38 | const ctxImpl = new CLSContext('zipkin'); 39 | const recorder = new BatchRecorder({ 40 | logger: new HttpLogger({ 41 | endpoint: ZIPKIN_URL, 42 | jsonEncoder: JSON_V2 43 | }) 44 | }); 45 | const localServiceName = 'todos-api'; 46 | const tracer = new Tracer({ctxImpl, recorder, localServiceName}); 47 | 48 | 49 | app.use(jwt({ secret: jwtSecret })) 50 | app.use(zipkinMiddleware({tracer})); 51 | app.use(function (err, req, res, next) { 52 | if (err.name === 'UnauthorizedError') { 53 | res.status(401).send({ message: 'invalid token' }) 54 | } 55 | }) 56 | app.use(bodyParser.urlencoded({ extended: false })) 57 | app.use(bodyParser.json()) 58 | 59 | const routes = require('./routes') 60 | routes(app, {tracer, redisClient, logChannel}) 61 | 62 | app.listen(port, function () { 63 | console.log('todo list RESTful API server started on: ' + port) 64 | }) 65 | -------------------------------------------------------------------------------- /auth-api/user.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "context" 5 | "encoding/json" 6 | "fmt" 7 | "io/ioutil" 8 | "net/http" 9 | 10 | jwt "github.com/dgrijalva/jwt-go" 11 | ) 12 | 13 | var allowedUserHashes = map[string]interface{}{ 14 | "admin_admin": nil, 15 | "johnd_foo": nil, 16 | "janed_ddd": nil, 17 | } 18 | 19 | type User struct { 20 | Username string `json:"username"` 21 | FirstName string `json:"firstname"` 22 | LastName string `json:"lastname"` 23 | Role string `json:"role"` 24 | } 25 | 26 | type HTTPDoer interface { 27 | Do(req *http.Request) (*http.Response, error) 28 | } 29 | 30 | type UserService struct { 31 | Client HTTPDoer 32 | UserAPIAddress string 33 | AllowedUserHashes map[string]interface{} 34 | } 35 | 36 | func (h *UserService) Login(ctx context.Context, username, password string) (User, error) { 37 | user, err := h.getUser(ctx, username) 38 | if err != nil { 39 | return user, err 40 | } 41 | 42 | userKey := fmt.Sprintf("%s_%s", username, password) 43 | 44 | if _, ok := h.AllowedUserHashes[userKey]; !ok { 45 | return user, ErrWrongCredentials // this is BAD, business logic layer must not return HTTP-specific errors 46 | } 47 | 48 | return user, nil 49 | } 50 | 51 | func (h *UserService) getUser(ctx context.Context, username string) (User, error) { 52 | var user User 53 | 54 | token, err := h.getUserAPIToken(username) 55 | if err != nil { 56 | return user, err 57 | } 58 | url := fmt.Sprintf("%s/users/%s", h.UserAPIAddress, username) 59 | req, _ := http.NewRequest("GET", url, nil) 60 | req.Header.Add("Authorization", "Bearer "+token) 61 | 62 | req = req.WithContext(ctx) 63 | 64 | resp, err := h.Client.Do(req) 65 | if err != nil { 66 | return user, err 67 | } 68 | 69 | defer resp.Body.Close() 70 | bodyBytes, err := ioutil.ReadAll(resp.Body) 71 | if err != nil { 72 | return user, err 73 | } 74 | 75 | if resp.StatusCode < 200 || resp.StatusCode >= 300 { 76 | return user, fmt.Errorf("could not get user data: %s", string(bodyBytes)) 77 | } 78 | 79 | err = json.Unmarshal(bodyBytes, &user) 80 | 81 | return user, err 82 | } 83 | 84 | func (h *UserService) getUserAPIToken(username string) (string, error) { 85 | token := jwt.New(jwt.SigningMethodHS256) 86 | claims := token.Claims.(jwt.MapClaims) 87 | claims["username"] = username 88 | claims["scope"] = "read" 89 | return token.SignedString([]byte(jwtSecret)) 90 | } 91 | -------------------------------------------------------------------------------- /users-api/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 4.0.0 5 | 6 | com.elgris 7 | users-api 8 | 0.0.1-SNAPSHOT 9 | jar 10 | 11 | users-api 12 | Demo project for Spring Boot 13 | 14 | 15 | org.springframework.boot 16 | spring-boot-starter-parent 17 | 1.5.6.RELEASE 18 | 19 | 20 | 21 | 22 | UTF-8 23 | UTF-8 24 | 1.8 25 | 26 | 27 | 28 | 29 | org.springframework.boot 30 | spring-boot-starter-web 31 | 32 | 33 | org.springframework.boot 34 | spring-boot-starter-security 35 | 36 | 37 | 38 | io.jsonwebtoken 39 | jjwt 40 | 0.7.0 41 | 42 | 43 | 44 | org.springframework.boot 45 | spring-boot-starter-data-jpa 46 | 47 | 48 | 49 | com.h2database 50 | h2 51 | 52 | 53 | 54 | org.springframework.cloud 55 | spring-cloud-starter-zipkin 56 | 1.3.1.RELEASE 57 | 58 | 59 | 60 | org.springframework.boot 61 | spring-boot-starter-test 62 | test 63 | 64 | 65 | 66 | 67 | 68 | 69 | org.springframework.boot 70 | spring-boot-maven-plugin 71 | 72 | 73 | 74 | 75 | 76 | 77 | -------------------------------------------------------------------------------- /frontend/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "frontend", 3 | "version": "1.0.0", 4 | "description": "UI for sample distributed TODO app", 5 | "author": "elgris ", 6 | "private": true, 7 | "scripts": { 8 | "dev": "node build/dev-server.js", 9 | "start": "node build/dev-server.js", 10 | "build": "node build/build.js", 11 | "lint": "eslint --ext .js,.vue src" 12 | }, 13 | "dependencies": { 14 | "bootstrap-vue": "^0.22.1", 15 | "jwt-decode": "^2.2.0", 16 | "vue": "^2.3.3", 17 | "vue-resource": "^1.3.4", 18 | "vue-router": "^2.6.0", 19 | "vuex": "^2.3.1", 20 | "zipkin": "^0.11.2", 21 | "zipkin-instrumentation-vue-resource": "^0.2.0", 22 | "zipkin-transport-http": "^0.11.2" 23 | }, 24 | "devDependencies": { 25 | "node-sass": "^4.5.3", 26 | "sass-loader": "^6.0.6", 27 | "autoprefixer": "^7.1.2", 28 | "babel-core": "^6.22.1", 29 | "babel-eslint": "^7.1.1", 30 | "babel-loader": "^7.1.1", 31 | "babel-plugin-transform-runtime": "^6.22.0", 32 | "babel-preset-env": "^1.3.2", 33 | "babel-preset-stage-2": "^6.22.0", 34 | "babel-register": "^6.22.0", 35 | "chalk": "^2.0.1", 36 | "connect-history-api-fallback": "^1.3.0", 37 | "copy-webpack-plugin": "^4.0.1", 38 | "css-loader": "^0.28.5", 39 | "cssnano": "^3.10.0", 40 | "eslint": "^3.19.0", 41 | "eslint-config-standard": "^6.2.1", 42 | "eslint-friendly-formatter": "^3.0.0", 43 | "eslint-loader": "^1.7.1", 44 | "eslint-plugin-html": "^3.0.0", 45 | "eslint-plugin-promise": "^3.4.0", 46 | "eslint-plugin-standard": "^2.0.1", 47 | "eventsource-polyfill": "^0.9.6", 48 | "express": "^4.14.1", 49 | "extract-text-webpack-plugin": "^2.0.0", 50 | "file-loader": "^0.11.1", 51 | "friendly-errors-webpack-plugin": "^1.1.3", 52 | "html-webpack-plugin": "^2.28.0", 53 | "http-proxy-middleware": "^0.17.3", 54 | "opn": "^5.1.0", 55 | "optimize-css-assets-webpack-plugin": "^2.0.0", 56 | "ora": "^1.2.0", 57 | "rimraf": "^2.6.0", 58 | "semver": "^5.3.0", 59 | "shelljs": "^0.7.6", 60 | "url-loader": "^0.5.8", 61 | "vue-loader": "^12.1.0", 62 | "vue-style-loader": "^3.0.1", 63 | "vue-template-compiler": "^2.3.3", 64 | "webpack": "^2.6.1", 65 | "webpack-bundle-analyzer": "^2.2.1", 66 | "webpack-dev-middleware": "^1.10.0", 67 | "webpack-hot-middleware": "^2.18.0", 68 | "webpack-merge": "^4.1.0" 69 | }, 70 | "engines": { 71 | "node": ">= 4.0.0", 72 | "npm": ">= 3.0.0" 73 | }, 74 | "browserslist": [ 75 | "> 1%", 76 | "last 2 versions", 77 | "not ie <= 8" 78 | ] 79 | } 80 | -------------------------------------------------------------------------------- /auth-api/Gopkg.lock: -------------------------------------------------------------------------------- 1 | # This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'. 2 | 3 | 4 | [[projects]] 5 | name = "github.com/dgrijalva/jwt-go" 6 | packages = ["."] 7 | revision = "dbeaa9332f19a944acb5736b4456cfcc02140e29" 8 | version = "v3.1.0" 9 | 10 | [[projects]] 11 | name = "github.com/labstack/echo" 12 | packages = [ 13 | ".", 14 | "middleware" 15 | ] 16 | revision = "b338075a0fc6e1a0683dbf03d09b4957a289e26f" 17 | version = "3.2.6" 18 | 19 | [[projects]] 20 | name = "github.com/labstack/gommon" 21 | packages = [ 22 | "bytes", 23 | "color", 24 | "log", 25 | "random" 26 | ] 27 | revision = "57409ada9da0f2afad6664c49502f8c50fbd8476" 28 | version = "0.2.3" 29 | 30 | [[projects]] 31 | name = "github.com/mattn/go-colorable" 32 | packages = ["."] 33 | revision = "167de6bfdfba052fa6b2d3664c8f5272e23c9072" 34 | version = "v0.0.9" 35 | 36 | [[projects]] 37 | name = "github.com/mattn/go-isatty" 38 | packages = ["."] 39 | revision = "0360b2af4f38e8d38c7fce2a9f4e702702d73a39" 40 | version = "v0.0.3" 41 | 42 | [[projects]] 43 | branch = "master" 44 | name = "github.com/openzipkin/zipkin-go" 45 | packages = [ 46 | ".", 47 | "idgenerator", 48 | "middleware/http", 49 | "model", 50 | "propagation", 51 | "propagation/b3", 52 | "reporter", 53 | "reporter/http" 54 | ] 55 | revision = "3741243b287094fda649c7f0fa74bd51f37dc122" 56 | 57 | [[projects]] 58 | branch = "master" 59 | name = "github.com/valyala/bytebufferpool" 60 | packages = ["."] 61 | revision = "e746df99fe4a3986f4d4f79e13c1e0117ce9c2f7" 62 | 63 | [[projects]] 64 | branch = "master" 65 | name = "github.com/valyala/fasttemplate" 66 | packages = ["."] 67 | revision = "dcecefd839c4193db0d35b88ec65b4c12d360ab0" 68 | 69 | [[projects]] 70 | branch = "master" 71 | name = "golang.org/x/crypto" 72 | packages = [ 73 | "acme", 74 | "acme/autocert" 75 | ] 76 | revision = "49796115aa4b964c318aad4f3084fdb41e9aa067" 77 | 78 | [[projects]] 79 | branch = "master" 80 | name = "golang.org/x/net" 81 | packages = ["context"] 82 | revision = "cbe0f9307d0156177f9dd5dc85da1a31abc5f2fb" 83 | 84 | [[projects]] 85 | branch = "master" 86 | name = "golang.org/x/sys" 87 | packages = ["unix"] 88 | revision = "c1138c84af3a9927aee1a1b8b7ce06c9b7ea52bc" 89 | 90 | [[projects]] 91 | name = "google.golang.org/grpc" 92 | packages = ["metadata"] 93 | revision = "8e4536a86ab602859c20df5ebfd0bd4228d08655" 94 | version = "v1.10.0" 95 | 96 | [solve-meta] 97 | analyzer-name = "dep" 98 | analyzer-version = 1 99 | inputs-digest = "e4ae9d27bce5a7d452ffa8d5a8cffe562fe7c8853f59a1dc12f64e73cd95013a" 100 | solver-name = "gps-cdcl" 101 | solver-version = 1 102 | -------------------------------------------------------------------------------- /frontend/build/dev-server.js: -------------------------------------------------------------------------------- 1 | require('./check-versions')() 2 | 3 | var config = require('../config') 4 | if (!process.env.NODE_ENV) { 5 | process.env.NODE_ENV = JSON.parse(config.dev.env.NODE_ENV) 6 | } 7 | 8 | var opn = require('opn') 9 | var path = require('path') 10 | var express = require('express') 11 | var webpack = require('webpack') 12 | var proxyMiddleware = require('http-proxy-middleware') 13 | var webpackConfig = require('./webpack.dev.conf') 14 | 15 | // default port where dev server listens for incoming traffic 16 | var port = process.env.PORT || config.dev.port || 8080 17 | // automatically open browser, if not set will be false 18 | var autoOpenBrowser = !!config.dev.autoOpenBrowser 19 | // Define HTTP proxies to your custom API backend 20 | // https://github.com/chimurai/http-proxy-middleware 21 | var proxyTable = config.dev.proxyTable 22 | 23 | var app = express() 24 | var compiler = webpack(webpackConfig) 25 | 26 | var devMiddleware = require('webpack-dev-middleware')(compiler, { 27 | publicPath: webpackConfig.output.publicPath, 28 | quiet: true 29 | }) 30 | 31 | var hotMiddleware = require('webpack-hot-middleware')(compiler, { 32 | log: false, 33 | heartbeat: 2000 34 | }) 35 | // force page reload when html-webpack-plugin template changes 36 | compiler.plugin('compilation', function (compilation) { 37 | compilation.plugin('html-webpack-plugin-after-emit', function (data, cb) { 38 | hotMiddleware.publish({ action: 'reload' }) 39 | cb() 40 | }) 41 | }) 42 | 43 | // proxy api requests 44 | Object.keys(proxyTable).forEach(function (context) { 45 | var options = proxyTable[context] 46 | if (typeof options === 'string') { 47 | options = { target: options } 48 | } 49 | app.use(proxyMiddleware(options.filter || context, options)) 50 | }) 51 | 52 | // handle fallback for HTML5 history API 53 | app.use(require('connect-history-api-fallback')()) 54 | 55 | // serve webpack bundle output 56 | app.use(devMiddleware) 57 | 58 | // enable hot-reload and state-preserving 59 | // compilation error display 60 | app.use(hotMiddleware) 61 | 62 | // serve pure static assets 63 | var staticPath = path.posix.join(config.dev.assetsPublicPath, config.dev.assetsSubDirectory) 64 | app.use(staticPath, express.static('./static')) 65 | 66 | var uri = 'http://127.0.0.1:' + port 67 | 68 | var _resolve 69 | var readyPromise = new Promise(resolve => { 70 | _resolve = resolve 71 | }) 72 | 73 | console.log('> Starting dev server...') 74 | devMiddleware.waitUntilValid(() => { 75 | console.log('> Listening at ' + uri + '\n') 76 | // when env is testing, don't need open it 77 | if (autoOpenBrowser && process.env.NODE_ENV !== 'testing') { 78 | opn(uri) 79 | } 80 | _resolve() 81 | }) 82 | 83 | var server = app.listen(port) 84 | 85 | module.exports = { 86 | ready: readyPromise, 87 | close: () => { 88 | server.close() 89 | } 90 | } 91 | -------------------------------------------------------------------------------- /todos-api/todoController.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | const cache = require('memory-cache'); 3 | const {Annotation, 4 | jsonEncoder: {JSON_V2}} = require('zipkin'); 5 | 6 | const OPERATION_CREATE = 'CREATE', 7 | OPERATION_DELETE = 'DELETE'; 8 | 9 | class TodoController { 10 | constructor({tracer, redisClient, logChannel}) { 11 | this._tracer = tracer; 12 | this._redisClient = redisClient; 13 | this._logChannel = logChannel; 14 | } 15 | 16 | // TODO: these methods are not concurrent-safe 17 | list (req, res) { 18 | const data = this._getTodoData(req.user.username) 19 | 20 | res.json(data.items) 21 | } 22 | 23 | create (req, res) { 24 | // TODO: must be transactional and protected for concurrent access, but 25 | // the purpose of the whole example app it's enough 26 | const data = this._getTodoData(req.user.username) 27 | const todo = { 28 | content: req.body.content, 29 | id: data.lastInsertedID 30 | } 31 | data.items[data.lastInsertedID] = todo 32 | 33 | data.lastInsertedID++ 34 | this._setTodoData(req.user.username, data) 35 | 36 | this._logOperation(OPERATION_CREATE, req.user.username, todo.id) 37 | 38 | res.json(todo) 39 | } 40 | 41 | delete (req, res) { 42 | const data = this._getTodoData(req.user.username) 43 | const id = req.params.taskId 44 | delete data.items[id] 45 | this._setTodoData(req.user.username, data) 46 | 47 | this._logOperation(OPERATION_DELETE, req.user.username, id) 48 | 49 | res.status(204) 50 | res.send() 51 | } 52 | 53 | _logOperation (opName, username, todoId) { 54 | this._tracer.scoped(() => { 55 | const traceId = this._tracer.id; 56 | this._redisClient.publish(this._logChannel, JSON.stringify({ 57 | zipkinSpan: traceId, 58 | opName: opName, 59 | username: username, 60 | todoId: todoId, 61 | })) 62 | }) 63 | } 64 | 65 | _getTodoData (userID) { 66 | var data = cache.get(userID) 67 | if (data == null) { 68 | data = { 69 | items: { 70 | '1': { 71 | id: 1, 72 | content: "Create new todo", 73 | }, 74 | '2': { 75 | id: 2, 76 | content: "Update me", 77 | }, 78 | '3': { 79 | id: 3, 80 | content: "Delete example ones", 81 | } 82 | }, 83 | lastInsertedID: 3 84 | } 85 | 86 | this._setTodoData(userID, data) 87 | } 88 | return data 89 | } 90 | 91 | _setTodoData (userID, data) { 92 | cache.put(userID, data) 93 | } 94 | } 95 | 96 | module.exports = TodoController -------------------------------------------------------------------------------- /auth-api/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "encoding/json" 5 | "log" 6 | "net/http" 7 | "os" 8 | "time" 9 | 10 | jwt "github.com/dgrijalva/jwt-go" 11 | "github.com/labstack/echo" 12 | "github.com/labstack/echo/middleware" 13 | gommonlog "github.com/labstack/gommon/log" 14 | ) 15 | 16 | var ( 17 | // ErrHttpGenericMessage that is returned in general case, details should be logged in such case 18 | ErrHttpGenericMessage = echo.NewHTTPError(http.StatusInternalServerError, "something went wrong, please try again later") 19 | 20 | // ErrWrongCredentials indicates that login attempt failed because of incorrect login or password 21 | ErrWrongCredentials = echo.NewHTTPError(http.StatusUnauthorized, "username or password is invalid") 22 | 23 | jwtSecret = "myfancysecret" 24 | ) 25 | 26 | func main() { 27 | hostport := ":" + os.Getenv("AUTH_API_PORT") 28 | userAPIAddress := os.Getenv("USERS_API_ADDRESS") 29 | 30 | envJwtSecret := os.Getenv("JWT_SECRET") 31 | if len(envJwtSecret) != 0 { 32 | jwtSecret = envJwtSecret 33 | } 34 | 35 | userService := UserService{ 36 | Client: http.DefaultClient, 37 | UserAPIAddress: userAPIAddress, 38 | AllowedUserHashes: map[string]interface{}{ 39 | "admin_admin": nil, 40 | "johnd_foo": nil, 41 | "janed_ddd": nil, 42 | }, 43 | } 44 | 45 | e := echo.New() 46 | e.Logger.SetLevel(gommonlog.INFO) 47 | 48 | if zipkinURL := os.Getenv("ZIPKIN_URL"); len(zipkinURL) != 0 { 49 | e.Logger.Infof("init tracing to Zipkit at %s", zipkinURL) 50 | 51 | if tracedMiddleware, tracedClient, err := initTracing(zipkinURL); err == nil { 52 | e.Use(echo.WrapMiddleware(tracedMiddleware)) 53 | userService.Client = tracedClient 54 | } else { 55 | e.Logger.Infof("Zipkin tracer init failed: %s", err.Error()) 56 | } 57 | } else { 58 | e.Logger.Infof("Zipkin URL was not provided, tracing is not initialised") 59 | } 60 | 61 | e.Use(middleware.Logger()) 62 | e.Use(middleware.Recover()) 63 | e.Use(middleware.CORS()) 64 | 65 | // Route => handler 66 | e.GET("/version", func(c echo.Context) error { 67 | return c.String(http.StatusOK, "Auth API, written in Go\n") 68 | }) 69 | 70 | e.POST("/login", getLoginHandler(userService)) 71 | 72 | // Start server 73 | e.Logger.Fatal(e.Start(hostport)) 74 | } 75 | 76 | type LoginRequest struct { 77 | Username string `json:"username"` 78 | Password string `json:"password"` 79 | } 80 | 81 | func getLoginHandler(userService UserService) echo.HandlerFunc { 82 | f := func(c echo.Context) error { 83 | requestData := LoginRequest{} 84 | decoder := json.NewDecoder(c.Request().Body) 85 | if err := decoder.Decode(&requestData); err != nil { 86 | log.Printf("could not read credentials from POST body: %s", err.Error()) 87 | return ErrHttpGenericMessage 88 | } 89 | 90 | ctx := c.Request().Context() 91 | user, err := userService.Login(ctx, requestData.Username, requestData.Password) 92 | if err != nil { 93 | if err != ErrWrongCredentials { 94 | log.Printf("could not authorize user '%s': %s", requestData.Username, err.Error()) 95 | return ErrHttpGenericMessage 96 | } 97 | 98 | return ErrWrongCredentials 99 | } 100 | token := jwt.New(jwt.SigningMethodHS256) 101 | 102 | // Set claims 103 | claims := token.Claims.(jwt.MapClaims) 104 | claims["username"] = user.Username 105 | claims["firstname"] = user.FirstName 106 | claims["lastname"] = user.LastName 107 | claims["role"] = user.Role 108 | claims["exp"] = time.Now().Add(time.Hour * 72).Unix() 109 | 110 | // Generate encoded token and send it as response. 111 | t, err := token.SignedString([]byte(jwtSecret)) 112 | if err != nil { 113 | log.Printf("could not generate a JWT token: %s", err.Error()) 114 | return ErrHttpGenericMessage 115 | } 116 | 117 | return c.JSON(http.StatusOK, map[string]string{ 118 | "accessToken": t, 119 | }) 120 | } 121 | 122 | return echo.HandlerFunc(f) 123 | } 124 | -------------------------------------------------------------------------------- /frontend/src/components/Todos.vue: -------------------------------------------------------------------------------- 1 | 54 | 55 | -------------------------------------------------------------------------------- /frontend/build/webpack.prod.conf.js: -------------------------------------------------------------------------------- 1 | var path = require('path') 2 | var utils = require('./utils') 3 | var webpack = require('webpack') 4 | var config = require('../config') 5 | var merge = require('webpack-merge') 6 | var baseWebpackConfig = require('./webpack.base.conf') 7 | var CopyWebpackPlugin = require('copy-webpack-plugin') 8 | var HtmlWebpackPlugin = require('html-webpack-plugin') 9 | var ExtractTextPlugin = require('extract-text-webpack-plugin') 10 | var OptimizeCSSPlugin = require('optimize-css-assets-webpack-plugin') 11 | 12 | var env = config.build.env 13 | 14 | var webpackConfig = merge(baseWebpackConfig, { 15 | module: { 16 | rules: utils.styleLoaders({ 17 | sourceMap: config.build.productionSourceMap, 18 | extract: true 19 | }) 20 | }, 21 | devtool: config.build.productionSourceMap ? '#source-map' : false, 22 | output: { 23 | path: config.build.assetsRoot, 24 | filename: utils.assetsPath('js/[name].[chunkhash].js'), 25 | chunkFilename: utils.assetsPath('js/[id].[chunkhash].js') 26 | }, 27 | plugins: [ 28 | // http://vuejs.github.io/vue-loader/en/workflow/production.html 29 | new webpack.DefinePlugin({ 30 | 'process.env': env 31 | }), 32 | new webpack.optimize.UglifyJsPlugin({ 33 | compress: { 34 | warnings: false 35 | }, 36 | sourceMap: true 37 | }), 38 | // extract css into its own file 39 | new ExtractTextPlugin({ 40 | filename: utils.assetsPath('css/[name].[contenthash].css') 41 | }), 42 | // Compress extracted CSS. We are using this plugin so that possible 43 | // duplicated CSS from different components can be deduped. 44 | new OptimizeCSSPlugin({ 45 | cssProcessorOptions: { 46 | safe: true 47 | } 48 | }), 49 | // generate dist index.html with correct asset hash for caching. 50 | // you can customize output by editing /index.html 51 | // see https://github.com/ampedandwired/html-webpack-plugin 52 | new HtmlWebpackPlugin({ 53 | filename: config.build.index, 54 | template: 'index.html', 55 | inject: true, 56 | minify: { 57 | removeComments: true, 58 | collapseWhitespace: true, 59 | removeAttributeQuotes: true 60 | // more options: 61 | // https://github.com/kangax/html-minifier#options-quick-reference 62 | }, 63 | // necessary to consistently work with multiple chunks via CommonsChunkPlugin 64 | chunksSortMode: 'dependency' 65 | }), 66 | // split vendor js into its own file 67 | new webpack.optimize.CommonsChunkPlugin({ 68 | name: 'vendor', 69 | minChunks: function (module, count) { 70 | // any required modules inside node_modules are extracted to vendor 71 | return ( 72 | module.resource && 73 | /\.js$/.test(module.resource) && 74 | module.resource.indexOf( 75 | path.join(__dirname, '../node_modules') 76 | ) === 0 77 | ) 78 | } 79 | }), 80 | // extract webpack runtime and module manifest to its own file in order to 81 | // prevent vendor hash from being updated whenever app bundle is updated 82 | new webpack.optimize.CommonsChunkPlugin({ 83 | name: 'manifest', 84 | chunks: ['vendor'] 85 | }), 86 | // copy custom static assets 87 | new CopyWebpackPlugin([ 88 | { 89 | from: path.resolve(__dirname, '../static'), 90 | to: config.build.assetsSubDirectory, 91 | ignore: ['.*'] 92 | } 93 | ]) 94 | ] 95 | }) 96 | 97 | if (config.build.productionGzip) { 98 | var CompressionWebpackPlugin = require('compression-webpack-plugin') 99 | 100 | webpackConfig.plugins.push( 101 | new CompressionWebpackPlugin({ 102 | asset: '[path].gz[query]', 103 | algorithm: 'gzip', 104 | test: new RegExp( 105 | '\\.(' + 106 | config.build.productionGzipExtensions.join('|') + 107 | ')$' 108 | ), 109 | threshold: 10240, 110 | minRatio: 0.8 111 | }) 112 | ) 113 | } 114 | 115 | if (config.build.bundleAnalyzerReport) { 116 | var BundleAnalyzerPlugin = require('webpack-bundle-analyzer').BundleAnalyzerPlugin 117 | webpackConfig.plugins.push(new BundleAnalyzerPlugin()) 118 | } 119 | 120 | module.exports = webpackConfig 121 | -------------------------------------------------------------------------------- /frontend/src/components/Login.vue: -------------------------------------------------------------------------------- 1 | 72 | 73 | -------------------------------------------------------------------------------- /frontend/src/auth.js: -------------------------------------------------------------------------------- 1 | import Vue from 'vue' 2 | import router from './router' 3 | import store from './store' 4 | import decode from 'jwt-decode' 5 | 6 | /** 7 | * @var{string} LOGIN_URL The endpoint for logging in. This endpoint should be proxied by Webpack dev server 8 | * and maybe nginx in production (cleaner calls and avoids CORS issues). 9 | */ 10 | const LOGIN_URL = window.location.protocol + '//' + window.location.host + '/login' 11 | const ROLE_ADMIN = 'ADMIN' 12 | 13 | /** 14 | * Auth Plugin 15 | * 16 | * (see https://vuejs.org/v2/guide/plugins.html for more info on Vue.js plugins) 17 | * 18 | * Handles login and token authentication using OAuth2. 19 | */ 20 | export default { 21 | 22 | /** 23 | * Install the Auth class. 24 | * 25 | * Creates a Vue-resource http interceptor to handle automatically adding auth headers 26 | * and refreshing tokens. Then attaches this object to the global Vue (as Vue.auth). 27 | * 28 | * @param {Object} Vue The global Vue. 29 | * @param {Object} options Any options we want to have in our plugin. 30 | * @return {void} 31 | */ 32 | install (Vue, options) { 33 | Vue.http.interceptors.push((request, next) => { 34 | const token = store.state.auth.accessToken 35 | const hasAuthHeader = request.headers.has('Authorization') 36 | 37 | if (token && !hasAuthHeader) { 38 | this.setAuthHeader(request) 39 | } 40 | 41 | next() 42 | }) 43 | 44 | Vue.prototype.$auth = Vue.auth = this 45 | }, 46 | 47 | /** 48 | * Login 49 | * 50 | * @param {Object.} creds The username and password for logging in. 51 | * @param {string|null} redirect The name of the Route to redirect to. 52 | * @return {Promise} 53 | */ 54 | login (creds, redirect) { 55 | const params = { 56 | username: creds.username, 57 | password: creds.password 58 | } 59 | 60 | return Vue.http.post(LOGIN_URL, params) 61 | .then((response) => { 62 | this._storeToken(response) 63 | 64 | if (redirect) { 65 | router.push({ name: redirect }) 66 | } 67 | 68 | return response 69 | }) 70 | .catch((errorResponse) => { 71 | return errorResponse 72 | }) 73 | }, 74 | 75 | /** 76 | * Logout 77 | * 78 | * Clear all data in our Vuex store (which resets logged-in status) and redirect back 79 | * to login form. 80 | * 81 | * @return {void} 82 | */ 83 | logout () { 84 | store.commit('CLEAR_ALL_DATA') 85 | router.push({ name: 'login' }) 86 | }, 87 | 88 | /** 89 | * Set the Authorization header on a Vue-resource Request. 90 | * 91 | * @param {Request} request The Vue-Resource Request instance to set the header on. 92 | * @return {void} 93 | */ 94 | setAuthHeader (request) { 95 | request.headers.set('Authorization', 'Bearer ' + store.state.auth.accessToken) 96 | }, 97 | 98 | isAdmin () { 99 | const user = store.state.user 100 | return user.role === ROLE_ADMIN 101 | }, 102 | 103 | isLoggedIn () { 104 | const auth = store.state.auth 105 | return auth.isLoggedIn 106 | }, 107 | 108 | /** 109 | * Retry the original request. 110 | * 111 | * Let's retry the user's original target request that had recieved a invalid token response 112 | * (which we fixed with a token refresh). 113 | * 114 | * @param {Request} request The Vue-resource Request instance to use to repeat an http call. 115 | * @return {Promise} 116 | */ 117 | _retry (request) { 118 | this.setAuthHeader(request) 119 | 120 | return Vue.http(request) 121 | .then((response) => { 122 | return response 123 | }) 124 | .catch((response) => { 125 | return response 126 | }) 127 | }, 128 | 129 | /** 130 | * Store tokens 131 | * 132 | * Update the Vuex store with the access/refresh tokens received from the response from 133 | * the Oauth2 server. 134 | * 135 | * @private 136 | * @param {Response} response Vue-resource Response instance from an OAuth2 server. 137 | * that contains our tokens. 138 | * @return {void} 139 | */ 140 | _storeToken (response) { 141 | const auth = store.state.auth 142 | auth.isLoggedIn = true 143 | auth.accessToken = response.body.accessToken 144 | 145 | var userData = decode(auth.accessToken) 146 | 147 | const user = store.state.user 148 | user.name = userData.name 149 | user.role = userData.role 150 | 151 | store.commit('UPDATE_AUTH', auth) 152 | store.commit('UPDATE_USER', user) 153 | } 154 | } 155 | -------------------------------------------------------------------------------- /users-api/mvnw.cmd: -------------------------------------------------------------------------------- 1 | @REM ---------------------------------------------------------------------------- 2 | @REM Licensed to the Apache Software Foundation (ASF) under one 3 | @REM or more contributor license agreements. See the NOTICE file 4 | @REM distributed with this work for additional information 5 | @REM regarding copyright ownership. The ASF licenses this file 6 | @REM to you under the Apache License, Version 2.0 (the 7 | @REM "License"); you may not use this file except in compliance 8 | @REM with the License. You may obtain a copy of the License at 9 | @REM 10 | @REM http://www.apache.org/licenses/LICENSE-2.0 11 | @REM 12 | @REM Unless required by applicable law or agreed to in writing, 13 | @REM software distributed under the License is distributed on an 14 | @REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | @REM KIND, either express or implied. See the License for the 16 | @REM specific language governing permissions and limitations 17 | @REM under the License. 18 | @REM ---------------------------------------------------------------------------- 19 | 20 | @REM ---------------------------------------------------------------------------- 21 | @REM Maven2 Start Up Batch script 22 | @REM 23 | @REM Required ENV vars: 24 | @REM JAVA_HOME - location of a JDK home dir 25 | @REM 26 | @REM Optional ENV vars 27 | @REM M2_HOME - location of maven2's installed home dir 28 | @REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands 29 | @REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a key stroke before ending 30 | @REM MAVEN_OPTS - parameters passed to the Java VM when running Maven 31 | @REM e.g. to debug Maven itself, use 32 | @REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 33 | @REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files 34 | @REM ---------------------------------------------------------------------------- 35 | 36 | @REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on' 37 | @echo off 38 | @REM enable echoing my setting MAVEN_BATCH_ECHO to 'on' 39 | @if "%MAVEN_BATCH_ECHO%" == "on" echo %MAVEN_BATCH_ECHO% 40 | 41 | @REM set %HOME% to equivalent of $HOME 42 | if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%") 43 | 44 | @REM Execute a user defined script before this one 45 | if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre 46 | @REM check for pre script, once with legacy .bat ending and once with .cmd ending 47 | if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat" 48 | if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd" 49 | :skipRcPre 50 | 51 | @setlocal 52 | 53 | set ERROR_CODE=0 54 | 55 | @REM To isolate internal variables from possible post scripts, we use another setlocal 56 | @setlocal 57 | 58 | @REM ==== START VALIDATION ==== 59 | if not "%JAVA_HOME%" == "" goto OkJHome 60 | 61 | echo. 62 | echo Error: JAVA_HOME not found in your environment. >&2 63 | echo Please set the JAVA_HOME variable in your environment to match the >&2 64 | echo location of your Java installation. >&2 65 | echo. 66 | goto error 67 | 68 | :OkJHome 69 | if exist "%JAVA_HOME%\bin\java.exe" goto init 70 | 71 | echo. 72 | echo Error: JAVA_HOME is set to an invalid directory. >&2 73 | echo JAVA_HOME = "%JAVA_HOME%" >&2 74 | echo Please set the JAVA_HOME variable in your environment to match the >&2 75 | echo location of your Java installation. >&2 76 | echo. 77 | goto error 78 | 79 | @REM ==== END VALIDATION ==== 80 | 81 | :init 82 | 83 | @REM Find the project base dir, i.e. the directory that contains the folder ".mvn". 84 | @REM Fallback to current working directory if not found. 85 | 86 | set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR% 87 | IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir 88 | 89 | set EXEC_DIR=%CD% 90 | set WDIR=%EXEC_DIR% 91 | :findBaseDir 92 | IF EXIST "%WDIR%"\.mvn goto baseDirFound 93 | cd .. 94 | IF "%WDIR%"=="%CD%" goto baseDirNotFound 95 | set WDIR=%CD% 96 | goto findBaseDir 97 | 98 | :baseDirFound 99 | set MAVEN_PROJECTBASEDIR=%WDIR% 100 | cd "%EXEC_DIR%" 101 | goto endDetectBaseDir 102 | 103 | :baseDirNotFound 104 | set MAVEN_PROJECTBASEDIR=%EXEC_DIR% 105 | cd "%EXEC_DIR%" 106 | 107 | :endDetectBaseDir 108 | 109 | IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig 110 | 111 | @setlocal EnableExtensions EnableDelayedExpansion 112 | for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a 113 | @endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS% 114 | 115 | :endReadAdditionalConfig 116 | 117 | SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe" 118 | 119 | set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar" 120 | set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain 121 | 122 | %MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %* 123 | if ERRORLEVEL 1 goto error 124 | goto end 125 | 126 | :error 127 | set ERROR_CODE=1 128 | 129 | :end 130 | @endlocal & set ERROR_CODE=%ERROR_CODE% 131 | 132 | if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost 133 | @REM check for post script, once with legacy .bat ending and once with .cmd ending 134 | if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat" 135 | if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd" 136 | :skipRcPost 137 | 138 | @REM pause the script if MAVEN_BATCH_PAUSE is set to 'on' 139 | if "%MAVEN_BATCH_PAUSE%" == "on" pause 140 | 141 | if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE% 142 | 143 | exit /B %ERROR_CODE% 144 | -------------------------------------------------------------------------------- /users-api/mvnw: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # ---------------------------------------------------------------------------- 3 | # Licensed to the Apache Software Foundation (ASF) under one 4 | # or more contributor license agreements. See the NOTICE file 5 | # distributed with this work for additional information 6 | # regarding copyright ownership. The ASF licenses this file 7 | # to you under the Apache License, Version 2.0 (the 8 | # "License"); you may not use this file except in compliance 9 | # with the License. You may obtain a copy of the License at 10 | # 11 | # http://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, 14 | # software distributed under the License is distributed on an 15 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 16 | # KIND, either express or implied. See the License for the 17 | # specific language governing permissions and limitations 18 | # under the License. 19 | # ---------------------------------------------------------------------------- 20 | 21 | # ---------------------------------------------------------------------------- 22 | # Maven2 Start Up Batch script 23 | # 24 | # Required ENV vars: 25 | # ------------------ 26 | # JAVA_HOME - location of a JDK home dir 27 | # 28 | # Optional ENV vars 29 | # ----------------- 30 | # M2_HOME - location of maven2's installed home dir 31 | # MAVEN_OPTS - parameters passed to the Java VM when running Maven 32 | # e.g. to debug Maven itself, use 33 | # set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 34 | # MAVEN_SKIP_RC - flag to disable loading of mavenrc files 35 | # ---------------------------------------------------------------------------- 36 | 37 | if [ -z "$MAVEN_SKIP_RC" ] ; then 38 | 39 | if [ -f /etc/mavenrc ] ; then 40 | . /etc/mavenrc 41 | fi 42 | 43 | if [ -f "$HOME/.mavenrc" ] ; then 44 | . "$HOME/.mavenrc" 45 | fi 46 | 47 | fi 48 | 49 | # OS specific support. $var _must_ be set to either true or false. 50 | cygwin=false; 51 | darwin=false; 52 | mingw=false 53 | case "`uname`" in 54 | CYGWIN*) cygwin=true ;; 55 | MINGW*) mingw=true;; 56 | Darwin*) darwin=true 57 | # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home 58 | # See https://developer.apple.com/library/mac/qa/qa1170/_index.html 59 | if [ -z "$JAVA_HOME" ]; then 60 | if [ -x "/usr/libexec/java_home" ]; then 61 | export JAVA_HOME="`/usr/libexec/java_home`" 62 | else 63 | export JAVA_HOME="/Library/Java/Home" 64 | fi 65 | fi 66 | ;; 67 | esac 68 | 69 | if [ -z "$JAVA_HOME" ] ; then 70 | if [ -r /etc/gentoo-release ] ; then 71 | JAVA_HOME=`java-config --jre-home` 72 | fi 73 | fi 74 | 75 | if [ -z "$M2_HOME" ] ; then 76 | ## resolve links - $0 may be a link to maven's home 77 | PRG="$0" 78 | 79 | # need this for relative symlinks 80 | while [ -h "$PRG" ] ; do 81 | ls=`ls -ld "$PRG"` 82 | link=`expr "$ls" : '.*-> \(.*\)$'` 83 | if expr "$link" : '/.*' > /dev/null; then 84 | PRG="$link" 85 | else 86 | PRG="`dirname "$PRG"`/$link" 87 | fi 88 | done 89 | 90 | saveddir=`pwd` 91 | 92 | M2_HOME=`dirname "$PRG"`/.. 93 | 94 | # make it fully qualified 95 | M2_HOME=`cd "$M2_HOME" && pwd` 96 | 97 | cd "$saveddir" 98 | # echo Using m2 at $M2_HOME 99 | fi 100 | 101 | # For Cygwin, ensure paths are in UNIX format before anything is touched 102 | if $cygwin ; then 103 | [ -n "$M2_HOME" ] && 104 | M2_HOME=`cygpath --unix "$M2_HOME"` 105 | [ -n "$JAVA_HOME" ] && 106 | JAVA_HOME=`cygpath --unix "$JAVA_HOME"` 107 | [ -n "$CLASSPATH" ] && 108 | CLASSPATH=`cygpath --path --unix "$CLASSPATH"` 109 | fi 110 | 111 | # For Migwn, ensure paths are in UNIX format before anything is touched 112 | if $mingw ; then 113 | [ -n "$M2_HOME" ] && 114 | M2_HOME="`(cd "$M2_HOME"; pwd)`" 115 | [ -n "$JAVA_HOME" ] && 116 | JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`" 117 | # TODO classpath? 118 | fi 119 | 120 | if [ -z "$JAVA_HOME" ]; then 121 | javaExecutable="`which javac`" 122 | if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then 123 | # readlink(1) is not available as standard on Solaris 10. 124 | readLink=`which readlink` 125 | if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then 126 | if $darwin ; then 127 | javaHome="`dirname \"$javaExecutable\"`" 128 | javaExecutable="`cd \"$javaHome\" && pwd -P`/javac" 129 | else 130 | javaExecutable="`readlink -f \"$javaExecutable\"`" 131 | fi 132 | javaHome="`dirname \"$javaExecutable\"`" 133 | javaHome=`expr "$javaHome" : '\(.*\)/bin'` 134 | JAVA_HOME="$javaHome" 135 | export JAVA_HOME 136 | fi 137 | fi 138 | fi 139 | 140 | if [ -z "$JAVACMD" ] ; then 141 | if [ -n "$JAVA_HOME" ] ; then 142 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then 143 | # IBM's JDK on AIX uses strange locations for the executables 144 | JAVACMD="$JAVA_HOME/jre/sh/java" 145 | else 146 | JAVACMD="$JAVA_HOME/bin/java" 147 | fi 148 | else 149 | JAVACMD="`which java`" 150 | fi 151 | fi 152 | 153 | if [ ! -x "$JAVACMD" ] ; then 154 | echo "Error: JAVA_HOME is not defined correctly." >&2 155 | echo " We cannot execute $JAVACMD" >&2 156 | exit 1 157 | fi 158 | 159 | if [ -z "$JAVA_HOME" ] ; then 160 | echo "Warning: JAVA_HOME environment variable is not set." 161 | fi 162 | 163 | CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher 164 | 165 | # traverses directory structure from process work directory to filesystem root 166 | # first directory with .mvn subdirectory is considered project base directory 167 | find_maven_basedir() { 168 | 169 | if [ -z "$1" ] 170 | then 171 | echo "Path not specified to find_maven_basedir" 172 | return 1 173 | fi 174 | 175 | basedir="$1" 176 | wdir="$1" 177 | while [ "$wdir" != '/' ] ; do 178 | if [ -d "$wdir"/.mvn ] ; then 179 | basedir=$wdir 180 | break 181 | fi 182 | # workaround for JBEAP-8937 (on Solaris 10/Sparc) 183 | if [ -d "${wdir}" ]; then 184 | wdir=`cd "$wdir/.."; pwd` 185 | fi 186 | # end of workaround 187 | done 188 | echo "${basedir}" 189 | } 190 | 191 | # concatenates all lines of a file 192 | concat_lines() { 193 | if [ -f "$1" ]; then 194 | echo "$(tr -s '\n' ' ' < "$1")" 195 | fi 196 | } 197 | 198 | BASE_DIR=`find_maven_basedir "$(pwd)"` 199 | if [ -z "$BASE_DIR" ]; then 200 | exit 1; 201 | fi 202 | 203 | export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"} 204 | echo $MAVEN_PROJECTBASEDIR 205 | MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS" 206 | 207 | # For Cygwin, switch paths to Windows format before running java 208 | if $cygwin; then 209 | [ -n "$M2_HOME" ] && 210 | M2_HOME=`cygpath --path --windows "$M2_HOME"` 211 | [ -n "$JAVA_HOME" ] && 212 | JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"` 213 | [ -n "$CLASSPATH" ] && 214 | CLASSPATH=`cygpath --path --windows "$CLASSPATH"` 215 | [ -n "$MAVEN_PROJECTBASEDIR" ] && 216 | MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"` 217 | fi 218 | 219 | WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain 220 | 221 | exec "$JAVACMD" \ 222 | $MAVEN_OPTS \ 223 | -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \ 224 | "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \ 225 | ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@" 226 | -------------------------------------------------------------------------------- /solution/installation/calico.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: DaemonSet 3 | apiVersion: apps/v1 4 | metadata: 5 | name: calico-node 6 | namespace: kube-system 7 | labels: 8 | k8s-app: calico-node 9 | spec: 10 | selector: 11 | matchLabels: 12 | k8s-app: calico-node 13 | updateStrategy: 14 | type: RollingUpdate 15 | rollingUpdate: 16 | maxUnavailable: 1 17 | template: 18 | metadata: 19 | labels: 20 | k8s-app: calico-node 21 | spec: 22 | priorityClassName: system-node-critical 23 | nodeSelector: 24 | beta.kubernetes.io/os: linux 25 | hostNetwork: true 26 | serviceAccountName: calico-node 27 | # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force 28 | # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. 29 | terminationGracePeriodSeconds: 0 30 | containers: 31 | # Runs calico/node container on each Kubernetes node. This 32 | # container programs network policy and routes on each 33 | # host. 34 | - name: calico-node 35 | image: quay.io/calico/node:v3.15.1 36 | env: 37 | # Use Kubernetes API as the backing datastore. 38 | - name: DATASTORE_TYPE 39 | value: "kubernetes" 40 | # Use eni not cali for interface prefix 41 | - name: FELIX_INTERFACEPREFIX 42 | value: "eni" 43 | # Enable felix info logging. 44 | - name: FELIX_LOGSEVERITYSCREEN 45 | value: "info" 46 | # Don't enable BGP. 47 | - name: CALICO_NETWORKING_BACKEND 48 | value: "none" 49 | # Cluster type to identify the deployment type 50 | - name: CLUSTER_TYPE 51 | value: "k8s,ecs" 52 | # Disable file logging so `kubectl logs` works. 53 | - name: CALICO_DISABLE_FILE_LOGGING 54 | value: "true" 55 | - name: FELIX_TYPHAK8SSERVICENAME 56 | value: "calico-typha" 57 | # Set Felix endpoint to host default action to ACCEPT. 58 | - name: FELIX_DEFAULTENDPOINTTOHOSTACTION 59 | value: "ACCEPT" 60 | # This will make Felix honor AWS VPC CNI's mangle table 61 | # rules. 62 | - name: FELIX_IPTABLESMANGLEALLOWACTION 63 | value: Return 64 | # Disable IPV6 on Kubernetes. 65 | - name: FELIX_IPV6SUPPORT 66 | value: "false" 67 | # Wait for the datastore. 68 | - name: WAIT_FOR_DATASTORE 69 | value: "true" 70 | - name: FELIX_LOGSEVERITYSYS 71 | value: "none" 72 | - name: FELIX_PROMETHEUSMETRICSENABLED 73 | value: "true" 74 | - name: FELIX_ROUTESOURCE 75 | value: "WorkloadIPs" 76 | - name: NO_DEFAULT_POOLS 77 | value: "true" 78 | # Set based on the k8s node name. 79 | - name: NODENAME 80 | valueFrom: 81 | fieldRef: 82 | fieldPath: spec.nodeName 83 | # No IP address needed. 84 | - name: IP 85 | value: "" 86 | - name: FELIX_HEALTHENABLED 87 | value: "true" 88 | securityContext: 89 | privileged: true 90 | livenessProbe: 91 | exec: 92 | command: 93 | - /bin/calico-node 94 | - -felix-live 95 | periodSeconds: 10 96 | initialDelaySeconds: 10 97 | failureThreshold: 6 98 | readinessProbe: 99 | exec: 100 | command: 101 | - /bin/calico-node 102 | - -felix-ready 103 | periodSeconds: 10 104 | volumeMounts: 105 | - mountPath: /lib/modules 106 | name: lib-modules 107 | readOnly: true 108 | - mountPath: /run/xtables.lock 109 | name: xtables-lock 110 | readOnly: false 111 | - mountPath: /var/run/calico 112 | name: var-run-calico 113 | readOnly: false 114 | - mountPath: /var/lib/calico 115 | name: var-lib-calico 116 | readOnly: false 117 | volumes: 118 | # Used to ensure proper kmods are installed. 119 | - name: lib-modules 120 | hostPath: 121 | path: /lib/modules 122 | - name: var-run-calico 123 | hostPath: 124 | path: /var/run/calico 125 | - name: var-lib-calico 126 | hostPath: 127 | path: /var/lib/calico 128 | - name: xtables-lock 129 | hostPath: 130 | path: /run/xtables.lock 131 | type: FileOrCreate 132 | tolerations: 133 | # Make sure calico/node gets scheduled on all nodes. 134 | - effect: NoSchedule 135 | operator: Exists 136 | # Mark the pod as a critical add-on for rescheduling. 137 | - key: CriticalAddonsOnly 138 | operator: Exists 139 | - effect: NoExecute 140 | operator: Exists 141 | 142 | --- 143 | 144 | # Create all the CustomResourceDefinitions needed for 145 | # Calico policy-only mode. 146 | 147 | apiVersion: apiextensions.k8s.io/v1beta1 148 | kind: CustomResourceDefinition 149 | metadata: 150 | name: felixconfigurations.crd.projectcalico.org 151 | spec: 152 | scope: Cluster 153 | group: crd.projectcalico.org 154 | versions: 155 | - name: v1 156 | served: true 157 | storage: true 158 | names: 159 | kind: FelixConfiguration 160 | plural: felixconfigurations 161 | singular: felixconfiguration 162 | 163 | --- 164 | 165 | apiVersion: apiextensions.k8s.io/v1beta1 166 | kind: CustomResourceDefinition 167 | metadata: 168 | name: ipamblocks.crd.projectcalico.org 169 | spec: 170 | scope: Cluster 171 | group: crd.projectcalico.org 172 | versions: 173 | - name: v1 174 | served: true 175 | storage: true 176 | names: 177 | kind: IPAMBlock 178 | plural: ipamblocks 179 | singular: ipamblock 180 | 181 | --- 182 | 183 | apiVersion: apiextensions.k8s.io/v1beta1 184 | kind: CustomResourceDefinition 185 | metadata: 186 | name: blockaffinities.crd.projectcalico.org 187 | spec: 188 | scope: Cluster 189 | group: crd.projectcalico.org 190 | versions: 191 | - name: v1 192 | served: true 193 | storage: true 194 | names: 195 | kind: BlockAffinity 196 | plural: blockaffinities 197 | singular: blockaffinity 198 | 199 | --- 200 | 201 | apiVersion: apiextensions.k8s.io/v1beta1 202 | kind: CustomResourceDefinition 203 | metadata: 204 | name: bgpconfigurations.crd.projectcalico.org 205 | spec: 206 | scope: Cluster 207 | group: crd.projectcalico.org 208 | versions: 209 | - name: v1 210 | served: true 211 | storage: true 212 | names: 213 | kind: BGPConfiguration 214 | plural: bgpconfigurations 215 | singular: bgpconfiguration 216 | 217 | --- 218 | apiVersion: apiextensions.k8s.io/v1beta1 219 | kind: CustomResourceDefinition 220 | metadata: 221 | name: bgppeers.crd.projectcalico.org 222 | spec: 223 | scope: Cluster 224 | group: crd.projectcalico.org 225 | versions: 226 | - name: v1 227 | served: true 228 | storage: true 229 | names: 230 | kind: BGPPeer 231 | plural: bgppeers 232 | singular: bgppeer 233 | --- 234 | 235 | apiVersion: apiextensions.k8s.io/v1beta1 236 | kind: CustomResourceDefinition 237 | metadata: 238 | name: ippools.crd.projectcalico.org 239 | spec: 240 | scope: Cluster 241 | group: crd.projectcalico.org 242 | versions: 243 | - name: v1 244 | served: true 245 | storage: true 246 | names: 247 | kind: IPPool 248 | plural: ippools 249 | singular: ippool 250 | 251 | --- 252 | 253 | apiVersion: apiextensions.k8s.io/v1beta1 254 | kind: CustomResourceDefinition 255 | metadata: 256 | name: hostendpoints.crd.projectcalico.org 257 | spec: 258 | scope: Cluster 259 | group: crd.projectcalico.org 260 | versions: 261 | - name: v1 262 | served: true 263 | storage: true 264 | names: 265 | kind: HostEndpoint 266 | plural: hostendpoints 267 | singular: hostendpoint 268 | 269 | --- 270 | 271 | apiVersion: apiextensions.k8s.io/v1beta1 272 | kind: CustomResourceDefinition 273 | metadata: 274 | name: clusterinformations.crd.projectcalico.org 275 | spec: 276 | scope: Cluster 277 | group: crd.projectcalico.org 278 | versions: 279 | - name: v1 280 | served: true 281 | storage: true 282 | names: 283 | kind: ClusterInformation 284 | plural: clusterinformations 285 | singular: clusterinformation 286 | 287 | --- 288 | 289 | apiVersion: apiextensions.k8s.io/v1beta1 290 | kind: CustomResourceDefinition 291 | metadata: 292 | name: globalnetworkpolicies.crd.projectcalico.org 293 | spec: 294 | scope: Cluster 295 | group: crd.projectcalico.org 296 | versions: 297 | - name: v1 298 | served: true 299 | storage: true 300 | names: 301 | kind: GlobalNetworkPolicy 302 | plural: globalnetworkpolicies 303 | singular: globalnetworkpolicy 304 | 305 | --- 306 | 307 | apiVersion: apiextensions.k8s.io/v1beta1 308 | kind: CustomResourceDefinition 309 | metadata: 310 | name: globalnetworksets.crd.projectcalico.org 311 | spec: 312 | scope: Cluster 313 | group: crd.projectcalico.org 314 | versions: 315 | - name: v1 316 | served: true 317 | storage: true 318 | names: 319 | kind: GlobalNetworkSet 320 | plural: globalnetworksets 321 | singular: globalnetworkset 322 | 323 | --- 324 | 325 | apiVersion: apiextensions.k8s.io/v1beta1 326 | kind: CustomResourceDefinition 327 | metadata: 328 | name: networkpolicies.crd.projectcalico.org 329 | spec: 330 | scope: Namespaced 331 | group: crd.projectcalico.org 332 | versions: 333 | - name: v1 334 | served: true 335 | storage: true 336 | names: 337 | kind: NetworkPolicy 338 | plural: networkpolicies 339 | singular: networkpolicy 340 | 341 | --- 342 | 343 | apiVersion: apiextensions.k8s.io/v1beta1 344 | kind: CustomResourceDefinition 345 | metadata: 346 | name: networksets.crd.projectcalico.org 347 | spec: 348 | scope: Namespaced 349 | group: crd.projectcalico.org 350 | versions: 351 | - name: v1 352 | served: true 353 | storage: true 354 | names: 355 | kind: NetworkSet 356 | plural: networksets 357 | singular: networkset 358 | 359 | --- 360 | 361 | # Create the ServiceAccount and roles necessary for Calico. 362 | 363 | apiVersion: v1 364 | kind: ServiceAccount 365 | metadata: 366 | name: calico-node 367 | namespace: kube-system 368 | 369 | --- 370 | 371 | kind: ClusterRole 372 | apiVersion: rbac.authorization.k8s.io/v1 373 | metadata: 374 | name: calico-node 375 | rules: 376 | # The CNI plugin needs to get pods, nodes, configmaps and namespaces. 377 | - apiGroups: [""] 378 | resources: 379 | - pods 380 | - nodes 381 | - configmaps 382 | - namespaces 383 | verbs: 384 | - get 385 | - apiGroups: [""] 386 | resources: 387 | - endpoints 388 | - services 389 | verbs: 390 | # Used to discover service IPs for advertisement. 391 | - watch 392 | - list 393 | # Used to discover Typhas. 394 | - get 395 | - apiGroups: [""] 396 | resources: 397 | - nodes/status 398 | verbs: 399 | # Needed for clearing NodeNetworkUnavailable flag. 400 | - patch 401 | # Calico stores some configuration information in node annotations. 402 | - update 403 | # Watch for changes to Kubernetes NetworkPolicies. 404 | - apiGroups: ["networking.k8s.io"] 405 | resources: 406 | - networkpolicies 407 | verbs: 408 | - watch 409 | - list 410 | # Used by Calico for policy information. 411 | - apiGroups: [""] 412 | resources: 413 | - pods 414 | - namespaces 415 | - serviceaccounts 416 | verbs: 417 | - list 418 | - watch 419 | # The CNI plugin patches pods/status. 420 | - apiGroups: [""] 421 | resources: 422 | - pods/status 423 | verbs: 424 | - patch 425 | # Calico monitors various CRDs for config. 426 | - apiGroups: ["crd.projectcalico.org"] 427 | resources: 428 | - globalfelixconfigs 429 | - felixconfigurations 430 | - bgppeers 431 | - globalbgpconfigs 432 | - bgpconfigurations 433 | - ippools 434 | - ipamblocks 435 | - globalnetworkpolicies 436 | - globalnetworksets 437 | - networkpolicies 438 | - networksets 439 | - clusterinformations 440 | - hostendpoints 441 | - blockaffinities 442 | verbs: 443 | - get 444 | - list 445 | - watch 446 | # Calico must create and update some CRDs on startup. 447 | - apiGroups: ["crd.projectcalico.org"] 448 | resources: 449 | - ippools 450 | - felixconfigurations 451 | - clusterinformations 452 | verbs: 453 | - create 454 | - update 455 | # Calico stores some configuration information on the node. 456 | - apiGroups: [""] 457 | resources: 458 | - nodes 459 | verbs: 460 | - get 461 | - list 462 | - watch 463 | # These permissions are only requried for upgrade from v2.6, and can 464 | # be removed after upgrade or on fresh installations. 465 | - apiGroups: ["crd.projectcalico.org"] 466 | resources: 467 | - bgpconfigurations 468 | - bgppeers 469 | verbs: 470 | - create 471 | - update 472 | # These permissions are required for Calico CNI to perform IPAM allocations. 473 | - apiGroups: ["crd.projectcalico.org"] 474 | resources: 475 | - blockaffinities 476 | - ipamblocks 477 | - ipamhandles 478 | verbs: 479 | - get 480 | - list 481 | - create 482 | - update 483 | - delete 484 | - apiGroups: ["crd.projectcalico.org"] 485 | resources: 486 | - ipamconfigs 487 | verbs: 488 | - get 489 | # Block affinities must also be watchable by confd for route aggregation. 490 | - apiGroups: ["crd.projectcalico.org"] 491 | resources: 492 | - blockaffinities 493 | verbs: 494 | - watch 495 | # The Calico IPAM migration needs to get daemonsets. These permissions can be 496 | # removed if not upgrading from an installation using host-local IPAM. 497 | - apiGroups: ["apps"] 498 | resources: 499 | - daemonsets 500 | verbs: 501 | - get 502 | 503 | --- 504 | 505 | apiVersion: rbac.authorization.k8s.io/v1 506 | kind: ClusterRoleBinding 507 | metadata: 508 | name: calico-node 509 | roleRef: 510 | apiGroup: rbac.authorization.k8s.io 511 | kind: ClusterRole 512 | name: calico-node 513 | subjects: 514 | - kind: ServiceAccount 515 | name: calico-node 516 | namespace: kube-system 517 | 518 | --- 519 | 520 | apiVersion: apps/v1 521 | kind: Deployment 522 | metadata: 523 | name: calico-typha 524 | namespace: kube-system 525 | labels: 526 | k8s-app: calico-typha 527 | spec: 528 | revisionHistoryLimit: 2 529 | selector: 530 | matchLabels: 531 | k8s-app: calico-typha 532 | template: 533 | metadata: 534 | labels: 535 | k8s-app: calico-typha 536 | annotations: 537 | cluster-autoscaler.kubernetes.io/safe-to-evict: 'true' 538 | spec: 539 | priorityClassName: system-cluster-critical 540 | nodeSelector: 541 | beta.kubernetes.io/os: linux 542 | tolerations: 543 | # Mark the pod as a critical add-on for rescheduling. 544 | - key: CriticalAddonsOnly 545 | operator: Exists 546 | hostNetwork: true 547 | serviceAccountName: calico-node 548 | # fsGroup allows using projected serviceaccount tokens as described here kubernetes/kubernetes#82573 549 | securityContext: 550 | fsGroup: 65534 551 | containers: 552 | - image: quay.io/calico/typha:v3.15.1 553 | name: calico-typha 554 | ports: 555 | - containerPort: 5473 556 | name: calico-typha 557 | protocol: TCP 558 | env: 559 | # Use eni not cali for interface prefix 560 | - name: FELIX_INTERFACEPREFIX 561 | value: "eni" 562 | - name: TYPHA_LOGFILEPATH 563 | value: "none" 564 | - name: TYPHA_LOGSEVERITYSYS 565 | value: "none" 566 | - name: TYPHA_LOGSEVERITYSCREEN 567 | value: "info" 568 | - name: TYPHA_PROMETHEUSMETRICSENABLED 569 | value: "true" 570 | - name: TYPHA_CONNECTIONREBALANCINGMODE 571 | value: "kubernetes" 572 | - name: TYPHA_PROMETHEUSMETRICSPORT 573 | value: "9093" 574 | - name: TYPHA_DATASTORETYPE 575 | value: "kubernetes" 576 | - name: TYPHA_MAXCONNECTIONSLOWERLIMIT 577 | value: "1" 578 | - name: TYPHA_HEALTHENABLED 579 | value: "true" 580 | # This will make Felix honor AWS VPC CNI's mangle table 581 | # rules. 582 | - name: FELIX_IPTABLESMANGLEALLOWACTION 583 | value: Return 584 | livenessProbe: 585 | httpGet: 586 | path: /liveness 587 | port: 9098 588 | host: localhost 589 | periodSeconds: 30 590 | initialDelaySeconds: 30 591 | securityContext: 592 | runAsNonRoot: true 593 | allowPrivilegeEscalation: false 594 | readinessProbe: 595 | httpGet: 596 | path: /readiness 597 | port: 9098 598 | host: localhost 599 | periodSeconds: 10 600 | 601 | --- 602 | 603 | # This manifest creates a Pod Disruption Budget for Typha to allow K8s Cluster Autoscaler to evict 604 | apiVersion: policy/v1beta1 605 | kind: PodDisruptionBudget 606 | metadata: 607 | name: calico-typha 608 | namespace: kube-system 609 | labels: 610 | k8s-app: calico-typha 611 | spec: 612 | maxUnavailable: 1 613 | selector: 614 | matchLabels: 615 | k8s-app: calico-typha 616 | 617 | --- 618 | apiVersion: rbac.authorization.k8s.io/v1 619 | kind: ClusterRoleBinding 620 | metadata: 621 | name: typha-cpha 622 | roleRef: 623 | apiGroup: rbac.authorization.k8s.io 624 | kind: ClusterRole 625 | name: typha-cpha 626 | subjects: 627 | - kind: ServiceAccount 628 | name: typha-cpha 629 | namespace: kube-system 630 | 631 | --- 632 | 633 | apiVersion: rbac.authorization.k8s.io/v1 634 | kind: ClusterRole 635 | metadata: 636 | name: typha-cpha 637 | rules: 638 | - apiGroups: [""] 639 | resources: ["nodes"] 640 | verbs: ["watch", "list"] 641 | 642 | --- 643 | 644 | kind: ConfigMap 645 | apiVersion: v1 646 | metadata: 647 | name: calico-typha-horizontal-autoscaler 648 | namespace: kube-system 649 | data: 650 | ladder: |- 651 | { 652 | "coresToReplicas": [], 653 | "nodesToReplicas": 654 | [ 655 | [1, 1], 656 | [10, 2], 657 | [100, 3], 658 | [250, 4], 659 | [500, 5], 660 | [1000, 6], 661 | [1500, 7], 662 | [2000, 8] 663 | ] 664 | } 665 | 666 | --- 667 | 668 | apiVersion: apps/v1 669 | kind: Deployment 670 | metadata: 671 | name: calico-typha-horizontal-autoscaler 672 | namespace: kube-system 673 | labels: 674 | k8s-app: calico-typha-autoscaler 675 | spec: 676 | selector: 677 | matchLabels: 678 | k8s-app: calico-typha-autoscaler 679 | replicas: 1 680 | template: 681 | metadata: 682 | labels: 683 | k8s-app: calico-typha-autoscaler 684 | spec: 685 | priorityClassName: system-cluster-critical 686 | nodeSelector: 687 | beta.kubernetes.io/os: linux 688 | containers: 689 | - image: k8s.gcr.io/cluster-proportional-autoscaler-amd64:1.7.1 690 | name: autoscaler 691 | command: 692 | - /cluster-proportional-autoscaler 693 | - --namespace=kube-system 694 | - --configmap=calico-typha-horizontal-autoscaler 695 | - --target=deployment/calico-typha 696 | - --logtostderr=true 697 | - --v=2 698 | resources: 699 | requests: 700 | cpu: 10m 701 | limits: 702 | cpu: 10m 703 | serviceAccountName: typha-cpha 704 | 705 | --- 706 | 707 | apiVersion: rbac.authorization.k8s.io/v1 708 | kind: Role 709 | metadata: 710 | name: typha-cpha 711 | namespace: kube-system 712 | rules: 713 | - apiGroups: [""] 714 | resources: ["configmaps"] 715 | verbs: ["get"] 716 | - apiGroups: ["extensions", "apps"] 717 | resources: ["deployments/scale"] 718 | verbs: ["get", "update"] 719 | 720 | --- 721 | 722 | apiVersion: v1 723 | kind: ServiceAccount 724 | metadata: 725 | name: typha-cpha 726 | namespace: kube-system 727 | 728 | --- 729 | 730 | apiVersion: rbac.authorization.k8s.io/v1 731 | kind: RoleBinding 732 | metadata: 733 | name: typha-cpha 734 | namespace: kube-system 735 | roleRef: 736 | apiGroup: rbac.authorization.k8s.io 737 | kind: Role 738 | name: typha-cpha 739 | subjects: 740 | - kind: ServiceAccount 741 | name: typha-cpha 742 | namespace: kube-system 743 | 744 | --- 745 | 746 | apiVersion: v1 747 | kind: Service 748 | metadata: 749 | name: calico-typha 750 | namespace: kube-system 751 | labels: 752 | k8s-app: calico-typha 753 | spec: 754 | ports: 755 | - port: 5473 756 | protocol: TCP 757 | targetPort: calico-typha 758 | name: calico-typha 759 | selector: 760 | k8s-app: calico-typha 761 | -------------------------------------------------------------------------------- /solution/installation/ingress-controller.yaml: -------------------------------------------------------------------------------- 1 | 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: ingress-nginx 6 | labels: 7 | app.kubernetes.io/name: ingress-nginx 8 | app.kubernetes.io/instance: ingress-nginx 9 | 10 | --- 11 | # Source: ingress-nginx/templates/controller-serviceaccount.yaml 12 | apiVersion: v1 13 | kind: ServiceAccount 14 | metadata: 15 | labels: 16 | helm.sh/chart: ingress-nginx-3.19.0 17 | app.kubernetes.io/name: ingress-nginx 18 | app.kubernetes.io/instance: ingress-nginx 19 | app.kubernetes.io/version: 0.43.0 20 | app.kubernetes.io/managed-by: Helm 21 | app.kubernetes.io/component: controller 22 | name: ingress-nginx 23 | namespace: ingress-nginx 24 | --- 25 | # Source: ingress-nginx/templates/controller-configmap.yaml 26 | apiVersion: v1 27 | kind: ConfigMap 28 | metadata: 29 | labels: 30 | helm.sh/chart: ingress-nginx-3.19.0 31 | app.kubernetes.io/name: ingress-nginx 32 | app.kubernetes.io/instance: ingress-nginx 33 | app.kubernetes.io/version: 0.43.0 34 | app.kubernetes.io/managed-by: Helm 35 | app.kubernetes.io/component: controller 36 | name: ingress-nginx-controller 37 | namespace: ingress-nginx 38 | data: 39 | --- 40 | # Source: ingress-nginx/templates/clusterrole.yaml 41 | apiVersion: rbac.authorization.k8s.io/v1 42 | kind: ClusterRole 43 | metadata: 44 | labels: 45 | helm.sh/chart: ingress-nginx-3.19.0 46 | app.kubernetes.io/name: ingress-nginx 47 | app.kubernetes.io/instance: ingress-nginx 48 | app.kubernetes.io/version: 0.43.0 49 | app.kubernetes.io/managed-by: Helm 50 | name: ingress-nginx 51 | rules: 52 | - apiGroups: 53 | - '' 54 | resources: 55 | - configmaps 56 | - endpoints 57 | - nodes 58 | - pods 59 | - secrets 60 | verbs: 61 | - list 62 | - watch 63 | - apiGroups: 64 | - '' 65 | resources: 66 | - nodes 67 | verbs: 68 | - get 69 | - apiGroups: 70 | - '' 71 | resources: 72 | - services 73 | verbs: 74 | - get 75 | - list 76 | - update 77 | - watch 78 | - apiGroups: 79 | - extensions 80 | - networking.k8s.io # k8s 1.14+ 81 | resources: 82 | - ingresses 83 | verbs: 84 | - get 85 | - list 86 | - watch 87 | - apiGroups: 88 | - '' 89 | resources: 90 | - events 91 | verbs: 92 | - create 93 | - patch 94 | - apiGroups: 95 | - extensions 96 | - networking.k8s.io # k8s 1.14+ 97 | resources: 98 | - ingresses/status 99 | verbs: 100 | - update 101 | - apiGroups: 102 | - networking.k8s.io # k8s 1.14+ 103 | resources: 104 | - ingressclasses 105 | verbs: 106 | - get 107 | - list 108 | - watch 109 | --- 110 | # Source: ingress-nginx/templates/clusterrolebinding.yaml 111 | apiVersion: rbac.authorization.k8s.io/v1 112 | kind: ClusterRoleBinding 113 | metadata: 114 | labels: 115 | helm.sh/chart: ingress-nginx-3.19.0 116 | app.kubernetes.io/name: ingress-nginx 117 | app.kubernetes.io/instance: ingress-nginx 118 | app.kubernetes.io/version: 0.43.0 119 | app.kubernetes.io/managed-by: Helm 120 | name: ingress-nginx 121 | roleRef: 122 | apiGroup: rbac.authorization.k8s.io 123 | kind: ClusterRole 124 | name: ingress-nginx 125 | subjects: 126 | - kind: ServiceAccount 127 | name: ingress-nginx 128 | namespace: ingress-nginx 129 | --- 130 | # Source: ingress-nginx/templates/controller-role.yaml 131 | apiVersion: rbac.authorization.k8s.io/v1 132 | kind: Role 133 | metadata: 134 | labels: 135 | helm.sh/chart: ingress-nginx-3.19.0 136 | app.kubernetes.io/name: ingress-nginx 137 | app.kubernetes.io/instance: ingress-nginx 138 | app.kubernetes.io/version: 0.43.0 139 | app.kubernetes.io/managed-by: Helm 140 | app.kubernetes.io/component: controller 141 | name: ingress-nginx 142 | namespace: ingress-nginx 143 | rules: 144 | - apiGroups: 145 | - '' 146 | resources: 147 | - namespaces 148 | verbs: 149 | - get 150 | - apiGroups: 151 | - '' 152 | resources: 153 | - configmaps 154 | - pods 155 | - secrets 156 | - endpoints 157 | verbs: 158 | - get 159 | - list 160 | - watch 161 | - apiGroups: 162 | - '' 163 | resources: 164 | - services 165 | verbs: 166 | - get 167 | - list 168 | - update 169 | - watch 170 | - apiGroups: 171 | - extensions 172 | - networking.k8s.io # k8s 1.14+ 173 | resources: 174 | - ingresses 175 | verbs: 176 | - get 177 | - list 178 | - watch 179 | - apiGroups: 180 | - extensions 181 | - networking.k8s.io # k8s 1.14+ 182 | resources: 183 | - ingresses/status 184 | verbs: 185 | - update 186 | - apiGroups: 187 | - networking.k8s.io # k8s 1.14+ 188 | resources: 189 | - ingressclasses 190 | verbs: 191 | - get 192 | - list 193 | - watch 194 | - apiGroups: 195 | - '' 196 | resources: 197 | - configmaps 198 | resourceNames: 199 | - ingress-controller-leader-nginx 200 | verbs: 201 | - get 202 | - update 203 | - apiGroups: 204 | - '' 205 | resources: 206 | - configmaps 207 | verbs: 208 | - create 209 | - apiGroups: 210 | - '' 211 | resources: 212 | - endpoints 213 | verbs: 214 | - create 215 | - get 216 | - update 217 | - apiGroups: 218 | - '' 219 | resources: 220 | - events 221 | verbs: 222 | - create 223 | - patch 224 | --- 225 | # Source: ingress-nginx/templates/controller-rolebinding.yaml 226 | apiVersion: rbac.authorization.k8s.io/v1 227 | kind: RoleBinding 228 | metadata: 229 | labels: 230 | helm.sh/chart: ingress-nginx-3.19.0 231 | app.kubernetes.io/name: ingress-nginx 232 | app.kubernetes.io/instance: ingress-nginx 233 | app.kubernetes.io/version: 0.43.0 234 | app.kubernetes.io/managed-by: Helm 235 | app.kubernetes.io/component: controller 236 | name: ingress-nginx 237 | namespace: ingress-nginx 238 | roleRef: 239 | apiGroup: rbac.authorization.k8s.io 240 | kind: Role 241 | name: ingress-nginx 242 | subjects: 243 | - kind: ServiceAccount 244 | name: ingress-nginx 245 | namespace: ingress-nginx 246 | --- 247 | # Source: ingress-nginx/templates/controller-service-webhook.yaml 248 | apiVersion: v1 249 | kind: Service 250 | metadata: 251 | labels: 252 | helm.sh/chart: ingress-nginx-3.19.0 253 | app.kubernetes.io/name: ingress-nginx 254 | app.kubernetes.io/instance: ingress-nginx 255 | app.kubernetes.io/version: 0.43.0 256 | app.kubernetes.io/managed-by: Helm 257 | app.kubernetes.io/component: controller 258 | name: ingress-nginx-controller-admission 259 | namespace: ingress-nginx 260 | spec: 261 | type: ClusterIP 262 | ports: 263 | - name: https-webhook 264 | port: 443 265 | targetPort: webhook 266 | selector: 267 | app.kubernetes.io/name: ingress-nginx 268 | app.kubernetes.io/instance: ingress-nginx 269 | app.kubernetes.io/component: controller 270 | --- 271 | # Source: ingress-nginx/templates/controller-service.yaml 272 | apiVersion: v1 273 | kind: Service 274 | metadata: 275 | annotations: 276 | service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp 277 | service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' 278 | service.beta.kubernetes.io/aws-load-balancer-type: nlb 279 | labels: 280 | helm.sh/chart: ingress-nginx-3.19.0 281 | app.kubernetes.io/name: ingress-nginx 282 | app.kubernetes.io/instance: ingress-nginx 283 | app.kubernetes.io/version: 0.43.0 284 | app.kubernetes.io/managed-by: Helm 285 | app.kubernetes.io/component: controller 286 | name: ingress-nginx-controller 287 | namespace: ingress-nginx 288 | spec: 289 | type: LoadBalancer 290 | externalTrafficPolicy: Local 291 | ports: 292 | - name: http 293 | port: 80 294 | protocol: TCP 295 | targetPort: http 296 | - name: https 297 | port: 443 298 | protocol: TCP 299 | targetPort: https 300 | selector: 301 | app.kubernetes.io/name: ingress-nginx 302 | app.kubernetes.io/instance: ingress-nginx 303 | app.kubernetes.io/component: controller 304 | --- 305 | # Source: ingress-nginx/templates/controller-deployment.yaml 306 | apiVersion: apps/v1 307 | kind: Deployment 308 | metadata: 309 | labels: 310 | helm.sh/chart: ingress-nginx-3.19.0 311 | app.kubernetes.io/name: ingress-nginx 312 | app.kubernetes.io/instance: ingress-nginx 313 | app.kubernetes.io/version: 0.43.0 314 | app.kubernetes.io/managed-by: Helm 315 | app.kubernetes.io/component: controller 316 | name: ingress-nginx-controller 317 | namespace: ingress-nginx 318 | spec: 319 | selector: 320 | matchLabels: 321 | app.kubernetes.io/name: ingress-nginx 322 | app.kubernetes.io/instance: ingress-nginx 323 | app.kubernetes.io/component: controller 324 | revisionHistoryLimit: 10 325 | minReadySeconds: 0 326 | template: 327 | metadata: 328 | labels: 329 | app.kubernetes.io/name: ingress-nginx 330 | app.kubernetes.io/instance: ingress-nginx 331 | app.kubernetes.io/component: controller 332 | spec: 333 | dnsPolicy: ClusterFirst 334 | containers: 335 | - name: controller 336 | image: k8s.gcr.io/ingress-nginx/controller:v0.43.0@sha256:9bba603b99bf25f6d117cf1235b6598c16033ad027b143c90fa5b3cc583c5713 337 | imagePullPolicy: IfNotPresent 338 | lifecycle: 339 | preStop: 340 | exec: 341 | command: 342 | - /wait-shutdown 343 | args: 344 | - /nginx-ingress-controller 345 | - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller 346 | - --election-id=ingress-controller-leader 347 | - --ingress-class=nginx 348 | - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller 349 | - --validating-webhook=:8443 350 | - --validating-webhook-certificate=/usr/local/certificates/cert 351 | - --validating-webhook-key=/usr/local/certificates/key 352 | securityContext: 353 | capabilities: 354 | drop: 355 | - ALL 356 | add: 357 | - NET_BIND_SERVICE 358 | runAsUser: 101 359 | allowPrivilegeEscalation: true 360 | env: 361 | - name: POD_NAME 362 | valueFrom: 363 | fieldRef: 364 | fieldPath: metadata.name 365 | - name: POD_NAMESPACE 366 | valueFrom: 367 | fieldRef: 368 | fieldPath: metadata.namespace 369 | - name: LD_PRELOAD 370 | value: /usr/local/lib/libmimalloc.so 371 | livenessProbe: 372 | httpGet: 373 | path: /healthz 374 | port: 10254 375 | scheme: HTTP 376 | initialDelaySeconds: 10 377 | periodSeconds: 10 378 | timeoutSeconds: 1 379 | successThreshold: 1 380 | failureThreshold: 5 381 | readinessProbe: 382 | httpGet: 383 | path: /healthz 384 | port: 10254 385 | scheme: HTTP 386 | initialDelaySeconds: 10 387 | periodSeconds: 10 388 | timeoutSeconds: 1 389 | successThreshold: 1 390 | failureThreshold: 3 391 | ports: 392 | - name: http 393 | containerPort: 80 394 | protocol: TCP 395 | - name: https 396 | containerPort: 443 397 | protocol: TCP 398 | - name: webhook 399 | containerPort: 8443 400 | protocol: TCP 401 | volumeMounts: 402 | - name: webhook-cert 403 | mountPath: /usr/local/certificates/ 404 | readOnly: true 405 | resources: 406 | requests: 407 | cpu: 100m 408 | memory: 90Mi 409 | nodeSelector: 410 | kubernetes.io/os: linux 411 | serviceAccountName: ingress-nginx 412 | terminationGracePeriodSeconds: 300 413 | volumes: 414 | - name: webhook-cert 415 | secret: 416 | secretName: ingress-nginx-admission 417 | --- 418 | # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml 419 | # before changing this value, check the required kubernetes version 420 | # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites 421 | apiVersion: admissionregistration.k8s.io/v1 422 | kind: ValidatingWebhookConfiguration 423 | metadata: 424 | labels: 425 | helm.sh/chart: ingress-nginx-3.19.0 426 | app.kubernetes.io/name: ingress-nginx 427 | app.kubernetes.io/instance: ingress-nginx 428 | app.kubernetes.io/version: 0.43.0 429 | app.kubernetes.io/managed-by: Helm 430 | app.kubernetes.io/component: admission-webhook 431 | name: ingress-nginx-admission 432 | webhooks: 433 | - name: validate.nginx.ingress.kubernetes.io 434 | matchPolicy: Equivalent 435 | rules: 436 | - apiGroups: 437 | - networking.k8s.io 438 | apiVersions: 439 | - v1beta1 440 | operations: 441 | - CREATE 442 | - UPDATE 443 | resources: 444 | - ingresses 445 | failurePolicy: Fail 446 | sideEffects: None 447 | admissionReviewVersions: 448 | - v1 449 | - v1beta1 450 | clientConfig: 451 | service: 452 | namespace: ingress-nginx 453 | name: ingress-nginx-controller-admission 454 | path: /networking/v1beta1/ingresses 455 | --- 456 | # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml 457 | apiVersion: v1 458 | kind: ServiceAccount 459 | metadata: 460 | name: ingress-nginx-admission 461 | annotations: 462 | helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade 463 | helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded 464 | labels: 465 | helm.sh/chart: ingress-nginx-3.19.0 466 | app.kubernetes.io/name: ingress-nginx 467 | app.kubernetes.io/instance: ingress-nginx 468 | app.kubernetes.io/version: 0.43.0 469 | app.kubernetes.io/managed-by: Helm 470 | app.kubernetes.io/component: admission-webhook 471 | namespace: ingress-nginx 472 | --- 473 | # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml 474 | apiVersion: rbac.authorization.k8s.io/v1 475 | kind: ClusterRole 476 | metadata: 477 | name: ingress-nginx-admission 478 | annotations: 479 | helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade 480 | helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded 481 | labels: 482 | helm.sh/chart: ingress-nginx-3.19.0 483 | app.kubernetes.io/name: ingress-nginx 484 | app.kubernetes.io/instance: ingress-nginx 485 | app.kubernetes.io/version: 0.43.0 486 | app.kubernetes.io/managed-by: Helm 487 | app.kubernetes.io/component: admission-webhook 488 | rules: 489 | - apiGroups: 490 | - admissionregistration.k8s.io 491 | resources: 492 | - validatingwebhookconfigurations 493 | verbs: 494 | - get 495 | - update 496 | --- 497 | # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml 498 | apiVersion: rbac.authorization.k8s.io/v1 499 | kind: ClusterRoleBinding 500 | metadata: 501 | name: ingress-nginx-admission 502 | annotations: 503 | helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade 504 | helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded 505 | labels: 506 | helm.sh/chart: ingress-nginx-3.19.0 507 | app.kubernetes.io/name: ingress-nginx 508 | app.kubernetes.io/instance: ingress-nginx 509 | app.kubernetes.io/version: 0.43.0 510 | app.kubernetes.io/managed-by: Helm 511 | app.kubernetes.io/component: admission-webhook 512 | roleRef: 513 | apiGroup: rbac.authorization.k8s.io 514 | kind: ClusterRole 515 | name: ingress-nginx-admission 516 | subjects: 517 | - kind: ServiceAccount 518 | name: ingress-nginx-admission 519 | namespace: ingress-nginx 520 | --- 521 | # Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml 522 | apiVersion: rbac.authorization.k8s.io/v1 523 | kind: Role 524 | metadata: 525 | name: ingress-nginx-admission 526 | annotations: 527 | helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade 528 | helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded 529 | labels: 530 | helm.sh/chart: ingress-nginx-3.19.0 531 | app.kubernetes.io/name: ingress-nginx 532 | app.kubernetes.io/instance: ingress-nginx 533 | app.kubernetes.io/version: 0.43.0 534 | app.kubernetes.io/managed-by: Helm 535 | app.kubernetes.io/component: admission-webhook 536 | namespace: ingress-nginx 537 | rules: 538 | - apiGroups: 539 | - '' 540 | resources: 541 | - secrets 542 | verbs: 543 | - get 544 | - create 545 | --- 546 | # Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml 547 | apiVersion: rbac.authorization.k8s.io/v1 548 | kind: RoleBinding 549 | metadata: 550 | name: ingress-nginx-admission 551 | annotations: 552 | helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade 553 | helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded 554 | labels: 555 | helm.sh/chart: ingress-nginx-3.19.0 556 | app.kubernetes.io/name: ingress-nginx 557 | app.kubernetes.io/instance: ingress-nginx 558 | app.kubernetes.io/version: 0.43.0 559 | app.kubernetes.io/managed-by: Helm 560 | app.kubernetes.io/component: admission-webhook 561 | namespace: ingress-nginx 562 | roleRef: 563 | apiGroup: rbac.authorization.k8s.io 564 | kind: Role 565 | name: ingress-nginx-admission 566 | subjects: 567 | - kind: ServiceAccount 568 | name: ingress-nginx-admission 569 | namespace: ingress-nginx 570 | --- 571 | # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml 572 | apiVersion: batch/v1 573 | kind: Job 574 | metadata: 575 | name: ingress-nginx-admission-create 576 | annotations: 577 | helm.sh/hook: pre-install,pre-upgrade 578 | helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded 579 | labels: 580 | helm.sh/chart: ingress-nginx-3.19.0 581 | app.kubernetes.io/name: ingress-nginx 582 | app.kubernetes.io/instance: ingress-nginx 583 | app.kubernetes.io/version: 0.43.0 584 | app.kubernetes.io/managed-by: Helm 585 | app.kubernetes.io/component: admission-webhook 586 | namespace: ingress-nginx 587 | spec: 588 | template: 589 | metadata: 590 | name: ingress-nginx-admission-create 591 | labels: 592 | helm.sh/chart: ingress-nginx-3.19.0 593 | app.kubernetes.io/name: ingress-nginx 594 | app.kubernetes.io/instance: ingress-nginx 595 | app.kubernetes.io/version: 0.43.0 596 | app.kubernetes.io/managed-by: Helm 597 | app.kubernetes.io/component: admission-webhook 598 | spec: 599 | containers: 600 | - name: create 601 | image: docker.io/jettech/kube-webhook-certgen:v1.5.0 602 | imagePullPolicy: IfNotPresent 603 | args: 604 | - create 605 | - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc 606 | - --namespace=$(POD_NAMESPACE) 607 | - --secret-name=ingress-nginx-admission 608 | env: 609 | - name: POD_NAMESPACE 610 | valueFrom: 611 | fieldRef: 612 | fieldPath: metadata.namespace 613 | restartPolicy: OnFailure 614 | serviceAccountName: ingress-nginx-admission 615 | securityContext: 616 | runAsNonRoot: true 617 | runAsUser: 2000 618 | --- 619 | # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml 620 | apiVersion: batch/v1 621 | kind: Job 622 | metadata: 623 | name: ingress-nginx-admission-patch 624 | annotations: 625 | helm.sh/hook: post-install,post-upgrade 626 | helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded 627 | labels: 628 | helm.sh/chart: ingress-nginx-3.19.0 629 | app.kubernetes.io/name: ingress-nginx 630 | app.kubernetes.io/instance: ingress-nginx 631 | app.kubernetes.io/version: 0.43.0 632 | app.kubernetes.io/managed-by: Helm 633 | app.kubernetes.io/component: admission-webhook 634 | namespace: ingress-nginx 635 | spec: 636 | template: 637 | metadata: 638 | name: ingress-nginx-admission-patch 639 | labels: 640 | helm.sh/chart: ingress-nginx-3.19.0 641 | app.kubernetes.io/name: ingress-nginx 642 | app.kubernetes.io/instance: ingress-nginx 643 | app.kubernetes.io/version: 0.43.0 644 | app.kubernetes.io/managed-by: Helm 645 | app.kubernetes.io/component: admission-webhook 646 | spec: 647 | containers: 648 | - name: patch 649 | image: docker.io/jettech/kube-webhook-certgen:v1.5.0 650 | imagePullPolicy: IfNotPresent 651 | args: 652 | - patch 653 | - --webhook-name=ingress-nginx-admission 654 | - --namespace=$(POD_NAMESPACE) 655 | - --patch-mutating=false 656 | - --secret-name=ingress-nginx-admission 657 | - --patch-failure-policy=Fail 658 | env: 659 | - name: POD_NAMESPACE 660 | valueFrom: 661 | fieldRef: 662 | fieldPath: metadata.namespace 663 | restartPolicy: OnFailure 664 | serviceAccountName: ingress-nginx-admission 665 | securityContext: 666 | runAsNonRoot: true 667 | runAsUser: 2000 668 | --------------------------------------------------------------------------------