Merge pull request #7 from planetscale/joem/k8s-yaml-examples
docs: add ./examples dir with k8s manifests
joemiller authored Nov 13, 2024
2 parents 8b51c9d + 07ecca0 commit 35e9670
Showing 7 changed files with 196 additions and 0 deletions.
1 change: 1 addition & 0 deletions .github/workflows/release.yaml
Expand Up @@ -6,6 +6,7 @@ on:
paths-ignore:
- README.md
- doc/**
- examples/**
- .github/**
- renovate.json5
workflow_dispatch:
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -2,6 +2,10 @@

A Kubernetes controller that watches Kubernetes Nodes and copies labels from the node to the cloud provider's VM as tags (AWS) or labels (GCP).

## Deployment

See the [./examples](./examples) directory for example manifests. These are just examples, please read them carefully and adjust if needed.

## Testing

- lint: `make lint`
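--- a/examples/ciliumnetworkpolicy.yaml
+++ b/examples/ciliumnetworkpolicy.yaml
@@ -0,0 +1,54 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+name: k8s-node-tagger
+specs:
+- description: Allow access to AWS STS API
+endpointSelector:
+matchLabels:
+app: k8s-node-tagger
+egress:
+- toFQDNs:
+- matchName: sts.amazonaws.com
+- matchPattern: sts.*.amazonaws.com
+toPorts:
+- ports:
+- port: "443"
+protocol: TCP
+
+- description: Allow access to AWS EC2 API
+endpointSelector:
+matchLabels:
+app: k8s-node-tagger
+egress:
+- toFQDNs:
+- matchName: ec2.amazonaws.com
+- matchPattern: ec2.*.amazonaws.com
+toPorts:
+- ports:
+- port: "443"
+protocol: TCP
+
+- description: Allow access to GCP GCE instance metadata service
+endpointSelector:
+matchLabels:
+app: k8s-node-tagger
+egress:
+- toCIDR:
+- 169.254.169.254/32
+toPorts:
+- ports:
+- port: "80"
+protocol: TCP
+
+- description: Allow access to GCP GCE API
+endpointSelector:
+matchLabels:
+app: k8s-node-tagger
+egress:
+- toFQDNs:
+- matchName: compute.googleapis.com
+toPorts:
+- ports:
+- port: "443"
+protocol: TCP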
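Review bot: The four `toFQDNs` rules cannot take effect on their own, because Cilium only learns the IPs behind an FQDN through its DNS proxy, which requires an egress rule to kube-dns on port 53 carrying a `rules.dns` section, and this file has none. The controller also watches Nodes, so it needs egress to the API server (`toEntities: [kube-apiserver]`) unless another policy in the namespace already grants it, which I cannot tell from the commit; I would add both as further entries under `specs`. The AWS entries additionally assume credentials arrive via STS (IRSA or similar) — if the pod instead reads the EC2 instance metadata service, a `toCIDR` entry for it like the GCE one is needed, which the descriptions should state.
```yaml
# … unchanged: existing STS / EC2 / GCE metadata / GCE API specs …
- description: Allow DNS lookups so the toFQDNs rules above can be resolved
  endpointSelector:
    matchLabels:
      app: k8s-node-tagger
  egress:
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"

- description: Allow access to the Kubernetes API server (node watch)
  endpointSelector:
    matchLabels:
      app: k8s-node-tagger
  egress:
    - toEntities:
        - kube-apiserver
```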
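--- a/examples/deployment.yaml
+++ b/examples/deployment.yaml
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: k8s-node-tagger
+spec:
+# NOTE: we could do replicas: 2 here. If so, add the '-enable-leader-election' flag
+replicas: 1
+
+selector:
+matchLabels:
+app: k8s-node-tagger
+template:
+metadata:
+labels:
+app: k8s-node-tagger
+spec:
+serviceAccountName: k8s-node-tagger
+containers:
+- name: k8s-node-tagger
+image: ghcr.io/planetscale/k8s-node-tagger:v0.0.15@sha256:7e5074b10cc113afaf6ea17465ad8de2b9b08acf24cc55e98f4eb5aafe4e1982
+imagePullPolicy: IfNotPresent
+args:
+- -cloud=aws
+# - -cloud=gcp
+- -labels=database-branch-id,psdb.co/shard,psdb.co/cluster,psdb.co/keyspace,psdb.co/component,psdb.co/size
+- -json
+ports:
+- name: http
+containerPort: 8080
+protocol: TCP
+- name: metrics
+containerPort: 8081
+protocol: TCP
+livenessProbe:
+httpGet:
+path: /healthz
+port: http
+readinessProbe:
+httpGet:
+path: /healthz
+port: http
+resources:
+requests:
+memory: 64Mi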
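Review bot: Neither the pod spec nor the container carries a `securityContext`, so a controller that presumably holds cloud credentials with tag-write permissions runs with the defaults: privilege escalation allowed, writable root filesystem, full default capability set and no seccomp profile. A restricted-profile block costs nothing for a binary that only makes outbound API calls; `runAsNonRoot: true` assumes the image declares a non-root user, which I cannot confirm from the digest alone — set `runAsUser` explicitly if it does not. Separately, `resources` sets only a memory request, so a memory limit (and a CPU request) would keep the example from being a noisy neighbour. The `replicas` comment could also mention that the `-enable-leader-election` flag depends on the leases Role shipped in rbac.yaml.
```yaml
    spec:
      serviceAccountName: k8s-node-tagger
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: k8s-node-tagger
          # … unchanged: image, imagePullPolicy, args, ports, probes …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              memory: 128Mi
```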
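--- a/examples/rbac.yaml
+++ b/examples/rbac.yaml
@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: k8s-node-tagger
+
+# clusterrole for k8s-node-tagger to read/watch nodes
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: k8s-node-tagger
+rules:
+- apiGroups:
+- ""
+resources:
+- nodes
+verbs:
+- get
+- list
+- watch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: k8s-node-tagger
+subjects:
+- kind: ServiceAccount
+name: k8s-node-tagger
+namespace: k8s-node-tagger
+roleRef:
+kind: ClusterRole
+name: k8s-node-tagger
+apiGroup: rbac.authorization.k8s.io
+
+# namespace role for k8s-node-tagger to use the lease API. Shouldn't be needed if leader election is disabled.
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: k8s-node-tagger
+rules:
+- apiGroups:
+- coordination.k8s.io
+resources:
+- leases
+verbs:
+- create
+- get
+- update
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: k8s-node-tagger
+subjects:
+- kind: ServiceAccount
+name: k8s-node-tagger
+namespace: k8s-node-tagger
+roleRef:
+kind: Role
+name: k8s-node-tagger
+apiGroup: rbac.authorization.k8s.io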
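Review bot: Both bindings name their ServiceAccount subject with `namespace: k8s-node-tagger`, yet no manifest in this commit sets `metadata.namespace` and no Namespace object is created, so applying the examples anywhere else (e.g. `kubectl apply -f examples/` into `default`) produces a ServiceAccount the bindings never match and a controller that is unauthorized to list nodes. Either add `namespace: k8s-node-tagger` under `metadata` of the ServiceAccount, Role, RoleBinding, Deployment, Service and CiliumNetworkPolicy, or add a Namespace manifest and state in the README that the examples assume that namespace; `namespaceSelector.matchNames` in servicemonitor.yaml hard-codes the same name and needs the same treatment. The leases Role and RoleBinding are granted unconditionally even though deployment.yaml runs one replica without leader election and the comment already says they are not needed then; keeping that grant clearly optional (a separate file or a commented-out document) would keep the default permissions minimal. The ClusterRole itself is appropriately read-only on nodes.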
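--- a/examples/service.yaml
+++ b/examples/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: k8s-node-tagger
+labels:
+app: k8s-node-tagger
+spec:
+type: ClusterIP
+ports:
+- name: http
+port: 8080
+targetPort: http
+- name: metrics
+port: 8081
+targetPort: metrics
+selector:
+app: k8s-node-tagger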
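--- a/examples/servicemonitor.yaml
+++ b/examples/servicemonitor.yaml
@@ -0,0 +1,14 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+name: k8s-node-tagger
+spec:
+endpoints:
+- port: metrics
+jobLabel: jobLabel
+namespaceSelector:
+matchNames:
+- k8s-node-tagger
+selector:
+matchLabels:
+app: k8s-node-tagger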
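Review bot: `jobLabel: jobLabel` names a Service label literally called `jobLabel`, which the Service in service.yaml does not carry (its only label is `app: k8s-node-tagger`), so Prometheus Operator falls back to the Service name for the `job` label and the line is effectively a no-op that reads like an unfilled placeholder. If the intent is to derive the job name from the app label, change it to `jobLabel: app`; otherwise drop the line so the example does not suggest a label that nothing sets.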
