@jfblaine
Last active May 4, 2020 19:32
apiVersion: v1
kind: Template
labels:
  template: "openshift-routes-and-services"
metadata:
  name: httpd-cert-tests
  annotations:
    description: "Demo of secret signing for certs, routes, and service types"
    tags: "httpd"
objects:
- apiVersion: v1
  kind: Service
  metadata:
    annotations:
      # OpenShift's service CA issues a cert for jhost.<namespace>.svc and
      # stores tls.crt/tls.key in the named secret, which the pod mounts below.
      service.beta.openshift.io/serving-cert-secret-name: service-certs-jhost
    labels:
      app: jhost
    name: jhost
    namespace: "${NAMESPACE}"
  spec:
    ports:
    - name: 8080-tcp
      port: 8080
      protocol: TCP
      targetPort: 8080
    - name: 8443-tcp
      port: 8443
      protocol: TCP
      targetPort: 8443
    selector:
      app: jhost
    sessionAffinity: None
    type: ClusterIP
- apiVersion: v1
  kind: Service
  metadata:
    labels:
      app: jhost
    name: jhost-nodeport
    namespace: "${NAMESPACE}"
  spec:
    type: NodePort
    selector:
      app: jhost
    ports:
    - port: 8443
      targetPort: 8443
- apiVersion: v1
  kind: Service
  metadata:
    name: jhost-loadbalancer
    namespace: "${NAMESPACE}"
  spec:
    selector:
      app: jhost
    ports:
    - protocol: TCP
      port: 443
      targetPort: 8443
    type: LoadBalancer
- apiVersion: apps/v1
  kind: Deployment
  metadata:
    annotations:
      deployment.kubernetes.io/revision: "1"
    labels:
      app: jhost
    name: jhost
    namespace: "${NAMESPACE}"
  spec:
    progressDeadlineSeconds: 600
    replicas: 3
    revisionHistoryLimit: 0
    selector:
      matchLabels:
        app: jhost
    strategy:
      rollingUpdate:
        maxSurge: 25%
        maxUnavailable: 25%
      type: RollingUpdate
    template:
      metadata:
        labels:
          app: jhost
      spec:
        initContainers:
        # Converts the PEM serving cert into PKCS12 and then JKS so the Java
        # application can load it; the keystores live only in an emptyDir.
        - name: pem-to-keystore
          resources:
            limits:
              cpu: 200m
              memory: 200Mi
            requests:
              cpu: 100m
              memory: 100Mi
          image: image-registry.openshift-image-registry.svc:5000/openshift/redhat-sso73-openshift:1.0
          env:
          - name: keyfile
            value: /var/run/secrets/openshift.io/services_serving_certs/tls.key
          - name: crtfile
            value: /var/run/secrets/openshift.io/services_serving_certs/tls.crt
          - name: keystore_pkcs12
            value: /var/run/secrets/java.io/keystores/keystore.pkcs12
          - name: keystore_jks
            value: /var/run/secrets/java.io/keystores/keystore.jks
          # Keystore password is hard-coded here and is passed to openssl and
          # keytool on their command lines.
          - name: password
            value: changeit
          command: ['/bin/bash']
          args: ['-c', "openssl pkcs12 -export -inkey $keyfile -in $crtfile -out $keystore_pkcs12 -password pass:$password && keytool -importkeystore -noprompt -srckeystore $keystore_pkcs12 -srcstoretype pkcs12 -destkeystore $keystore_jks -storepass $password -srcstorepass $password"]
          volumeMounts:
          - name: keystore-volume
            mountPath: /var/run/secrets/java.io/keystores
          - name: service-certs
            mountPath: /var/run/secrets/openshift.io/services_serving_certs
        containers:
        - image: docker.io/jblaine/jhost:latest
          imagePullPolicy: Always
          name: jhost
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 250m
              memory: 250Mi
          ports:
          - containerPort: 8080
            protocol: TCP
          - containerPort: 8443
            protocol: TCP
          - containerPort: 8778
            protocol: TCP
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
          - name: keystore-volume
            mountPath: /var/run/secrets/java.io/keystores
          - name: service-certs
            mountPath: /var/run/secrets/openshift.io/services_serving_certs
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext: {}
        terminationGracePeriodSeconds: 30
        volumes:
        - name: keystore-volume
          emptyDir: {}
        - name: service-certs
          secret:
            secretName: service-certs-jhost
# Plain HTTP route: no TLS on either hop.
- apiVersion: route.openshift.io/v1
  kind: Route
  metadata:
    labels:
      app: jhost
    name: jhost-http
    namespace: "${NAMESPACE}"
  spec:
    host: jhost-http.${WILDCARD_DNS}
    port:
      targetPort: 8080
    to:
      kind: Service
      name: jhost
      weight: 100
    wildcardPolicy: None
# Edge route: the router terminates TLS and forwards plaintext to port 8080.
- apiVersion: route.openshift.io/v1
  kind: Route
  metadata:
    labels:
      app: jhost
    name: jhost-edge
    namespace: "${NAMESPACE}"
  spec:
    host: jhost-edge.${WILDCARD_DNS}
    port:
      targetPort: 8080
    tls:
      termination: edge
      insecureEdgeTerminationPolicy: Redirect
    to:
      kind: Service
      name: jhost
      weight: 100
    wildcardPolicy: None
# Reencrypt route: the router terminates TLS and opens a new TLS session to
# port 8443, verifying the pod's serving cert against the service CA.
- apiVersion: route.openshift.io/v1
  kind: Route
  metadata:
    labels:
      app: jhost
    name: jhost-reencrypt
    namespace: "${NAMESPACE}"
  spec:
    host: jhost-reencrypt.${WILDCARD_DNS}
    port:
      targetPort: 8443
    tls:
      termination: reencrypt
      insecureEdgeTerminationPolicy: Redirect
    to:
      kind: Service
      name: jhost
      weight: 100
    wildcardPolicy: None
# Passthrough route: TLS runs end to end; the router only routes on SNI.
- apiVersion: route.openshift.io/v1
  kind: Route
  metadata:
    annotations:
      haproxy.router.openshift.io/balance: leastconn
    labels:
      app: jhost
    name: jhost-passthrough
    namespace: "${NAMESPACE}"
  spec:
    host: jhost-passthrough.${WILDCARD_DNS}
    port:
      targetPort: 8443
    tls:
      termination: passthrough
      insecureEdgeTerminationPolicy: Redirect
    to:
      kind: Service
      name: jhost
      weight: 100
    wildcardPolicy: None
parameters:
- name: WILDCARD_DNS
  displayName: Wildcard DNS
  description: The wildcard DNS entry for routes on this cluster
  required: true
- name: NAMESPACE
  displayName: Target Namespace
  description: The target namespace for object creation
  required: true
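The template exposes the same pod four ways: plain HTTP, edge, reencrypt and passthrough, and each mode encrypts a different set of hops. As an added example (not part of the gist), the Python below derives from a Route's `spec.tls` block where TLS is in force and whether the router can read the payload, and lints the two combinations a reviewer checks first: `insecureEdgeTerminationPolicy: Allow` on a passthrough route, which OpenShift rejects, and a reencrypt route to a service that has neither the serving-cert annotation nor a `destinationCACertificate`. The Route and Service objects are constructed inline to mirror the template's objects (the host suffix is a placeholder for `${WILDCARD_DNS}`); `Posture`, `route_posture`, `lint_route` and the `BAD_ROUTES` cases are names chosen for this example.

```python
"""TLS posture of OpenShift Route termination modes (added example, not gist code)."""
from __future__ import annotations
from dataclasses import dataclass

SERVING_CERT_ANNOTATION = "service.beta.openshift.io/serving-cert-secret-name"
WILDCARD = "apps.example.invalid"  # placeholder for the template's ${WILDCARD_DNS}


@dataclass(frozen=True)
class Posture:
    client_to_router_encrypted: bool  # TLS between the client and the router
    router_to_pod_encrypted: bool     # TLS between the router and the pod
    router_sees_plaintext: bool       # the router can read or modify the HTTP payload
    plain_http_redirected: bool       # port 80 answers with a redirect to https
    plain_http_served: bool           # port 80 serves the application itself


def route_posture(route: dict) -> Posture:
    """Derive where traffic is encrypted from a Route's spec.tls block."""
    tls = route["spec"].get("tls")
    if tls is None:  # plain HTTP route, no TLS on either hop
        return Posture(False, False, True, False, True)
    termination = tls.get("termination")
    policy = tls.get("insecureEdgeTerminationPolicy", "None")
    if termination == "edge":           # router terminates TLS, pod receives plaintext
        backend, sees = False, True
    elif termination == "reencrypt":    # router terminates, then re-encrypts to the pod
        backend, sees = True, True
    elif termination == "passthrough":  # TLS end to end, router only routes on SNI
        backend, sees = True, False
    else:
        raise ValueError(f"unknown termination {termination!r}")
    return Posture(True, backend, sees, policy == "Redirect", policy == "Allow")


def lint_route(route: dict, services: dict) -> list[str]:
    """Return findings for combinations that are invalid or weaken the route."""
    name = route["metadata"]["name"]
    spec = route["spec"]
    tls = spec.get("tls")
    if tls is None:
        return [f"{name}: no TLS, application served over plain HTTP only"]
    findings = []
    termination = tls.get("termination")
    policy = tls.get("insecureEdgeTerminationPolicy", "None")
    if termination == "passthrough" and policy == "Allow":
        findings.append(f"{name}: Allow is not valid with passthrough termination")
    elif policy == "Allow":
        findings.append(f"{name}: Allow also serves the application over plain HTTP")
    if termination == "reencrypt":
        # Without a serving cert the router cannot verify the pod unless the
        # route carries the CA that signed the pod's certificate.
        svc = services.get(spec["to"]["name"], {})
        annotations = svc.get("metadata", {}).get("annotations", {})
        if SERVING_CERT_ANNOTATION not in annotations and "destinationCACertificate" not in tls:
            findings.append(f"{name}: reencrypt needs destinationCACertificate when the "
                            "service has no serving cert")
    return findings


def _route(name: str, target_port: int, service: str = "jhost", tls: dict | None = None) -> dict:
    """Build a Route object shaped like the template's (constructed sample data)."""
    route = {"apiVersion": "route.openshift.io/v1", "kind": "Route",
             "metadata": {"name": name, "labels": {"app": "jhost"}},
             "spec": {"host": f"{name}.{WILDCARD}", "port": {"targetPort": target_port},
                      "to": {"kind": "Service", "name": service, "weight": 100}}}
    if tls is not None:
        route["spec"]["tls"] = tls
    return route


# Constructed to mirror the four routes and two of the services in the template.
ROUTES = {
    "jhost-http": _route("jhost-http", 8080),
    "jhost-edge": _route("jhost-edge", 8080, tls={"termination": "edge", "insecureEdgeTerminationPolicy": "Redirect"}),
    "jhost-reencrypt": _route("jhost-reencrypt", 8443, tls={"termination": "reencrypt", "insecureEdgeTerminationPolicy": "Redirect"}),
    "jhost-passthrough": _route("jhost-passthrough", 8443, tls={"termination": "passthrough", "insecureEdgeTerminationPolicy": "Redirect"}),
}
SERVICES = {
    "jhost": {"metadata": {"name": "jhost", "annotations": {SERVING_CERT_ANNOTATION: "service-certs-jhost"}}},
    "jhost-nodeport": {"metadata": {"name": "jhost-nodeport"}},  # no serving cert issued
}
# Two constructed misconfigurations the linter should catch.
BAD_ROUTES = {
    "passthrough-allow": _route("passthrough-allow", 8443, tls={"termination": "passthrough", "insecureEdgeTerminationPolicy": "Allow"}),
    "reencrypt-no-ca": _route("reencrypt-no-ca", 8443, service="jhost-nodeport", tls={"termination": "reencrypt"}),
}


def lint_all(routes: dict, services: dict) -> dict[str, list[str]]:
    return {name: lint_route(route, services) for name, route in routes.items()}


if __name__ == "__main__":
    for name, route in {**ROUTES, **BAD_ROUTES}.items():
        print(f"{name}: {route_posture(route)}")
        for finding in lint_route(route, SERVICES):
            print(f"  ! {finding}")
```

Run against the template's own routes only `jhost-http` produces a finding; the reencrypt route passes because the `jhost` service carries the serving-cert annotation, which is why the template needs no `destinationCACertificate`.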
@jfblaine

for ((i=1;i<=10;i++)); do curl -k -s "https://jhost-reencrypt.apps.ocp-dev.ocp4poc.jblaine.net"; done

jfblaine commented Apr 30, 2020

I am running on pod jhost-585b779779-hzrn5
I am running on pod jhost-585b779779-k7rwt
I am running on pod jhost-585b779779-97wzw
I am running on pod jhost-585b779779-k7rwt
I am running on pod jhost-585b779779-hzrn5
I am running on pod jhost-585b779779-k7rwt
I am running on pod jhost-585b779779-97wzw
I am running on pod jhost-585b779779-hzrn5
I am running on pod jhost-585b779779-k7rwt
