Initial commit

2026-02-04 20:47:56 +05:30
commit dafcd9777f
363 changed files with 52703 additions and 0 deletions

helm-chart/Chart.yaml (Normal file, 38 lines)

@@ -0,0 +1,38 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v2
name: onlineboutique
description: A Helm chart for Kubernetes for Online Boutique
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.10.4
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "v0.10.4"
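Review bot: `appVersion: "v0.10.4"` doubles as the default image tag in every service template on this page (`{{ .Values.images.tag | default .Chart.AppVersion }}`), so a release resolves to a mutable tag rather than an immutable reference; the only image pinned by digest is the public `redis:alpine@sha256:...` in cartservice.yaml. Consider either adding an `images.digest` value that the templates append, or documenting that `images.tag` may be given as `v0.10.4@sha256:<digest>` (which the `:{{ tag }}` template already supports) so that a release can be pinned. Minor: this header says `Copyright 2023` while the templates say 2024.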

helm-chart/README.md (Normal file, 38 lines)

@@ -0,0 +1,38 @@
# Helm chart for Online Boutique
If you'd like to deploy Online Boutique via its Helm chart, you could leverage the following instructions.
**Warning:** Online Boutique's Helm chart is currently experimental. If you have feedback or run into issues, let us know inside [GitHub Issue #1319](https://github.com/GoogleCloudPlatform/microservices-demo/issues/1319) or by creating a [new GitHub Issue](https://github.com/GoogleCloudPlatform/microservices-demo/issues/new/choose).
Deploy the default setup of Online Boutique:
```sh
helm upgrade onlineboutique oci://us-docker.pkg.dev/online-boutique-ci/charts/onlineboutique \
--install
```
Deploy advanced scenario of Online Boutique:
```sh
helm upgrade onlineboutique oci://us-docker.pkg.dev/online-boutique-ci/charts/onlineboutique \
--install \
--create-namespace \
--set images.repository=us-docker.pkg.dev/my-project/microservices-demo \
--set frontend.externalService=false \
--set redis.create=false \
--set cartservice.database.type=spanner \
--set cartservice.database.connectionString=projects/my-project/instances/onlineboutique/databases/carts \
--set serviceAccounts.create=true \
--set authorizationPolicies.create=true \
--set networkPolicies.create=true \
--set sidecars.create=true \
--set frontend.virtualService.create=true \
--set 'serviceAccounts.annotations.iam\.gke\.io/gcp-service-account=spanner-db-user@my-project.iam.gserviceaccount.com' \
--set serviceAccounts.annotationsOnlyForCartservice=true \
-n onlineboutique
```
For the full list of configurations, see [values.yaml](./values.yaml).
You could also find advanced scenarios with these blogs below:
- [Online Boutique samples Helm chart, to simplify the setup of advanced and secured scenarios with Service Mesh and GitOps](https://medium.com/google-cloud/246119e46d53)
- [gRPC health probes with Kubernetes 1.24+](https://medium.com/google-cloud/b5bd26253a4c)
- [Use Google Cloud Spanner with the Online Boutique sample](https://medium.com/google-cloud/f7248e077339)
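Review bot: the advanced example's `--set` keys don't match the value paths the templates read. cartservice.yaml reads `.Values.cartDatabase.type`, `.Values.cartDatabase.connectionString` and `.Values.cartDatabase.inClusterRedis.create`, but the README passes `cartservice.database.type`, `cartservice.database.connectionString` and `redis.create`. Unless values.yaml defines those as aliases (values.yaml is not in this diff view), Helm silently accepts the unknown `--set` keys and this command deploys the in-cluster Redis with the default connection string instead of Spanner, while still attaching the `iam.gke.io/gcp-service-account` annotation to a cartservice that never talks to Spanner. Either rename the keys in the README to the `cartDatabase.*` paths or add the aliases to values.yaml. Separately, neither command pins `--version`, so `helm upgrade --install` against the OCI registry takes whatever chart tag is newest; for a reproducible install add `--version 0.10.4`.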


@@ -0,0 +1,15 @@
{{- if and .Values.frontend.create .Values.frontend.externalService }}
Note: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status of the frontend IP address with:
kubectl get --namespace {{ .Release.Namespace }} svc -w {{ .Values.frontend.name }}-external
Get the external IP address of the frontend:
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ .Values.frontend.name }}-external --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP
{{- end }}
{{- if .Values.frontend.virtualService.create }}
Get the external IP address of the ingress gateway:
export SERVICE_IP=$(kubectl get svc --namespace {{ .Values.frontend.virtualService.gateway.namespace }} {{ .Values.frontend.virtualService.gateway.name }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP
{{- end }}
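Review bot: the second block (`{{- if .Values.frontend.virtualService.create }}`) isn't gated on `.Values.frontend.create` the way the first block is, so a release with `frontend.create=false` and `frontend.virtualService.create=true` still prints an ingress-gateway URL for a frontend that was never deployed; use the same `and .Values.frontend.create ...` condition. Both URLs are printed as `http://`, which matches what these manifests expose (no TLS is configured on the frontend's external Service), so the notes could say so rather than leave the reader to discover it.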


@@ -0,0 +1,178 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.adService.create }}
{{- if .Values.serviceAccounts.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.adService.name }}
namespace: {{.Release.Namespace}}
{{- if not .Values.serviceAccounts.annotationsOnlyForCartservice }}
{{- with .Values.serviceAccounts.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
---
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.adService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.adService.name }}
spec:
selector:
matchLabels:
app: {{ .Values.adService.name }}
template:
metadata:
labels:
app: {{ .Values.adService.name }}
spec:
{{- if .Values.serviceAccounts.create }}
serviceAccountName: {{ .Values.adService.name }}
{{- else }}
serviceAccountName: default
{{- end }}
terminationGracePeriodSeconds: 5
{{- if .Values.securityContext.enable }}
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
{{- if .Values.seccompProfile.enable }}
seccompProfile:
type: {{ .Values.seccompProfile.type }}
{{- end }}
{{- end }}
containers:
- name: server
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
image: {{ .Values.images.repository }}/{{ .Values.adService.name }}:{{ .Values.images.tag | default .Chart.AppVersion }}
ports:
- containerPort: 9555
env:
- name: PORT
value: "9555"
resources:
{{- toYaml .Values.adService.resources | nindent 10 }}
readinessProbe:
initialDelaySeconds: 20
periodSeconds: 15
grpc:
port: 9555
livenessProbe:
initialDelaySeconds: 20
periodSeconds: 15
grpc:
port: 9555
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.adService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.adService.name }}
spec:
type: ClusterIP
selector:
app: {{ .Values.adService.name }}
ports:
- name: grpc
port: 9555
targetPort: 9555
{{- if .Values.networkPolicies.create }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.adService.name }}
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
app: {{ .Values.adService.name }}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: {{ .Values.frontend.name }}
ports:
- port: 9555
protocol: TCP
egress:
- {}
{{- end }}
{{- if .Values.sidecars.create }}
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: {{ .Values.adService.name }}
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
app: {{ .Values.adService.name }}
egress:
- hosts:
- istio-system/*
{{- if .Values.opentelemetryCollector.create }}
- ./{{ .Values.opentelemetryCollector.name }}.{{ .Release.Namespace }}.svc.cluster.local
{{- end }}
{{- end }}
{{- if .Values.authorizationPolicies.create }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ .Values.adService.name }}
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: {{ .Values.adService.name }}
rules:
- from:
- source:
principals:
{{- if .Values.serviceAccounts.create }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.frontend.name }}
{{- else }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/default
{{- end }}
to:
- operation:
paths:
- /hipstershop.AdService/GetAds
methods:
- POST
ports:
- "9555"
{{- end }}
{{- end }}
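Review bot: in the AuthorizationPolicy, the `{{- else }}` branch (`cluster.local/ns/{{ .Release.Namespace }}/sa/default`) makes the principal check meaningless when `serviceAccounts.create=false`: every Deployment in this chart then runs as `serviceAccountName: default`, so every pod in the namespace, not just the frontend, satisfies the `from.source.principals` rule. The same fallback appears in the other services' policies. Either make the template `fail` when `authorizationPolicies.create` is set without `serviceAccounts.create`, or document that per-service identity only exists with dedicated ServiceAccounts. Separately, the NetworkPolicy's `egress: - {}` allows all egress, while the Sidecar resource just below limits egress to `istio-system/*` and the collector; the two should be aligned so the L3/L4 policy still enforces something when `sidecars.create=false`.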


@@ -0,0 +1,405 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.cartService.create }}
{{- if .Values.serviceAccounts.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.cartService.name }}
namespace: {{.Release.Namespace}}
{{- with .Values.serviceAccounts.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
---
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.cartService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.cartService.name }}
spec:
selector:
matchLabels:
app: {{ .Values.cartService.name }}
template:
metadata:
{{- if .Values.cartDatabase.externalRedisTlsOrigination.enable }}
annotations:
sidecar.istio.io/userVolumeMount: '[{"name": "{{ .Values.cartDatabase.externalRedisTlsOrigination.name }}", "mountPath": "/etc/certs", "readonly": true}]'
sidecar.istio.io/userVolume: '[{"name": "{{ .Values.cartDatabase.externalRedisTlsOrigination.name }}", "secret": {"secretName": "{{ .Values.cartDatabase.externalRedisTlsOrigination.name }}"}}]'
proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true}'
{{- end }}
labels:
app: {{ .Values.cartService.name }}
spec:
{{- if .Values.serviceAccounts.create }}
serviceAccountName: {{ .Values.cartService.name }}
{{- else }}
serviceAccountName: default
{{- end }}
terminationGracePeriodSeconds: 5
{{- if .Values.securityContext.enable }}
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
{{- end }}
{{- if .Values.seccompProfile.enable }}
seccompProfile:
type: {{ .Values.seccompProfile.type }}
{{- end }}
containers:
- name: server
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
image: {{ .Values.images.repository }}/{{ .Values.cartService.name }}:{{ .Values.images.tag | default .Chart.AppVersion }}
ports:
- containerPort: 7070
env:
{{- if eq .Values.cartDatabase.type "spanner" }}
- name: SPANNER_CONNECTION_STRING
{{- else }}
- name: REDIS_ADDR
{{- end }}
value: {{ .Values.cartDatabase.connectionString | quote }}
resources:
{{- toYaml .Values.cartService.resources | nindent 10 }}
readinessProbe:
initialDelaySeconds: 15
grpc:
port: 7070
livenessProbe:
initialDelaySeconds: 15
periodSeconds: 10
grpc:
port: 7070
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.cartService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.cartService.name }}
spec:
type: ClusterIP
selector:
app: {{ .Values.cartService.name }}
ports:
- name: grpc
port: 7070
targetPort: 7070
{{- if .Values.networkPolicies.create }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.cartService.name }}
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
app: {{ .Values.cartService.name }}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: {{ .Values.frontend.name }}
- podSelector:
matchLabels:
app: {{ .Values.checkoutService.name }}
ports:
- port: 7070
protocol: TCP
egress:
- {}
{{- end }}
{{- if .Values.sidecars.create }}
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: {{ .Values.cartService.name }}
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
app: {{ .Values.cartService.name }}
egress:
- hosts:
- istio-system/*
{{- if eq .Values.cartDatabase.type "redis" }}
{{- if .Values.cartDatabase.externalRedisTlsOrigination.enable }}
- ./{{ .Values.cartDatabase.externalRedisTlsOrigination.name }}.{{ .Release.Namespace }}
{{- else }}
- ./{{ .Values.cartDatabase.inClusterRedis.name }}.{{ .Release.Namespace }}.svc.cluster.local
{{- end }}
{{- end }}
{{- if .Values.opentelemetryCollector.create }}
- ./{{ .Values.opentelemetryCollector.name }}.{{ .Release.Namespace }}.svc.cluster.local
{{- end }}
{{- end }}
{{- if .Values.authorizationPolicies.create }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ .Values.cartService.name }}
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: {{ .Values.cartService.name }}
rules:
- from:
- source:
principals:
{{- if .Values.serviceAccounts.create }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.frontend.name }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.checkoutService.name }}
{{- else }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/default
{{- end }}
to:
- operation:
paths:
- /hipstershop.CartService/AddItem
- /hipstershop.CartService/GetCart
- /hipstershop.CartService/EmptyCart
methods:
- POST
ports:
- "7070"
{{- end }}
{{- if .Values.cartDatabase.inClusterRedis.create }}
---
{{- if .Values.serviceAccounts.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.cartDatabase.inClusterRedis.name }}
namespace: {{.Release.Namespace}}
{{- if not .Values.serviceAccounts.annotationsOnlyForCartservice }}
{{- with .Values.serviceAccounts.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
---
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.cartDatabase.inClusterRedis.name }}
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: {{ .Values.cartDatabase.inClusterRedis.name }}
template:
metadata:
labels:
app: {{ .Values.cartDatabase.inClusterRedis.name }}
spec:
{{- if .Values.serviceAccounts.create }}
serviceAccountName: {{ .Values.cartDatabase.inClusterRedis.name }}
{{- else }}
serviceAccountName: default
{{- end }}
{{- if .Values.securityContext.enable }}
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
{{- if .Values.seccompProfile.enable }}
seccompProfile:
type: {{ .Values.seccompProfile.type }}
{{- end }}
{{- end }}
containers:
- name: redis
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- if .Values.cartDatabase.inClusterRedis.publicRepository }}
image: redis:alpine@sha256:4eec4565e45aa0b3966554c866bc73211e281b0b3d89fe9a33c982e6faca809d
{{- else }}
image: {{ .Values.images.repository }}/redis:alpine
{{- end }}
ports:
- containerPort: 6379
readinessProbe:
periodSeconds: 5
tcpSocket:
port: 6379
livenessProbe:
periodSeconds: 5
tcpSocket:
port: 6379
volumeMounts:
- mountPath: /data
name: redis-data
resources:
limits:
memory: 256Mi
cpu: 125m
requests:
cpu: 70m
memory: 200Mi
volumes:
- name: redis-data
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.cartDatabase.inClusterRedis.name }}
namespace: {{ .Release.Namespace }}
spec:
type: ClusterIP
selector:
app: {{ .Values.cartDatabase.inClusterRedis.name }}
ports:
- name: tcp-redis
port: 6379
targetPort: 6379
{{- if .Values.networkPolicies.create }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.cartDatabase.inClusterRedis.name }}
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
app: {{ .Values.cartDatabase.inClusterRedis.name }}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: {{ .Values.cartService.name }}
ports:
- port: 6379
protocol: TCP
egress:
- {}
{{- end }}
{{- if .Values.sidecars.create }}
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: {{ .Values.cartDatabase.inClusterRedis.name }}
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
app: {{ .Values.cartDatabase.inClusterRedis.name }}
egress:
- hosts:
- istio-system/*
{{- end }}
{{- if .Values.authorizationPolicies.create }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ .Values.cartDatabase.inClusterRedis.name }}
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: {{ .Values.cartDatabase.inClusterRedis.name }}
rules:
- from:
- source:
principals:
{{- if .Values.serviceAccounts.create }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.cartService.name }}
{{- else }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/default
{{- end }}
to:
- operation:
ports:
- "6379"
{{- end }}
{{- end }}
{{- if .Values.cartDatabase.externalRedisTlsOrigination.enable }}
---
apiVersion: v1
data:
{{ .Values.cartDatabase.externalRedisTlsOrigination.name }}.pem: {{ .Values.cartDatabase.externalRedisTlsOrigination.certificate | b64enc | quote }}
kind: Secret
metadata:
name: {{ .Values.cartDatabase.externalRedisTlsOrigination.name }}
namespace: {{ .Release.Namespace }}
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: {{ .Values.cartDatabase.externalRedisTlsOrigination.name }}
namespace: {{ .Release.Namespace }}
spec:
exportTo:
- '.'
host: {{ .Values.cartDatabase.externalRedisTlsOrigination.name }}.{{ .Release.Namespace }}
trafficPolicy:
tls:
mode: SIMPLE
caCertificates: /etc/certs/{{ .Values.cartDatabase.externalRedisTlsOrigination.name }}.pem
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: {{ .Values.cartDatabase.externalRedisTlsOrigination.name }}
namespace: {{ .Release.Namespace }}
spec:
hosts:
- {{ .Values.cartDatabase.externalRedisTlsOrigination.name }}.{{ .Release.Namespace }}
addresses:
- {{ .Values.cartDatabase.externalRedisTlsOrigination.endpointAddress }}/32
endpoints:
- address: {{ .Values.cartDatabase.externalRedisTlsOrigination.endpointAddress }}
location: MESH_EXTERNAL
resolution: STATIC
ports:
- number: {{ .Values.cartDatabase.externalRedisTlsOrigination.endpointPort }}
name: tcp-redis
protocol: TCP
{{- end }}
{{- end }}
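Review bot: `seccompProfile` is emitted outside the `securityContext.enable` guard here: the `{{- end }}` that closes the `securityContext:` block comes before `{{- if .Values.seccompProfile.enable }}`, unlike adservice.yaml where the seccomp block nests inside it. With `securityContext.enable=false` and `seccompProfile.enable=true` the rendered pod spec carries a `seccompProfile` key with no `securityContext:` parent, which the API server rejects (or, depending on the indentation that this view doesn't show, yields invalid YAML). Move the block inside the guard as in the other templates. Second, the external-Redis DestinationRule sets `caCertificates` but neither `subjectAltNames` nor `sni`; because the ServiceEntry host is the synthetic `<name>.<namespace>` name rather than the real endpoint, the proxy only verifies that the server certificate chains to the supplied CA, not that it was issued for `endpointAddress`, so any certificate from that CA is accepted (unless the mesh has auto SNI/SAN validation enabled). Add `subjectAltNames` with the Redis endpoint's certificate identity. Minor: the private-repository branch `{{ .Values.images.repository }}/redis:alpine` is an unpinned tag while the public branch is pinned by digest.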


@@ -0,0 +1,205 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.checkoutService.create }}
{{- if .Values.serviceAccounts.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.checkoutService.name }}
namespace: {{.Release.Namespace}}
{{- if not .Values.serviceAccounts.annotationsOnlyForCartservice }}
{{- with .Values.serviceAccounts.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
---
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.checkoutService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.checkoutService.name }}
spec:
selector:
matchLabels:
app: {{ .Values.checkoutService.name }}
template:
metadata:
labels:
app: {{ .Values.checkoutService.name }}
spec:
{{- if .Values.serviceAccounts.create }}
serviceAccountName: {{ .Values.checkoutService.name }}
{{- else }}
serviceAccountName: default
{{- end }}
{{- if .Values.securityContext.enable }}
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
{{- if .Values.seccompProfile.enable }}
seccompProfile:
type: {{ .Values.seccompProfile.type }}
{{- end }}
{{- end }}
containers:
- name: server
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
image: {{ .Values.images.repository }}/{{ .Values.checkoutService.name }}:{{ .Values.images.tag | default .Chart.AppVersion }}
ports:
- containerPort: 5050
readinessProbe:
grpc:
port: 5050
livenessProbe:
grpc:
port: 5050
env:
- name: PORT
value: "5050"
- name: PRODUCT_CATALOG_SERVICE_ADDR
value: "{{ .Values.productCatalogService.name }}:3550"
- name: SHIPPING_SERVICE_ADDR
value: "{{ .Values.shippingService.name }}:50051"
- name: PAYMENT_SERVICE_ADDR
value: "{{ .Values.paymentService.name }}:50051"
- name: EMAIL_SERVICE_ADDR
value: "{{ .Values.emailService.name }}:5000"
- name: CURRENCY_SERVICE_ADDR
value: "{{ .Values.currencyService.name }}:7000"
- name: CART_SERVICE_ADDR
value: "{{ .Values.cartService.name }}:7070"
{{- if .Values.opentelemetryCollector.create }}
- name: COLLECTOR_SERVICE_ADDR
value: "{{ .Values.opentelemetryCollector.name }}:4317"
- name: OTEL_SERVICE_NAME
value: "{{ .Values.checkoutService.name }}"
{{- end }}
{{- if .Values.googleCloudOperations.tracing }}
- name: ENABLE_TRACING
value: "1"
{{- end }}
{{- if .Values.googleCloudOperations.profiler }}
- name: ENABLE_PROFILER
value: "1"
{{- end }}
resources:
{{- toYaml .Values.checkoutService.resources | nindent 10 }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.checkoutService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.checkoutService.name }}
spec:
type: ClusterIP
selector:
app: {{ .Values.checkoutService.name }}
ports:
- name: grpc
port: 5050
targetPort: 5050
{{- if .Values.networkPolicies.create }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.checkoutService.name }}
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
app: {{ .Values.checkoutService.name }}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: {{ .Values.frontend.name }}
ports:
- port: 5050
protocol: TCP
egress:
- {}
{{- end }}
{{- if .Values.sidecars.create }}
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: {{ .Values.checkoutService.name }}
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
app: {{ .Values.checkoutService.name }}
egress:
- hosts:
- istio-system/*
- ./{{ .Values.cartService.name }}.{{ .Release.Namespace }}.svc.cluster.local
- ./{{ .Values.currencyService.name }}.{{ .Release.Namespace }}.svc.cluster.local
- ./{{ .Values.emailService.name }}.{{ .Release.Namespace }}.svc.cluster.local
- ./{{ .Values.paymentService.name }}.{{ .Release.Namespace }}.svc.cluster.local
- ./{{ .Values.productCatalogService.name }}.{{ .Release.Namespace }}.svc.cluster.local
- ./{{ .Values.shippingService.name }}.{{ .Release.Namespace }}.svc.cluster.local
{{- if .Values.opentelemetryCollector.create }}
- ./{{ .Values.opentelemetryCollector.name }}.{{ .Release.Namespace }}.svc.cluster.local
{{- end }}
{{- end }}
{{- if .Values.authorizationPolicies.create }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ .Values.checkoutService.name }}
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: {{ .Values.checkoutService.name }}
rules:
- from:
- source:
principals:
{{- if .Values.serviceAccounts.create }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.frontend.name }}
{{- else }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/default
{{- end }}
to:
- operation:
paths:
- /hipstershop.CheckoutService/PlaceOrder
methods:
- POST
ports:
- "5050"
{{- end }}
{{- end }}
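Review bot: the NetworkPolicy's `egress: - {}` leaves egress wide open even though the Sidecar resource in the same hunk enumerates exactly which hosts checkoutservice talks to (cart, currency, email, payment, productcatalog, shipping, and the collector). Mirroring that list as `podSelector` egress rules, plus a DNS rule to kube-dns, would give the same least-privilege at L3/L4 for clusters that run with `sidecars.create=false` or where the CNI is the only enforcement point. The `*_SERVICE_ADDR` values are consistent with the Services in this commit (for example `emailservice:5000` matches the email Service's `port: 5000` / `targetPort: 8080`), so no change needed there.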


@@ -0,0 +1,35 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.networkPolicies.create }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all
namespace: {{ .Release.Namespace }}
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
{{- end }}
{{- if .Values.authorizationPolicies.create }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: {{ .Release.Namespace }}
spec: {}
{{- end }}
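Review bot: the `deny-all` NetworkPolicy denies Egress as well as Ingress and carries no DNS exception, so any pod in the namespace that is not matched by one of the per-service policies (each of which re-opens egress entirely with `- {}`) cannot resolve names. Rather than relying on every per-service policy to punch `- {}`, add a namespace-wide egress rule here allowing UDP and TCP 53 to kube-dns (`namespaceSelector` for kube-system plus `podSelector` `k8s-app: kube-dns`), and let the per-service policies list only their real peers. The empty-spec Istio AuthorizationPolicy is correct as written: with no `rules`, it denies all requests to workloads in the namespace and the per-service policies add the allows.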


@@ -0,0 +1,194 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.currencyService.create }}
{{- if .Values.serviceAccounts.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.currencyService.name }}
namespace: {{.Release.Namespace}}
{{- if not .Values.serviceAccounts.annotationsOnlyForCartservice }}
{{- with .Values.serviceAccounts.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
---
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.currencyService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.currencyService.name }}
spec:
selector:
matchLabels:
app: {{ .Values.currencyService.name }}
template:
metadata:
labels:
app: {{ .Values.currencyService.name }}
spec:
{{- if .Values.serviceAccounts.create }}
serviceAccountName: {{ .Values.currencyService.name }}
{{- else }}
serviceAccountName: default
{{- end }}
terminationGracePeriodSeconds: 5
{{- if .Values.securityContext.enable }}
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
{{- if .Values.seccompProfile.enable }}
seccompProfile:
type: {{ .Values.seccompProfile.type }}
{{- end }}
{{- end }}
containers:
- name: server
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
image: {{ .Values.images.repository }}/{{ .Values.currencyService.name }}:{{ .Values.images.tag | default .Chart.AppVersion }}
ports:
- name: grpc
containerPort: 7000
env:
- name: PORT
value: "7000"
{{- if .Values.opentelemetryCollector.create }}
- name: COLLECTOR_SERVICE_ADDR
value: "{{ .Values.opentelemetryCollector.name }}:4317"
- name: OTEL_SERVICE_NAME
value: "{{ .Values.currencyService.name }}"
{{- end }}
{{- if .Values.googleCloudOperations.tracing }}
- name: ENABLE_TRACING
value: "1"
{{- end }}
{{- if not .Values.googleCloudOperations.profiler }}
- name: DISABLE_PROFILER
value: "1"
{{- end }}
readinessProbe:
grpc:
port: 7000
livenessProbe:
grpc:
port: 7000
resources:
{{- toYaml .Values.currencyService.resources | nindent 10 }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.currencyService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.currencyService.name }}
spec:
type: ClusterIP
selector:
app: {{ .Values.currencyService.name }}
ports:
- name: grpc
port: 7000
targetPort: 7000
{{- if .Values.networkPolicies.create }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.currencyService.name }}
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
app: {{ .Values.currencyService.name }}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: {{ .Values.frontend.name }}
- podSelector:
matchLabels:
app: {{ .Values.checkoutService.name }}
ports:
- port: 7000
protocol: TCP
egress:
- {}
{{- end }}
{{- if .Values.sidecars.create }}
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: {{ .Values.currencyService.name }}
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
app: {{ .Values.currencyService.name }}
egress:
- hosts:
- istio-system/*
{{- if .Values.opentelemetryCollector.create }}
- ./{{ .Values.opentelemetryCollector.name }}.{{ .Release.Namespace }}.svc.cluster.local
{{- end }}
{{- end }}
{{- if .Values.authorizationPolicies.create }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ .Values.currencyService.name }}
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: {{ .Values.currencyService.name }}
rules:
- from:
- source:
principals:
{{- if .Values.serviceAccounts.create }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.frontend.name }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.checkoutService.name }}
{{- else }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/default
{{- end }}
to:
- operation:
paths:
- /hipstershop.CurrencyService/Convert
- /hipstershop.CurrencyService/GetSupportedCurrencies
methods:
- POST
ports:
- "7000"
{{- end }}
{{- end }}


@@ -0,0 +1,190 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.emailService.create }}
{{- if .Values.serviceAccounts.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.emailService.name }}
namespace: {{.Release.Namespace}}
{{- if not .Values.serviceAccounts.annotationsOnlyForCartservice }}
{{- with .Values.serviceAccounts.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
---
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.emailService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.emailService.name }}
spec:
selector:
matchLabels:
app: {{ .Values.emailService.name }}
template:
metadata:
labels:
app: {{ .Values.emailService.name }}
spec:
{{- if .Values.serviceAccounts.create }}
serviceAccountName: {{ .Values.emailService.name }}
{{- else }}
serviceAccountName: default
{{- end }}
terminationGracePeriodSeconds: 5
{{- if .Values.securityContext.enable }}
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
{{- if .Values.seccompProfile.enable }}
seccompProfile:
type: {{ .Values.seccompProfile.type }}
{{- end }}
{{- end }}
containers:
- name: server
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
image: {{ .Values.images.repository }}/{{ .Values.emailService.name }}:{{ .Values.images.tag | default .Chart.AppVersion }}
ports:
- containerPort: 8080
env:
- name: PORT
value: "8080"
{{- if .Values.opentelemetryCollector.create }}
- name: COLLECTOR_SERVICE_ADDR
value: "{{ .Values.opentelemetryCollector.name }}:4317"
- name: OTEL_SERVICE_NAME
value: "{{ .Values.emailService.name }}"
{{- end }}
{{- if .Values.googleCloudOperations.tracing }}
- name: ENABLE_TRACING
value: "1"
{{- end }}
{{- if not .Values.googleCloudOperations.profiler }}
- name: DISABLE_PROFILER
value: "1"
{{- end }}
readinessProbe:
periodSeconds: 5
grpc:
port: 8080
livenessProbe:
periodSeconds: 5
grpc:
port: 8080
resources:
{{- toYaml .Values.emailService.resources | nindent 10 }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.emailService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.emailService.name }}
spec:
type: ClusterIP
selector:
app: {{ .Values.emailService.name }}
ports:
- name: grpc
port: 5000
targetPort: 8080
{{- if .Values.networkPolicies.create }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.emailService.name }}
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
app: {{ .Values.emailService.name }}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: {{ .Values.checkoutService.name }}
ports:
- port: 8080
protocol: TCP
egress:
- {}
{{- end }}
{{- if .Values.sidecars.create }}
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: {{ .Values.emailService.name }}
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
app: {{ .Values.emailService.name }}
egress:
- hosts:
- istio-system/*
{{- if .Values.opentelemetryCollector.create }}
- ./{{ .Values.opentelemetryCollector.name }}.{{ .Release.Namespace }}.svc.cluster.local
{{- end }}
{{- end }}
{{- if .Values.authorizationPolicies.create }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ .Values.emailService.name }}
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: {{ .Values.emailService.name }}
rules:
- from:
- source:
principals:
{{- if .Values.serviceAccounts.create }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.checkoutService.name }}
{{- else }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/default
{{- end }}
to:
- operation:
paths:
- /hipstershop.EmailService/SendOrderConfirmation
methods:
- POST
ports:
- "8080"
{{- end }}
{{- end }}
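Review bot: the pod spec sets a dedicated `serviceAccountName` and a tight container `securityContext`, but never sets `automountServiceAccountToken: false`, so the `server` container, which makes no Kubernetes API calls, still receives a projected API token for the `{{ .Values.emailService.name }}` (or `default`) ServiceAccount under `/var/run/secrets/kubernetes.io/serviceaccount`. With root, capabilities and a writable root filesystem already removed, that token is the most useful credential left inside a compromised container; add `automountServiceAccountToken: false` to the pod spec (or to the ServiceAccount rendered above it). The same line is missing from the other Deployments in this commit.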


@@ -0,0 +1,285 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.frontend.create }}
{{- if .Values.serviceAccounts.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.frontend.name }}
namespace: {{.Release.Namespace}}
{{- if not .Values.serviceAccounts.annotationsOnlyForCartservice }}
{{- with .Values.serviceAccounts.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
---
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.frontend.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.frontend.name }}
spec:
selector:
matchLabels:
app: {{ .Values.frontend.name }}
template:
metadata:
labels:
app: {{ .Values.frontend.name }}
annotations:
sidecar.istio.io/rewriteAppHTTPProbers: "true"
spec:
{{- if .Values.serviceAccounts.create }}
serviceAccountName: {{ .Values.frontend.name }}
{{- else }}
serviceAccountName: default
{{- end }}
{{- if .Values.securityContext.enable }}
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
{{- if .Values.seccompProfile.enable }}
seccompProfile:
type: {{ .Values.seccompProfile.type }}
{{- end }}
{{- end }}
containers:
- name: server
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
image: {{ .Values.images.repository }}/{{ .Values.frontend.name }}:{{ .Values.images.tag | default .Chart.AppVersion }}
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 10
httpGet:
path: "/_healthz"
port: 8080
httpHeaders:
- name: "Cookie"
value: "shop_session-id=x-readiness-probe"
livenessProbe:
initialDelaySeconds: 10
httpGet:
path: "/_healthz"
port: 8080
httpHeaders:
- name: "Cookie"
value: "shop_session-id=x-liveness-probe"
env:
- name: PORT
value: "8080"
- name: PRODUCT_CATALOG_SERVICE_ADDR
value: "{{ .Values.productCatalogService.name }}:3550"
- name: CURRENCY_SERVICE_ADDR
value: "{{ .Values.currencyService.name }}:7000"
- name: CART_SERVICE_ADDR
value: "{{ .Values.cartService.name }}:7070"
- name: RECOMMENDATION_SERVICE_ADDR
value: "{{ .Values.recommendationService.name }}:8080"
- name: SHIPPING_SERVICE_ADDR
value: "{{ .Values.shippingService.name }}:50051"
- name: CHECKOUT_SERVICE_ADDR
value: "{{ .Values.checkoutService.name }}:5050"
- name: AD_SERVICE_ADDR
value: "{{ .Values.adService.name }}:9555"
- name: SHOPPING_ASSISTANT_SERVICE_ADDR
value: "{{ .Values.shoppingAssistantService.name }}:80"
- name: ENV_PLATFORM
value: {{ .Values.frontend.platform | quote }}
{{- if .Values.opentelemetryCollector.create }}
- name: COLLECTOR_SERVICE_ADDR
value: "{{ .Values.opentelemetryCollector.name }}:4317"
- name: OTEL_SERVICE_NAME
value: "{{ .Values.frontend.name }}"
{{- end }}
{{- if .Values.googleCloudOperations.tracing }}
- name: ENABLE_TRACING
value: "1"
{{- end }}
{{- if .Values.googleCloudOperations.profiler }}
- name: ENABLE_PROFILER
value: "1"
{{- end }}
- name: CYMBAL_BRANDING
value: {{ .Values.frontend.cymbalBranding | quote }}
- name: ENABLE_ASSISTANT
value: {{ .Values.shoppingAssistantService.create | quote }}
- name: ENABLE_SINGLE_SHARED_SESSION
value: {{ .Values.frontend.singleSharedSession | quote }}
resources:
{{- toYaml .Values.frontend.resources | nindent 12 }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.frontend.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.frontend.name }}
spec:
type: ClusterIP
selector:
app: {{ .Values.frontend.name }}
ports:
- name: http
port: 80
targetPort: 8080
{{- if .Values.frontend.externalService }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.frontend.name }}-external
namespace: {{ .Release.Namespace }}
spec:
type: LoadBalancer
selector:
app: {{ .Values.frontend.name }}
ports:
- name: http
port: 80
targetPort: 8080
{{- end }}
{{- if .Values.networkPolicies.create }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.frontend.name }}
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
app: {{ .Values.frontend.name }}
policyTypes:
- Ingress
- Egress
ingress:
{{- if .Values.frontend.externalService }}
- {}
{{- else }}
- from:
- podSelector:
matchLabels:
app: {{ .Values.loadGenerator.name }}
{{- if .Values.frontend.virtualService.create }}
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: {{ .Values.frontend.virtualService.gateway.namespace }}
podSelector:
matchLabels:
{{ .Values.frontend.virtualService.gateway.labelKey }}: {{ .Values.frontend.virtualService.gateway.labelValue }}
{{- end }}
ports:
- port: 8080
protocol: TCP
{{- end }}
egress:
- {}
{{- end }}
{{- if .Values.sidecars.create }}
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: {{ .Values.frontend.name }}
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
app: {{ .Values.frontend.name }}
egress:
- hosts:
- istio-system/*
- ./{{ .Values.adService.name }}.{{ .Release.Namespace }}.svc.cluster.local
- ./{{ .Values.cartService.name }}.{{ .Release.Namespace }}.svc.cluster.local
- ./{{ .Values.checkoutService.name }}.{{ .Release.Namespace }}.svc.cluster.local
- ./{{ .Values.currencyService.name }}.{{ .Release.Namespace }}.svc.cluster.local
- ./{{ .Values.productCatalogService.name }}.{{ .Release.Namespace }}.svc.cluster.local
- ./{{ .Values.recommendationService.name }}.{{ .Release.Namespace }}.svc.cluster.local
- ./{{ .Values.shippingService.name }}.{{ .Release.Namespace }}.svc.cluster.local
{{- if .Values.opentelemetryCollector.create }}
- ./{{ .Values.opentelemetryCollector.name }}.{{ .Release.Namespace }}.svc.cluster.local
{{- end }}
{{- end }}
{{- if .Values.authorizationPolicies.create }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ .Values.frontend.name }}
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: {{ .Values.frontend.name }}
rules:
{{- if .Values.frontend.externalService }}
- to:
{{- else }}
- from:
- source:
principals:
{{- if .Values.serviceAccounts.create }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.loadGenerator.name }}
{{- else }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/default
{{- end }}
{{- if .Values.frontend.virtualService.create }}
- cluster.local/ns/{{ .Values.frontend.virtualService.gateway.namespace }}/sa/{{ .Values.frontend.virtualService.gateway.name }}
{{- end }}
to:
{{- end }}
- operation:
methods:
- GET
- POST
ports:
- "8080"
{{- end }}
{{- if .Values.frontend.virtualService.create }}
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: {{ .Values.frontend.name }}
namespace: {{ .Release.Namespace }}
spec:
{{- with .Values.frontend.virtualService.hosts }}
hosts:
{{- toYaml . | nindent 2 }}
{{- end }}
gateways:
- {{ .Values.frontend.virtualService.gateway.namespace }}/{{ .Values.frontend.virtualService.gateway.name }}
http:
- route:
- destination:
host: {{ .Values.frontend.name }}
port:
number: 80
{{- end }}
{{- end }}
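Review bot: the `Sidecar` egress list (from `./{{ .Values.adService.name }}...` through `./{{ .Values.shippingService.name }}...`) omits `{{ .Values.shoppingAssistantService.name }}`, yet the Deployment sets `SHOPPING_ASSISTANT_SERVICE_ADDR` to `{{ .Values.shoppingAssistantService.name }}:80` and `ENABLE_ASSISTANT` from `shoppingAssistantService.create`. With `sidecars.create: true` and the assistant enabled, the sidecar has no outbound configuration for that service, so the call either fails or degrades to plain passthrough without mesh mTLS depending on the mesh's `outboundTrafficPolicy`; add the host under `{{- if .Values.shoppingAssistantService.create }}`, as is done for the collector. Also, in the `externalService` branch the NetworkPolicy ingress rule `- {}` admits any source on any port, while the AuthorizationPolicy in the same branch still pins `ports: - "8080"`; use a rule with `ports: - port: 8080 protocol: TCP` and no `from` so only the serving port is exposed. Minor: the VirtualService is `networking.istio.io/v1alpha3` while the Sidecar is `v1beta1`; pick one API version for the chart.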


@@ -0,0 +1,156 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.loadGenerator.create }}
{{- if .Values.serviceAccounts.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.loadGenerator.name }}
namespace: {{.Release.Namespace}}
{{- if not .Values.serviceAccounts.annotationsOnlyForCartservice }}
{{- with .Values.serviceAccounts.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
---
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.loadGenerator.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.loadGenerator.name }}
spec:
selector:
matchLabels:
app: {{ .Values.loadGenerator.name }}
replicas: 1
template:
metadata:
labels:
app: {{ .Values.loadGenerator.name }}
annotations:
sidecar.istio.io/rewriteAppHTTPProbers: "true"
spec:
{{- if .Values.serviceAccounts.create }}
serviceAccountName: {{ .Values.loadGenerator.name }}
{{- else }}
serviceAccountName: default
{{- end }}
terminationGracePeriodSeconds: 5
restartPolicy: Always
{{- if .Values.securityContext.enable }}
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
{{- if .Values.seccompProfile.enable }}
seccompProfile:
type: {{ .Values.seccompProfile.type }}
{{- end }}
{{- end }}
{{- if .Values.loadGenerator.checkFrontendInitContainer }}
initContainers:
- command:
- /bin/sh
- -exc
- |
MAX_RETRIES=12
RETRY_INTERVAL=10
for i in $(seq 1 $MAX_RETRIES); do
echo "Attempt $i: Pinging frontend: ${FRONTEND_ADDR}..."
STATUSCODE=$(wget --server-response http://${FRONTEND_ADDR} 2>&1 | awk '/^ HTTP/{print $2}')
if [ $STATUSCODE -eq 200 ]; then
echo "Frontend is reachable."
exit 0
fi
echo "Error: Could not reach frontend - Status code: ${STATUSCODE}"
sleep $RETRY_INTERVAL
done
echo "Failed to reach frontend after $MAX_RETRIES attempts."
exit 1
name: frontend-check
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
image: busybox:latest@sha256:e226d6308690dbe282443c8c7e57365c96b5228f0fe7f40731b5d84d37a06839
env:
- name: FRONTEND_ADDR
value: "{{ .Values.frontend.name }}:80"
{{- end }}
containers:
- name: main
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
image: {{ .Values.images.repository }}/{{ .Values.loadGenerator.name }}:{{ .Values.images.tag | default .Chart.AppVersion }}
env:
- name: FRONTEND_ADDR
value: "{{ .Values.frontend.name }}:80"
- name: USERS
value: "10"
- name: RATE
value: "1"
resources:
{{- toYaml .Values.loadGenerator.resources | nindent 10 }}
{{- if .Values.networkPolicies.create }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.loadGenerator.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.loadGenerator.name }}
spec:
podSelector:
matchLabels:
app: {{ .Values.loadGenerator.name }}
policyTypes:
- Egress
egress:
- {}
{{- end }}
{{- if .Values.sidecars.create }}
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: {{ .Values.loadGenerator.name }}
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
app: {{ .Values.loadGenerator.name }}
egress:
- hosts:
- istio-system/*
- ./{{ .Values.frontend.name }}.{{ .Release.Namespace }}.svc.cluster.local
{{- if .Values.opentelemetryCollector.create }}
- ./{{ .Values.opentelemetryCollector.name }}.{{ .Release.Namespace }}.svc.cluster.local
{{- end }}
{{- end }}
{{- end }}
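Review bot: in the `frontend-check` init container script, `STATUSCODE` is empty whenever `wget` cannot connect or receives no status line (the normal case while the frontend is still starting), and the unquoted `[ $STATUSCODE -eq 200 ]` then becomes `[ -eq 200 ]`, a test syntax error that only goes unnoticed because an `if` condition does not trip `-e`. Write `[ "${STATUSCODE:-0}" -eq 200 ]`, and add `--spider` so busybox wget checks the response without trying to write `index.html` onto the read-only root filesystem. Separately, the NetworkPolicy declares `policyTypes: - Egress` with `egress: - {}`, which permits everything and so adds nothing; either drop it or restrict egress to DNS, the frontend on 8080 and the collector on 4317, mirroring the `Sidecar` egress list below it.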


@@ -0,0 +1,262 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.opentelemetryCollector.create }}
{{- if .Values.serviceAccounts.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.opentelemetryCollector.name }}
namespace: {{.Release.Namespace}}
{{- if not .Values.serviceAccounts.annotationsOnlyForCartservice }}
{{- with .Values.serviceAccounts.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
---
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.opentelemetryCollector.name }}
namespace: {{ .Release.Namespace }}
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Values.opentelemetryCollector.name }}
template:
metadata:
labels:
app: {{ .Values.opentelemetryCollector.name }}
spec:
{{- if .Values.serviceAccounts.create }}
serviceAccountName: {{ .Values.opentelemetryCollector.name }}
{{- else }}
serviceAccountName: default
{{- end }}
{{- if .Values.securityContext.enable }}
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
{{- if .Values.seccompProfile.enable }}
seccompProfile:
type: {{ .Values.seccompProfile.type }}
{{- end }}
{{- end }}
{{- if eq .Values.opentelemetryCollector.projectId "PROJECT_ID" }}
initContainers:
# Init container retrieves the current cloud project id from the metadata server
# and inserts it into the collector config template
# https://cloud.google.com/compute/docs/storing-retrieving-metadata
- name: otel-gateway-init
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
image: busybox:latest@sha256:e226d6308690dbe282443c8c7e57365c96b5228f0fe7f40731b5d84d37a06839
command:
- '/bin/sh'
- '-c'
- |
sed "s/PROJECT_ID/$(curl -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/project/project-id)/" /template/collector-gateway-config-template.yaml >> /conf/collector-gateway-config.yaml
volumeMounts:
- name: collector-gateway-config-template
mountPath: /template
- name: collector-gateway-config
mountPath: /conf
{{- end }}
containers:
# This gateway container will receive traces and metrics from each microservice
# and forward it to GCP
- name: otel-gateway
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
args:
- --config=/conf/collector-gateway-config.yaml
image: otel/opentelemetry-collector-contrib:0.144.0@sha256:213886eb6407af91b87fa47551c3632be1a6419ff3a5114ef1e6fc364628496f
volumeMounts:
- name: collector-gateway-config
mountPath: /conf
volumes:
# Simple ConfigMap volume with template file
- name: collector-gateway-config-template
configMap:
items:
- key: collector-gateway-config-template.yaml
path: collector-gateway-config-template.yaml
name: collector-gateway-config-template
# Create a volume to store the expanded template (with correct cloud project ID)
- name: collector-gateway-config
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.opentelemetryCollector.name }}
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: grpc-otlp
port: 4317
protocol: TCP
targetPort: 4317
selector:
app: {{ .Values.opentelemetryCollector.name }}
type: ClusterIP
---
apiVersion: v1
kind: ConfigMap
metadata:
name: collector-gateway-config-template
namespace: {{ .Release.Namespace }}
# Open Telemetry Collector config
# https://opentelemetry.io/docs/collector/configuration/
data:
collector-gateway-config-template.yaml: |
receivers:
otlp:
protocols:
grpc:
processors:
exporters:
googlecloud:
project: {{ .Values.opentelemetryCollector.projectId | quote }}
service:
pipelines:
traces:
receivers: [otlp] # Receive otlp-formatted data from other collector instances
processors: []
exporters: [googlecloud] # Export traces directly to Google Cloud
metrics:
receivers: [otlp]
processors: []
exporters: [googlecloud] # Export metrics to Google Cloud
{{- if .Values.networkPolicies.create }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.opentelemetryCollector.name }}
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
app: {{ .Values.opentelemetryCollector.name }}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: {{ .Values.adService.name }}
- podSelector:
matchLabels:
app: {{ .Values.cartService.name }}
- podSelector:
matchLabels:
app: {{ .Values.checkoutService.name }}
- podSelector:
matchLabels:
app: {{ .Values.currencyService.name }}
- podSelector:
matchLabels:
app: {{ .Values.emailService.name }}
- podSelector:
matchLabels:
app: {{ .Values.frontend.name }}
- podSelector:
matchLabels:
app: {{ .Values.loadGenerator.name }}
- podSelector:
matchLabels:
app: {{ .Values.paymentService.name }}
- podSelector:
matchLabels:
app: {{ .Values.productCatalogService.name }}
- podSelector:
matchLabels:
app: {{ .Values.recommendationService.name }}
- podSelector:
matchLabels:
app: {{ .Values.shippingService.name }}
ports:
- port: 4317
protocol: TCP
egress:
- {}
{{- end }}
{{- if .Values.sidecars.create }}
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: {{ .Values.opentelemetryCollector.name }}
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
app: {{ .Values.opentelemetryCollector.name }}
egress:
- hosts:
- istio-system/*
{{- end }}
{{- if .Values.authorizationPolicies.create }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ .Values.opentelemetryCollector.name }}
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: {{ .Values.opentelemetryCollector.name }}
rules:
- from:
- source:
principals:
{{- if .Values.serviceAccounts.create }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.adService.name }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.cartService.name }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.checkoutService.name }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.currencyService.name }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.emailService.name }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.frontend.name }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.loadGenerator.name }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.paymentService.name }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.productCatalogService.name }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.recommendationService.name }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.shippingService.name }}
{{- else }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/default
{{- end }}
to:
- operation:
ports:
- "4317"
{{- end }}
{{- end }}
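Review bot: two problems in the `otel-gateway-init` init container and the volume layout. First, the image is `busybox:latest@sha256:...`, which ships no `curl`; `$(curl -H 'Metadata-Flavor: Google' ...)` therefore expands to an empty string and `sed` silently rewrites `PROJECT_ID` to nothing, so the `googlecloud` exporter starts with an empty `project`. Use busybox's own client, `wget -qO- --header 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/project/project-id`, run the script under `set -e`, fail the init container when the lookup returns nothing, and write with `>` rather than `>>` so a restarted init container does not append a second copy of the config. Second, `/conf` in the `otel-gateway` container is the `collector-gateway-config` emptyDir, which only the init container populates, and that init container is rendered only when `projectId` equals `"PROJECT_ID"`. With any real `projectId` set in values, `--config=/conf/collector-gateway-config.yaml` names a file nothing ever writes; in that branch mount the `collector-gateway-config-template` ConfigMap (whose `project:` already carries the value) at `/conf` with the item `path` set to `collector-gateway-config.yaml`.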


@@ -0,0 +1,188 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.paymentService.create }}
{{- if .Values.serviceAccounts.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.paymentService.name }}
namespace: {{.Release.Namespace}}
{{- if not .Values.serviceAccounts.annotationsOnlyForCartservice }}
{{- with .Values.serviceAccounts.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
---
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.paymentService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.paymentService.name }}
spec:
selector:
matchLabels:
app: {{ .Values.paymentService.name }}
template:
metadata:
labels:
app: {{ .Values.paymentService.name }}
spec:
{{- if .Values.serviceAccounts.create }}
serviceAccountName: {{ .Values.paymentService.name }}
{{- else }}
serviceAccountName: default
{{- end }}
terminationGracePeriodSeconds: 5
{{- if .Values.securityContext.enable }}
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
{{- if .Values.seccompProfile.enable }}
seccompProfile:
type: {{ .Values.seccompProfile.type }}
{{- end }}
{{- end }}
containers:
- name: server
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
image: {{ .Values.images.repository }}/{{ .Values.paymentService.name }}:{{ .Values.images.tag | default .Chart.AppVersion }}
ports:
- containerPort: 50051
env:
- name: PORT
value: "50051"
{{- if .Values.opentelemetryCollector.create }}
- name: COLLECTOR_SERVICE_ADDR
value: "{{ .Values.opentelemetryCollector.name }}:4317"
- name: OTEL_SERVICE_NAME
value: "{{ .Values.paymentService.name }}"
{{- end }}
{{- if .Values.googleCloudOperations.tracing }}
- name: ENABLE_TRACING
value: "1"
{{- end }}
{{- if not .Values.googleCloudOperations.profiler }}
- name: DISABLE_PROFILER
value: "1"
{{- end }}
readinessProbe:
grpc:
port: 50051
livenessProbe:
grpc:
port: 50051
resources:
{{- toYaml .Values.paymentService.resources | nindent 10 }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.paymentService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.paymentService.name }}
spec:
type: ClusterIP
selector:
app: {{ .Values.paymentService.name }}
ports:
- name: grpc
port: 50051
targetPort: 50051
{{- if .Values.networkPolicies.create }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.paymentService.name }}
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
app: {{ .Values.paymentService.name }}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: {{ .Values.checkoutService.name }}
ports:
- port: 50051
protocol: TCP
egress:
- {}
{{- end }}
{{- if .Values.sidecars.create }}
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: {{ .Values.paymentService.name }}
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
app: {{ .Values.paymentService.name }}
egress:
- hosts:
- istio-system/*
{{- if .Values.opentelemetryCollector.create }}
- ./{{ .Values.opentelemetryCollector.name }}.{{ .Release.Namespace }}.svc.cluster.local
{{- end }}
{{- end }}
{{- if .Values.authorizationPolicies.create }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ .Values.paymentService.name }}
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: {{ .Values.paymentService.name }}
rules:
- from:
- source:
principals:
{{- if .Values.serviceAccounts.create }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.checkoutService.name }}
{{- else }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/default
{{- end }}
to:
- operation:
paths:
- /hipstershop.PaymentService/Charge
methods:
- POST
ports:
- "50051"
{{- end }}
{{- end }}
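Review bot: for the workload that serves `/hipstershop.PaymentService/Charge`, the NetworkPolicy `egress: - {}` is the weakest line on the page. The pod needs nothing outbound beyond cluster DNS and the collector on 4317 (the `Sidecar` below already says so by listing only `istio-system/*` and the collector host), so all-egress leaves an exfiltration path open at the network layer whenever `sidecars.create` is false. Restrict egress to `kube-system` DNS on port 53 (UDP and TCP) and to the collector pods on 4317, conditioned on `opentelemetryCollector.create` the same way the `Sidecar` entry is.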


@@ -0,0 +1,199 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.productCatalogService.create }}
{{- if .Values.serviceAccounts.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.productCatalogService.name }}
namespace: {{.Release.Namespace}}
{{- if not .Values.serviceAccounts.annotationsOnlyForCartservice }}
{{- with .Values.serviceAccounts.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
---
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.productCatalogService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.productCatalogService.name }}
spec:
selector:
matchLabels:
app: {{ .Values.productCatalogService.name }}
template:
metadata:
labels:
app: {{ .Values.productCatalogService.name }}
spec:
{{- if .Values.serviceAccounts.create }}
serviceAccountName: {{ .Values.productCatalogService.name }}
{{- else }}
serviceAccountName: default
{{- end }}
terminationGracePeriodSeconds: 5
{{- if .Values.securityContext.enable }}
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
{{- if .Values.seccompProfile.enable }}
seccompProfile:
type: {{ .Values.seccompProfile.type }}
{{- end }}
{{- end }}
containers:
- name: server
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
image: {{ .Values.images.repository }}/{{ .Values.productCatalogService.name }}:{{ .Values.images.tag | default .Chart.AppVersion }}
ports:
- containerPort: 3550
env:
- name: PORT
value: "3550"
{{- if .Values.opentelemetryCollector.create }}
- name: COLLECTOR_SERVICE_ADDR
value: "{{ .Values.opentelemetryCollector.name }}:4317"
- name: OTEL_SERVICE_NAME
value: "{{ .Values.productCatalogService.name }}"
{{- end }}
{{- if .Values.googleCloudOperations.tracing }}
- name: ENABLE_TRACING
value: "1"
{{- end }}
{{- if not .Values.googleCloudOperations.profiler }}
- name: DISABLE_PROFILER
value: "1"
{{- end }}
- name: EXTRA_LATENCY
value: {{ .Values.productCatalogService.extraLatency }}
readinessProbe:
grpc:
port: 3550
livenessProbe:
grpc:
port: 3550
resources:
{{- toYaml .Values.productCatalogService.resources | nindent 10 }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.productCatalogService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.productCatalogService.name }}
spec:
type: ClusterIP
selector:
app: {{ .Values.productCatalogService.name }}
ports:
- name: grpc
port: 3550
targetPort: 3550
{{- if .Values.networkPolicies.create }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.productCatalogService.name }}
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
app: {{ .Values.productCatalogService.name }}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: {{ .Values.frontend.name }}
- podSelector:
matchLabels:
app: {{ .Values.checkoutService.name }}
- podSelector:
matchLabels:
app: {{ .Values.recommendationService.name }}
ports:
- port: 3550
protocol: TCP
egress:
- {}
{{- end }}
{{- if .Values.sidecars.create }}
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: {{ .Values.productCatalogService.name }}
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
app: {{ .Values.productCatalogService.name }}
egress:
- hosts:
- istio-system/*
{{- if .Values.opentelemetryCollector.create }}
- ./{{ .Values.opentelemetryCollector.name }}.{{ .Release.Namespace }}.svc.cluster.local
{{- end }}
{{- end }}
{{- if .Values.authorizationPolicies.create }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ .Values.productCatalogService.name }}
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: {{ .Values.productCatalogService.name }}
rules:
- from:
- source:
principals:
{{- if .Values.serviceAccounts.create }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.frontend.name }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.checkoutService.name }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.recommendationService.name }}
{{- else }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/default
{{- end }}
to:
- operation:
paths:
- /hipstershop.ProductCatalogService/GetProduct
- /hipstershop.ProductCatalogService/ListProducts
methods:
- POST
ports:
- "3550"
{{- end }}
{{- end }}
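Review bot: `value: {{ .Values.productCatalogService.extraLatency }}` under `EXTRA_LATENCY` is the one templated env value on this page rendered without `| quote`. An env `value` must be a string, so an override such as `extraLatency: 0` renders a YAML integer and is rejected at admission, and an empty value renders `value:` as null. Use `value: {{ .Values.productCatalogService.extraLatency | quote }}`, matching `ENV_PLATFORM` and `CYMBAL_BRANDING` in the frontend template.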


@@ -0,0 +1,193 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.recommendationService.create }}
{{- if .Values.serviceAccounts.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.recommendationService.name }}
namespace: {{.Release.Namespace}}
{{- if not .Values.serviceAccounts.annotationsOnlyForCartservice }}
{{- with .Values.serviceAccounts.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
---
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.recommendationService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.recommendationService.name }}
spec:
selector:
matchLabels:
app: {{ .Values.recommendationService.name }}
template:
metadata:
labels:
app: {{ .Values.recommendationService.name }}
spec:
{{- if .Values.serviceAccounts.create }}
serviceAccountName: {{ .Values.recommendationService.name }}
{{- else }}
serviceAccountName: default
{{- end }}
terminationGracePeriodSeconds: 5
{{- if .Values.securityContext.enable }}
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
{{- if .Values.seccompProfile.enable }}
seccompProfile:
type: {{ .Values.seccompProfile.type }}
{{- end }}
{{- end }}
containers:
- name: server
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
image: {{ .Values.images.repository }}/{{ .Values.recommendationService.name }}:{{ .Values.images.tag | default .Chart.AppVersion }}
ports:
- containerPort: 8080
readinessProbe:
periodSeconds: 5
grpc:
port: 8080
livenessProbe:
periodSeconds: 5
grpc:
port: 8080
env:
- name: PORT
value: "8080"
- name: PRODUCT_CATALOG_SERVICE_ADDR
value: "{{ .Values.productCatalogService.name }}:3550"
{{- if .Values.opentelemetryCollector.create }}
- name: COLLECTOR_SERVICE_ADDR
value: "{{ .Values.opentelemetryCollector.name }}:4317"
- name: OTEL_SERVICE_NAME
value: "{{ .Values.recommendationService.name }}"
{{- end }}
{{- if .Values.googleCloudOperations.tracing }}
- name: ENABLE_TRACING
value: "1"
{{- end }}
{{- if not .Values.googleCloudOperations.profiler }}
- name: DISABLE_PROFILER
value: "1"
{{- end }}
resources:
{{- toYaml .Values.recommendationService.resources | nindent 10 }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.recommendationService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.recommendationService.name }}
spec:
type: ClusterIP
selector:
app: {{ .Values.recommendationService.name }}
ports:
- name: grpc
port: 8080
targetPort: 8080
{{- if .Values.networkPolicies.create }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.recommendationService.name }}
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
app: {{ .Values.recommendationService.name }}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: {{ .Values.frontend.name }}
ports:
- port: 8080
protocol: TCP
egress:
- {}
{{- end }}
{{- if .Values.sidecars.create }}
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: {{ .Values.recommendationService.name }}
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
app: {{ .Values.recommendationService.name }}
egress:
- hosts:
- istio-system/*
- ./{{ .Values.productCatalogService.name }}.{{ .Release.Namespace }}.svc.cluster.local
{{- if .Values.opentelemetryCollector.create }}
- ./{{ .Values.opentelemetryCollector.name }}.{{ .Release.Namespace }}.svc.cluster.local
{{- end }}
{{- end }}
{{- if .Values.authorizationPolicies.create }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ .Values.recommendationService.name }}
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: {{ .Values.recommendationService.name }}
rules:
- from:
- source:
principals:
{{- if .Values.serviceAccounts.create }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.frontend.name }}
{{- else }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/default
{{- end }}
to:
- operation:
paths:
- /hipstershop.RecommendationService/ListRecommendations
methods:
- POST
ports:
- "8080"
{{- end }}
{{- end }}
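Review bot: in the recommendationservice NetworkPolicy the egress rule is again `- {}` (allow all) while the Sidecar for the same workload enumerates exactly productcatalogservice and the collector, so the two policies disagree about what this pod may reach; the egress rule could be tightened to a podSelector on `app: {{ .Values.productCatalogService.name }}` for TCP 3550 (matching `PRODUCT_CATALOG_SERVICE_ADDR`), kube-dns, and the collector on 4317 behind the existing `{{- if .Values.opentelemetryCollector.create }}` guard. Style: `namespace: {{.Release.Namespace}}` in the ServiceAccount lacks the spaces used everywhere else in the template (`{{ .Release.Namespace }}`). Nothing in the container's env or probes suggests the server talks to the Kubernetes API, so `automountServiceAccountToken: false` on the pod spec would be a cheap hardening step that keeps a usable API credential out of the container's filesystem.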


@@ -0,0 +1,183 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.shippingService.create }}
{{- if .Values.serviceAccounts.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.shippingService.name }}
namespace: {{.Release.Namespace}}
{{- if not .Values.serviceAccounts.annotationsOnlyForCartservice }}
{{- with .Values.serviceAccounts.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
---
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.shippingService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.shippingService.name }}
spec:
selector:
matchLabels:
app: {{ .Values.shippingService.name }}
template:
metadata:
labels:
app: {{ .Values.shippingService.name }}
spec:
{{- if .Values.serviceAccounts.create }}
serviceAccountName: {{ .Values.shippingService.name }}
{{- else }}
serviceAccountName: default
{{- end }}
{{- if .Values.securityContext.enable }}
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
{{- if .Values.seccompProfile.enable }}
seccompProfile:
type: {{ .Values.seccompProfile.type }}
{{- end }}
{{- end }}
containers:
- name: server
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
image: {{ .Values.images.repository }}/{{ .Values.shippingService.name }}:{{ .Values.images.tag | default .Chart.AppVersion }}
ports:
- containerPort: 50051
env:
- name: PORT
value: "50051"
{{- if not .Values.googleCloudOperations.profiler }}
- name: DISABLE_PROFILER
value: "1"
{{- end }}
readinessProbe:
periodSeconds: 5
grpc:
port: 50051
livenessProbe:
grpc:
port: 50051
resources:
{{- toYaml .Values.shippingService.resources | nindent 10 }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.shippingService.name }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.shippingService.name }}
spec:
type: ClusterIP
selector:
app: {{ .Values.shippingService.name }}
ports:
- name: grpc
port: 50051
targetPort: 50051
{{- if .Values.networkPolicies.create }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.shippingService.name }}
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
app: {{ .Values.shippingService.name }}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: {{ .Values.frontend.name }}
- podSelector:
matchLabels:
app: {{ .Values.checkoutService.name }}
ports:
- port: 50051
protocol: TCP
egress:
- {}
{{- end }}
{{- if .Values.sidecars.create }}
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: {{ .Values.shippingService.name }}
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
app: {{ .Values.shippingService.name }}
egress:
- hosts:
- istio-system/*
{{- if .Values.opentelemetryCollector.create }}
- ./{{ .Values.opentelemetryCollector.name }}.{{ .Release.Namespace }}.svc.cluster.local
{{- end }}
{{- end }}
{{- if .Values.authorizationPolicies.create }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ .Values.shippingService.name }}
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: {{ .Values.shippingService.name }}
rules:
- from:
- source:
principals:
{{- if .Values.serviceAccounts.create }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.frontend.name }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.checkoutService.name }}
{{- else }}
- cluster.local/ns/{{ .Release.Namespace }}/sa/default
{{- end }}
to:
- operation:
paths:
- /hipstershop.ShippingService/GetQuote
- /hipstershop.ShippingService/ShipOrder
methods:
- POST
ports:
- "50051"
{{- end }}
{{- end }}
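Review bot: the shippingservice AuthorizationPolicy grants both the frontend and checkoutservice principals the same two operations, `/hipstershop.ShippingService/GetQuote` and `/hipstershop.ShippingService/ShipOrder`; if only the checkout flow places orders, split this into two rules so the frontend principal is limited to GetQuote and only checkoutservice may call ShipOrder, which is what a per-caller allow-list is for. Minor inconsistencies with the recommendationservice template: the livenessProbe has no `periodSeconds` (the readinessProbe sets 5) and `terminationGracePeriodSeconds: 5` is absent from the pod spec. The NetworkPolicy again ends with `egress:` / `- {}`, the same allow-all egress raised on the other services.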

helm-chart/values.yaml Normal file

@@ -0,0 +1,220 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for onlineboutique.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
images:
repository: us-central1-docker.pkg.dev/google-samples/microservices-demo
# Overrides the image tag whose default is the chart appVersion.
tag: ""
serviceAccounts:
# Specifies whether service accounts should be created.
create: true
# Annotations to add to the service accounts.
annotations: {}
# Annotations to add only for the cartservice app. This allows to follow the least privilege principle where only cartservice needs to connect to external database for example via Workload Identity.
annotationsOnlyForCartservice: false
networkPolicies:
# Specifies if the NetworkPolicies are created or not. If true, one fine granular NetworkPolicy per app is created.
create: false
sidecars:
# Specifies if the Sidecars are created or not. If true, one fine granular Sidecar per app is created.
create: false
authorizationPolicies:
# Specifies if the AuthorizationPolicies are created or not. If true, one fine granular AuthorizationPolicy per app is created.
create: false
opentelemetryCollector:
create: false
name: opentelemetrycollector
# Specifies the project id for the otel collector. If set as "PROJECT_ID" (default value), an initContainer will automatically retrieve the project id value from the metadata server.
projectId: "PROJECT_ID"
googleCloudOperations:
profiler: false
tracing: false
metrics: false
seccompProfile:
enable: false
type: RuntimeDefault
securityContext:
enable: true
adService:
create: true
name: adservice
resources:
requests:
cpu: 200m
memory: 180Mi
limits:
cpu: 300m
memory: 300Mi
cartService:
create: true
name: cartservice
resources:
requests:
cpu: 200m
memory: 128Mi
limits:
cpu: 300m
memory: 256Mi
checkoutService:
create: true
name: checkoutservice
resources:
requests:
cpu: 100m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
currencyService:
create: true
name: currencyservice
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
emailService:
create: true
name: emailservice
resources:
requests:
cpu: 100m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
frontend:
create: true
name: frontend
externalService: true
cymbalBranding: false
# One of: local, gcp, aws, azure, onprem, alibaba. When not set, defaults to "local" unless running in GKE, otherwise auto-sets to gcp.
platform: local
singleSharedSession: false
virtualService:
create: false
hosts:
- "*"
gateway:
name: asm-ingressgateway
namespace: asm-ingress
labelKey: asm
labelValue: ingressgateway
resources:
requests:
cpu: 100m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
loadGenerator:
create: true
name: loadgenerator
checkFrontendInitContainer: true
resources:
requests:
cpu: 300m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
paymentService:
create: true
name: paymentservice
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
productCatalogService:
create: true
name: productcatalogservice
# Specifies an extra latency to any request on productcatalogservice, by default no extra latency.
extraLatency: ""
resources:
requests:
cpu: 100m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
recommendationService:
create: true
name: recommendationservice
resources:
requests:
cpu: 100m
memory: 220Mi
limits:
cpu: 200m
memory: 450Mi
shippingService:
create: true
name: shippingservice
resources:
requests:
cpu: 100m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
cartDatabase:
# Specifies the type of the cartservice's database, could be either redis or spanner.
type: redis
connectionString: "redis-cart:6379"
inClusterRedis:
create: true
name: redis-cart
# Uses the public redis image from Docker Hub, otherwise will use the images.repository.
publicRepository: true
externalRedisTlsOrigination:
enable: false
name: exernal-redis-tls-origination
endpointAddress: ""
endpointPort: ""
certificate: ""
# @TODO: This service is not currently available in Helm.
# https://github.com/GoogleCloudPlatform/microservices-demo/tree/main/kustomize/components/shopping-assistant
shoppingAssistantService:
create: false
name: shoppingassistantservice
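Review bot: `name: exernal-redis-tls-origination` under `externalRedisTlsOrigination` is misspelled (`exernal` should be `external`); it sits under a `name:` key and will presumably be rendered into a resource name, which is awkward to rename once deployed, so it is best corrected in this initial commit. The chart's three network and identity controls (`networkPolicies.create`, `sidecars.create`, `authorizationPolicies.create`) and `seccompProfile.enable` all default to false while `securityContext.enable` defaults to true; the comments should state why the defaults differ, and `seccompProfile` with `type: RuntimeDefault` is low-risk enough to enable by default. Comment wording under `annotationsOnlyForCartservice`: "This allows to follow the least privilege principle" reads better as "This allows following the principle of least privilege, where only cartservice needs to connect to an external database, for example via Workload Identity."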