VPC Lattice setups
# Namespace that holds the app1 workloads.
# The label is presumably what the shared infrastructure Gateway's
# allowedRoutes namespace selector matches on (the Gateway is not shown here);
# it is a plain string, hence the quotes.
apiVersion: v1
kind: Namespace
metadata:
  name: app1
  labels:
    allow-attachment-to-infra-gw: 'true'
---
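# app1-v1 with an envoy-based SigV4 sidecar (no transparent interception).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app1-v1
  namespace: app1
  labels:
    app: app1-v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app1-v1
  template:
    metadata:
      labels:
        app: app1-v1
    spec:
      serviceAccountName: default
      # The iptables init container is left commented out in this variant, so
      # the app has to be pointed at the envoy-sigv4 sidecar explicitly (how is
      # not shown here). If it is re-enabled, the `--uid-owner 101` RETURN rule
      # only works when the sidecar really runs as uid 101: uncomment the
      # sidecar's securityContext at the same time, otherwise the sidecar's own
      # egress is redirected back into itself.
      # initContainers: # IPTables rules are updated in init container
      # - image: public.ecr.aws/d2c6w7a3/iptables
      #   name: iptables-init
      #   securityContext:
      #     capabilities:
      #       add:
      #       - NET_ADMIN
      #   command: # Adding --uid-owner 101 here to prevent traffic from aws-sigv4-proxy proxy itself from being redirected, which prevents an infinite loop
      #   - /bin/sh
      #   - -c
      #   - >
      #     iptables -t nat -N EGRESS_PROXY;
      #     iptables -t nat -A OUTPUT -p tcp -d 169.254.171.0/24 -j EGRESS_PROXY;
      #     iptables -t nat -A EGRESS_PROXY -m owner --uid-owner 101 -j RETURN;
      #     iptables -t nat -A EGRESS_PROXY -p tcp -j REDIRECT --to-ports 8080;
      containers:
        - name: app1-v1
          image: public.ecr.aws/seb-demo/http-server:v1.8
          env:
            - name: PodName
              value: "Hello from app1-v1"
            - name: CA_ARN
              value: "arn:aws:acm-pca:eu-west-1:382076407153:certificate-authority/c2197927-6a82-4354-b8e9-c7e843f0a411"
          # NOTE(review): the Service targets port 8090 but no container
          # declares it; presumably this image listens there. A containerPort
          # entry would document that (it has no runtime effect).
        - name: envoy-sigv4
          image: public.ecr.aws/seb-demo/envoy-sigv4:v0.2
          env:
            - name: APP_DOMAIN
              value: "vpc-lattice-custom-domain.io"
            - name: CA_ARN
              value: "arn:aws:acm-pca:eu-west-1:382076407153:certificate-authority/c2197927-6a82-4354-b8e9-c7e843f0a411"
          # `-l debug` is a bring-up setting: debug output from a signing proxy
          # puts per-request detail (headers, signing inputs) into pod logs,
          # which are usually shipped elsewhere. Lower it once things work.
          args: ["-l", "debug"]
          ports:
            # NOTE(review): containerPort is informational; whether the proxy
            # binds only loopback depends on the image. If it listens on the
            # pod IP, any peer the network allows can have requests signed with
            # this pod's IAM role - restrict it with a NetworkPolicy (the
            # Service below does not expose it, which is the right call).
            - containerPort: 8080
              name: proxy
              protocol: TCP
          # securityContext:
          #   runAsUser: 101
          volumeMounts:
            - name: root-cert
              mountPath: /cert/
              readOnly: true
      volumes:
        # `app-root-cert` is the object the sigv4proxy variant reads
        # server.crt and decrypted-server.key from, i.e. it carries a TLS
        # private key. A ConfigMap gets none of the handling a Secret gets
        # (separate RBAC verbs, encryption at rest, audit policy), so source
        # the volume from a Secret instead. Create a Secret named
        # `app-root-cert` with the same keys before rolling this out.
        - name: root-cert
          secret:
            secretName: app-root-cert
---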
# ClusterIP Service in front of the app1-v1 pods.
# Only the application port (8090) is exposed; the sidecar's signing port
# (8080) is deliberately left out of the Service.
# NOTE(review): 8090 is not declared as a containerPort on any container in
# the Deployment - presumably the http-server image listens there; confirm.
apiVersion: v1
kind: Service
metadata:
  namespace: app1
  name: app1-v1
spec:
  ports:
    - port: 80
      targetPort: 8090
      protocol: TCP
  selector:
    app: app1-v1
# Namespace that holds the app1 workloads.
# The label is presumably what the shared infrastructure Gateway's
# allowedRoutes namespace selector matches on (the Gateway is not shown here);
# it is a plain string, hence the quotes.
apiVersion: v1
kind: Namespace
metadata:
  name: app1
  labels:
    allow-attachment-to-infra-gw: 'true'
---
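# app1-v1 with transparent interception: an init container redirects egress to
# the VPC Lattice link-local range into an aws-sigv4-proxy sidecar that signs
# the request with the pod's IAM identity.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app1-v1
  namespace: app1
  labels:
    app: app1-v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app1-v1
  template:
    metadata:
      labels:
        app: app1-v1
    spec:
      serviceAccountName: default
      initContainers: # IPTables rules are updated in init container
        - image: public.ecr.aws/d2c6w7a3/iptables
          name: iptables-init
          securityContext:
            # NET_ADMIN is needed to edit the nat table. NOTE(review): consider
            # `drop: [ALL]` alongside it; be aware iptables-legacy also opens a
            # raw socket (CAP_NET_RAW), so test the image before tightening.
            capabilities:
              add:
                - NET_ADMIN
          # The `--uid-owner 101` RETURN must match the sidecar's runAsUser
          # below; without it the proxy's own egress would loop back into it.
          command: # Adding --uid-owner 101 here to prevent traffic from aws-sigv4-proxy proxy itself from being redirected, which prevents an infinite loop
            - /bin/sh
            - -c
            - >
              iptables -t nat -N EGRESS_PROXY;
              iptables -t nat -A OUTPUT -p tcp -d 169.254.171.0/24 -j EGRESS_PROXY;
              iptables -t nat -A EGRESS_PROXY -m owner --uid-owner 101 -j RETURN;
              iptables -t nat -A EGRESS_PROXY -p tcp -j REDIRECT --to-ports 8080;
      containers:
        - name: app1-v1
          image: public.ecr.aws/seb-demo/http-server:v1.8
          env:
            - name: PodName
              value: "Hello from app1-v1"
            - name: CA_ARN
              value: "arn:aws:acm-pca:eu-west-1:382076407153:certificate-authority/c2197927-6a82-4354-b8e9-c7e843f0a411"
          # NOTE(review): the Service targets port 8090 but no container
          # declares it; presumably this image listens there.
          volumeMounts:
            # NOTE(review): this mount also hands the app container the proxy's
            # TLS private key (decrypted-server.key). If the app only needs
            # the CA certificate, split that into its own volume.
            - name: root-cert
              mountPath: /cert/
              readOnly: true
        - name: sigv4proxy
          image: public.ecr.aws/seb-demo/aws-sigv4-proxy:1
          args:
            # The request body is not covered by the signature; integrity of
            # the body relies on the transport alone.
            - "--unsigned-payload"
            # Bring-up diagnostics: `-v` and `--log-signing-process` write the
            # signing inputs (canonical request, string-to-sign) into pod logs.
            # Remove them once the setup works.
            - "--log-failed-requests"
            - "-v"
            - "--log-signing-process"
            - "--name"
            - "vpc-lattice-svcs"
            - "--region"
            - "eu-west-1"
            # TLS is terminated here (app -> proxy on localhost) ...
            - "--enable-tls"
            - "--tls-cert-file"
            - "/cert/server.crt"
            - "--tls-key-file"
            - "/cert/decrypted-server.key"
            # ... and the hop from the proxy to the Lattice endpoint is plain
            # HTTP, so the Lattice listener is presumably HTTP.
            - "--upstream-url-scheme"
            - "http"
          ports:
            # NOTE(review): containerPort is informational; whether the proxy
            # binds only loopback depends on the image/flags. If it listens on
            # the pod IP, any peer the network allows can have requests signed
            # with this pod's IAM role - restrict it with a NetworkPolicy (the
            # Service below does not expose it, which is the right call).
            - containerPort: 8080
              name: proxy
              protocol: TCP
          securityContext:
            # Must stay in sync with the `--uid-owner 101` rule above.
            runAsUser: 101
            runAsNonRoot: true
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: root-cert
              mountPath: /cert/
              readOnly: true
      volumes:
        # This volume carries a TLS private key (decrypted-server.key). A
        # ConfigMap gets none of the handling a Secret gets (separate RBAC
        # verbs, encryption at rest, audit policy), so source it from a Secret.
        # Create a Secret named `app-root-cert` with the same keys
        # (server.crt, decrypted-server.key, ...) before rolling this out.
        - name: root-cert
          secret:
            secretName: app-root-cert
---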
# ClusterIP Service in front of the app1-v1 pods.
# Only the application port (8090) is exposed; the sidecar's signing port
# (8080) is deliberately left out of the Service.
# NOTE(review): 8090 is not declared as a containerPort on any container in
# the Deployment - presumably the http-server image listens there; confirm.
apiVersion: v1
kind: Service
metadata:
  namespace: app1
  name: app1-v1
spec:
  ports:
    - port: 80
      targetPort: 8090
      protocol: TCP
  selector:
    app: app1-v1