From 05e9de3c97a8c32afaf2d0b7d85edd184936bb84 Mon Sep 17 00:00:00 2001
From: Leonard Cohnen <lc@edgeless.systems>
Date: Tue, 13 Feb 2024 11:54:24 +0100
Subject: [PATCH] service-mesh: add emojivoto example

---
 .../emojivoto-sm-egress/coordinator.yml       |  48 +++++++++
 deployments/emojivoto-sm-egress/emoji.yml     |  90 ++++++++++++++++
 deployments/emojivoto-sm-egress/ns.yml        |   4 +
 .../emojivoto-sm-egress/portforwarder.yml     |  59 +++++++++++
 deployments/emojivoto-sm-egress/vote-bot.yml  |  35 ++++++
 deployments/emojivoto-sm-egress/voting.yml    |  90 ++++++++++++++++
 deployments/emojivoto-sm-egress/web.yml       | 100 ++++++++++++++++++
 justfile                                      |   2 +-
 8 files changed, 427 insertions(+), 1 deletion(-)
 create mode 100644 deployments/emojivoto-sm-egress/coordinator.yml
 create mode 100644 deployments/emojivoto-sm-egress/emoji.yml
 create mode 100644 deployments/emojivoto-sm-egress/ns.yml
 create mode 100644 deployments/emojivoto-sm-egress/portforwarder.yml
 create mode 100644 deployments/emojivoto-sm-egress/vote-bot.yml
 create mode 100644 deployments/emojivoto-sm-egress/voting.yml
 create mode 100644 deployments/emojivoto-sm-egress/web.yml

diff --git a/deployments/emojivoto-sm-egress/coordinator.yml b/deployments/emojivoto-sm-egress/coordinator.yml
new file mode 100644
index 0000000000..2b698f4142
--- /dev/null
+++ b/deployments/emojivoto-sm-egress/coordinator.yml
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coordinator
+  namespace: edg-default
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: coordinator
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: coordinator
+      annotations:
+        nunki.edgeless.systems/pod-role: coordinator
+    spec:
+      runtimeClassName: kata-cc-isolation
+      containers:
+        - name: coordinator
+          image: "ghcr.io/edgelesssys/nunki/coordinator:latest"
+          ports:
+            - containerPort: 7777
+            - containerPort: 1313
+          env:
+            - name: NUNKI_LOG_LEVEL
+              value: "debug"
+          resources:
+            requests:
+              memory: 100Mi
+            limits:
+              memory: 100Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: coordinator
+  namespace: edg-default
+spec:
+  ports:
+    - name: intercom
+      port: 7777
+      protocol: TCP
+    - name: coordapi
+      port: 1313
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: coordinator
diff --git a/deployments/emojivoto-sm-egress/emoji.yml b/deployments/emojivoto-sm-egress/emoji.yml
new file mode 100644
index 0000000000..8da5e46731
--- /dev/null
+++ b/deployments/emojivoto-sm-egress/emoji.yml
@@ -0,0 +1,90 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: emoji
+  namespace: edg-default
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: emoji
+  namespace: edg-default
+  labels:
+    app.kubernetes.io/name: emoji
+    app.kubernetes.io/part-of: emojivoto
+    app.kubernetes.io/version: v11
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: emoji-svc
+      version: v11
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: emoji-svc
+        version: v11
+    spec:
+      runtimeClassName: kata-cc-isolation
+      initContainers:
+        - name: initializer
+          image: "ghcr.io/edgelesssys/nunki/initializer:latest"
+          env:
+            - name: COORDINATOR_HOST
+              value: coordinator
+          volumeMounts:
+            - name: tls-certs
+              mountPath: /tls-config
+          resources:
+            requests:
+              memory: 50Mi
+            limits:
+              memory: 50Mi
+      serviceAccountName: emoji
+      containers:
+        - env:
+            - name: GRPC_PORT
+              value: "8080"
+            - name: PROM_PORT
+              value: "8801"
+            - name: EDG_CERT_PATH
+              value: /tls-config/certChain.pem
+            - name: EDG_CA_PATH
+              value: /tls-config/MeshCACert.pem
+            - name: EDG_KEY_PATH
+              value: /tls-config/key.pem
+          image: ghcr.io/3u13r/emojivoto-emoji-svc:coco-1
+          name: emoji-svc
+          ports:
+            - containerPort: 8080
+              name: grpc
+            - containerPort: 8801
+              name: prom
+          resources:
+            requests:
+              cpu: 100m
+              memory: 50Mi
+            limits:
+              memory: 50Mi
+          volumeMounts:
+            - name: tls-certs
+              mountPath: /tls-config
+      volumes:
+        - name: tls-certs
+          emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: emoji-svc
+  namespace: edg-default
+spec:
+  selector:
+    app.kubernetes.io/name: emoji-svc
+  ports:
+    - name: grpc
+      port: 8080
+      targetPort: 8080
+    - name: prom
+      port: 8801
+      targetPort: 8801
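Review bot: The `tls-certs` volume at the end of the Deployment is a bare `emptyDir: {}`, and the `initializer` writes the workload's private key into it (`EDG_KEY_PATH` is `/tls-config/key.pem`); a default emptyDir is normally a directory on the node's disk handed into the pod by the host, and whether `kata-cc-isolation` keeps it inside the guest is not visible from this file, so the key may land where the host can read it. Declaring the volume as `emptyDir:` with `medium: Memory` underneath keeps it in RAM and off the node's disk either way; the same volume definition appears in voting.yml and web.yml. The pod also mounts the `emoji` ServiceAccount's token although nothing here calls the Kubernetes API, so `automountServiceAccountToken: false` in the pod spec (or on the ServiceAccount) removes a credential the workload does not need. The workload image `ghcr.io/3u13r/emojivoto-emoji-svc:coco-1` (and `emojivoto-voting-svc:coco-1` in voting.yml) comes from a personal registry namespace rather than the project's; a comment naming where it is built from would help readers judge what they are running.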
diff --git a/deployments/emojivoto-sm-egress/ns.yml b/deployments/emojivoto-sm-egress/ns.yml
new file mode 100644
index 0000000000..ed2712cc89
--- /dev/null
+++ b/deployments/emojivoto-sm-egress/ns.yml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: edg-default
diff --git a/deployments/emojivoto-sm-egress/portforwarder.yml b/deployments/emojivoto-sm-egress/portforwarder.yml
new file mode 100644
index 0000000000..a5adcf9c36
--- /dev/null
+++ b/deployments/emojivoto-sm-egress/portforwarder.yml
@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: port-forwarder-coordinator
+  namespace: edg-default
+  labels:
+    app.kubernetes.io/name: port-forwarder-coordinator
+spec:
+  containers:
+    - name: port-forwarder
+      image: "ghcr.io/edgelesssys/nunki/port-forwarder:latest"
+      env:
+        - name: LISTEN_PORT
+          value: "1313"
+        - name: FORWARD_HOST
+          value: coordinator
+        - name: FORWARD_PORT
+          value: "1313"
+      command:
+        - /bin/bash
+        - "-c"
+        - echo Starting port-forward with socat; exec socat -d -d TCP-LISTEN:${LISTEN_PORT},fork TCP:${FORWARD_HOST}:${FORWARD_PORT}
+      ports:
+        - containerPort: 1313
+      resources:
+        requests:
+          memory: 50Mi
+        limits:
+          memory: 50Mi
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: port-forwarder-emojivoto-web
+  namespace: edg-default
+  labels:
+    app.kubernetes.io/name: port-forwarder-emojivoto-web
+spec:
+  containers:
+    - name: port-forwarder
+      image: "ghcr.io/edgelesssys/nunki/port-forwarder:latest"
+      env:
+        - name: LISTEN_PORT
+          value: "8080"
+        - name: FORWARD_HOST
+          value: web-svc
+        - name: FORWARD_PORT
+          value: "443"
+      command:
+        - /bin/bash
+        - "-c"
+        - echo Starting port-forward with socat; exec socat -d -d TCP-LISTEN:${LISTEN_PORT},fork TCP:${FORWARD_HOST}:${FORWARD_PORT}
+      ports:
+        - containerPort: 8080
+      resources:
+        requests:
+          memory: 50Mi
+        limits:
+          memory: 50Mi
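Review bot: Both port-forwarder Pods run with no `securityContext` and outside `kata-cc-isolation`, yet they are the entry point from outside into the coordinator API (1313) and `web-svc` (443); socat only relays TCP on unprivileged ports, so they can run as non-root with every capability dropped without changing behaviour, which bounds what a compromised forwarder can do on the node (if the image's default user is root, `runAsUser` has to be set alongside `runAsNonRoot`). Since the relay does not terminate TLS, the forwarder never sees plaintext as long as the client speaks TLS end-to-end to the workload behind it; a one-line comment above each Pod stating that it is an untrusted relay would make that trust boundary explicit. The `command` string is duplicated verbatim in both Pods, so any change (for example adding `set -u`) has to be made twice. The same hardening block applies to the second Pod.
```yaml
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: port-forwarder
      # … unchanged: image, env, command, ports, resources …
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
```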
diff --git a/deployments/emojivoto-sm-egress/vote-bot.yml b/deployments/emojivoto-sm-egress/vote-bot.yml
new file mode 100644
index 0000000000..2149d7b470
--- /dev/null
+++ b/deployments/emojivoto-sm-egress/vote-bot.yml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vote-bot
+  namespace: edg-default
+  labels:
+    app.kubernetes.io/name: vote-bot
+    app.kubernetes.io/part-of: emojivoto
+    app.kubernetes.io/version: v11
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: vote-bot
+      version: v11
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: vote-bot
+        version: v11
+    spec:
+      containers:
+        - command:
+            - emojivoto-vote-bot
+          env:
+            - name: WEB_HOST
+              value: web-svc:443
+          image: docker.l5d.io/buoyantio/emojivoto-web:v11
+          name: vote-bot
+          resources:
+            requests:
+              cpu: 10m
+              memory: 25Mi
+            limits:
+              memory: 25Mi
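Review bot: The `vote-bot` Deployment has no `runtimeClassName` and mounts no TLS material, yet it dials `web-svc:443` through `WEB_HOST`; it presumably only works because web.yml sets `EDG_DISABLE_CLIENT_AUTH` on `web-svc`, and nothing in this file records that dependency. A comment above the `WEB_HOST` entry such as `# no mesh identity here; relies on web-svc accepting unauthenticated clients (see web.yml)` would stop the two files drifting apart. The pod also gets the namespace's default ServiceAccount token mounted although it never talks to the Kubernetes API; `automountServiceAccountToken: false` in the pod spec is a cheap removal.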
diff --git a/deployments/emojivoto-sm-egress/voting.yml b/deployments/emojivoto-sm-egress/voting.yml
new file mode 100644
index 0000000000..a87963a857
--- /dev/null
+++ b/deployments/emojivoto-sm-egress/voting.yml
@@ -0,0 +1,90 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: voting
+  namespace: edg-default
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: voting
+  namespace: edg-default
+  labels:
+    app.kubernetes.io/name: voting
+    app.kubernetes.io/part-of: emojivoto
+    app.kubernetes.io/version: v11
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: voting-svc
+      version: v11
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: voting-svc
+        version: v11
+    spec:
+      runtimeClassName: kata-cc-isolation
+      initContainers:
+        - name: initializer
+          image: "ghcr.io/edgelesssys/nunki/initializer:latest"
+          env:
+            - name: COORDINATOR_HOST
+              value: coordinator
+          volumeMounts:
+            - name: tls-certs
+              mountPath: /tls-config
+          resources:
+            requests:
+              memory: 50Mi
+            limits:
+              memory: 50Mi
+      serviceAccountName: voting
+      containers:
+        - env:
+            - name: GRPC_PORT
+              value: "8080"
+            - name: PROM_PORT
+              value: "8801"
+            - name: EDG_CERT_PATH
+              value: /tls-config/certChain.pem
+            - name: EDG_CA_PATH
+              value: /tls-config/MeshCACert.pem
+            - name: EDG_KEY_PATH
+              value: /tls-config/key.pem
+          image: ghcr.io/3u13r/emojivoto-voting-svc:coco-1
+          name: voting-svc
+          ports:
+            - containerPort: 8080
+              name: grpc
+            - containerPort: 8801
+              name: prom
+          resources:
+            requests:
+              cpu: 100m
+              memory: 50Mi
+            limits:
+              memory: 50Mi
+          volumeMounts:
+            - name: tls-certs
+              mountPath: /tls-config
+      volumes:
+        - name: tls-certs
+          emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: voting-svc
+  namespace: edg-default
+spec:
+  selector:
+    app.kubernetes.io/name: voting-svc
+  ports:
+    - name: grpc
+      port: 8080
+      targetPort: 8080
+    - name: prom
+      port: 8801
+      targetPort: 8801
diff --git a/deployments/emojivoto-sm-egress/web.yml b/deployments/emojivoto-sm-egress/web.yml
new file mode 100644
index 0000000000..4414f2d5a5
--- /dev/null
+++ b/deployments/emojivoto-sm-egress/web.yml
@@ -0,0 +1,100 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: web
+  namespace: edg-default
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: web
+  namespace: edg-default
+  labels:
+    app.kubernetes.io/name: web
+    app.kubernetes.io/part-of: emojivoto
+    app.kubernetes.io/version: v11
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: web-svc
+      version: v11
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: web-svc
+        version: v11
+    spec:
+      runtimeClassName: kata-cc-isolation
+      initContainers:
+        - name: initializer
+          image: "ghcr.io/edgelesssys/nunki/initializer:latest"
+          env:
+            - name: COORDINATOR_HOST
+              value: coordinator
+          volumeMounts:
+            - name: tls-certs
+              mountPath: /tls-config
+      serviceAccountName: web
+      containers:
+        - name: sidecar
+          image: "ghcr.io/edgelesssys/nunki/service-mesh-proxy:latest"
+          volumeMounts:
+            - name: tls-certs
+              mountPath: /tls-config
+          env:
+            - name: EDG_PROXY_CONFIG
+              value: "emoji#127.137.0.1:8080#emoji-svc##voting#127.137.0.2:8080#voting-svc"
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+                - NET_RAW
+        - env:
+            - name: WEB_PORT
+              value: "8080"
+            - name: EMOJISVC_HOST
+              value: 127.137.0.1:8080
+            - name: VOTINGSVC_HOST
+              value: 127.137.0.2:8080
+            - name: INDEX_BUNDLE
+              value: dist/index_bundle.js
+            - name: EDG_CERT_PATH
+              value: /tls-config/certChain.pem
+            - name: EDG_CA_PATH
+              value: /tls-config/MeshCACert.pem
+            - name: EDG_KEY_PATH
+              value: /tls-config/key.pem
+            - name: EDG_DISABLE_CLIENT_AUTH
+              value: "true"
+          image: docker.l5d.io/buoyantio/emojivoto-web:v11
+          name: web-svc
+          ports:
+            - containerPort: 8080
+              name: https
+          resources:
+            requests:
+              cpu: 100m
+              memory: 50Mi
+            limits:
+              memory: 50Mi
+          volumeMounts:
+            - name: tls-certs
+              mountPath: /tls-config
+      volumes:
+        - name: tls-certs
+          emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: web-svc
+  namespace: edg-default
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: web-svc
+  ports:
+    - name: https
+      port: 443
+      targetPort: 8080
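Review bot: `EDG_DISABLE_CLIENT_AUTH: "true"` on the `web-svc` container switches off client authentication on the one mesh listener that is meant to be reached from outside the confidential workloads, so any client that can reach `web-svc` on 443 inside the cluster — including the port-forwarder Pod — is accepted without a mesh identity; that is presumably intended for the browser and vote-bot, but it deserves a comment directly above the entry saying so and noting that `emoji-svc` and `voting-svc` keep client auth on. The `initializer` init container and the `sidecar` container carry no `resources` block, unlike the otherwise identical initializer in emoji.yml and voting.yml; copying the `50Mi` request/limit over keeps the three consistent. The sidecar adds `NET_ADMIN` and `NET_RAW`, and `EDG_PROXY_CONFIG` encodes its routes as `name#listen#target` entries separated by `##`, neither of which is explained; a short comment above `securityContext` and another above `EDG_PROXY_CONFIG` naming why the capabilities are needed and what each field means would save readers a trip to the proxy's source.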
diff --git a/justfile b/justfile
index 7c2c0488e0..5fa7d71286 100644
--- a/justfile
+++ b/justfile
@@ -126,7 +126,7 @@ wait-for-workload target=default_deploy_target:
             nix run .#scripts.kubectl-wait-ready -- $ns openssl-client
             nix run .#scripts.kubectl-wait-ready -- $ns openssl-frontend
         ;;
-        "emojivoto")
+        "emojivoto" | "emojivoto-sm-egress")
             nix run .#scripts.kubectl-wait-ready -- $ns emoji-svc
             nix run .#scripts.kubectl-wait-ready -- $ns vote-bot
             nix run .#scripts.kubectl-wait-ready -- $ns voting-svc
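Review bot: The shared case arm `"emojivoto" | "emojivoto-sm-egress")` waits only for the workloads the original example had (`emoji-svc`, `vote-bot`, `voting-svc` and whatever follows outside the hunk), but the new target also creates the bare Pods `port-forwarder-coordinator` and `port-forwarder-emojivoto-web`, which no wait covers; if a later recipe port-forwards through them it can race their start-up. Either give the new target its own arm that additionally waits for the two forwarders, or add a comment stating that they are intentionally not awaited. The `wait-for-workload` recipe continues outside this hunk.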