Modify implementation of -demo flag to use most recent hashicups and not presume transparent proxy

charts/demo/templates/frontend.yaml

@@ -1,11 +1,3 @@
-# WARNING: The HashiCups files have been copied directly from
-# https://github.com/hashicorp/learn-consul-kubernetes/tree/main/layer7-observability/hashicups
-# Any modifications begin with the comment # BEGIN CONSUL-K8S MODIFICATION
-# and end with the comment # BEGIN CONSUL-K8S MODIFICATION.
-# If keeping these files manually up to date with their upstream source,
-# the files will need to be copied from the above repo and transferred here.
-# Once transferred, all modifications will need to be reapplied.
----
 apiVersion: v1
 kind: Service
 metadata:
@@ -15,8 +7,8 @@ metadata:
 spec:
   type: ClusterIP
   ports:
-    - port: 80
-      targetPort: 80
+    - port: 3000
+      targetPort: 3000
   selector:
     app: frontend
 ---
@@ -33,39 +25,6 @@ metadata:
 spec:
   protocol: "http"
 ---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: nginx-configmap
-data:
-  config: |
-    # /etc/nginx/conf.d/default.conf
-    server {
-        listen       80;
-        server_name  localhost;
-        #charset koi8-r;
-        #access_log  /var/log/nginx/host.access.log  main;
-        location / {
-            root   /usr/share/nginx/html;
-            index  index.html index.htm;
-        }
-        # Proxy pass the api location to save CORS
-        # Use location exposed by Consul connect
-        location /api {
-            # BEGIN CONSUL-K8S MODIFICATION
-            proxy_pass http://public-api.{{ .Release.Namespace }}.svc.cluster.local:8080;
-            # END CONSUL-K8S MODIFICATION
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "Upgrade";
-            proxy_set_header Host $host;
-        }
-        error_page   500 502 503 504  /50x.html;
-        location = /50x.html {
-            root   /usr/share/nginx/html;
-        }
-    }
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -81,36 +40,22 @@ spec:
       labels:
         service: frontend
         app: frontend
-      # BEGIN CONSUL-K8S MODIFICATION
       annotations:
-        'consul.hashicorp.com/connect-inject': 'true'
-      # END CONSUL-K8S MODIFICATION
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9102"
+        consul.hashicorp.com/connect-inject: "true"
     spec:
       serviceAccountName: frontend
-      volumes:
-      - name: config
-        configMap:
-          name: nginx-configmap
-          items:
-          - key: config
-            path: default.conf
       containers:
         - name: frontend
-          image: hashicorpdemoapp/frontend:v0.0.3
+          image: hashicorpdemoapp/frontend:v1.0.3
+          imagePullPolicy: Always
+          env:
+            - name: NEXT_PUBLIC_PUBLIC_API_URL
+              value: "/"
           ports:
-            - containerPort: 80
-          volumeMounts:
-            - name: config
-              mountPath: /etc/nginx/conf.d
-              readOnly: true
----
-apiVersion: consul.hashicorp.com/v1alpha1
-kind: ServiceIntentions
-metadata:
-  name: frontend-to-public-api
-spec:
-  destination:
-    name: public-api
-  sources:
-    - name: frontend
-      action: allow
+            - containerPort: 3000
+          # Added for debugging purposes - NOT RECOMMENDED
+          # securityContext:
+          #   allowPrivilegeEscalation: false
+          #   runAsUser: 0

charts/demo/templates/intentions.yaml

@@ -0,0 +1,65 @@
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceIntentions
+metadata:
+  name: public-api
+spec:
+  sources:
+    - name: nginx
+      action: allow
+  destination:
+    name: public-api
+---
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceIntentions
+metadata:
+  name: products-api
+spec:
+  sources:
+    - name: public-api
+      action: allow
+  destination:
+    name: products-api
+---
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceIntentions
+metadata:
+  name: payments
+spec:
+  sources:
+    - name: public-api
+      action: allow
+  destination:
+    name: payments
+---
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceIntentions
+metadata:
+  name: postgres
+spec:
+  sources:
+    - name: products-api
+      action: allow
+  destination:
+    name: postgres
+---
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceIntentions
+metadata:
+  name: frontend
+spec:
+  sources:
+    - name: nginx
+      action: allow
+  destination:
+    name: frontend
+---
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceIntentions
+metadata:
+  name: deny-all
+spec:
+  destination:
+    name: '*'
+  sources:
+    - name: '*'
+      action: deny

charts/demo/templates/nginx.yaml

@@ -0,0 +1,124 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx
+spec:
+  selector:
+    app: nginx
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80
+      targetPort: 80
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nginx
+automountServiceAccountToken: true
+---
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceDefaults
+metadata:
+  name: nginx
+spec:
+  protocol: "http"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-configmap
+data:
+  config: |
+
+    # /etc/nginx/conf.d/default.conf
+      proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=STATIC:10m inactive=7d use_temp_path=off;
+
+      upstream frontend_upstream {
+        server localhost:3000;
+      }
+
+      server {
+        listen 80;
+        server_name  localhost;
+
+        server_tokens off;
+
+        gzip on;
+        gzip_proxied any;
+        gzip_comp_level 4;
+        gzip_types text/css application/javascript image/svg+xml;
+
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_cache_bypass $http_upgrade;
+
+        location /_next/static {
+          proxy_cache STATIC;
+          proxy_pass http://frontend_upstream;
+
+          # For testing cache - remove before deploying to production
+          # add_header X-Cache-Status $upstream_cache_status;
+        }
+
+        location /static {
+          proxy_cache STATIC;
+          proxy_ignore_headers Cache-Control;
+          proxy_cache_valid 60m;
+          proxy_pass http://frontend_upstream;
+
+          # For testing cache - remove before deploying to production
+          # add_header X-Cache-Status $upstream_cache_status;
+        }
+
+        location / {
+          proxy_pass http://frontend_upstream;
+        }
+
+        location /api {
+          proxy_pass http://localhost:8080;
+        }
+      }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+  labels:
+    app: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+      annotations:
+        consul.hashicorp.com/connect-inject: "true"
+        # BEGIN CONSUL-K8S MODIFICATION
+        consul.hashicorp.com/connect-service-upstreams: 'public-api:8080, frontend:3000'
+        # END CONSUL-K8S MODIFICATION
+    spec:
+      serviceAccountName: nginx
+      volumes:
+        - name: config
+          configMap:
+            name: nginx-configmap
+            items:
+              - key: config
+                path: default.conf
+      containers:
+        - name: nginx
+          image: nginx:alpine
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 80
+          volumeMounts:
+            - name: config
+              mountPath: /etc/nginx/conf.d
+              readOnly: true

charts/demo/templates/payments.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: payments
+spec:
+  selector:
+    app: payments
+  ports:
+    - name: http
+      protocol: TCP
+      port: 1800
+      targetPort: 8080
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: payments
+automountServiceAccountToken: true
+---
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceDefaults
+metadata:
+  name: payments
+spec:
+  protocol: "http"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: payments
+  labels:
+    app: payments
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: payments
+  template:
+    metadata:
+      labels:
+        app: payments
+      annotations:
+        consul.hashicorp.com/connect-inject: "true"
+    spec:
+      serviceAccountName: payments
+      containers:
+        - name: payments
+          image: hashicorpdemoapp/payments:v0.0.16
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8080