# Secret named "ssh-keys" apiVersion: v1 kind: Secret metadata: name: ssh-keys namespace: backend data: id_rsa: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlDWGdJQkFBS0JnUURSVk4vbFYxOFFYMnBmQlNLYVowVVlDVlk2TDFSRDlhNy9QRGtmVlpJRXdTUCszczIzCmpHU3NZanhxZXliT0lEZzI3dndkWkw5R1dEd2Nsb2lVbmhjWUpDSlJaalN4VUw5MmJJSGVhYitYSnJQUGRFNmUKbnZLTmpsSE1nampxdVhQWGkrQmpjNDgvd1BGYnhLVndSclYwOUFZOUpDbXBWZUhqdUFHUStwbmk2d0lEQVFBQgpBb0dCQUpkWWpSUk1xaisxTEx3TWcyc3RGUWgrMzZmcnhqbm9iS0MrMHZIenRVSFl2b1NzWkFHNzhLR3QyTTZICndaT3dPZFNGenlRVlRqRzI0NmNyc3czNGl1cXJtd2Q1Qmhhb0hEbmhGN3pqZkMybUN5MjlkNGF4cGY0N1NZMGYKais5bHEzSzNrRDhkcVBQTzhGRnhjQlNmSGw3ejFWR2ppbmx1V1UwbHBUN1V4YlY1QWtFQTZkMElkYTJFMlo1LwpjYTZIQXdQVGpIOUFMYzhwQlI0bXg4Q2pUN1BWZk1ncUV5SGdTRGx3aGw4V3Z2OHFWVG0xRDdxUFhoS21FeTVhCnZWdDlnUE9PclFKQkFPVWxZdS85ZUNWODY0L2VacWhWYXlBT0JIUHNUQ3ZpZ04wNk83MDBHeldPVlVGR0pxUkoKY2dWRnNhVjBudytrU3FxaFdTRVJGS1JxM3RHYmFlK1JZdmNDUUUwSjRDQ0w0YWlpbXM4RE5EeWRCUkpTVlAwQwpNandhVzZJUDVueDUvRWpYMDJ4c0Myc2ZhTjhLOGY1SEpsWGU1Yk5odkpxN3YvT3ZvSHFpYWV5Unp4MENRUUM2CkM2TEtxNGRUR0p2QlVaY1Q4VlpxemphN1VBMkFUQVRJbWJGTEt2VTBoSDJmNDY4WUVER3RLaXJUNVY0SHV5S00KYXpnTWF1dlJtcHVTbjVaaFZpOTlBa0VBaWtIanNZZW5YVWNaSHpHZzVTZ3RGc29DdXV2eEdNenpNc2cyVWZIVgo5TnNXNXoxcytHNmM2bXhCMmxFaTRVcEswc0xJeTMyZG9NRVpKQkp2cGN5MVZ3PT0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K id_rsa.pub: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFBZ1FEUlZOL2xWMThRWDJwZkJTS2FaMFVZQ1ZZNkwxUkQ5YTcvUERrZlZaSUV3U1ArM3MyM2pHU3NZanhxZXliT0lEZzI3dndkWkw5R1dEd2Nsb2lVbmhjWUpDSlJaalN4VUw5MmJJSGVhYitYSnJQUGRFNmVudktOamxITWdqanF1WFBYaStCamM0OC93UEZieEtWd1JyVjA5QVk5SkNtcFZlSGp1QUdRK3BuaTZ3PT0gaGFja2VybWFuCg== --- # Deployment named "api-server" # Listens on :9001 # Connects to "gateway-service" in "payments" namespace apiVersion: apps/v1 kind: Deployment metadata: name: api-server namespace: backend labels: app: api-server demo: roadshow spec: replicas: 1 selector: matchLabels: app: api-server template: metadata: labels: app: api-server spec: imagePullSecrets: - name: rhacs-demo-pull-pull-secret containers: - image: quay.io/rhacs-demo/netflow:latest command: ["/bin/entrypoint"] args: ["-listen", "9001", "-connect", "backend-atlas-service.backend.svc.cluster.local:8080,postgres-service.backend.svc.cluster.local:5432,gateway-service.payments.svc.cluster.local:7777"] imagePullPolicy: Always name: api-server ports: - containerPort: 9001 protocol: TCP --- # Service named "api-server-service" # Listens on :9001 apiVersion: v1 kind: Service metadata: labels: app: api-server name: api-server-service namespace: backend spec: ports: - port: 9001 protocol: TCP targetPort: 9001 name: http selector: app: api-server type: ClusterIP --- apiVersion: v1 kind: ServiceAccount metadata: name: backend-atlas namespace: backend labels: app: backend-atlas --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: backend-atlas namespace: backend labels: app: backend-atlas rules: - apiGroups: [""] resources: ["configmaps"] verbs: ["*"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: backend-atlas namespace: backend labels: app: backend-atlas roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: backend-atlas subjects: - kind: ServiceAccount name: backend-atlas namespace: backend --- # Deployment named "backend-atlas" # Listens on :8080 # Vulnerable to struts apiVersion: apps/v1 kind: Deployment metadata: name: backend-atlas namespace: backend labels: app: backend-atlas spec: replicas: 1 selector: matchLabels: app: backend-atlas template: metadata: labels: app: backend-atlas spec: serviceAccountName: backend-atlas imagePullSecrets: - name: rhacs-demo-pull-pull-secret containers: - image: quay.io/rhacs-demo/backend-atlas:latest imagePullPolicy: Always name: backend-atlas ports: - containerPort: 8080 - image: quay.io/rhacs-demo/backend-atlas:sidecar-latest command: ["/bin/entrypoint"] name: log-collector --- # Service named "backend-atlas-service" # Listens on :8080 apiVersion: v1 kind: Service metadata: labels: app: backend-atlas name: backend-atlas-service namespace: backend spec: ports: - port: 8080 protocol: TCP targetPort: 8080 name: http selector: app: backend-atlas type: ClusterIP --- apiVersion: v1 kind: ServiceAccount metadata: name: postgres namespace: backend labels: app: postgres --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: postgres-cm namespace: backend labels: app: postgres rules: - apiGroups: [""] # core resources: ["configmaps"] verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: postgres namespace: backend labels: app: postgres roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: postgres-cm subjects: - kind: ServiceAccount name: postgres namespace: backend --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: postgres-secrets namespace: backend labels: app: postgres rules: - apiGroups: [""] # core resources: ["secrets"] verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: postgres-secrets namespace: backend labels: app: postgres roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: postgres-secrets subjects: - kind: ServiceAccount name: postgres namespace: backend --- # Deployment named "postgres" # Listens on :5432 # Has SSH keys mounted apiVersion: apps/v1 kind: Deployment metadata: name: postgres namespace: backend labels: app: postgres spec: replicas: 1 selector: matchLabels: app: postgres template: metadata: labels: app: postgres spec: imagePullSecrets: - name: rhacs-demo-pull-pull-secret volumes: - name: ssh-keys secret: secretName: ssh-keys containers: - image: quay.io/rhacs-demo/netflow:latest command: ["/bin/entrypoint"] args: ["-listen", "5432"] imagePullPolicy: Always name: postgres ports: - containerPort: 5432 protocol: TCP volumeMounts: - name: ssh-keys mountPath: "/root/.ssh" --- # Service named "postgres-service" # Listens on :5432 apiVersion: v1 kind: Service metadata: labels: app: postgres name: postgres-service namespace: backend spec: ports: - port: 5432 protocol: TCP targetPort: 5432 name: tcp selector: app: postgres type: ClusterIP --- # Deployment named "varnish" # Listens on :8080 apiVersion: apps/v1 kind: Deployment metadata: name: varnish namespace: backend labels: app: varnish spec: replicas: 1 selector: matchLabels: app: varnish template: metadata: labels: app: varnish spec: imagePullSecrets: - name: rhacs-demo-pull-pull-secret containers: - image: quay.io/rhacs-demo/netflow:latest command: ["/bin/entrypoint"] args: ["-listen", "8080", "-connect", "api-server-service.backend.svc.cluster.local:9001"] imagePullPolicy: Always name: varnish ports: - containerPort: 8080 protocol: TCP --- # Service named "varnish-service" # Listens on :8080 apiVersion: v1 kind: Service metadata: labels: app: varnish name: varnish-service namespace: backend spec: ports: - port: 8080 protocol: TCP targetPort: 8080 name: http selector: app: varnish type: ClusterIP