コード例 #1
def basic_vault_agent_architecture():
    """Render the "Vault Agent Architecture" diagram, laid out left to right.

    Three clusters are drawn: a control plane holding the API server, a
    Vault cluster (service on :8200, certs secret, config map, Vault node
    and a volume captioned "Encrypted Store"), and a "Secure Pod" holding
    the init agent, the agent, the app container and a volume captioned
    "In Memory".  Nothing is returned; ``show=False`` is passed to
    ``Diagram``.

    NOTE(review): "Encrypted Store" and "In Memory" are captions only.  The
    diagram does not establish that the PV is encrypted at rest or that the
    shared volume is memory-backed (for example an emptyDir with
    ``medium: Memory``) -- confirm against the actual manifests.
    """
    with Diagram(name="Vault Agent Architecture", show=False, direction="LR"):

        with Cluster("Control Plane"):
            kube_api = APIServer()

        with Cluster("Vault"):
            vault_service = Service(":8200")
            tls_secret = Secret("Certs Secret")
            server_config = ConfigMap("Vault Config")
            vault_server = Vault("Vault")
            storage_volume = PV("Encrypted Store")

            # Vault points at its storage; the certs secret and the config
            # map point into Vault.
            vault_server >> storage_volume
            vault_server >> Edge() << vault_service  # drawn as a two-way edge
            vault_server << tls_secret
            vault_server << server_config

        with Cluster("Secure Pod"):
            sidecar_agent = Custom("Vault Agent", crio_icon)
            init_agent = Custom("Init Vault Agent", crio_icon)

            # Both agents are wired identically, so they are handled as a group.
            agents = [init_agent, sidecar_agent]

            workload = Custom("App", crio_icon)
            shared_volume = Vol("In Memory")

            # Edges run agents -> volume -> app.
            agents >> shared_volume
            workload << shared_volume

            # Kept as one chained expression: the DSL operators are applied
            # left to right and each step feeds the next.
            agents << vault_service << agents >> Edge() << workload

        kube_api >> Edge() << vault_server
コード例 #2
        super(Vault, self).__init__(label, './img/vault.png')


class ExternalSecrets(Custom):
    """Custom diagram node drawn with the external-secrets icon."""

    def __init__(self, label):
        # Relative path; presumably resolved against the working directory
        # when the diagram is rendered -- confirm.
        icon_path = './img/external-secrets.png'
        super().__init__(label, icon_path)


# Renders "Secret Management Flow" as a JPEG without opening a viewer
# (outformat="jpg", show=False).  graph_attr is referenced here but defined
# outside the visible lines.
with Diagram("Secret Management Flow",
             graph_attr=graph_attr,
             outformat="jpg",
             show=False):
    # Entry point of the flow: the script that feeds Vault.
    init_script = Python("vault_init.py")

    # End of the flow: ordinary Kubernetes Secret objects.
    # NOTE(review): values synced out of Vault end up in Kubernetes Secrets,
    # so RBAC on those Secrets and encryption at rest for the cluster store
    # still apply -- the diagram does not show either.
    init_secrets = Secret('Kubernetes secrets')

    # The cluster alias is not used in the visible lines.
    with Cluster("External-secrets components") as external_secrets_cluster:
        external_service_account = ServiceAccount('Service account')
        external_secrets = ExternalSecrets("Secret workers")
        external_secrets_manifests = Secret('External secrets')

        # The workers take the manifests as input ...
        external_secrets << external_secrets_manifests

        # ... and are tied to a service account.
        # NOTE(review): presumably the identity the workers use towards
        # Vault and the API server -- confirm and scope it narrowly.
        external_secrets << external_service_account

    # The cluster alias is not used in the visible lines.
    with Cluster("Vault components") as vault_cluster:
        vault = Vault('vault')
        # Created but given no edges in the visible lines.
        vault_init_secrets = Secret('vault-init-secrets')

    # Main path: init script -> Vault -> external-secrets workers -> Secrets.
    init_script >> vault >> external_secrets >> init_secrets
コード例 #3
}

# Renders "Setup a blog on k3s" top to bottom without opening a viewer.
# graph_attr and node_attr are referenced here but defined outside the
# visible lines.
with Diagram("Setup a blog on k3s",
             show=False,
             graph_attr=graph_attr,
             node_attr=node_attr,
             direction="TB"):
    users = Users("Users")
    # The certificate authority sits in its own cluster, outside the server.
    with Cluster("LetsEncrypt API Servers", graph_attr=graph_attr):
        letsencrypt = LetsEncrypt("LE SSL Certificate")
    with Cluster("BareMetal Server", graph_attr=graph_attr):
        with Cluster("K8S Cluster", graph_attr=graph_attr):
            with Cluster("NS Cert-Manager", graph_attr=graph_attr):
                certificate_request = CertManager("mywebsite.com")
            with Cluster("NS www", graph_attr=graph_attr):
                # NOTE(review): presumably holds the certificate and private
                # key issued for the site -- confirm; if so, read access to
                # this Secret should be limited to the ingress.
                website_secret = Secret("mywebsite.com")
                with Cluster("Ingress", graph_attr=graph_attr):
                    ingress = Ingress("https")
                with Cluster("Pods", graph_attr=graph_attr):
                    pod = Pod('website')
                with Cluster("Deployment", graph_attr=graph_attr):
                    # Created but given no edges in the visible lines.
                    pod_deploy = Deployment("website")
                with Cluster("RS", graph_attr=graph_attr):
                    pod_rs = RS("website")

    # Certificate path: Let's Encrypt -> Secret -> ingress.
    letsencrypt >> website_secret >> ingress

    # The cert-manager node points at Let's Encrypt; users reach the pod
    # through the ingress.
    certificate_request >> letsencrypt
    users >> ingress >> pod

    pod_rs >> pod
コード例 #4
from diagrams.onprem.network import Internet
from diagrams.onprem.network import Internet
from diagrams.k8s.compute import Deploy
from diagrams.k8s.network import Ingress
from diagrams.k8s.podconfig import Secret
from diagrams.k8s.podconfig import ConfigMap
# Diagram of a Node.js + PostgreSQL deployment behind an ingress, rendered
# without opening a viewer (show=False).
with Diagram("kubernetes deployment nodejs postgresql ingress", show=False):
    with Cluster("Kubernetes Components"):
        with Cluster("Services"):
            node_service = Service("Internal Node Service")
            postgres_service = Service("Internal Postgres Service")
        with Cluster("Ingress"):
            front_ingress = Ingress("Ingress")
        with Cluster("Pods"):
            postgres_pod = Pod("Postgresql")
            node_pod = Pod("Nodejs")

        with Cluster("configuration"):
            deploy_node = Deploy("Deployment")
            config_map = ConfigMap("ConfigMap")
            secret_node = Secret("Secret")

        # The deployment points at its Secret and ConfigMap ...
        deploy_node >> secret_node
        deploy_node >> config_map
        # ... and "defines" both internal services.
        (deploy_node
         >> Edge(label="defines")
         >> node_service)
        (deploy_node
         >> Edge(label="defines")
         >> postgres_service)
        # As drawn, PostgreSQL is reached only from the Node.js pod, through
        # the internal Postgres service.
        node_pod >> postgres_service >> postgres_pod

    # Only the Node.js service sits on the path from the Internet.
    internet_node = Internet("Internet")
    internet_node >> front_ingress >> node_service >> node_pod


コード例 #5
}

# Renders "Deployments" as SVG into the file name "deployments_prow", top to
# bottom; show=True asks the library to open the result after rendering.
# diagram_attrib, node_attrib and edge_attrib are referenced here but defined
# outside the visible lines.
with Diagram("Deployments",outformat="svg",filename="deployments_prow",show=True,
graph_attr=diagram_attrib,node_attr=node_attrib,edge_attr=edge_attrib,direction="TB"):
    with Cluster("Deployments",graph_attr={"fontsize": "67"}):
        # Given no edges in the visible lines.
        ing_chartmuseum = Nginx("Ingress") 
        #ing_deck = Nginx("deck") 
        #ing_hook = Nginx("hook")
        #ing_crier = Nginx("crier")

        with Cluster("Registries",graph_attr={"fontsize": "47"}):
            with Cluster("Nexus"):
                svc_nexus = custom.Custom("Nexus","assets/img/logos/logo_nexus.png")

                pod_nexus = Pod("nexus")
                secret_nexus = Secret("nexus")
                # NOTE(review): the captions "default-token" and "default"
                # suggest the pod runs under the namespace's default service
                # account with its token attached -- confirm.  A dedicated
                # service account, with token automount disabled when the
                # workload does not call the Kubernetes API, is the usual
                # hardening.
                token_nexus = Secret("default-token")
                sa_nexus = ServiceAccount("default")
                # data_volume and configmap_nexus are created but given no
                # edges in the visible lines.
                data_volume = PVC("nexus-data-volume")
                config_volume_nexus = PV("nexus")
                configmap_nexus = ConfigMap("nexus")

                # Undirected dashed gray links: pod - secret - token -
                # service account, and pod - config volume.
                pod_nexus - Edge(color="gray", style="dashed") - secret_nexus - Edge(color="gray", style="dashed")  - token_nexus - Edge(color="gray", style="dashed")  - sa_nexus
                pod_nexus - Edge(color="gray", style="dashed") - config_volume_nexus

                # The Nexus node points at the pod behind it.
                svc_nexus >> pod_nexus

            with Cluster("Chartmusem"):
                svc_chartmuseum = custom.Custom("Chartmuseum","assets/img/logos/logo_chartmuseum.png")

                pod = Pod("chartmuseum")
コード例 #6
from diagrams import Cluster, Diagram, Edge
from diagrams.k8s.compute import Deployment, Pod
from diagrams.k8s.controlplane import API
from diagrams.k8s.group import NS
from diagrams.k8s.podconfig import Secret
from diagrams.oci.compute import OCIR

# Diagram of the "regcred-injector" flow; the numbered edge labels (1-7) give
# the order of the steps.  show=True asks the library to open the result
# after rendering.
#
# NOTE(review): as drawn, the injector reads a Secret in kube-system (step 2)
# and creates one in the default namespace (step 3), which implies it holds
# RBAC permissions for both.  The diagram does not show how those
# permissions are scoped -- confirm they are limited to the Secrets involved.
with Diagram("regcred-injector", show=True):

    control_plane = API("Control Plane")
    # The OCIR icon is used for a node captioned "DockerHub".
    registry = OCIR("DockerHub")

    # Placeholder binding; overwritten inside the kube-system cluster.
    webhook = None

    with Cluster("kube-system"):
        webhook = Deployment("regcred-injector")
        source_credential = Secret("Credential/Certs")

        # Steps 1 and 4: the round trip between control plane and injector.
        (control_plane
         << Edge(label="1 mutate webhook")
         << webhook
         << Edge(label="4 return mutated response")
         << control_plane)
        # Step 2: the injector points at the stored credential.
        webhook >> Edge(label="2 fetch credential") >> source_credential

    with Cluster("default"):
        new_pod = Pod("new-pod")
        pull_secret = Secret("regcred")
        # Steps 5 and 6: the pod is created and points at the pull secret.
        (control_plane
         >> Edge(label="5 create pod")
         >> new_pod
         >> Edge(label="6 use registry credential")
         >> pull_secret)
        # Step 3: the injector creates the pull secret in this namespace.
        webhook >> Edge(label="3 create registry credential") >> pull_secret
        # Step 7: the pod pulls from the registry.
        new_pod >> Edge(label="7 authenticated pull") >> registry
コード例 #7
        app_lb_int = LoadBalancing("App LB (TCP/internal)")
        app_ingress_ext = Ingress("App Ingress (external)")
        app_fw = FirewallRules("Firewall")

        with Cluster("GKE"):

            # Nodes and edges of the application namespace.  app_lb_ext and
            # app_fw are used below but created outside this block.
            with Cluster("App Namespace"):
                # Resources
                app_dep = Deployment("App Deployment")
                app_rs = ReplicaSet("App ReplicaSet")
                app_replica_set_count = 3
                # One identically captioned Pod node per replica; the loop
                # variable is not used.
                app_pods = [
                    Pod("App Pod")
                    for pod in range(0, app_replica_set_count, 1)
                ]
                # The caption states that this Secret carries the database
                # credentials and host.
                # NOTE(review): anything able to read Secrets in this
                # namespace can therefore reach the database credentials --
                # confirm read access is limited to the app's own identity.
                app_secret = Secret(
                    "App Secret\n(contains DB credentials & host)")
                app_svc_ext = Service("App Service (external)")
                # Created here, but its only use in the visible lines is
                # commented out below.
                app_svc_int = Service("App Service (internal)")

                # Relationships
                # Deployment -> ReplicaSet -> pods; inbound path, read right
                # to left: firewall -> external LB -> external ingress ->
                # external service -> pods.
                app_dep >> app_rs >> app_pods << app_svc_ext << app_ingress_ext << app_lb_ext << app_fw
                # app_pods << app_svc_int << app_lb_int << app_fw
                # Edge drawn from the Deployment to the Secret.
                app_secret << app_dep

            with Cluster("DB Namespace"):
                # Pgpool
                # Resources
                pgpool_dep = Deployment("Pgpool Deployment")
                pgpool_rs = ReplicaSet("Pgpool ReplicaSet")
                pgpool_replica_set_count = 1
                pgpool_pods = [
コード例 #8
             node_attr=node_attrib,
             edge_attr=edge_attrib,
             direction="TB"):
    with Cluster("Deployments", graph_attr={"fontsize": "67"}):
        ing_chartmuseum = Nginx("Ingress")
        #ing_deck = Nginx("deck")
        #ing_hook = Nginx("hook")
        #ing_crier = Nginx("crier")

        with Cluster("Registries", graph_attr={"fontsize": "47"}):
            with Cluster("Nexus"):
                svc_nexus = custom.Custom("Nexus",
                                          "assets/img/logos/logo_nexus.png")

                pod_nexus = Pod("nexus")
                secret_nexus = Secret("nexus")
                token_nexus = Secret("default-token")
                sa_nexus = ServiceAccount("default")
                data_volume = PVC("nexus-data-volume")
                config_volume_nexus = PV("nexus")
                configmap_nexus = ConfigMap("nexus")

                pod_nexus - Edge(
                    color="gray", style="dashed") - secret_nexus - Edge(
                        color="gray", style="dashed") - token_nexus - Edge(
                            color="gray", style="dashed") - sa_nexus
                pod_nexus - Edge(color="gray",
                                 style="dashed") - config_volume_nexus

                svc_nexus >> pod_nexus
コード例 #9
from diagrams.custom import Custom
from diagrams.k8s.compute import Pod
from diagrams.k8s.network import Service
from diagrams.k8s.podconfig import Secret, ConfigMap
from diagrams.oci.compute import Container
from diagrams.onprem.container import Docker
from diagrams.onprem.network import Gunicorn
from diagrams.programming.framework import Flask

# Diagram of the books service: a Kubernetes service and pod, the pod's
# Secret and ConfigMap inputs, and the containers and runtime pieces inside
# it.  show=True asks the library to open the result after rendering.
with Diagram("Lorem Ipsum Cloud Native Books Service",
             show=True,
             filename='lorem_ipsum_cloud_native_books_service'):
    with Cluster("Kube"):
        service_node = Service('svc')
        pod_node = Pod('pod')
        secret_node = Secret('secrets')
        config_node = ConfigMap('cm')

        with Cluster('Runtime'):
            stats_sink = Custom('stats', './resources/statsd.png')
            app_container = Container('app')
            statsd_container = Container('statsd')
            docker_node = Docker('')
            flask_node = Flask('web')
            gunicorn_node = Gunicorn('wsgi')

            # What the app container runs on, runs and uses.
            (app_container
             >> Edge(label='runs_on')
             >> docker_node)
            (app_container
             >> Edge(label='runs')
             >> [gunicorn_node])
            (app_container
             >> Edge(label='uses')
             >> [flask_node])
            gunicorn_node >> stats_sink

        # The service fronts the pod, which holds both containers.
        service_node >> pod_node >> [app_container, statsd_container]
        # Secret and ConfigMap both point into the pod.
        pod_node << [secret_node, config_node]