Common Skiperator configuration

This is just a quick reference for the most common configurations in Skiperator. For a complete reference see the API docs.

Application

Ingress

An ingress is a way to expose your application to the outside world. It is a Kubernetes resource that manages external access to services in a cluster, typically HTTP. This sets up all the necessary configuration behind the scenes to route traffic to your application, and also sets up a lets encrypt certificate for your application.

Simple example of an ingress:

apiVersion: skiperator.kartverket.no/v1alpha1
kind: Application
metadata:
  name: ingressapp
spec:
  image: image
  port: 8080
  ingresses:
    - ingressapp.atkv3-dev.kartverket-intern.cloud
  redirectToHTTPS: true

This sets up an ingress to your application that can be reached from Kartverkets internal network. The redirectToHTTPS field is optional and will redirect all incoming traffic to HTTPS. To make it publicly available you can remove the -intern part of the domain name.

If you want, or already have a different domain name for your application then we most likely need to set up a CNAME record in DNS. You can read more about domain names here.

Access policy

In SKIP we run istio as a service mesh. This means that all traffic between services is encrypted by default. All traffic is also blocked with network policies or istio policies by default. To allow traffic between services you need to set up an access policy. This is done by specifying spec.accessPolicy in your application.

allowing communication between two applications in the same namespace

creates rules to allow traffic between application app1 and app2 in the same namespace on service ports

apiVersion: skiperator.kartverket.no/v1alpha1
kind: Application
metadata:
  name: app1
spec:
  image: image
  port: 8080
  accessPolicy:
    inbound:
      rules:
        - application: app2
    outbound:
      rules:
        - application: app2
---
apiVersion: skiperator.kartverket.no/v1alpha1
kind: Application
metadata:
  name: app2
spec:
  image: image
  port: 8080
  accessPolicy:
    inbound:
      rules:
        - application: app1
    outbound:
      rules:
        - application: app1

allowing in and outbound traffic to an application in a different namespace

creates network policy rules to allow inbound and outbound traffic on service port to application app2 in namespace namespace2

apiVersion: skiperator.kartverket.no/v1alpha1
kind: Application
metadata:
  name: app1
spec:
  image: image
  port: 8080
  accessPolicy:
    inbound:
      rules:
        - application: app2
          namespace: namespace2
    outbound:
      rules:
        - application: app2
          namespace: namespace2

allowing outbound traffic to a job in namespaces with label

creates outbound rules to allow traffic to the skipjob job2 in all namespaces with label team: someteam on service port for app2 Note that all skipjobs must have the postfix -skipjob in the name when defining the application name in the access policy.

apiVersion: skiperator.kartverket.no/v1alpha1
kind: Application
metadata:
  name: app1
spec:
  image: image
  port: 8080
  accessPolicy:
    outbound:
      rules:
        - application: job2-skipjob
          namespaceByLabel: 
            team: someteam

access policy to allow traffic to a public domain

creates istio policies to allow traffic to a public domain on port 443, and different public domain on port 80

apiVersion: skiperator.kartverket.no/v1alpha1
kind: Application
metadata:
  name: app1
spec:
  image: image
  port: 8080
  accessPolicy:
    outbound:
      external:
        - host: kartverket.no
        - host: google.com
          ports:
            - name: http
              port: 80  
              protocol: HTTP

Replicas

you can either specify a fixed number of replicas or let the autoscaler handle it for you.

if not specified skiperator uses autoscaler by default:

minReplicas: 2
maxReplicas: 5

static:

apiVersion: skiperator.kartverket.no/v1alpha1
kind: Application
metadata:
  name: static-replicas
spec:
  image: image
  port: 8080
  replicas: 2

autoscaler:

apiVersion: skiperator.kartverket.no/v1alpha1
kind: Application
metadata:
  name: auto-replicas
spec:
  image: image
  port: 8080
  replicas:
    min: 3
    max: 6
    targetCpuUtilization: 60

This will always have minimum 3 pods running, and scale up to more pods (max 6) if cpu utilization hits 60%. Only minimum value is required.

Environment variables

Environment values can be set directly in the application spec with spec.env or by using a secret or config map with spec.envFrom.

apiVersion: skiperator.kartverket.no/v1alpha1
kind: Application
metadata:
  name: auto-replicas
spec:
  image: image
  port: 8080
  env: 
    - name: ENV_VAR
      value: "value"
  envFrom:
    - configMap: config-map-name
    - configMap: config-map-name2
    - secret: secret-name

GCP

If your application needs to read a gcp bucket for example you need to set up a service account with the correct permissions and add it to the application spec. Best practice here is to create a service account with the same name as the application, for example myapp@some-project-id.iam.gserviceaccount.com, then give this service account minimal permissions in GCP Console.

apiVersion: skiperator.kartverket.no/v1alpha1
kind: Application
metadata:
  name: auto-replicas
spec:
  image: image
  port: 8080
  gcp:
    auth: 
      serviceAccount: myapp@some-project-id.iam.gserviceaccount.com

SKIPJob

Cron - SkipJob

basic cron job that executes every minute

apiVersion: skiperator.kartverket.no/v1alpha1
kind: SKIPJob
metadata:
  name: myjob
spec:
  container:
    image: image:latest
  cron:
    schedule: "* * * * *"

Commands - SkipJob

a job that uses a command with a docker image

apiVersion: skiperator.kartverket.no/v1alpha1
kind: SKIPJob
metadata:
  name: myjob
spec:
  container:
    image: "perl:5.34.0"
    command:
      - "perl"
      - "-Mbignum=bpi"
      - "-wle"
      - "print bpi(2000)"

Access policy - SkipJob

This is the same as for applications, except we don't define inbound policies for jobs.

Routing

Frontend and backend services under the same domain

One thing that is important to remember with routes is that the order of the routes matters. The route that is defined first will be the one that is matched first.

If your backend service expects requests without the leading pathPrefix, you can configure rewriteUri to remove the prefix before it arrives at the backend.

apiVersion: skiperator.kartverket.no/v1alpha1
kind: Routing
metadata:
    name: myrouting
spec:
    hostname: kartverket.com
    routes:
        - pathPrefix: /api          # Highest priority
          rewriteUri: true
          targetApp: backend-app
        - pathPrefix: /             # Lowest priority
          targetApp: frontend-app

Application​

Ingress​

Access policy​

allowing communication between two applications in the same namespace​

allowing in and outbound traffic to an application in a different namespace​

allowing outbound traffic to a job in namespaces with label​

access policy to allow traffic to a public domain​

Replicas​

Environment variables​

GCP​

SKIPJob​

Cron - SkipJob​

Commands - SkipJob​

Access policy - SkipJob​

Routing​

Frontend and backend services under the same domain​