apiVersion: v1
kind: Namespace
metadata:
  name: yelb
  labels:
    appmesh.k8s.aws/sidecarInjectorWebhook: enabled
    mesh: yelb
    gateway: yelb-gw
---
apiVersion: appmesh.k8s.aws/v1beta2
kind: VirtualGateway
metadata:
  name: yelb-gw
  namespace: yelb
spec:
  backendDefaults:
    clientPolicy:
      tls:
        validation:
          trust:
            file:
              certificateChain: /etc/keys/yelb/ca.crt
  namespaceSelector:
    matchLabels:
      gateway: yelb-gw
  podSelector:
    matchLabels:
      app: yelb-gw
  listeners:
    - portMapping:
        port: 8443
        protocol: http
      tls:
        certificate:
          file:
            certificateChain: /etc/keys/yelb/tls.crt
            privateKey: /etc/keys/yelb/tls.key
        mode: STRICT        
---
apiVersion: appmesh.k8s.aws/v1beta2
kind: GatewayRoute
metadata:
  name: gateway-route
  namespace: yelb
spec:
  httpRoute:
    match:
      prefix: "/"
    action:
      target:
        virtualService:
          virtualServiceRef:
            name: yelb-ui
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: yelb-cert-gw
  namespace: yelb
spec:
  dnsNames:
    - "yelb-gw.yelb.svc.cluster.local"
  secretName: yelb-tls-gw
  issuerRef:
    name: ca-issuer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: yelb-gw
  namespace: yelb
spec:
  replicas: 1
  selector:
    matchLabels:
      app: yelb-gw
  template:
    metadata:
      labels:
        app: yelb-gw
    spec:
      containers:
        - name: envoy
          image: {{ENVOY_IMAGE}}
          ports:
            - containerPort: 8443   
          volumeMounts:
           - mountPath: "/etc/keys/yelb"
             name: yelb-tls-gw
             readOnly: true
      volumes:
        - name: yelb-tls-gw
          secret:
            secretName: yelb-tls-gw
---
apiVersion: appmesh.k8s.aws/v1beta2
kind: VirtualNode
metadata:
  name: yelb-ui
  namespace: yelb
spec:
  awsName: yelb-ui-virtual-node
  podSelector:
    matchLabels:
      app: yelb-ui
  listeners:
    - portMapping:
        port: 80
        protocol: http  
      tls:
        certificate:
          file:
            certificateChain: /etc/keys/yelb/tls.crt
            privateKey: /etc/keys/yelb/tls.key
        mode: STRICT         
  serviceDiscovery:
    dns:
      hostname: yelb-ui.yelb.svc.cluster.local
  backendDefaults:
    clientPolicy:
      tls:
        validation:
          trust:
            file:
              certificateChain: /etc/keys/yelb/ca.crt      
  backends:
    - virtualService:
       virtualServiceRef:
          name: yelb-appserver
---
apiVersion: v1
kind: Service
metadata:
  name: yelb-gw
  namespace: yelb
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{LB_CERT_ARN}}
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "ssl"
spec:
  type: LoadBalancer
  ports:
    - port: 443
      targetPort: 8443
      name: https
  selector:
    app: yelb-gw
---