From c2525234be7ea169f6ab4b86d5aefcfefbe1710c Mon Sep 17 00:00:00 2001
From: "Antoine R. Dumont (@ardumont)" <ardumont@softwareheritage.org>
Date: Wed, 18 Oct 2023 16:12:34 +0200
Subject: [PATCH] web/ingress: Support for multiple hosts

Refs. swh/infra/sysadm-environment#5095
---
 swh/templates/_helper_ingress.tpl | 10 ++++++++--
 swh/templates/web/configmap.yaml | 7 +++++++
 swh/templates/web/deployment.yaml | 4 ++--
 swh/values/minikube.yaml | 18 +++++++++--------
 swh/values/production/swh-cassandra.yaml | 9 ++++-----
 swh/values/production/swh.yaml | 14 +++++++------
 swh/values/staging/default.yaml | 4 ++--
 .../overrides/swh-cassandra-next-version.yaml | 17 +++++++---------
 swh/values/staging/swh-cassandra.yaml | 12 +++++------
 swh/values/staging/swh.yaml | 20 +++++++++----------
 10 files changed, 64 insertions(+), 51 deletions(-)

diff --git a/swh/templates/_helper_ingress.tpl b/swh/templates/_helper_ingress.tpl
index 3122a6d35..c656efcd8 100644
--- a/swh/templates/_helper_ingress.tpl
+++ b/swh/templates/_helper_ingress.tpl
@@ -1,9 +1,12 @@
+# -*- yaml -*-
+
 {{/*
 Create a Kind Ingress for service .serviceType
 */}}
 {{- define "swh.ingress" -}}
 {{- $serviceType := .serviceType }}
 {{- $configuration := .configuration }}
+{{- $hosts := $configuration.hosts }}
 {{- $defaultWhitelistSourceRangeRef := $configuration.ingress.whitelistSourceRangeRef -}}
 {{- $defaultWhitelistSourceRange := get .Values $defaultWhitelistSourceRangeRef | default list -}}
 {{- range $endpoint_definition, $endpoint_config := $configuration.ingress.endpoints -}}
@@ -11,7 +14,6 @@ Create a Kind Ingress for service .serviceType
 {{- $whitelistSourceRange := join "," (concat $defaultWhitelistSourceRange $extraWhitelistSourceRange | uniq | sortAlpha) | default "" -}}
 {{- $paths := get $endpoint_config "paths" -}}
 {{- $authenticated := get $endpoint_config "authentication" -}}
-{{- $host := $configuration.ingress.host | default $configuration.host -}}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
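Review bot: The new `$hosts := $configuration.hosts` binding drops the `ingress.host | default .host` fallback without putting any check in its place, so a service whose values still use the old `host` or `ingress.host` key (or simply omit `hosts`) renders an Ingress with an empty `rules` list in the @@ -41 hunk and, when `tlsEnabled` and `secretName` are set, a `tls` entry with no hosts in the @@ -54 hunk — the old condition's `$host` operand used to suppress the latter. Failing the render is preferable to an Ingress that matches nothing: `{{- $hosts := $configuration.hosts | required (printf "%s.hosts must be a non-empty list" $serviceType) }}` rejects a missing key; an explicitly empty list still passes `required`, so an `{{- if not $hosts }}{{ fail (printf "%s.hosts is empty" $serviceType) }}{{- end }}` guard is the stricter form. The `swh.ingress` definition continues past the end of this hunk.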
@@ -41,6 +43,7 @@ spec:
 ingressClassName: {{ $configuration.ingress.className }}
 {{- end }}
 rules:
+ {{- range $host := $hosts }}
 - host: {{ $host }}
 http:
 paths:
@@ -54,10 +57,13 @@ spec:
 port:
 number: {{ $port }}
 {{ end }}
- {{- if and $configuration.ingress.tlsEnabled $host $configuration.ingress.secretName }}
+ {{- end }}
+ {{- if and $configuration.ingress.tlsEnabled $configuration.ingress.secretName }}
 tls:
 - hosts:
+ {{- range $host := $hosts }}
 - {{ $host }}
+ {{- end }}
 secretName: {{ $configuration.ingress.secretName }}
 {{- end }}
 {{ end }}
diff --git a/swh/templates/web/configmap.yaml b/swh/templates/web/configmap.yaml
index b9448836a..dfa79a484 100644
--- a/swh/templates/web/configmap.yaml
+++ b/swh/templates/web/configmap.yaml
@@ -1,4 +1,6 @@
 {{- if .Values.web.enabled -}}
+{{- $hosts := .Values.web.hosts }}
+{{- $allowed_instance := index $hosts 0 }}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -7,6 +9,11 @@ metadata:
 name: web-configuration-template
 data:
 config.yml.template: |
+ instance_name: {{ $allowed_instance }}
+ allowed_hosts:
+ {{- range $host := $hosts }}
+ - {{ $host }}
+ {{- end }}
 {{- include "swh.service.fromYaml" (dict "service" "storage" "configurationRef" .Values.web.storageConfigurationRef "Values" .Values) | nindent 4 }}
diff --git a/swh/templates/web/deployment.yaml b/swh/templates/web/deployment.yaml
index d4011d970..570f6c9f7 100644
--- a/swh/templates/web/deployment.yaml
+++ b/swh/templates/web/deployment.yaml
@@ -127,7 +127,7 @@ spec:
 port: webapp
 httpHeaders:
 - name: Host
- value: {{ .Values.web.host }}
+ value: {{ index .Values.web.hosts 0 }}
 initialDelaySeconds: 5
 failureThreshold: 30
 periodSeconds: 10
@@ -138,7 +138,7 @@ spec:
 port: webapp
 httpHeaders:
 - name: Host
- value: {{ .Values.web.host }}
+ value: {{ index .Values.web.hosts 0 }}
 initialDelaySeconds: 3
 periodSeconds: 10
 timeoutSeconds: 30
diff --git a/swh/values/minikube.yaml b/swh/values/minikube.yaml
index b54ddc9bc..9b75dfa3c 100644
--- a/swh/values/minikube.yaml
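Review bot: `index $hosts 0` aborts the render with Go's generic index error when `.Values.web.hosts` is unset, which is the right outcome but an unhelpful message for whoever migrates an older values file that still sets `web.host`. Binding the list through `required` first gives a readable failure and keeps the later `index` safe: `{{- $hosts := .Values.web.hosts | required "web.hosts must list at least one hostname" }}`. The `if .Values.web.enabled` block opened in this hunk closes outside it.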
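Review bot: The `allowed_hosts` entries and `instance_name` are emitted as plain YAML scalars, so an entry that YAML would retype, or one containing ` #` or a leading indicator character, changes meaning silently; `- {{ $host | quote }}` (and `instance_name: {{ $allowed_instance | quote }}`) keeps each value a string, which matters because this list is what the webapp checks the Host header against (presumably Django's ALLOWED_HOSTS — confirm). A comment in this template stating that `instance_name`/`allowed_hosts` are now derived from `web.hosts` and must not be repeated under `extraConfig` would also help, since a leftover `extraConfig.allowed_hosts` in an override would yield a duplicate key in config.yml that most YAML loaders resolve last-wins without warning — assuming `extraConfig` is rendered into this same document, which the hunk does not show.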
+++ b/swh/values/minikube.yaml
@@ -198,7 +198,8 @@ web:
 depositConfigurationRef: fakeDepositConfiguration
 giveConfigurationRef: giveConfiguration
 throttlingConfigurationRef: webThrottling
- host: web.minikube.domain
+ hosts:
+ - webapp.internal.minikube
 ingress:
 enabled: true
 tlsEnabled: true
@@ -238,9 +239,6 @@ web:
 secretKeyName: web-sentry-dsn
 extraConfig:
 debug: false
- instance_name: webapp.internal.minikube
- allowed_hosts:
- - webapp.internal.minikube
 keycloak:
 server_url: https://auth.s.o/auth/
 realm_name: SwhMinikube
@@ -332,9 +330,10 @@ scheduler:
 # minReplicaCount: 4
 # maxReplicaCount: 20
 # cpuPercentageUsage: 150
+ hosts:
+ - myscheduler.minikube.domain
 ingress:
 enabled: false
- host: myscheduler.minikube.domain
 # Default allowed ip ranges that can be extended per ingress definitions paths
 whitelistSourceRangeRef: internalNetworkRanges
 endpoints:
@@ -571,13 +570,14 @@ vault:
 minReplicaCount: 2
 maxReplicaCount: 10
 cpuPercentageUsage: 100
+ hosts:
+ - vault.localdomain
 ingress:
 enabled: false
 # Optional: the ingress classname to use
 # className: nginx
 # mandatory if ingress is enabled
 # the hostname on which the storage must be reachable
- host: vault.localdomain
 extraAnnotations:
 nginx.ingress.kubernetes.io/proxy-connect-timeout: "90"
 nginx.ingress.kubernetes.io/proxy-send-timeout: "90"
@@ -617,9 +617,10 @@ indexerStorage:
 requestedMemory: 512Mi
 indexerStorageConfigurationRef: fakePostgresqlIndexerStorageConfiguration
 journalWriterConfigurationRef: journalWriterConfiguration
+ hosts:
+ - indexer-storage.i.s.s.n
 ingress:
 enabled: true
- host: indexer-storage.i.s.s.n
 gunicorn:
 threads: 2
 workers: 4
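Review bot: The minikube web ingress host changes here from `web.minikube.domain` to `webapp.internal.minikube` (the value previously used only for `instance_name`/`allowed_hosts`), which goes beyond the key rename the commit title describes; if intentional it is worth calling out, since this `web` block has `tlsEnabled: true` and whatever certificate is wired to it must match the new name. Nothing documents that the first `hosts` entry is special either: `web/configmap.yaml` and `web/deployment.yaml` both read `index ... 0`, so a comment on the key such as `# hosts: the first entry doubles as the webapp instance_name and as the Host header sent by the deployment's HTTP probes` would stop a reorder of the list from changing behaviour.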
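Review bot: The comments `# mandatory if ingress is enabled` and `# the hostname on which the storage must be reachable` now sit under `ingress:` with nothing beneath them, because the `host` line they described moved up to `hosts`; the same stale pair is left in this file's search block at @@ -663, while the production/swh.yaml search hunk removes them. Either drop them here as well or move them above the new `hosts:` key, reworded to the plural, e.g. `# the hostnames on which the service must be reachable`.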
@@ -663,11 +664,12 @@ search:
 minReplicaCount: 2
 maxReplicaCount: 10
 cpuPercentageUsage: 100
+ hosts:
+ - mysearch.minikube.domain
 ingress:
 enabled: true
 # Optional: the ingress classname to use
 # className: nginx
 # mandatory if ingress is enabled
 # the hostname on which the storage must be reachable
- host: mysearch.minikube.domain
 whitelistSourceRangeRef: internalNetworkRanges
diff --git a/swh/values/production/swh-cassandra.yaml b/swh/values/production/swh-cassandra.yaml
index b667c0962..8a787925b 100644
--- a/swh/values/production/swh-cassandra.yaml
+++ b/swh/values/production/swh-cassandra.yaml
@@ -257,7 +257,8 @@ web:
 minReplicaCount: 2
 maxReplicaCount: 4
 cpuPercentageUsage: 50
- host: webapp-cassandra.internal.softwareheritage.org
+ hosts:
+ - webapp-cassandra.internal.softwareheritage.org
 ingress:
 enabled: true
 secretName: swh-web-crt
@@ -289,9 +290,6 @@ web:
 giveConfigurationRef: giveConfiguration
 throttlingConfigurationRef: webThrottling
 extraConfig:
- instance_name: webapp-cassandra.internal.softwareheritage.org
- allowed_hosts:
- - webapp-cassandra.internal.softwareheritage.org
 keycloak:
 server_url: https://auth.softwareheritage.org/auth/
 realm_name: SoftwareHeritage
@@ -325,9 +323,10 @@ graphql:
 storageConfigurationRef: localRpcROStorageConfiguration
 searchConfigurationRef: remoteSearchConfiguration
 introspection: yes
+ hosts:
+ - webapp-cassandra.internal.softwareheritage.org
 ingress:
 enabled: true
- host: webapp-cassandra.internal.softwareheritage.org
 whitelistSourceRangeRef: internalNetworkRanges
 endpoints:
 default:
diff --git a/swh/values/production/swh.yaml b/swh/values/production/swh.yaml
index 273e9189b..5c8c40539 100644
--- a/swh/values/production/swh.yaml
+++ b/swh/values/production/swh.yaml
@@ -66,9 +66,10 @@ graphql:
 storageConfigurationRef: remoteROStorageConfiguration
 searchConfigurationRef: remoteSearchConfiguration
 introspection: yes
+ hosts:
+ - graphql.internal.softwareheritage.org
 ingress:
 enabled: true
- host: graphql.internal.softwareheritage.org
 whitelistSourceRangeRef: internalNetworkRanges
 endpoints:
 default:
@@ -546,9 +547,10 @@ scheduler:
 threads: 4
 workers: 8
 timeout: 3600
+ hosts:
+ - scheduler.internal.softwareheritage.org
 ingress:
 enabled: true
- host: scheduler.internal.softwareheritage.org
 # TODO: Improve the authorization internal cluster ip range.
 # Current internal range retrieved out of the `kubectl cluster-info dump`
 # Default allowed ip ranges that can be extended per ingress definitions paths
@@ -614,9 +616,10 @@ indexerStorage:
 requestedMemory: 512Mi
 indexerStorageConfigurationRef: postgresqlIndexerStorageConfiguration
 journalWriterConfigurationRef: journalWriterConfiguration
+ hosts:
+ - saam.internal.softwareheritage.org
 ingress:
 enabled: true
- host: saam.internal.softwareheritage.org
 gunicorn:
 threads: 2
 workers: 4
@@ -639,10 +642,9 @@ search:
 minReplicaCount: 2
 maxReplicaCount: 4
 cpuPercentageUsage: 75
+ hosts:
+ - search.internal.softwareheritage.org
 ingress:
 enabled: true
 # Optional: the ingress classname to use
 # className: nginx
- # mandatory if ingress is enabled
- # the hostname on which the storage must be reachable
- host: search.internal.softwareheritage.org
diff --git a/swh/values/staging/default.yaml b/swh/values/staging/default.yaml
index f425ec0b1..64f91e545 100644
--- a/swh/values/staging/default.yaml
+++ b/swh/values/staging/default.yaml
@@ -225,8 +225,8 @@ externalServices:
 target: archive-staging-rke2-ingress-nginx-controller.ingress-nginx.svc.cluster.local
 
 vault:
- ingress:
- host: vault-rpc-ingress
+ hosts:
+ - vault-rpc-ingress
 
 memcached:
 enabled: true
diff --git a/swh/values/staging/overrides/swh-cassandra-next-version.yaml b/swh/values/staging/overrides/swh-cassandra-next-version.yaml
index 42de28157..90bfac3d9 100644
--- a/swh/values/staging/overrides/swh-cassandra-next-version.yaml
+++ b/swh/values/staging/overrides/swh-cassandra-next-version.yaml
@@ -9,8 +9,8 @@ vault:
 autoScaling:
 minReplicaCount: 1
 maxReplicaCount: 1
- ingress:
- host: vault-rpc-ingress-next-version
+ hosts:
+ - vault-rpc-ingress-next-version
 
 loaders:
 terminationGracePeriodSeconds: 60
@@ -223,8 +223,8 @@ storage:
 minReplicaCount: 1
 maxReplicaCount: 2
 cpuPercentageUsage: 150
- ingress:
- host: storage-cassandra-next-version.internal.staging.swh.network
+ hosts:
+ - storage-cassandra-next-version.internal.staging.swh.network
 
 postgresqlWebConfiguration:
 host: db1.internal.staging.swh.network
@@ -242,16 +242,13 @@ web:
 autoScaling:
 minReplicaCount: 1
 maxReplicaCount: 1
- host: webapp-cassandra-next-version.internal.staging.swh.network
- extraConfig:
- instance_name: webapp-cassandra-next-version.internal.staging.swh.network
- allowed_hosts:
+ hosts:
 - webapp-cassandra-next-version.internal.staging.swh.network
 
 graphql:
 replicas: 1
- ingress:
- host: webapp-cassandra-next-version.internal.staging.swh.network
+ hosts:
+ - webapp-cassandra-next-version.internal.staging.swh.network
 
 podPriority:
 # This test environment should not impact the real staging environment
diff --git a/swh/values/staging/swh-cassandra.yaml b/swh/values/staging/swh-cassandra.yaml
index 2f466c2b3..67e852402 100644
--- a/swh/values/staging/swh-cassandra.yaml
+++ b/swh/values/staging/swh-cassandra.yaml
@@ -492,9 +492,10 @@ storage:
 objstorageClass: remote
 objstorageConfig:
 url: http://storage1.internal.staging.swh.network:5003/
+ hosts:
+ - storage-cassandra.internal.staging.swh.network
 ingress:
 enabled: true
- host: storage-cassandra.internal.staging.swh.network
 whitelistSourceRangeRef: stagingNetworkRanges
 endpoints:
 default:
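Review bot: `hosts` turns the overridden scalar `ingress.host` into a list, and Helm's values merge replaces list values wholesale rather than appending to them, so this override now defines the complete host set for vault — the same applies to the storage and web/graphql hunks at @@ -223 and @@ -242 of this file. The effective behaviour is the same as with the old scalar override, but a list reads as "adds a host" to the next editor; a comment on the first occurrence, `# hosts: replaces (does not extend) the list from the base values file`, would make that explicit.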
@@ -523,7 +524,8 @@ web:
 minReplicaCount: 2
 maxReplicaCount: 3
 cpuPercentageUsage: 50
- host: webapp-cassandra.internal.staging.swh.network
+ hosts:
+ - webapp-cassandra.internal.staging.swh.network
 ingress:
 enabled: true
 secretName: swh-web-crt
@@ -564,9 +566,6 @@ web:
 giveConfigurationRef: giveConfiguration
 throttlingConfigurationRef: webThrottling
 extraConfig:
- instance_name: webapp-cassandra.internal.staging.swh.network
- allowed_hosts:
- - webapp-cassandra.internal.staging.swh.network
 keycloak:
 server_url: https://auth.softwareheritage.org/auth/
 realm_name: SoftwareHeritageStaging
@@ -607,9 +606,10 @@ graphql:
 threads: 4
 workers: 2
 timeout: 3600
+ hosts:
+ - webapp-cassandra.internal.staging.swh.network
 ingress:
 enabled: true
- host: webapp-cassandra.internal.staging.swh.network
 whitelistSourceRangeRef: stagingNetworkRanges
 endpoints:
 default:
diff --git a/swh/values/staging/swh.yaml b/swh/values/staging/swh.yaml
index 890cc40eb..b1df6a9d2 100644
--- a/swh/values/staging/swh.yaml
+++ b/swh/values/staging/swh.yaml
@@ -296,9 +296,10 @@ graphql:
 threads: 4
 workers: 2
 timeout: 3600
+ hosts:
+ - graphql.internal.staging.swh.network
 ingress:
 enabled: true
- host: graphql.internal.staging.swh.network
 whitelistSourceRangeRef: stagingNetworkRanges
 endpoints:
 default:
@@ -523,9 +524,10 @@ scheduler:
 threads: 5
 workers: 4
 timeout: 60
+ hosts:
+ - scheduler.internal.staging.swh.network
 ingress:
 enabled: true
- host: scheduler.internal.staging.swh.network
 # TODO: Improve the authorization internal cluster ip range.
 # Default allowed ip ranges that can be extended per ingress definitions paths
 whitelistSourceRangeRef: stagingNetworkRanges
@@ -594,9 +596,10 @@ indexerStorage:
 requestedMemory: 512Mi
 indexerStorageConfigurationRef: postgresqlIndexerStorageConfiguration
 journalWriterConfigurationRef: journalWriterConfiguration
+ hosts:
+ - indexer-storage.internal.staging.swh.network
 ingress:
 enabled: true
- host: indexer-storage.internal.staging.swh.network
 gunicorn:
 threads: 2
 workers: 4
@@ -619,13 +622,12 @@ search:
 minReplicaCount: 2
 maxReplicaCount: 4
 cpuPercentageUsage: 75
+ hosts:
+ - search.internal.staging.swh.network
 ingress:
 enabled: true
 # Optional: the ingress classname to use
 # className: nginx
- # mandatory if ingress is enabled
- # the hostname on which the storage must be reachable
- host: search.internal.staging.swh.network
 
 web:
 enabled: true
@@ -636,7 +638,6 @@ web:
 minReplicaCount: 2
 maxReplicaCount: 3
 cpuPercentageUsage: 50
- host: webapp-postgresql.internal.staging.swh.network
 ingress:
 enabled: true
 secretName: swh-web-crt
@@ -680,11 +681,10 @@ web:
 djangoConfigurationRef: djangoWebConfiguration
 giveConfigurationRef: giveConfiguration
 throttlingConfigurationRef: webThrottling
- extraConfig:
- instance_name: webapp-postgresql.internal.staging.swh.network
- allowed_hosts:
+ hosts:
 - webapp-postgresql.internal.staging.swh.network
 - webapp.staging.swh.network
+ extraConfig:
 keycloak:
 server_url: https://auth.softwareheritage.org/auth/
 realm_name: SoftwareHeritageStaging
-- 
GitLab
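Review bot: Moving `webapp.staging.swh.network` from `extraConfig.allowed_hosts` into `web.hosts` changes what is exposed, not just where it is configured: with the new `swh.ingress` helper every entry becomes an Ingress rule and a `tls.hosts` entry, whereas before only `webapp-postgresql.internal.staging.swh.network` had a rule and the second name was merely accepted by the webapp. The `swh-web-crt` secret this `web` block references (visible in the @@ -636 hunk) therefore has to cover both names, and if another Ingress in the cluster already claims `webapp.staging.swh.network` the controller's conflict handling decides which one serves it — both are worth confirming before this reaches staging. A one-line comment on the second entry, `# also served by this ingress since hosts drives rules and tls`, would record that this is intended. The `web` block continues outside the hunk.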