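# Example deployment for launching feed-ingress, the NGINX ingress controller.
#
# Security notes for operators (review before deploying):
#   * hostNetwork: true puts NGINX and the controller in the node's network
#     namespace. Such pods are typically not subject to NetworkPolicy, can bind
#     any node interface, and need an admission exception (PSP / Pod Security
#     Admission "privileged"). It is a deliberate trade-off here because the
#     ELBs target node IPs directly.
#   * No serviceAccountName is set, so the pod runs as kube-system's default
#     ServiceAccount. For least privilege, bind a dedicated ServiceAccount with
#     only the read permissions the controller needs and reference it below.
#   * --nginx-trusted-frontends decides whose X-Forwarded-For is believed when
#     --ingress-allow / sky.uk/allow is evaluated. Trusting all of 10.0.0.0/8
#     lets any host in that range forge the client IP; narrow it to the ELB
#     subnets if the allow lists are relied on as a security control.
---
# extensions/v1beta1 Deployment was removed in Kubernetes 1.16; apps/v1 is the
# stable API and requires the explicit selector below.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: feed-ingress
  namespace: kube-system
  labels:
    app: feed-ingress
spec:
  replicas: 3
  # Must match the pod template labels; immutable once the Deployment exists.
  selector:
    matchLabels:
      app: feed-ingress
  template:
    metadata:
      labels:
        app: feed-ingress
    spec:
      # Listen directly on host interface, required so ELBs can contact NGINX.
      # See the security notes at the top of this file.
      hostNetwork: true
      # Time to wait for requests to gracefully terminate when updating the deployment.
      # Needs to be at least as long as the -drain-delay setting below, with a buffer for other teardown.
      # Recommend to set this to 2x -drain-delay.
      terminationGracePeriodSeconds: 60
      # Always restart on death.
      restartPolicy: Always
      containers:
        - image: skycirrus/feed-ingress:v2.0.0
          name: feed-ingress
          # All listening ports are above 1024, so no NET_BIND_SERVICE is needed.
          # Refusing privilege escalation (no_new_privs) does not stop a root
          # NGINX master from dropping to its worker user. runAsNonRoot and
          # readOnlyRootFilesystem are NOT set because the image's user and the
          # paths NGINX writes (pid file, cache, generated config) are not known
          # from this manifest - verify against the image before enabling them.
          securityContext:
            allowPrivilegeEscalation: false
          resources:
            requests:
              cpu: "1"
              memory: 300Mi
            limits:
              memory: 300Mi
          ports:
            - hostPort: 8080
              containerPort: 8080
              name: ingress
              protocol: TCP
            # TLS port passed to --ingress-https-port below. Declared so the
            # scheduler accounts for it when checking host port conflicts.
            - hostPort: 8443
              containerPort: 8443
              name: ingress-https
              protocol: TCP
            - hostPort: 8081
              containerPort: 8081
              name: ingress-health
              protocol: TCP
            # Health port of the controller.
            - containerPort: 12082
              name: health
              protocol: TCP
          args:
            - elb
            # Ingress NGINX port that ELBs will direct traffic towards.
            - --ingress-port=8080
            # Ingress NGINX port for ssl traffic
            - --ingress-https-port=8443
            # Health port on NGINX, used by ELBs to determine health.
            - --ingress-health-port=8081
            # Default security whitelist for ingress. Can be overridden with the sky.uk/allow annotation.
            # Only as strong as --nginx-trusted-frontends: the client IP it is checked
            # against comes from X-Forwarded-For when the peer is a trusted frontend.
            - --ingress-allow=10.0.0.0/8
            # Set default ssl path + name file without extension - expected default-ssl.crt and default-ssl.key into /etc/ssl/default-ssl/
            - --ssl-path=/etc/ssl/default-ssl/default-ssl
            # Health port for the controller to respond on.
            - --health-port=12082
            # Log level of nginx. Recommended to leave at error, or set to crit if too much spam.
            - --nginx-loglevel=error
            # How often to reload nginx if needed. Setting too low can cause 504s from the ELB in the case of heavy
            # ingress updates.
            - --nginx-update-period=5m
            # Use pushgateway for prometheus metrics. Optional - metrics available at /metrics on health port.
            # Placeholder hostname; metrics are pushed over the host network to whatever this resolves to.
            - --pushgateway=mypushgateway.com
            - --pushgateway-interval=20
            - --pushgateway-label=k8s_cluster=dev
            - --pushgateway-label=environment=dev
            - --pushgateway-label=version=v1.0.2
            # Set status to unhealthy if fewer than this number of matching ELBs are found
            - --elb-expected-number=2
            # Attach to the ELBs with label sky.uk/KubernetesClusterFrontend set to this value.
            - --elb-frontend-tag-value=dev
            # Attach to the ELBs with label sky.uk/KubernetesClusterIngressClass set to this value
            # and adopt ingress resources with a matching kubernetes.io/ingress.class value
            - --ingress-class=main
            # Only consider ingresses in namespaces with this label. Optional.
            - --ingress-controller-namespace-selector=app=myapp
            # ELB drain time - time to wait while ELB drains requests from feed when stopping. Should be
            # at least as long as the ELBs drain timeout.
            - --drain-delay=30s
            # Each worker uses a full cpu, so scale up vertically on a box by increasing this value.
            - --nginx-workers=1
            # Connections*workers needs to be less than available ephemeral ports. Linux default is 60999-32768=28231.
            - --nginx-worker-connections=20000
            # Needs to be greater than any frontend idle timeout.
            - --nginx-keepalive-seconds=304
            # CIDRs of the ELBs to trust X-Forwarded-For, for determining client IP allow/deny.
            # SECURITY: anything in this range can set an arbitrary X-Forwarded-For and so
            # pick the IP the allow/deny check sees. Prefer the ELB subnet CIDRs over 10.0.0.0/8.
            - --nginx-trusted-frontends=10.0.0.0/8
            # Max number of idle connections to a backend.
            - --nginx-backend-keepalive-count=1024
            # Default max time for a request to a backend. Can be overridden by an annotation on the ingress resource.
            - --nginx-default-backend-timeout-seconds=5
            # Needs to be greater than 64 to support very large domain names.
            - --nginx-server-names-hash-bucket-size=128
            # Access logs turned on - add or remove the "-access-log" flag to turn them on/off.
            # Logs land in the emptyDir below and are lost with the pod; ship them if they are needed for forensics.
            - --access-log
            - --access-log-dir=/var/log/nginx
            # Add custom headers to the access logs.
            - --nginx-log-headers=X-Amzn-Trace-Id
          # Controller health determines readiness. This has no effect on ingress traffic from ELBs.
          readinessProbe:
            httpGet:
              path: /health
              port: 12082
              scheme: HTTP
            initialDelaySeconds: 1
            timeoutSeconds: 1
            periodSeconds: 1
            failureThreshold: 1
          # Only consider liveness of ingress itself, favouring uptime over controller health.
          livenessProbe:
            httpGet:
              path: /health
              port: 8081
              scheme: HTTP
            initialDelaySeconds: 30
            timeoutSeconds: 1
            periodSeconds: 10
            failureThreshold: 3
          volumeMounts:
            # Access logs volume.
            - name: nginx-log
              mountPath: /var/log/nginx
            # Default TLS key pair; read-only so a compromised process cannot replace it.
            - name: default-ingress-ssl
              mountPath: "/etc/ssl/default-ssl/"
              readOnly: true
      volumes:
        - name: nginx-log
          emptyDir: {}
        # The private key is plaintext inside the container. Secret volumes default to
        # world-readable files; consider a restrictive defaultMode once the uid that
        # NGINX reads the key as is confirmed.
        - name: default-ingress-ssl
          secret:
            secretName: default-ingress-ssl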