mgudesblatart · March 24, 2024 16:30
diff --git a/child-ingress.yaml b/child-ingress.yaml
 apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
  name: ingress-{{ .Release.Name }}-frontend
  namespace: {{ .Release.Name }}
  annotations:
    kubernetes.io/ingress.class: "nginx-3"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: {{ .Release.Name }}/tls-secret
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    nginx.ingress.kubernetes.io/proxy-buffering: "on"  # Important!
    nginx.ingress.kubernetes.io/configuration-snippet: |
      expires $expires;
 spec:
  tls:
  - hosts:
    - '{{ .Release.Name }}.example.com'
    secretName: tls-secret
  rules:
  - host: '{{ .Release.Name }}.example.com'
    http:
      paths:
      - path: /
        backend:
            serviceName: {{ .Release.Name }}-fe-service
            servicePort: http
diff --git a/deployment.yaml b/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ .Release.Name }}-fe
  namespace: {{ .Release.Name }}
  labels:
    applicationName: {{ .Release.Name }}-fe
 spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0
  minReadySeconds: 5
  selector:
    matchLabels:
      app: {{ .Release.Name }}-fe
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-fe
    spec:
      containers:
      - name: {{ .Release.Name }}-fe
        image: registry.gitlab.com/<our stuff>/dev:2.2.17
        imagePullPolicy: Always
        lifecycle:
          preStop:
            exec:
              command: ["/bin/sh","-c","sleep 3; nginx -s quit; while killall -0 nginx; do sleep 0.1; done"]
              # command: ["/bin/sh","-c","sleep 3; PID=$(cat /run/nginx.pid); nginx -s quit; while [ -d /proc/$PID ]; do sleep 0.1; done"]
        ports:
        - containerPort: 80
      imagePullSecrets:
      - name: regcred-frontend
diff --git a/nginx-ingress.yaml b/nginx-ingress.yaml
 controller:
  ingressClass: "nginx-3"
  extraArgs:
    v: 2
  config:
    http-snippet: |
      map $sent_http_content_type $expires {
          default                    off;
          text/html                  off;
          text/css                   max;
          application/javascript     max;
          ~image/                    max;
      }
      map $http_date $custom_date_header {
          # Set the $custom_date_header variable with the original
          # response header from the upstream server if it consists
          # of at least one character (. is a regular expression)
          "~."          $http_date;

          # Otherwise set it with this value
          default      $time_iso8601;
      }
      proxy_set_header Accept-Encoding "";
      proxy_set_header Content-Length "";
      proxy_set_header Content-Type "";
    enable-underscores-in-headers: "true"
    proxy-body-size: "2g"
    proxy-connect-timeout: "600"
    error-log-level: "info"
    http2-max-field-size: "64k"
    http2-max-header-size: "256k"
    keep-alive-requests: "10000"
    upstream-keepalive-connections: "200"
    max-worker-connections: "65536"
    use-gzip: "false"
    use-http2: "false"
  # additional tinkering gotten from https://intl.cloud.tencent.com/document/product/457/38300
  ## Annotations to be added to the controller config configuration configmap
  ##
  configAnnotations: {}

  # Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers
  proxySetHeaders: {}

  # Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers
  addHeaders: {}

  extraInitContainers:
    - name: setsysctl
      image: busybox
      securityContext:
        privileged: true
      command:
        - sh
        - -c
        - |
          sysctl -w net.core.somaxconn=65535
          sysctl -w net.ipv4.ip_local_port_range="1024 65535"
          sysctl -w net.ipv4.tcp_tw_reuse=1
          sysctl -w fs.file-max=1048576
diff --git a/nginx.conf b/nginx.conf
 user  nginx;
 worker_processes  1;
 error_log  /var/log/nginx/error.log info;
 pid        /var/run/nginx.pid;
 events {
  worker_connections  1024;
 }
 http {
  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
  access_log  /var/log/nginx/access.log  main;
  sendfile        on;
  keepalive_timeout  15;
  client_max_body_size 2G;
  gzip_vary on;
  gzip_proxied no-cache no-store private expired auth;
  gzip_comp_level 2;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_min_length 256;
  gzip_static on;
  gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

  server {
  	root /usr/share/nginx/html;
    listen       80  default_server;
    location / {
    	try_files $uri $uri/ @rewrites;
  	}
 		location @rewrites {
 			rewrite ^(.+)$ /index.html last;
 		}
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
      root   /usr/share/nginx/html;
    }
  }
 }
	apiVersion: networking.k8s.io/v1beta1
	kind: Ingress
	metadata:
	name: ingress-{{ .Release.Name }}-frontend
	namespace: {{ .Release.Name }}
	annotations:
	kubernetes.io/ingress.class: "nginx-3"
	nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
	nginx.ingress.kubernetes.io/auth-tls-secret: {{ .Release.Name }}/tls-secret
	nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
	nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
	nginx.ingress.kubernetes.io/proxy-buffering: "on" # Important!
	nginx.ingress.kubernetes.io/configuration-snippet: \|
	expires $expires;
	spec:
	tls:
	- hosts:
	- '{{ .Release.Name }}.example.com'
	secretName: tls-secret
	rules:
	- host: '{{ .Release.Name }}.example.com'
	http:
	paths:
	- path: /
	backend:
	serviceName: {{ .Release.Name }}-fe-service
	servicePort: http
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: {{ .Release.Name }}-fe
	namespace: {{ .Release.Name }}
	labels:
	applicationName: {{ .Release.Name }}-fe
	spec:
	replicas: 1
	strategy:
	type: RollingUpdate
	rollingUpdate:
	maxUnavailable: 0
	minReadySeconds: 5
	selector:
	matchLabels:
	app: {{ .Release.Name }}-fe
	template:
	metadata:
	labels:
	app: {{ .Release.Name }}-fe
	spec:
	containers:
	- name: {{ .Release.Name }}-fe
	image: registry.gitlab.com/<our stuff>/dev:2.2.17
	imagePullPolicy: Always
	lifecycle:
	preStop:
	exec:
	command: ["/bin/sh","-c","sleep 3; nginx -s quit; while killall -0 nginx; do sleep 0.1; done"]
	# command: ["/bin/sh","-c","sleep 3; PID=$(cat /run/nginx.pid); nginx -s quit; while [ -d /proc/$PID ]; do sleep 0.1; done"]
	ports:
	- containerPort: 80
	imagePullSecrets:
	- name: regcred-frontend
	controller:
	ingressClass: "nginx-3"
	extraArgs:
	v: 2
	config:
	http-snippet: \|
	map $sent_http_content_type $expires {
	default off;
	text/html off;
	text/css max;
	application/javascript max;
	~image/ max;
	}
	map $http_date $custom_date_header {
	# Set the $custom_date_header variable with the original
	# response header from the upstream server if it consists
	# of at least one character (. is a regular expression)
	"~." $http_date;

	# Otherwise set it with this value
	default $time_iso8601;
	}
	proxy_set_header Accept-Encoding "";
	proxy_set_header Content-Length "";
	proxy_set_header Content-Type "";
	enable-underscores-in-headers: "true"
	proxy-body-size: "2g"
	proxy-connect-timeout: "600"
	error-log-level: "info"
	http2-max-field-size: "64k"
	http2-max-header-size: "256k"
	keep-alive-requests: "10000"
	upstream-keepalive-connections: "200"
	max-worker-connections: "65536"
	use-gzip: "false"
	use-http2: "false"
	# additional tinkering gotten from https://intl.cloud.tencent.com/document/product/457/38300
	## Annotations to be added to the controller config configuration configmap
	##
	configAnnotations: {}

	# Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers
	proxySetHeaders: {}

	# Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers
	addHeaders: {}

	extraInitContainers:
	- name: setsysctl
	image: busybox
	securityContext:
	privileged: true
	command:
	- sh
	- -c
	- \|
	sysctl -w net.core.somaxconn=65535
	sysctl -w net.ipv4.ip_local_port_range="1024 65535"
	sysctl -w net.ipv4.tcp_tw_reuse=1
	sysctl -w fs.file-max=1048576
	user nginx;
	worker_processes 1;
	error_log /var/log/nginx/error.log info;
	pid /var/run/nginx.pid;
	events {
	worker_connections 1024;
	}
	http {
	include /etc/nginx/mime.types;
	default_type application/octet-stream;
	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	'$status $body_bytes_sent "$http_referer" '
	'"$http_user_agent" "$http_x_forwarded_for"';
	access_log /var/log/nginx/access.log main;
	sendfile on;
	keepalive_timeout 15;
	client_max_body_size 2G;
	gzip_vary on;
	gzip_proxied no-cache no-store private expired auth;
	gzip_comp_level 2;
	gzip_buffers 16 8k;
	gzip_http_version 1.1;
	gzip_min_length 256;
	gzip_static on;
	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

	server {
	root /usr/share/nginx/html;
	listen 80 default_server;
	location / {
	try_files $uri $uri/ @rewrites;
	}
	location @rewrites {
	rewrite ^(.+)$ /index.html last;
	}
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
	root /usr/share/nginx/html;
	}
	}
	}