Commit
Merge pull request #702 from MetaCell/feature/701
Configure proxy timeouts and payload size
filippomc authored Aug 23, 2023
2 parents 0a5af04 + a4c1e57 commit c35f8c3
Showing 15 changed files with 1,001 additions and 852 deletions.
10 changes: 7 additions & 3 deletions deployment-configuration/helm/templates/auto-gatekeepers.yaml
Expand Up @@ -18,8 +18,12 @@ data:
enable-default-deny: {{ eq (.app.harness.secured | toString) "true" }}
listen: 0.0.0.0:8080
enable-refresh-tokens: true
server-write-timeout: 180s
upstream-response-header-timeout: 180s
server-write-timeout: {{ .app.harness.proxy.timeout.send | default .root.Values.proxy.timeout.send | default 180 }}s
upstream-timeout: {{ .app.harness.proxy.timeout.read | default .root.Values.proxy.timeout.read | default 180 }}s
upstream-response-header-timeout: {{ .app.harness.proxy.timeout.read | default .root.Values.proxy.timeout.read | default 180 }}s
upstream-expect-continue-timeout: {{ .app.harness.proxy.timeout.read | default .root.Values.proxy.timeout.read | default 180 }}s
server-read-timeout: {{ .app.harness.proxy.timeout.read | default .root.Values.proxy.timeout.read | default 180 }}s
upstream-keepalive-timeout: {{ .app.harness.proxy.timeout.keepalive | default .root.Values.proxy.timeout.keepalive | default 180 }}s
http-only-cookie: false
tls-cert:
tls-private-key:
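Review bot: the gatekeeper timeouts drop from 180s to 60s for existing deployments without any visible notice. The removed lines hard-coded `server-write-timeout: 180s` and `upstream-response-header-timeout: 180s`; the new chains resolve `.root.Values.proxy.timeout.send` and `.read` before the trailing `| default 180`, and values.yaml in this commit sets both to 60, so the 180 fallback is only reached if the root values are removed. Either align the values.yaml defaults with the previous 180 or document the change. Helm's `default` also treats 0 as empty, so an application cannot set a timeout of 0 here; it falls through to the global value. Finally, `upstream-expect-continue-timeout` is tied to the read timeout although it covers a different wait, and it probably deserves its own setting.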
Expand Down Expand Up @@ -65,7 +69,7 @@ data:
<h2 class="message">403 Permission Denied</h2>
<div class="error-details">
Sorry, you do not have access to this page, please contact your administrator.
If you have been assigned new authorizations try to <a href="/oauth/logout?redirect=/">login again</a>.
If you have been assigned new authorizations, try to refresh the page or to <a href="/oauth/logout?redirect=/">login again</a>.
</div>
</div>
</div>
5 changes: 4 additions & 1 deletion deployment-configuration/helm/templates/ingress.yaml
Expand Up @@ -38,10 +38,13 @@ metadata:
cert-manager.io/issuer: {{ printf "%s-%s" "letsencrypt" .Values.namespace }}
{{- end }}
nginx.ingress.kubernetes.io/ssl-redirect: {{ (and $tls .Values.ingress.ssl_redirect) | quote }}
nginx.ingress.kubernetes.io/proxy-body-size: '250m'
nginx.ingress.kubernetes.io/proxy-body-size: '{{ .Values.proxy.payload.max }}m'
nginx.ingress.kubernetes.io/proxy-buffer-size: '128k'
nginx.ingress.kubernetes.io/from-to-www-redirect: 'true'
nginx.ingress.kubernetes.io/rewrite-target: /$1
nginx.ingress.kubernetes.io/auth-keepalive-timeout: {{ .Values.proxy.timeout.keepalive | quote }}
nginx.ingress.kubernetes.io/proxy-read-timeout: {{ .Values.proxy.timeout.read | quote }}
nginx.ingress.kubernetes.io/proxy-send-timeout: {{ .Values.proxy.timeout.send | quote }}
spec:
rules:
{{- range $app := .Values.apps }}
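Review bot: the four new `.Values.proxy.*` references in the annotations have no fallback, unlike the gatekeeper template, which ends each chain with `| default 180`. If a deployment's values omit or null out `proxy.payload.max`, `proxy-body-size` renders as `'m'`, and the three timeout annotations render empty. Consider `{{ .Values.proxy.payload.max | default 250 }}m` or a `required` guard so a bad override fails at template time instead of producing an ingress with unintended request size and time limits. Separately, `auth-keepalive-timeout` carries the `auth-` prefix while the other two annotations are `proxy-*`; please confirm it is the annotation that governs the keepalive this setting is meant to control.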
10 changes: 10 additions & 0 deletions deployment-configuration/helm/values.yaml
Expand Up @@ -67,3 +67,13 @@ backup:
memory: "64Mi"
# -- K8s cpu resource definition.
cpu: "50m"
proxy:
timeout:
# -- Timeout for proxy connections in seconds.
send: 60
# -- Timeout for proxy responses in seconds.
read: 60
keepalive: 60
payload:
# -- Maximum size of payload in MB
max: 250
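Review bot: `keepalive` has no `# --` doc comment, and the comments on `send` and `read` ("proxy connections", "proxy responses") do not say which hop or direction each timeout covers. These values now set the request time and size limits for every ingress and, through the gatekeeper template, for every secured application, so each key should be documented precisely, including the unit for `keepalive`. The `max: 250` default matches the previously hard-coded `'250m'`, which is good; the 60 second timeouts do not match the previous gatekeeper values of 180s.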
10 changes: 10 additions & 0 deletions deployment-configuration/value-template.yaml
Expand Up @@ -125,3 +125,13 @@ harness:
smoketest: true
ignoreConsoleErrors: false
ignoreRequestErrors: false
proxy:
timeout:
# -- Timeout for proxy connections in seconds.
send:
# -- Timeout for proxy responses in seconds.
read:
keepalive:
payload:
# -- Maximum size of payload in MB
max:
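Review bot: `harness.proxy.payload.max` is declared here, but nothing in the visible templates reads it: ingress.yaml uses only `.Values.proxy.payload.max`, and the gatekeeper config sets timeouts only. Either wire the per-application value into a template or drop the key, so operators do not assume a per-application body size limit is being enforced. `keepalive` is also missing its `# --` comment here.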
15 changes: 15 additions & 0 deletions docs/accounts.md
Expand Up @@ -62,7 +62,22 @@ harness:
secured: open
```

#### Proxy specific configurations
Proxy configurations can be personalized in the application in the case that we want to have more restrictive values than the global ones (see [here](./ingress-domains-proxies.md#proxy-configurations) for more )

```yaml
harness:
proxy:
timeout:
# -- Timeout for proxy connections in seconds.
send:
# -- Timeout for proxy responses in seconds.
read:
keepalive:
payload:
# -- Maximum size of payload in MB
max:
```
### Secure an enpoint with OpenAPI

In every api endpoint that you want to secure, add the bearerAuth security as in the example:
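Review bot: the new paragraph says application values are for "more restrictive values than the global ones", but the gatekeeper template takes `.app.harness.proxy.timeout.*` as-is ahead of the global value, so an application can just as well set a longer timeout than the global one. Reword the sentence or add a check that enforces the restriction. The sentence also ends in "for more )", and the closing code fence needs a blank line before the `### Secure an enpoint with OpenAPI` heading.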
69 changes: 69 additions & 0 deletions docs/ingress-domains-proxies.md
@@ -0,0 +1,69 @@
# Ingress, domains and proxies

## Default configurations for domain and subdomains
Cloud Harness makes it very easy to configure domains and proxies, by making
an underlying assumption:

- Applications share a main base domain (say ch.org)
- Applications can define a subdomain (say myapp)

The main domain is configured in the [root values file](../deployment-configuration/values-template.yaml) and
it is usually overridden by the `harness-deployment` command, e.g.

```
harness-deployment ... -d ch.org
```

The subdomain is defined in the application's values.yaml file in
harness.subdomain (see for instance the [samples application configuration](../applications/samples/deploy/values.yaml))

For instance on applications/myapp/deploy/values.yaml:

```yaml
harness:
subdomain: myapp
```
The above configurations put together create an ingress configuration for https://myapp.ch.org and automatically configure letsencrypt to create and renew certificates.
Note:
that the tls and letsencrypt configurations are enabled by default but should usually be disabled locally with
```
harness-deployment ... -dtls -l
```

## Main application

The "main" application is deployed on the base domain.
In order to specify a main application, override the value in your `/deployment-configuration/values-template.yaml` file.

Example
```yaml
mainapp: myapp
```
This creates a reverse proxy to https://ch.org pointing to myapp
## Proxy configurations
Ingress is a reverse proxy and as such has some configurations to take into account.
The most common configurations are connection timeouts and payload size.
To configure it, override the following values in your `deployment-configuration/values-template.yaml` file.

```yaml
proxy:
timeout:
# -- Timeout for proxy connections in seconds.
send: 60
# -- Timeout for proxy responses in seconds.
read: 60
keepalive: 60
payload:
# -- Maximum size of payload in MB
max: 250
```

Note that in the case that gatekeepers are enabled, the same configurations are applied
to the gatekeepers, unless the application override them on `harness.proxy.*`.
See also the [gatekeepers documentation](./accounts.md#secure-and-enpoint-with-the-gatekeeper).
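Review bot: the new document points readers at `deployment-configuration/values-template.yaml` three times (the root values link, the "Main application" section and the "Proxy configurations" section), but the file changed in this commit is `deployment-configuration/value-template.yaml`; fix the path and the link target. In "Proxy configurations", the closing note says the same configurations are applied to the gatekeepers, yet auto-gatekeepers.yaml in this commit propagates only the timeouts, not the payload size; say so explicitly. Minor: "Note:" followed by a line starting with "that the tls" reads as a broken sentence, and the `-dtls -l` flags are not explained.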
1 change: 1 addition & 0 deletions docs/model/ApplicationHarnessConfig.md
Expand Up @@ -30,6 +30,7 @@ Key | Input Type | Accessed Type | Description | Notes
**jupyterhub** | [**JupyterHubConfig**](JupyterHubConfig.md) | [**JupyterHubConfig**](JupyterHubConfig.md) | | [optional]
**accounts** | [**ApplicationAccountsConfig**](ApplicationAccountsConfig.md) | [**ApplicationAccountsConfig**](ApplicationAccountsConfig.md) | | [optional]
**test** | [**ApplicationTestConfig**](ApplicationTestConfig.md) | [**ApplicationTestConfig**](ApplicationTestConfig.md) | | [optional]
**quotas** | [**Quota**](Quota.md) | [**Quota**](Quota.md) | | [optional]
**any_string_name** | dict, frozendict.frozendict, str, date, datetime, uuid.UUID, int, float, decimal.Decimal, bool, None, list, tuple, bytes, io.FileIO, io.BufferedReader, | frozendict.frozendict, str, decimal.Decimal, BoolClass, NoneClass, tuple, bytes, FileIO | any string name can be used but the value must be the correct type | [optional]

# aliases
2 changes: 1 addition & 1 deletion docs/model/HarnessMainConfig.md
Expand Up @@ -21,7 +21,7 @@ Key | Input Type | Accessed Type | Description | Notes
**backup** | [**BackupConfig**](BackupConfig.md) | [**BackupConfig**](BackupConfig.md) | | [optional]
**name** | str, | str, | Base name | [optional]
**task-images** | [**SimpleMap**](SimpleMap.md) | [**SimpleMap**](SimpleMap.md) | | [optional]
**any_string_name** | dict, frozendict.frozendict, str, date, datetime, int, float, bool, decimal.Decimal, None, list, tuple, bytes, io.FileIO, io.BufferedReader | frozendict.frozendict, str, BoolClass, decimal.Decimal, NoneClass, tuple, bytes, FileIO | any string name can be used but the value must be the correct type | [optional]
**any_string_name** | dict, frozendict.frozendict, str, date, datetime, uuid.UUID, int, float, decimal.Decimal, bool, None, list, tuple, bytes, io.FileIO, io.BufferedReader, | frozendict.frozendict, str, decimal.Decimal, BoolClass, NoneClass, tuple, bytes, FileIO | any string name can be used but the value must be the correct type | [optional]

# env

2 changes: 1 addition & 1 deletion docs/model/Quota.md
Expand Up @@ -8,7 +8,7 @@ dict, frozendict.frozendict, | frozendict.frozendict, | |
### Dictionary Keys
Key | Input Type | Accessed Type | Description | Notes
------------ | ------------- | ------------- | ------------- | -------------
**any_string_name** | str, | str, | any string name can be used but the value must be the correct type | [optional]
**any_string_name** | dict, frozendict.frozendict, str, date, datetime, uuid.UUID, int, float, decimal.Decimal, bool, None, list, tuple, bytes, io.FileIO, io.BufferedReader, | frozendict.frozendict, str, decimal.Decimal, BoolClass, NoneClass, tuple, bytes, FileIO | any string name can be used but the value must be the correct type | [optional]

[[Back to Model list]](../../README.md#documentation-for-models) [[Back to API list]](../../README.md#documentation-for-api-endpoints) [[Back to README]](../../README.md)
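Review bot: the `any_string_name` value type for Quota widens from `str` to dict, list, bytes, file objects and more. If this comes from regenerating the docs, confirm that the schema itself did not change, because quota values documented as strings before are now documented as accepting arbitrary types. The same widening appears in SimpleMap.md, and none of it is mentioned in the commit title.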

2 changes: 1 addition & 1 deletion docs/model/SimpleMap.md
Expand Up @@ -8,7 +8,7 @@ dict, frozendict.frozendict, | frozendict.frozendict, | |
### Dictionary Keys
Key | Input Type | Accessed Type | Description | Notes
------------ | ------------- | ------------- | ------------- | -------------
**any_string_name** | str, | str, | any string name can be used but the value must be the correct type | [optional]
**any_string_name** | dict, frozendict.frozendict, str, date, datetime, uuid.UUID, int, float, decimal.Decimal, bool, None, list, tuple, bytes, io.FileIO, io.BufferedReader, | frozendict.frozendict, str, decimal.Decimal, BoolClass, NoneClass, tuple, bytes, FileIO | any string name can be used but the value must be the correct type | [optional]

[[Back to Model list]](../../README.md#documentation-for-models) [[Back to API list]](../../README.md#documentation-for-api-endpoints) [[Back to README]](../../README.md)
