Configure proxy timeouts and payload size #702

Merged
merged 8 commits into from
Aug 23, 2023
10 changes: 7 additions & 3 deletions deployment-configuration/helm/templates/auto-gatekeepers.yaml
Expand Up @@ -18,8 +18,12 @@ data:
enable-default-deny: {{ eq (.app.harness.secured | toString) "true" }}
listen: 0.0.0.0:8080
enable-refresh-tokens: true
server-write-timeout: 180s
upstream-response-header-timeout: 180s
server-write-timeout: {{ .app.harness.proxy.timeout.send | default .root.Values.proxy.timeout.send | default 180 }}s
upstream-timeout: {{ .app.harness.proxy.timeout.read | default .root.Values.proxy.timeout.read | default 180 }}s
upstream-response-header-timeout: {{ .app.harness.proxy.timeout.read | default .root.Values.proxy.timeout.read | default 180 }}s
upstream-expect-continue-timeout: {{ .app.harness.proxy.timeout.read | default .root.Values.proxy.timeout.read | default 180 }}s
server-read-timeout: {{ .app.harness.proxy.timeout.read | default .root.Values.proxy.timeout.read | default 180 }}s
upstream-keepalive-timeout: {{ .app.harness.proxy.timeout.keepalive | default .root.Values.proxy.timeout.keepalive | default 180 }}s
http-only-cookie: false
tls-cert:
tls-private-key:
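Review bot: the trailing `| default 180` on every new timeout line in this hunk disagrees with the `60` that `values.yaml` introduces as the chart default, so an application that sets nothing, or a chart whose `proxy.timeout` block is removed, runs its gatekeeper with 180s while the ingress in front of it uses 60s (or no value at all); pick one source of truth, for example drop the inline `180` fallback and let `.root.Values.proxy.timeout.*` be the only default. Two further points on the same lines: Helm's `default` treats `0` as unset, so an explicit `0` can never reach the gatekeeper; and `server-read-timeout` (how long a slow client may take to deliver its request) is fed from the same `read` key as `upstream-timeout`, `upstream-response-header-timeout` and `upstream-expect-continue-timeout`, so raising `read` to accommodate a slow backend also lengthens the window a slow client can hold a gatekeeper connection open. Consider a separate key for the client-facing timeouts. Finally, `.app.harness.proxy.timeout.send` will fail at render time with a nil-pointer error for any application whose `harness` block has no `proxy` key, so this only works as long as every application inherits the new keys from `value-template.yaml`.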
Expand Down Expand Up @@ -65,7 +69,7 @@ data:
<h2 class="message">403 Permission Denied</h2>
<div class="error-details">
Sorry, you do not have access to this page, please contact your administrator.
If you have been assigned new authorizations try to <a href="/oauth/logout?redirect=/">login again</a>.
If you have been assigned new authorizations, try to refresh the page or to <a href="/oauth/logout?redirect=/">login again</a>.
</div>
</div>
</div>
5 changes: 4 additions & 1 deletion deployment-configuration/helm/templates/ingress.yaml
Expand Up @@ -38,10 +38,13 @@ metadata:
cert-manager.io/issuer: {{ printf "%s-%s" "letsencrypt" .Values.namespace }}
{{- end }}
nginx.ingress.kubernetes.io/ssl-redirect: {{ (and $tls .Values.ingress.ssl_redirect) | quote }}
nginx.ingress.kubernetes.io/proxy-body-size: '250m'
nginx.ingress.kubernetes.io/proxy-body-size: '{{ .Values.proxy.payload.max }}m'
nginx.ingress.kubernetes.io/proxy-buffer-size: '128k'
nginx.ingress.kubernetes.io/from-to-www-redirect: 'true'
nginx.ingress.kubernetes.io/rewrite-target: /$1
nginx.ingress.kubernetes.io/auth-keepalive-timeout: {{ .Values.proxy.timeout.keepalive | quote }}
nginx.ingress.kubernetes.io/proxy-read-timeout: {{ .Values.proxy.timeout.read | quote }}
nginx.ingress.kubernetes.io/proxy-send-timeout: {{ .Values.proxy.timeout.send | quote }}
spec:
rules:
{{- range $app := .Values.apps }}
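Review bot: `nginx.ingress.kubernetes.io/proxy-body-size: '{{ .Values.proxy.payload.max }}m'` has no fallback, so if `proxy.payload.max` is unset the annotation renders as `'m'`, which is not a valid nginx size and will not be honoured; the same applies to the three timeout annotations, which render as `""` when unset because they lack the `default` that the gatekeeper template applies. Suggest `'{{ .Values.proxy.payload.max | default 250 }}m'` and matching defaults on the timeouts so the ingress and gatekeeper limits cannot drift apart. Note also that `proxy.payload.max` is applied here only as a global ceiling on a single Ingress object, while `harness.proxy.payload.max` is added to the per-application template and documented as an application-level override: nothing in this change reads the per-application value, so either wire it into the ingress rules or drop it from the application template and the docs.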
10 changes: 10 additions & 0 deletions deployment-configuration/helm/values.yaml
Expand Up @@ -67,3 +67,13 @@ backup:
memory: "64Mi"
# -- K8s cpu resource definition.
cpu: "50m"
proxy:
timeout:
# -- Timeout for proxy connections in seconds.
send: 60
# -- Timeout for proxy responses in seconds.
read: 60
keepalive: 60
payload:
# -- Maximum size of payload in MB
max: 250
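Review bot: the comments on `send` and `read` do not say what each bounds, and `keepalive` has no comment at all. Given how the values are consumed in `ingress.yaml`, `send` is the time nginx waits while transmitting the request to the upstream (`proxy-send-timeout`) and `read` is the time it waits for the upstream to respond (`proxy-read-timeout`); suggest wording them that way, e.g. `# -- Seconds nginx waits for the upstream to send a response (proxy-read-timeout)`, and documenting `keepalive` as the idle timeout of the upstream connection. A 250 MB default request body is generous for a cluster-wide ceiling that applies to every route, including plain API endpoints; if only upload endpoints need it, say so in the comment so operators know to lower it.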
10 changes: 10 additions & 0 deletions deployment-configuration/value-template.yaml
Expand Up @@ -125,3 +125,13 @@ harness:
smoketest: true
ignoreConsoleErrors: false
ignoreRequestErrors: false
proxy:
timeout:
# -- Timeout for proxy connections in seconds.
send:
# -- Timeout for proxy responses in seconds.
read:
keepalive:
payload:
# -- Maximum size of payload in MB
max:
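Review bot: `keepalive:` is the only new key here without a comment, and since this file is the template every application copies from, the units and meaning of each key matter more here than in `values.yaml`; add the same comment block for `keepalive` as for `send` and `read`. Leaving the values empty is fine for the timeouts because `auto-gatekeepers.yaml` falls back through `default`, but the comment on `send` should make clear that an empty value means "inherit the global `proxy.timeout.send`", otherwise readers will assume it disables the timeout.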
15 changes: 15 additions & 0 deletions docs/accounts.md
Expand Up @@ -62,7 +62,22 @@ harness:
secured: open
```

#### Proxy specific configurations
Proxy configurations can be personalized in the application in the case that we want to have more restrictive values than the global ones (see [here] for more (./ingress-domains-proxies.md#proxy-configurations))

```yaml
harness:
proxy:
timeout:
# -- Timeout for proxy connections in seconds.
send:
# -- Timeout for proxy responses in seconds.
read:
keepalive:
payload:
# -- Maximum size of payload in MB
max:
```
### Secure an enpoint with OpenAPI

In every api endpoint that you want to secure, add the bearerAuth security as in the example:
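Review bot: the link on the first line of the new section is broken markdown, the text and the target are split: `(see [here] for more (./ingress-domains-proxies.md#proxy-configurations))` should be `(see [here](./ingress-domains-proxies.md#proxy-configurations) for more)`. The sentence also says application values are for "more restrictive" settings, but `auto-gatekeepers.yaml` takes whatever the application sets, larger or smaller, so either enforce that (e.g. `min`) or say "different values". Smaller points: "personalized" reads oddly, "overridden per application" is clearer; `keepalive:` in the snippet lacks the comment its siblings have; and a blank line is needed between the closing fence and the `### Secure an enpoint with OpenAPI` heading (which itself carries the "enpoint" typo, worth fixing while you are in this file).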
69 changes: 69 additions & 0 deletions docs/ingress-domains-proxies.md
@@ -0,0 +1,69 @@
# Ingress, domains and proxies

## Default configurations for domain and subdomains
Cloud Harness makes it very easy to configure domains and proxies, by making
an underlying assumption:

- Applications share a main base domain (say ch.org)
- Applications can define a subdomain (say myapp)

The main domain is configured in the [root values file](../deployment-configuration/values-template.yaml) and
it is usually overridden by the `harness-deployment` command, e.g.

```
harness-deployment ... -d ch.org
```

The subdomain is defined in the application's values.yaml file in
harness.subdomain (see for instance the [samples application configuration](../applications/samples/deploy/values.yaml))

For instance on applications/myapp/deploy/values.yaml:

```yaml
harness:
subdomain: myapp
```

The above configurations put together create an ingress configuration for https://myapp.ch.org and automatically configure letsencrypt to create and renew certificates.

Note:
that the tls and letsencrypt configurations are enabled by default but should usually be disabled locally with

```
harness-deployment ... -dtls -l
```

## Main application

The "main" application is deployed on the base domain.
In order to specify a main application, override the value in your `/deployment-configuration/values-template.yaml` file.

Example
```yaml
mainapp: myapp
```
This creates a reverse proxy to https://ch.org pointing to myapp

## Proxy configurations

Ingress is a reverse proxy and as such has some configurations to take into account.
The most common configurations are connection timeouts and payload size.

To configure it, override the following values in your `deployment-configuration/values-template.yaml` file.

```yaml
proxy:
timeout:
# -- Timeout for proxy connections in seconds.
send: 60
# -- Timeout for proxy responses in seconds.
read: 60
keepalive: 60
payload:
# -- Maximum size of payload in MB
max: 250
```

Note that in the case that gatekeepers are enabled, the same configurations are applied
to the gatekeepers, unless the application override them on `harness.proxy.*`.
See also the [gatekeepers documentation](./accounts.md#secure-and-enpoint-with-the-gatekeeper).
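Review bot: the file is referenced three times as `deployment-configuration/values-template.yaml` (in the root values link, the "Main application" section and the "Proxy configurations" section), but the file changed in this PR is `deployment-configuration/value-template.yaml`, so the relative link will 404 and readers will edit the wrong path. The closing note is also not quite accurate: it says "the same configurations are applied to the gatekeepers", but the gatekeeper template falls back to `180` rather than to these `60` defaults when a value is missing, so either align the defaults or state the gatekeeper fallback here. Grammar: "unless the application override them" should be "overrides them". Since these values are the ingress's only protection against oversized bodies and slow clients, it would help to add one line per key saying what it bounds (request transmission to the upstream, waiting for the upstream response, idle upstream connection) and that `payload.max` is a global ceiling across all routes; `keepalive` is also missing its comment in the snippet.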
1 change: 1 addition & 0 deletions docs/model/ApplicationHarnessConfig.md
Expand Up @@ -30,6 +30,7 @@ Key | Input Type | Accessed Type | Description | Notes
**jupyterhub** | [**JupyterHubConfig**](JupyterHubConfig.md) | [**JupyterHubConfig**](JupyterHubConfig.md) | | [optional]
**accounts** | [**ApplicationAccountsConfig**](ApplicationAccountsConfig.md) | [**ApplicationAccountsConfig**](ApplicationAccountsConfig.md) | | [optional]
**test** | [**ApplicationTestConfig**](ApplicationTestConfig.md) | [**ApplicationTestConfig**](ApplicationTestConfig.md) | | [optional]
**quotas** | [**Quota**](Quota.md) | [**Quota**](Quota.md) | | [optional]
**any_string_name** | dict, frozendict.frozendict, str, date, datetime, uuid.UUID, int, float, decimal.Decimal, bool, None, list, tuple, bytes, io.FileIO, io.BufferedReader, | frozendict.frozendict, str, decimal.Decimal, BoolClass, NoneClass, tuple, bytes, FileIO | any string name can be used but the value must be the correct type | [optional]

# aliases
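Review bot: this regenerated model doc gains a `quotas` row but no `proxy` row, even though `docs/accounts.md` and `value-template.yaml` in this same PR document a per-application `harness.proxy` block; that suggests the schema the docs are generated from does not yet define `proxy` under `ApplicationHarnessConfig`, so the new keys are unvalidated and undocumented at the model level. Add `proxy` (with `timeout.send`, `timeout.read`, `timeout.keepalive` and `payload.max`) to the schema and regenerate, or the `any_string_name` catch-all row will be the only thing that admits it.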
2 changes: 1 addition & 1 deletion docs/model/HarnessMainConfig.md
Expand Up @@ -21,7 +21,7 @@ Key | Input Type | Accessed Type | Description | Notes
**backup** | [**BackupConfig**](BackupConfig.md) | [**BackupConfig**](BackupConfig.md) | | [optional]
**name** | str, | str, | Base name | [optional]
**task-images** | [**SimpleMap**](SimpleMap.md) | [**SimpleMap**](SimpleMap.md) | | [optional]
**any_string_name** | dict, frozendict.frozendict, str, date, datetime, int, float, bool, decimal.Decimal, None, list, tuple, bytes, io.FileIO, io.BufferedReader | frozendict.frozendict, str, BoolClass, decimal.Decimal, NoneClass, tuple, bytes, FileIO | any string name can be used but the value must be the correct type | [optional]
**any_string_name** | dict, frozendict.frozendict, str, date, datetime, uuid.UUID, int, float, decimal.Decimal, bool, None, list, tuple, bytes, io.FileIO, io.BufferedReader, | frozendict.frozendict, str, decimal.Decimal, BoolClass, NoneClass, tuple, bytes, FileIO | any string name can be used but the value must be the correct type | [optional]

# env

2 changes: 1 addition & 1 deletion docs/model/Quota.md
Expand Up @@ -8,7 +8,7 @@ dict, frozendict.frozendict, | frozendict.frozendict, | |
### Dictionary Keys
Key | Input Type | Accessed Type | Description | Notes
------------ | ------------- | ------------- | ------------- | -------------
**any_string_name** | str, | str, | any string name can be used but the value must be the correct type | [optional]
**any_string_name** | dict, frozendict.frozendict, str, date, datetime, uuid.UUID, int, float, decimal.Decimal, bool, None, list, tuple, bytes, io.FileIO, io.BufferedReader, | frozendict.frozendict, str, decimal.Decimal, BoolClass, NoneClass, tuple, bytes, FileIO | any string name can be used but the value must be the correct type | [optional]

[[Back to Model list]](../../README.md#documentation-for-models) [[Back to API list]](../../README.md#documentation-for-api-endpoints) [[Back to README]](../../README.md)
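Review bot: `Quota` values are widened here from `str` to any type at all (dict, list, bytes, `io.FileIO`, ...), which removes the only validation the model had on quota values; the same widening appears in `SimpleMap`. If the intent is to allow numeric quotas, narrow the schema to the numeric types and strings rather than everything, and if this is an unintended side effect of regenerating with a newer generator, revert the schema so these two files are unchanged in this PR.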

2 changes: 1 addition & 1 deletion docs/model/SimpleMap.md
Expand Up @@ -8,7 +8,7 @@ dict, frozendict.frozendict, | frozendict.frozendict, | |
### Dictionary Keys
Key | Input Type | Accessed Type | Description | Notes
------------ | ------------- | ------------- | ------------- | -------------
**any_string_name** | str, | str, | any string name can be used but the value must be the correct type | [optional]
**any_string_name** | dict, frozendict.frozendict, str, date, datetime, uuid.UUID, int, float, decimal.Decimal, bool, None, list, tuple, bytes, io.FileIO, io.BufferedReader, | frozendict.frozendict, str, decimal.Decimal, BoolClass, NoneClass, tuple, bytes, FileIO | any string name can be used but the value must be the correct type | [optional]

[[Back to Model list]](../../README.md#documentation-for-models) [[Back to API list]](../../README.md#documentation-for-api-endpoints) [[Back to README]](../../README.md)
