Ingress: Improve port opening
Update nginx replica counts and rollout strategy.
Watch proxy-backend configmap changes and automatically reload the proxy nginx.
Make ingress optional.
Use <PREFIX>.<CLUSTER_NAME>.clusters.p.<DOMAIN> addresses for remote
cluster services.
Change-Id: Ideb146a8c0275822ee5cd28311c00a817f4202aa
diff --git a/core/installer/values-tmpl/ingress-public.cue b/core/installer/values-tmpl/ingress-public.cue
index fe6098e..119dd44 100644
--- a/core/installer/values-tmpl/ingress-public.cue
+++ b/core/installer/values-tmpl/ingress-public.cue
@@ -4,6 +4,7 @@
input: {
sshPrivateKey: string
+ controllerReplicaCount: int | *3
}
name: "ingress-public"
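Review bot: `controllerReplicaCount: int | *3` accepts 0 and negative values, and nothing between this input and the `replicaCount` it feeds rejects them, so a bad value either scales the ingress controller to zero or fails only at apply time; constrain it with `controllerReplicaCount: int & >=1 | *3`. The same unconstrained field is added to private-network.cue in the `@@ -9,6 +9,7 @@` hunk. The `input` struct continues outside this hunk.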
@@ -48,7 +49,7 @@
fullnameOverride: "\(global.pcloudEnvName)-ingress-public"
controller: {
kind: "Deployment"
- replicaCount: 1 // TODO(gio): configurable
+ replicaCount: input.controllerReplicaCount
topologySpreadConstraints: [{
labelSelector: {
matchLabels: {
@@ -64,7 +65,7 @@
updateStrategy: {
type: "RollingUpdate"
rollingUpdate: {
- maxSurge: "100%"
+ maxSurge: "50%"
maxUnavailable: "30%"
}
}
diff --git a/core/installer/values-tmpl/private-network.cue b/core/installer/values-tmpl/private-network.cue
index 3ea3c03..1fcf783 100644
--- a/core/installer/values-tmpl/private-network.cue
+++ b/core/installer/values-tmpl/private-network.cue
@@ -9,6 +9,7 @@
ipSubnet: string // TODO(gio): use cidr type
}
sshPrivateKey: string
+ controllerReplicaCount: int | *3
}
name: "private-network"
@@ -97,29 +98,28 @@
serviceAccountName: "\(global.id)-nginx-private"
}
}
- "headscale-user": {
- chart: charts.headscaleUser
- values: {
- resourceName: "private-network-proxy-backend"
- username: "private-network-proxy"
- headscaleApiAddress: "http://headscale-api.\(global.namespacePrefix)app-headscale.svc.cluster.local"
- preAuthKey: {
- enabled: true
- secretName: _clusterProxySecretName
- }
- }
- }
"ingress-nginx": {
chart: charts["ingress-nginx"]
values: {
fullnameOverride: "\(global.id)-nginx-private"
controller: {
+ replicaCount: input.controllerReplicaCount
+ updateStrategy: {
+ type: "RollingUpdate"
+ rollingUpdate: {
+ maxUnavailable: "30%"
+ }
+ }
service: {
enabled: true
type: "LoadBalancer"
annotations: {
"metallb.universe.tf/address-pool": _ingressPrivate
}
+ extraPorts: {
+ tcp: {}
+ udp: {}
+ }
}
ingressClassByName: true
ingressClassResource: {
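Review bot: The private controller's `updateStrategy` sets only `maxUnavailable: "30%"`, while the same change gives ingress-public both `maxSurge: "50%"` and `maxUnavailable: "30%"`; if leaving `maxSurge` at the chart default is intended here, a comment such as `// maxSurge left at chart default` would make the asymmetry deliberate rather than an omission. Kubernetes rounds `maxUnavailable` down, so with a `replicaCount` of 3 it allows zero unavailable pods and rollouts depend entirely on surge capacity — presumably acceptable, but worth stating. The `extraPorts: {tcp: {}, udp: {}}` entries are empty placeholders; a short comment naming what is expected to fill them would help the next reader. The `"ingress-nginx"` values struct continues past this hunk.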
@@ -143,7 +143,18 @@
configMap: {
name: _proxyBackendConfigName
}
+ }, {
+ name: "proxy-backend-pid"
+ emptyDir: {
+ size: "2Mi"
+ }
+ }, {
+ name: "ts-proxy-state"
+ emptyDir: {
+ size: "2Mi"
+ }
}]
+ shareProcessNamespace: true
extraContainers: [{
name: "proxy"
image: images.tailscale.fullNameWithTag
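Review bot: `emptyDir: { size: "2Mi" }` on the two new volumes uses a field that Kubernetes' EmptyDirVolumeSource does not have (its fields are `medium` and `sizeLimit`); depending on the API server's field validation the key is either rejected or silently dropped, so no cap is applied. Change both volumes to `sizeLimit: "2Mi"`. `shareProcessNamespace: true` applies to every container in the pod, including the privileged tailscale proxy; a comment such as `// shared PID namespace so reload-config can signal the proxy-backend nginx master via nginx.pid` would record why this widening is needed. The volume list starts before this hunk.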
@@ -154,11 +165,15 @@
privileged: true
}
env: [{
- name: "TS_KUBE_SECRET"
- value: _clusterProxySecretName
+ name: "TS_STATE_DIR"
+ value: "/ts-state"
}, {
name: "TS_HOSTNAME"
- value: "cluster-proxy"
+ valueFrom: {
+ fieldRef: {
+ fieldPath: "metadata.name"
+ }
+ }
}, {
name: "TS_EXTRA_ARGS"
value: "--login-server=https://headscale.\(global.domain)"
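Review bot: With `TS_STATE_DIR` now pointing at the `ts-proxy-state` emptyDir instead of the removed `TS_KUBE_SECRET`, the tailscale node identity does not survive pod recreation: each new pod registers as a new node named after itself and consumes a fresh preauth key, so stale nodes presumably accumulate in headscale unless something prunes them. A comment next to `TS_STATE_DIR`, e.g. `// state is per-pod and ephemeral; every pod registers as a new node`, would make that trade-off explicit. The `env` list continues past this hunk.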
@@ -166,6 +181,16 @@
name: "TS_USERSPACE"
value: "false"
}]
+ command: ["/bin/sh"]
+ args: [
+ "-c",
+ "TS_AUTHKEY=$(wget --post-data=\"\" -O /tmp/authkey http://headscale-api.\(global.namespacePrefix)app-headscale.svc.cluster.local/user/private-network-proxy/preauthkey > /dev/null 2>&1 && cat /tmp/authkey) /usr/local/bin/containerboot"
+ ],
+ volumeMounts: [{
+ mountPath: "/ts-state"
+ name: "ts-proxy-state"
+ readOnly: false
+ }]
}, {
name: "proxy-backend"
image: images.nginx.fullNameWithTag
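Review bot: The auth-key bootstrap in `args` ignores failure and leaves the key on disk: if the `wget` fails, `$(... && cat /tmp/authkey)` expands to an empty string and containerboot still starts with an empty `TS_AUTHKEY`, and on success the key remains in `/tmp/authkey` for the container's lifetime. Stream it and fail fast instead, e.g. `set -eu; TS_AUTHKEY=\"$(wget -q --post-data=\"\" -O - http://headscale-api.\(global.namespacePrefix)app-headscale.svc.cluster.local/user/private-network-proxy/preauthkey)\"; [ -n \"$TS_AUTHKEY\" ] || exit 1; export TS_AUTHKEY; exec /usr/local/bin/containerboot` (the `exec` also lets containerboot receive the pod's signals directly). Separately, this replaces the secret provisioned by the removed `headscale-user` chart with an unauthenticated plain-HTTP POST to headscale-api at container start; unless that endpoint checks the caller, any workload that can reach the service can mint a preauth key for `private-network-proxy`, so a NetworkPolicy or credential on that endpoint is worth confirming. The `extraContainers` entry for `proxy` begins before this hunk.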
@@ -179,7 +204,34 @@
name: _proxyBackendConfigName
mountPath: "/etc/nginx"
readOnly: true
+ }, {
+ name: "proxy-backend-pid"
+ mountPath: "/var/run/nginx"
+ readOnly: false
}]
+ }, {
+ name: "reload-config"
+ image: "giolekva/reload:latest"
+ imagePullPolicy: "Always"
+ command: [
+ "/usr/bin/reload",
+ "--watch=/etc/nginx/nginx.conf",
+ "--reload=/var/run/nginx/nginx.pid",
+ ]
+ volumeMounts: [{
+ name: "proxy-backend-config"
+ mountPath: "/etc/nginx"
+ readOnly: true
+ }, {
+ name: "proxy-backend-pid"
+ mountPath: "/var/run/nginx"
+ readOnly: true
+ }]
+ securityContext: {
+ capabilities: {
+ add: ["SYS_PTRACE"]
+ }
+ }
}]
admissionWebhooks: {
enabled: false
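Review bot: `giolekva/reload:latest` with `imagePullPolicy: "Always"` is the only image in this pod not pinned through `images.*.fullNameWithTag` (compare the `proxy` and `proxy-backend` containers); a mutable tag pulled on every start means the binary that holds `SYS_PTRACE` inside the ingress pod can change without review, so pin it by tag or digest through the same `images` table. Combined with the pod-level `shareProcessNamespace: true`, `SYS_PTRACE` also lets this sidecar read other containers' process memory and reach their filesystems through `/proc/<pid>/root`; if `/usr/bin/reload` only needs to signal the pid in `nginx.pid`, `CAP_KILL` (or running as the same uid as nginx) is presumably the narrower grant — worth checking against the tool. `--watch=/etc/nginx/nginx.conf` watches a file inside a configMap mount, where updates arrive as a symlink swap rather than an in-place write; confirm the watcher handles that pattern. The `extraContainers` list starts before this hunk.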
@@ -255,6 +307,7 @@
"nginx.conf": """
worker_processes 1;
worker_rlimit_nofile 8192;
+pid /var/run/nginx/nginx.pid;
events {
worker_connections 1024;
}
@@ -274,5 +327,4 @@
}
}
-_clusterProxySecretName: "cluster-proxy-preauthkey"
_proxyBackendConfigName: "proxy-backend-config"