Ingress: Improve port opening

Update nginx replica counts and rollout strategy.
Watch proxy-backend configmap changes and automatically reload the proxy nginx.
Make ingress optional.
Use <PREFIX>.<CLUSTER_NAME>.clusters.p.<DOMAIN> addresses for remote
cluster services.

Change-Id: Ideb146a8c0275822ee5cd28311c00a817f4202aa
diff --git a/core/installer/values-tmpl/private-network.cue b/core/installer/values-tmpl/private-network.cue
index 3ea3c03..1fcf783 100644
--- a/core/installer/values-tmpl/private-network.cue
+++ b/core/installer/values-tmpl/private-network.cue
@@ -9,6 +9,7 @@
 		ipSubnet: string // TODO(gio): use cidr type
 	}
 	sshPrivateKey: string
+	controllerReplicaCount: int | *3
 }
 
 name: "private-network"
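Review bot: `controllerReplicaCount: int | *3` accepts zero and negative values, which would produce an invalid Deployment replica count downstream; tightening it to `controllerReplicaCount: int & >=1 | *3` keeps the default while rejecting those at CUE validation time rather than at apply time. The input struct this field belongs to opens before the hunk.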
@@ -97,29 +98,28 @@
 				serviceAccountName: "\(global.id)-nginx-private"
 			}
 		}
-		"headscale-user": {
-			chart: charts.headscaleUser
-			values: {
-				resourceName: "private-network-proxy-backend"
-				username: "private-network-proxy"
-				headscaleApiAddress: "http://headscale-api.\(global.namespacePrefix)app-headscale.svc.cluster.local"
-				preAuthKey: {
-					enabled: true
-					secretName: _clusterProxySecretName
-				}
-			}
-		}
 		"ingress-nginx": {
 			chart: charts["ingress-nginx"]
 			values: {
 				fullnameOverride: "\(global.id)-nginx-private"
 				controller: {
+					replicaCount: input.controllerReplicaCount
+					updateStrategy: {
+						type: "RollingUpdate"
+						rollingUpdate: {
+							maxUnavailable: "30%"
+						}
+					}
 					service: {
 						enabled: true
 						type: "LoadBalancer"
 						annotations: {
 							"metallb.universe.tf/address-pool": _ingressPrivate
 						}
+						extraPorts: {
+							tcp: {}
+							udp: {}
+						}
 					}
 					ingressClassByName: true
 					ingressClassResource: {
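Review bot: `extraPorts` is introduced with empty `tcp: {}` and `udp: {}` maps, so as written this hunk opens no additional ports despite the commit title; if these maps are presumably filled in by unification from another file, a comment saying so would save the next reader a search, e.g. `// tcp/udp entries are unified in from the per-service templates`. Separately, `maxUnavailable: "30%"` with the default of 3 replicas rounds down to zero pods unavailable, so the rollout advances only through the default maxSurge; if that is the intent, a short comment next to it would make it explicit. The `"ingress-nginx"` chart block continues past the hunk.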
@@ -143,7 +143,18 @@
 						configMap: {
 							name: _proxyBackendConfigName
 						}
+					}, {
+						name: "proxy-backend-pid"
+						emptyDir: {
+							size: "2Mi"
+						}
+					}, {
+						name: "ts-proxy-state"
+						emptyDir: {
+							size: "2Mi"
+						}
 					}]
+					shareProcessNamespace: true
 					extraContainers: [{
 						name: "proxy"
 						image: images.tailscale.fullNameWithTag
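Review bot: The `emptyDir: { size: "2Mi" }` entries on both new volumes use a field name that the Kubernetes EmptyDirVolumeSource does not define; the supported field is `sizeLimit`, so the intended cap is at best silently ignored, e.g. `emptyDir: { sizeLimit: "2Mi" }`. Separately, `shareProcessNamespace: true` makes every container's processes, including those of the `proxy` container that runs with `privileged: true`, visible and signalable from the other containers in the pod, so a why-comment next to it would help reviewers judge the trade-off, e.g. `// required so reload-config can signal the proxy-backend nginx master via its pid file`. The extraVolumes list begins before the hunk.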
@@ -154,11 +165,15 @@
 							privileged: true
 						}
 						env: [{
-							name: "TS_KUBE_SECRET"
-							value: _clusterProxySecretName
+							name: "TS_STATE_DIR"
+							value: "/ts-state"
 						}, {
 							name: "TS_HOSTNAME"
-							value: "cluster-proxy"
+							valueFrom: {
+								fieldRef: {
+									fieldPath: "metadata.name"
+								}
+							}
 						}, {
 							name: "TS_EXTRA_ARGS"
 							value: "--login-server=https://headscale.\(global.domain)"
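Review bot: With `TS_STATE_DIR` pointing at `/ts-state`, which the later hunk mounts from the `ts-proxy-state` emptyDir, the tailscale node state does not survive a pod restart, so each restart appears to register a fresh node under the pod's name instead of re-authenticating the existing one. If that is intended, a comment stating it and the consequence would avoid surprise, e.g. `// state lives in an emptyDir: every restart registers a new node; stale entries accumulate in headscale`. The env list continues past the hunk.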
@@ -166,6 +181,16 @@
 							name: "TS_USERSPACE"
 							value: "false"
 						}]
+						command: ["/bin/sh"]
+						args: [
+							"-c",
+							"TS_AUTHKEY=$(wget --post-data=\"\" -O /tmp/authkey http://headscale-api.\(global.namespacePrefix)app-headscale.svc.cluster.local/user/private-network-proxy/preauthkey > /dev/null 2>&1 && cat /tmp/authkey) /usr/local/bin/containerboot"
+						],
+						volumeMounts: [{
+							mountPath: "/ts-state"
+							name: "ts-proxy-state"
+							readOnly: false
+						}]
 					}, {
 						name: "proxy-backend"
 						image: images.nginx.fullNameWithTag
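Review bot: The `args` line that fetches the pre-auth key swallows failure: if the `wget` fails, the `$(...)` expands to an empty string and `/usr/local/bin/containerboot` still starts with an empty `TS_AUTHKEY`, while `> /dev/null 2>&1` hides the reason from the container log. The key is also left behind in `/tmp/authkey` for the lifetime of the container, and the `preauthkey` endpoint is called over plain HTTP with no credential, so the secret-based provisioning that the removed `headscale-user` chart provided should be replaced by a network policy or an authenticated endpoint on the headscale-api side rather than dropped. A fail-fast form that scrubs the temp file keeps the rest of the behaviour: `"set -e; wget -q --post-data=\"\" -O /tmp/authkey http://headscale-api.\(global.namespacePrefix)app-headscale.svc.cluster.local/user/private-network-proxy/preauthkey; TS_AUTHKEY=$(cat /tmp/authkey); rm -f /tmp/authkey; export TS_AUTHKEY; exec /usr/local/bin/containerboot"`. The `proxy` container spec starts before the hunk.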
@@ -179,7 +204,34 @@
 							name: _proxyBackendConfigName
 							mountPath: "/etc/nginx"
 							readOnly: true
+						}, {
+							name: "proxy-backend-pid"
+							mountPath: "/var/run/nginx"
+							readOnly: false
 						}]
+					}, {
+						name: "reload-config"
+						image: "giolekva/reload:latest"
+						imagePullPolicy: "Always"
+						command: [
+							"/usr/bin/reload",
+							"--watch=/etc/nginx/nginx.conf",
+							"--reload=/var/run/nginx/nginx.pid",
+					    ]
+						volumeMounts: [{
+							name: "proxy-backend-config"
+							mountPath: "/etc/nginx"
+							readOnly: true
+						}, {
+							name: "proxy-backend-pid"
+							mountPath: "/var/run/nginx"
+							readOnly: true
+						}]
+						securityContext: {
+							capabilities: {
+								add: ["SYS_PTRACE"]
+							}
+						}
 					}]
 					admissionWebhooks: {
 						enabled: false
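Review bot: `image: "giolekva/reload:latest"` with `imagePullPolicy: "Always"` is the only unpinned, mutable image reference in this pod; the sibling containers take theirs from `images.tailscale.fullNameWithTag` and `images.nginx.fullNameWithTag`, and routing this one through the same map (`images.<reload-entry>.fullNameWithTag`, with the entry added where that map is defined) would make it pinnable and keep one source of truth. The `SYS_PTRACE` capability also deserves a why-comment, since the pid is read from a file and it is not obvious from the hunk that signalling nginx across the shared process namespace needs more than that, e.g. `// SYS_PTRACE: TODO confirm this is required to signal nginx in the sibling container`. The `]` closing the `command` list is indented with spaces where the rest of the file uses tabs.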
@@ -255,6 +307,7 @@
 			"nginx.conf": """
 worker_processes  1;
 worker_rlimit_nofile 8192;
+pid /var/run/nginx/nginx.pid;
 events {
 	worker_connections  1024;
 }
@@ -274,5 +327,4 @@
 	}
 }
 
-_clusterProxySecretName: "cluster-proxy-preauthkey"
 _proxyBackendConfigName: "proxy-backend-config"