| # |
| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to You under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| |
| apiVersion: v1 |
| kind: ConfigMap |
| metadata: |
| name: {{ .Release.Name }}-nginx |
| labels: |
| {{ include "openwhisk.label_boilerplate" . | indent 4 }} |
| data: |
| nginx.conf: | |
| worker_processes {{ .Values.nginx.workerProcesses }}; |
| worker_rlimit_nofile 4096; |
| |
| events { |
| worker_connections 4096; |
| } |
| |
| http { |
| client_max_body_size 50M; |
| |
| rewrite_log on; |
| # change log format to display the upstream information |
| log_format combined-upstream '$remote_addr - $remote_user [$time_local] ' |
| '[#tid_$request_id] $request $status $body_bytes_sent ' |
| '$http_referer $http_user_agent $upstream_addr'; |
| access_log /logs/nginx_access.log combined-upstream; |
| error_log /logs/nginx_error.log error; |
| |
| # needed to enable keepalive to upstream controllers |
| proxy_http_version 1.1; |
| proxy_set_header Connection ""; |
| |
| upstream controllers { |
| # Mark the controller as unavailable after fail_timeout seconds, to not get any requests during restart. |
| # Otherwise, nginx would dispatch requests when the container is up, but the backend in the container not. |
| # From the docs: |
| # "normally, requests with a non-idempotent method (POST, LOCK, PATCH) are not passed to |
| # the next server if a request has been sent to an upstream server" |
| server {{ include "openwhisk.controller_host" . }}:{{ .Values.controller.port }} fail_timeout=60s; |
| |
| keepalive 512; |
| } |
| |
| server { |
| listen 80; |
| {{- if or (eq .Values.whisk.ingress.type "NodePort") (eq .Values.whisk.ingress.type "LoadBalancer") }} |
| listen 443 default ssl; |
| {{- end }} |
| |
| # match namespace, note while OpenWhisk allows a richer character set for a |
| # namespace, not all those characters are permitted in the (sub)domain name; |
| # if namespace does not match, no vanity URL rewriting takes place. |
| server_name ~^(?<namespace>[0-9a-zA-Z-]+)\.{{ .Values.whisk.ingress.apiHostName }}$; |
| |
| {{- if or (eq .Values.whisk.ingress.type "NodePort") (eq .Values.whisk.ingress.type "LoadBalancer") }} |
| ssl_session_cache shared:SSL:1m; |
| ssl_session_timeout 10m; |
| ssl_certificate /etc/nginx/certs/tls.crt; |
| ssl_certificate_key /etc/nginx/certs/tls.key; |
| {{- if .Values.nginx.certificate.external }} |
| {{- if ne .Values.nginx.certificate.sslPassword "" }} |
| ssl_password_file "/etc/nginx/certs/sslPassword"; |
| {{- end }} |
| {{- end }} |
| ssl_verify_client off; |
| ssl_protocols TLSv1.2; |
| ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; |
| ssl_prefer_server_ciphers on; |
| proxy_ssl_session_reuse on; |
| proxy_ssl_verify off; |
| {{- end }} |
| |
| # Hack to convince nginx to dynamically resolve the dns entries. |
| resolver {{ .Values.k8s.dns }}; |
| {{- if or (eq .Values.whisk.ingress.type "NodePort") (eq .Values.whisk.ingress.type "LoadBalancer") }} |
| set $apigw {{ include "openwhisk.apigw_host" . }}; |
| {{ if or .Values.metrics.prometheusEnabled .Values.metrics.userMetricsEnabled }} |
| set $grafana {{ include "openwhisk.grafana_host" . }}; |
| {{- end }} |
| {{- end }} |
| |
| {{- if or (eq .Values.whisk.ingress.type "NodePort") (eq .Values.whisk.ingress.type "LoadBalancer") }} |
| location /api/v1/web { |
| if ($namespace) { |
| rewrite /(.*) /api/v1/web/${namespace}/$1 break; |
| } |
| proxy_pass http://controllers; |
| proxy_read_timeout 75s; # 70+5 additional seconds to allow controller to terminate request |
| } |
| |
| location /api/v1 { |
| proxy_pass http://controllers; |
| proxy_read_timeout 75s; # 70+5 additional seconds to allow controller to terminate request |
| } |
| |
| location /api { |
| proxy_pass http://$apigw:{{ .Values.apigw.mgmtPort }}; |
| } |
| |
| location /v1/health-check { |
| proxy_pass http://$apigw:{{ .Values.apigw.apiPort }}; |
| } |
| |
| location /v2 { |
| proxy_pass http://$apigw:{{ .Values.apigw.apiPort }}; |
| } |
| |
| {{ if or .Values.metrics.prometheusEnabled .Values.metrics.userMetricsEnabled }} |
| location /monitoring { |
| proxy_pass http://$grafana:{{ .Values.grafana.port }}; |
| } |
| {{- end }} |
| {{- end }} |
| location / { |
| if ($namespace) { |
| rewrite /(.*) /api/v1/web/${namespace}/$1 break; |
| } |
| proxy_pass http://controllers; |
| proxy_read_timeout 75s; # 70+5 additional seconds to allow controller to terminate request |
| } |
| |
| location /blackbox.tar.gz { |
| return 301 https://github.com/apache/openwhisk-runtime-docker/releases/download/sdk%400.1.0/blackbox-0.1.0.tar.gz; |
| } |
| # leaving this for a while for clients out there to update to the new endpoint |
| location /blackbox-0.1.0.tar.gz { |
| return 301 /blackbox.tar.gz; |
| } |
| |
| location /OpenWhiskIOSStarterApp.zip { |
| return 301 https://github.com/openwhisk/openwhisk-client-swift/releases/download/0.2.3/starterapp-0.2.3.zip; |
| } |
| |
| # redirect requests for specific binaries to the matching one from the latest openwhisk-cli release. |
| location /cli/go/download/linux/amd64 { |
| return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-linux-amd64.tgz; |
| } |
| location /cli/go/download/linux/386 { |
| return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-linux-386.tgz; |
| } |
| location /cli/go/download/mac/amd64 { |
| return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-mac-amd64.zip; |
| } |
| location /cli/go/download/mac/386 { |
| return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-mac-386.zip; |
| } |
| location /cli/go/download/windows/amd64 { |
| return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-windows-amd64.zip; |
| } |
| location /cli/go/download/windows/386 { |
| return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-windows-386.zip; |
| } |
| |
| # redirect top-level cli downloads to the latest openwhisk-cli release. |
| location /cli/go/download { |
| return 301 https://github.com/apache/openwhisk-cli/releases/latest; |
| } |
| } |
| } |