helm/openwhisk/templates/nginx-cm.yaml - openwhisk-deploy-kube - Git at Google

 #
 # Licensed to the Apache Software Foundation (ASF) under one or more
 # contributor license agreements.  See the NOTICE file distributed with
 # this work for additional information regarding copyright ownership.
 # The ASF licenses this file to You under the Apache License, Version 2.0
 # (the "License"); you may not use this file except in compliance with
 # the License.  You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #

 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ .Release.Name }}-nginx
   labels:
 {{ include "openwhisk.label_boilerplate" . | indent 4 }}
 data:
   nginx.conf: |
     worker_processes {{ .Values.nginx.workerProcesses }};
     worker_rlimit_nofile 4096;

     events {
       worker_connections  4096;
     }

     http {
       client_max_body_size 50M;

       rewrite_log on;
       # change log format to display the upstream information
       log_format combined-upstream '$remote_addr - $remote_user [$time_local] '
           '[#tid_$request_id] $request $status $body_bytes_sent '
           '$http_referer $http_user_agent $upstream_addr';
       access_log /logs/nginx_access.log combined-upstream;
       error_log /logs/nginx_error.log error;

       # needed to enable keepalive to upstream controllers
       proxy_http_version 1.1;
       proxy_set_header Connection "";

       upstream controllers {
          # Mark the controller as unavailable after fail_timeout seconds, to not get any requests during restart.
          # Otherwise, nginx would dispatch requests when the container is up, but the backend in the container not.
          # From the docs:
          #  "normally, requests with a non-idempotent method (POST, LOCK, PATCH) are not passed to
          #   the next server if a request has been sent to an upstream server"
          server {{ include "openwhisk.controller_host" . }}:{{ .Values.controller.port }} fail_timeout=60s;

          keepalive 512;
       }

       server {
         listen 80;
 {{- if or (eq .Values.whisk.ingress.type "NodePort") (eq .Values.whisk.ingress.type "LoadBalancer") }}
         listen 443 default ssl;
 {{- end }}

         # match namespace, note while OpenWhisk allows a richer character set for a
         # namespace, not all those characters are permitted in the (sub)domain name;
         # if namespace does not match, no vanity URL rewriting takes place.
         server_name ~^(?<namespace>[0-9a-zA-Z-]+)\.{{ .Values.whisk.ingress.apiHostName }}$;

 {{- if or (eq .Values.whisk.ingress.type "NodePort") (eq .Values.whisk.ingress.type "LoadBalancer") }}
         ssl_session_cache    shared:SSL:1m;
         ssl_session_timeout  10m;
         ssl_certificate      /etc/nginx/certs/tls.crt;
         ssl_certificate_key  /etc/nginx/certs/tls.key;
         {{- if .Values.nginx.certificate.external }}
         {{- if ne .Values.nginx.certificate.sslPassword "" }}
         ssl_password_file "/etc/nginx/certs/sslPassword";
         {{- end }}
         {{- end }}
         ssl_verify_client off;
         ssl_protocols        TLSv1.2;
         ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
         ssl_prefer_server_ciphers on;
         proxy_ssl_session_reuse on;
         proxy_ssl_verify off;
 {{- end }}

         # Hack to convince nginx to dynamically resolve the dns entries.
         resolver {{ .Values.k8s.dns }};
 {{- if or (eq .Values.whisk.ingress.type "NodePort") (eq .Values.whisk.ingress.type "LoadBalancer") }}
         set $apigw {{ include "openwhisk.apigw_host" . }};
 {{ if or .Values.metrics.prometheusEnabled .Values.metrics.userMetricsEnabled }}
         set $grafana {{ include "openwhisk.grafana_host" . }};
 {{- end }}
 {{- end }}

 {{- if or (eq .Values.whisk.ingress.type "NodePort") (eq .Values.whisk.ingress.type "LoadBalancer") }}
         location /api/v1/web {
             if ($namespace) {
                 rewrite    /(.*) /api/v1/web/${namespace}/$1 break;
             }
             proxy_pass http://controllers;
             proxy_read_timeout 75s; # 70+5 additional seconds to allow controller to terminate request
         }

         location /api/v1 {
             proxy_pass http://controllers;
             proxy_read_timeout 75s; # 70+5 additional seconds to allow controller to terminate request
         }

         location /api {
             proxy_pass http://$apigw:{{ .Values.apigw.mgmtPort }};
         }

         location /v1/health-check {
             proxy_pass http://$apigw:{{ .Values.apigw.apiPort }};
         }

         location /v2 {
             proxy_pass http://$apigw:{{ .Values.apigw.apiPort }};
         }

 {{ if or .Values.metrics.prometheusEnabled .Values.metrics.userMetricsEnabled }}
         location /monitoring {
             proxy_pass http://$grafana:{{ .Values.grafana.port }};
         }
 {{- end }}
 {{- end }}
         location / {
             if ($namespace) {
               rewrite    /(.*) /api/v1/web/${namespace}/$1 break;
             }
             proxy_pass http://controllers;
             proxy_read_timeout 75s; # 70+5 additional seconds to allow controller to terminate request
         }

         location /blackbox.tar.gz {
             return 301 https://github.com/apache/openwhisk-runtime-docker/releases/download/sdk%400.1.0/blackbox-0.1.0.tar.gz;
         }
         # leaving this for a while for clients out there to update to the new endpoint
         location /blackbox-0.1.0.tar.gz {
             return 301 /blackbox.tar.gz;
         }

         location /OpenWhiskIOSStarterApp.zip {
             return 301 https://github.com/openwhisk/openwhisk-client-swift/releases/download/0.2.3/starterapp-0.2.3.zip;
         }

         # redirect requests for specific binaries to the matching one from the latest openwhisk-cli release.
         location /cli/go/download/linux/amd64 {
             return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-linux-amd64.tgz;
         }
         location /cli/go/download/linux/386 {
             return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-linux-386.tgz;
         }
         location /cli/go/download/mac/amd64 {
             return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-mac-amd64.zip;
         }
         location /cli/go/download/mac/386 {
             return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-mac-386.zip;
         }
         location /cli/go/download/windows/amd64 {
             return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-windows-amd64.zip;
         }
         location /cli/go/download/windows/386 {
             return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-windows-386.zip;
         }

         # redirect top-level cli downloads to the latest openwhisk-cli release.
         location /cli/go/download {
             return 301 https://github.com/apache/openwhisk-cli/releases/latest;
         }
       }
     }
	#
	# Licensed to the Apache Software Foundation (ASF) under one or more
	# contributor license agreements. See the NOTICE file distributed with
	# this work for additional information regarding copyright ownership.
	# The ASF licenses this file to You under the Apache License, Version 2.0
	# (the "License"); you may not use this file except in compliance with
	# the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	#

	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: {{ .Release.Name }}-nginx
	labels:
	{{ include "openwhisk.label_boilerplate" . \| indent 4 }}
	data:
	nginx.conf: \|
	worker_processes {{ .Values.nginx.workerProcesses }};
	worker_rlimit_nofile 4096;

	events {
	worker_connections 4096;
	}

	http {
	client_max_body_size 50M;

	rewrite_log on;
	# change log format to display the upstream information
	log_format combined-upstream '$remote_addr - $remote_user [$time_local] '
	'[#tid_$request_id] $request $status $body_bytes_sent '
	'$http_referer $http_user_agent $upstream_addr';
	access_log /logs/nginx_access.log combined-upstream;
	error_log /logs/nginx_error.log error;

	# needed to enable keepalive to upstream controllers
	proxy_http_version 1.1;
	proxy_set_header Connection "";

	upstream controllers {
	# Mark the controller as unavailable after fail_timeout seconds, to not get any requests during restart.
	# Otherwise, nginx would dispatch requests when the container is up, but the backend in the container not.
	# From the docs:
	# "normally, requests with a non-idempotent method (POST, LOCK, PATCH) are not passed to
	# the next server if a request has been sent to an upstream server"
	server {{ include "openwhisk.controller_host" . }}:{{ .Values.controller.port }} fail_timeout=60s;

	keepalive 512;
	}

	server {
	listen 80;
	{{- if or (eq .Values.whisk.ingress.type "NodePort") (eq .Values.whisk.ingress.type "LoadBalancer") }}
	listen 443 default ssl;
	{{- end }}

	# match namespace, note while OpenWhisk allows a richer character set for a
	# namespace, not all those characters are permitted in the (sub)domain name;
	# if namespace does not match, no vanity URL rewriting takes place.
	server_name ~^(?<namespace>[0-9a-zA-Z-]+)\.{{ .Values.whisk.ingress.apiHostName }}$;

	{{- if or (eq .Values.whisk.ingress.type "NodePort") (eq .Values.whisk.ingress.type "LoadBalancer") }}
	ssl_session_cache shared:SSL:1m;
	ssl_session_timeout 10m;
	ssl_certificate /etc/nginx/certs/tls.crt;
	ssl_certificate_key /etc/nginx/certs/tls.key;
	{{- if .Values.nginx.certificate.external }}
	{{- if ne .Values.nginx.certificate.sslPassword "" }}
	ssl_password_file "/etc/nginx/certs/sslPassword";
	{{- end }}
	{{- end }}
	ssl_verify_client off;
	ssl_protocols TLSv1.2;
	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
	ssl_prefer_server_ciphers on;
	proxy_ssl_session_reuse on;
	proxy_ssl_verify off;
	{{- end }}

	# Hack to convince nginx to dynamically resolve the dns entries.
	resolver {{ .Values.k8s.dns }};
	{{- if or (eq .Values.whisk.ingress.type "NodePort") (eq .Values.whisk.ingress.type "LoadBalancer") }}
	set $apigw {{ include "openwhisk.apigw_host" . }};
	{{ if or .Values.metrics.prometheusEnabled .Values.metrics.userMetricsEnabled }}
	set $grafana {{ include "openwhisk.grafana_host" . }};
	{{- end }}
	{{- end }}

	{{- if or (eq .Values.whisk.ingress.type "NodePort") (eq .Values.whisk.ingress.type "LoadBalancer") }}
	location /api/v1/web {
	if ($namespace) {
	rewrite /(.*) /api/v1/web/${namespace}/$1 break;
	}
	proxy_pass http://controllers;
	proxy_read_timeout 75s; # 70+5 additional seconds to allow controller to terminate request
	}

	location /api/v1 {
	proxy_pass http://controllers;
	proxy_read_timeout 75s; # 70+5 additional seconds to allow controller to terminate request
	}

	location /api {
	proxy_pass http://$apigw:{{ .Values.apigw.mgmtPort }};
	}

	location /v1/health-check {
	proxy_pass http://$apigw:{{ .Values.apigw.apiPort }};
	}

	location /v2 {
	proxy_pass http://$apigw:{{ .Values.apigw.apiPort }};
	}

	{{ if or .Values.metrics.prometheusEnabled .Values.metrics.userMetricsEnabled }}
	location /monitoring {
	proxy_pass http://$grafana:{{ .Values.grafana.port }};
	}
	{{- end }}
	{{- end }}
	location / {
	if ($namespace) {
	rewrite /(.*) /api/v1/web/${namespace}/$1 break;
	}
	proxy_pass http://controllers;
	proxy_read_timeout 75s; # 70+5 additional seconds to allow controller to terminate request
	}

	location /blackbox.tar.gz {
	return 301 https://github.com/apache/openwhisk-runtime-docker/releases/download/sdk%400.1.0/blackbox-0.1.0.tar.gz;
	}
	# leaving this for a while for clients out there to update to the new endpoint
	location /blackbox-0.1.0.tar.gz {
	return 301 /blackbox.tar.gz;
	}

	location /OpenWhiskIOSStarterApp.zip {
	return 301 https://github.com/openwhisk/openwhisk-client-swift/releases/download/0.2.3/starterapp-0.2.3.zip;
	}

	# redirect requests for specific binaries to the matching one from the latest openwhisk-cli release.
	location /cli/go/download/linux/amd64 {
	return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-linux-amd64.tgz;
	}
	location /cli/go/download/linux/386 {
	return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-linux-386.tgz;
	}
	location /cli/go/download/mac/amd64 {
	return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-mac-amd64.zip;
	}
	location /cli/go/download/mac/386 {
	return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-mac-386.zip;
	}
	location /cli/go/download/windows/amd64 {
	return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-windows-amd64.zip;
	}
	location /cli/go/download/windows/386 {
	return 301 https://github.com/apache/openwhisk-cli/releases/download/latest/OpenWhisk_CLI-latest-windows-386.zip;
	}

	# redirect top-level cli downloads to the latest openwhisk-cli release.
	location /cli/go/download {
	return 301 https://github.com/apache/openwhisk-cli/releases/latest;
	}
	}
	}