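# cndi template for a rate-limiting reverse proxy: ingress-nginx in front of an
# external hostname. `prompts` collects the user's answers; `outputs` renders the
# cndi_config, env and readme from those responses.
prompts:
  # Shared cluster prompts (project_name, deployment_target_provider, ...).
  - $cndi.get_block(https://raw.githubusercontent.com/polyseam/cndi/main/blocks/common/cluster/core-prompts.yaml):
      {}
  # Provider-specific prompts, selected by the deployment_target_provider answer.
  - $cndi.get_block(https://raw.githubusercontent.com/polyseam/cndi/main/blocks/{{ $cndi.get_prompt_response(deployment_target_provider) }}/core-prompts.yaml):
      {}
  # Upstream hostname; rendered into the ExternalName Service and the
  # upstream-vhost annotation of the Ingress.
  - name: host_to_proxy
    message: What is the hostname of the service you wish to proxy?
    type: Input
    default: external-service.example.com
    validators:
      - hostname
  # Public hostname the Ingress (and its TLS certificate) is issued for.
  - name: proxy_host
    message: What is the hostname you wish to deploy the proxy to?
    type: Input
    default: proxy.example.com
    validators:
      - hostname
  # Rendered into nginx.ingress.kubernetes.io/limit-rpm (per client IP).
  - name: rate_limit_rpm
    message: How many requests per minute should be allowed from a single IP?
    type: Number
    default: 100
  # Rendered into nginx.ingress.kubernetes.io/limit-burst-multiplier, which is
  # a multiplier of the rate limit rather than a request count (burst size is
  # roughly rate limit x multiplier). Asking for a request count here with a
  # default of 200 would have produced a 20,000-request burst against a
  # 100 rpm limit, so the question and default now describe the multiplier.
  - name: rate_limit_burst
    message: By what multiple of the per-minute rate limit may a single IP burst? (a multiplier, not a request count)
    type: Number
    default: 5
  # Rendered into the limit_req_status nginx directive via configuration-snippet.
  - name: rate_limit_status_code
    message: What HTTP status code should be returned if the rate limit is exceeded?
    type: Number
    default: 429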
outputs:
  cndi_config:
    cndi_version: v2
    project_name: "{{ $cndi.get_prompt_response(project_name) }}"
    provider: "{{ $cndi.get_prompt_response(deployment_target_provider) }}"
    distribution: "{{ $cndi.get_prompt_response(deployment_target_distribution) }}"
    infrastructure:
      cndi:
        # Optional observability / argocd ingress blocks, each gated on the
        # matching yes/no prompt response.
        $cndi.get_block(https://raw.githubusercontent.com/polyseam/cndi/main/blocks/common/cluster/observability-config.yaml):
          condition:
            - "{{ $cndi.get_prompt_response(deploy_grafana_ingress) }}"
            - ==
            - true
        $cndi.get_block(https://raw.githubusercontent.com/polyseam/cndi/main/blocks/common/cluster/argocd-config.yaml):
          condition:
            - "{{ $cndi.get_prompt_response(deploy_argocd_ingress) }}"
            - ==
            - true
        cert_manager:
          email: "{{ $cndi.get_prompt_response(cert_manager_email) }}"
        external_dns:
          $cndi.get_block(https://raw.githubusercontent.com/polyseam/cndi/main/blocks/external-dns/config/{{ $cndi.get_prompt_response(dns_provider) }}.yaml):
            condition:
              - "{{ $cndi.get_prompt_response(enable_external_dns) }}"
              - ==
              - true
        nodes:
          $cndi.get_block(https://raw.githubusercontent.com/polyseam/cndi/main/blocks/{{ $cndi.get_prompt_response(deployment_target_provider) }}/basic-node-pool.yaml):
            {}
    cluster_manifests:
      # ExternalName Service the Ingress forwards to; it maps to the upstream
      # hostname given in host_to_proxy rather than to in-cluster endpoints.
      rate-limited-service:
        apiVersion: v1
        kind: Service
        metadata:
          name: rate-limited-service
          namespace: rate-limiter
        spec:
          type: ExternalName
          $cndi.comment(external_name): externalName is the service hostname you wish to proxy, should be the same value as specified for "nginx.ingress.kubernetes.io/upstream-vhost"
          externalName: "{{ $cndi.get_prompt_response(host_to_proxy) }}"
      rate-limiter:
        apiVersion: v1
        kind: Namespace
        metadata:
          name: rate-limiter
      # Public entry point: TLS-terminating Ingress that applies the per-IP
      # rate limit and proxies to rate-limited-service over HTTPS.
      rate-limiter-ing:
        apiVersion: networking.k8s.io/v1
        kind: Ingress
        metadata:
          name: rate-limiter-ingress
          namespace: rate-limiter
          annotations:
            cert-manager.io/cluster-issuer: cluster-issuer
            kubernetes.io/tls-acme: "true"
            $cndi.comment(nginx_annotation_link): "to learn more about available nginx annotations checkout https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations"
            # NOTE(review): ingress-nginx does not verify the upstream's TLS
            # certificate unless proxy-ssl-verify is enabled; with a plain
            # HTTPS backend-protocol the connection to host_to_proxy is
            # encrypted but not authenticated — confirm that is acceptable.
            nginx.ingress.kubernetes.io/backend-protocol: HTTPS
            # NOTE(review): the limit is keyed on the client IP the controller
            # sees. Behind a cloud load balancer that does not pass the real
            # client address, all clients share one bucket — verify for the
            # chosen provider.
            nginx.ingress.kubernetes.io/limit-rpm: "{{ $cndi.get_prompt_response(rate_limit_rpm) }}" # rate limit in requests per minute
            nginx.ingress.kubernetes.io/limit-burst-multiplier: "{{ $cndi.get_prompt_response(rate_limit_burst) }}" # burst multiplier
            $cndi.comment(upstream_vhost): "upstream-vhost is the hostname of the external service to proxy"
            nginx.ingress.kubernetes.io/upstream-vhost: "{{ $cndi.get_prompt_response(host_to_proxy) }}"
            $cndi.comment(limit_req_status): "The status code returned if the rate limit is exceeded"
            # the following string is printed without the required whitespace,
            # the semi-colon can also be removed in similar expressions
            # NOTE(review): recent ingress-nginx releases reject or ignore
            # snippet annotations unless the controller's
            # allow-snippet-annotations setting permits them; if disabled,
            # this directive is dropped and rate-limited requests get the
            # controller's default status instead of rate_limit_status_code.
            nginx.ingress.kubernetes.io/configuration-snippet: limit_req_status {{ $cndi.get_prompt_response(rate_limit_status_code) }};
        spec:
          # presumably the class name of the ingress-nginx controller installed
          # by the core blocks — verify against that configuration
          ingressClassName: public
          tls:
            - hosts:
                - "{{ $cndi.get_prompt_response(proxy_host) }}" # domain to deploy proxy to
              # presumably populated by cert-manager via the cluster-issuer /
              # tls-acme annotations above; the name is only a Secret name in
              # this namespace
              secretName: cluster-issuer-private-key
          rules:
            - host: "{{ $cndi.get_prompt_response(proxy_host) }}" # domain to deploy proxy to
              http:
                paths:
                  - path: /
                    pathType: Prefix
                    backend:
                      service:
                        name: rate-limited-service
                        port:
                          number: 443
      # DNS-provider credentials for external-dns, only when it is enabled.
      external-dns-secret:
        $cndi.get_block(https://raw.githubusercontent.com/polyseam/cndi/main/blocks/external-dns/secret/{{ $cndi.get_prompt_response(dns_provider) }}.yaml):
          condition:
            - "{{ $cndi.get_prompt_response(enable_external_dns) }}"
            - ==
            - true
  # Environment variables (git credentials, provider and cluster settings)
  # assembled from the shared blocks.
  env:
    $cndi.get_block(https://raw.githubusercontent.com/polyseam/cndi/main/blocks/common/git-credentials-{{ $cndi.get_prompt_response(git_credentials_mode) }}-env.yaml):
      {}
    $cndi.get_block(https://raw.githubusercontent.com/polyseam/cndi/main/blocks/{{ $cndi.get_prompt_response(deployment_target_provider) }}/env.yaml):
      {}
    $cndi.get_block(https://raw.githubusercontent.com/polyseam/cndi/main/blocks/common/cluster/env.yaml):
      {}
  # README sections: shared text, provider/distribution text, then the
  # proxy-specific section.
  readme:
    project_name: "# {{ $cndi.get_prompt_response(project_name) }}"
    $cndi.get_string(https://raw.githubusercontent.com/polyseam/cndi/main/blocks/common/cluster/core-readme.md):
      {}
    $cndi.get_string(https://raw.githubusercontent.com/polyseam/cndi/main/blocks/{{ $cndi.get_prompt_response(deployment_target_provider) }}/core.md):
      {}
    $cndi.get_string(https://raw.githubusercontent.com/polyseam/cndi/main/blocks/{{ $cndi.get_prompt_response(deployment_target_provider) }}/{{ $cndi.get_prompt_response(deployment_target_distribution) }}.md):
      {}
    proxy: |
      # proxy
      This cluster hosts installs [ArgoCD](https://argo-cd.readthedocs.io) and [Ingress-Nginx Controller](https://kubernetes.github.io/ingress-nginx/) to proxy external services with features like rate limiting