Help:Toolforge/Kubernetes/Reverse proxy

From Wikitech
Any objects manually created in Kubernetes (as opposed to using Toolforge clients) are not officially supported by the Toolforge admin team. They may stop working without notice following any Kubernetes software update or platform outage.
If you rely on this method, please add a note in the T337191 task so we can better focus our efforts.

Rationale

Imagine your webservice includes requests to an external service named cdn.example.com. Instead of having the client web browser load the external content directly, you can use a proxied endpoint like mytool.toolforge.org/external-cdn.

TODO: explain what this is, and why is needed.

How to do it

Create new Kubernetes Service and Ingress resources.

To do that, put the following in a reverse-proxy.yaml file in your tool home directory:

---
# Service object for routing requests to cdn.example.com
apiVersion: v1
kind: Service
metadata:
  name: cdn-example-com
  namespace: tool-mytool
spec:
  type: ExternalName
  externalName: cdn.example.com
---
# Ingress object for routing requests to cdn.example.com
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: proxy-cdn-example-com
  namespace: tool-mytool
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/upstream-vhost: cdn.example.com
    nginx.ingress.kubernetes.io/backend-protocol: https
    nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-name: cdn.example.com
spec:
  rules:
    - host: mytool.toolforge.org
      http:
        paths:
          - backend:
              service:
                name: cdn-example-com
                port:
                  number: 443
            path: /external-cdn(/|$)(.*)
            pathType: ImplementationSpecific

Load it in your tool account:

tools.mytool@tools-sgebastion-08:~$ kubectl apply -f reverse-proxy.yaml 
service/cdn-example-com configured
ingress.networking.k8s.io/proxy-cdn-example-com configured

Repeat the process for each external endpoint you want to reverse-proxy.

A quota bump is likely required to increase allowance for Service resources.
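
How the path regex and the rewrite-target annotation in the manifest above combine, shown as an added example that is not part of the original page. It is a simplified Python model, assuming the ingress controller matches the path as a start-anchored, case-insensitive regex and expands $2 to the second capture group; the request URIs are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Values copied from the manifest on this page.
PATH_REGEX = r"/external-cdn(/|$)(.*)"
REWRITE_TARGET = "/$2"
UPSTREAM_VHOST = "cdn.example.com"


def upstream_url(request_uri, path_regex=PATH_REGEX,
                 target=REWRITE_TARGET, vhost=UPSTREAM_VHOST):
    """Return the URL the proxy would request upstream for request_uri,
    or None when this Ingress rule does not match the path."""
    parts = urlsplit(request_uri)
    # Assumption: start-anchored, case-insensitive match on the path only.
    match = re.match(path_regex, parts.path, re.IGNORECASE)
    if match is None:
        return None
    # Expand nginx-style $N references with the captured groups.
    new_path = re.sub(r"\$(\d)",
                      lambda ref: match.group(int(ref.group(1))) or "",
                      target)
    # The query string is carried over unchanged after the rewrite.
    query = "?" + parts.query if parts.query else ""
    return f"https://{vhost}{new_path}{query}"


if __name__ == "__main__":
    # Constructed sample requests to mytool.toolforge.org.
    samples = [
        "/external-cdn/lib/app.js?v=3",  # prefix stripped, query kept
        "/external-cdn",                 # bare prefix maps to upstream root
        "/external-cdn/",                # trailing slash maps to upstream root
        "/external-cdnfoo/x",            # (/|$) rejects look-alike prefixes
        "/other",                        # handled by the tool's own webservice
    ]
    for uri in samples:
        print(f"{uri:32} -> {upstream_url(uri)}")
```

A None result means the request is not proxied by this rule, which is how the (/|$) group keeps paths such as /external-cdnfoo from reaching cdn.example.com.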

See also

TODO.