
Commit 3bc6e44

committed
ref(router): use deis confd fork
1 parent 8c25a62 commit 3bc6e44

5 files changed

Lines changed: 73 additions & 77 deletions


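--- a/router/image/Dockerfile
+++ b/router/image/Dockerfile
@@ -6,8 +6,8 @@ ENV DEBIAN_FRONTEND noninteractive
 RUN apt-get update && apt-get install -y curl net-tools sudo
 
 # install confd
-RUN curl -sSL -o /usr/local/bin/confd https://github.com/kelseyhightower/confd/releases/download/v0.9.0/confd-0.9.0-linux-amd64 \
-&& chmod +x /usr/local/bin/confd
+RUN curl -sSL -o /usr/local/bin/confd https://s3-us-west-2.amazonaws.com/opdemand/confd-git-73f7489 \
+&& chmod +x /usr/local/bin/confd
 
 # install common packages
 RUN apt-get update && apt-get install -y libgeoip1 cron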
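Review bot: The confd binary fetched on new lines 9-10 is made executable with no integrity check, and `curl -sSL` without `-f` will save an HTTP error body as `/usr/local/bin/confd` instead of failing the build. The object name `confd-git-73f7489` points at a git snapshot in an S3 bucket rather than a tagged release, so nothing in the image build pins what that URL actually serves. Adding `-f` to the curl call and a digest check between the download and the chmod, for example `&& echo "<SHA256_OF_CONFD_BINARY>  /usr/local/bin/confd" | sha256sum -c - \`, would make the build fail if the object is replaced or the download is truncated.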

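--- a/router/image/templates/deis.cert
+++ b/router/image/templates/deis.cert
@@ -1 +1 @@
-{{ if exists "/deis/router/sslCert" }}{{ getv "/deis/router/sslCert" }}{{ end }}
+{{ getv "/deis/router/sslCert" }}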
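Review bot: With the `exists` guard gone, rendering this file depends on how the fork's `getv` treats a missing `/deis/router/sslCert`, and nothing in the template records that dependency; the same applies to `deis.key` and to every `or (getv "…") "default"` in `nginx.conf`. Upstream confd, as far as its documentation goes, treats `getv` on a missing key without a default as a template error, so the templates would presumably stop rendering if the image were ever rebuilt against an upstream binary. A same-line template comment would document this without changing the rendered output: `{{/* relies on the deis confd fork: getv yields "" for a missing key */}}{{ getv "/deis/router/sslCert" }}`.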

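--- a/router/image/templates/deis.conf
+++ b/router/image/templates/deis.conf
@@ -1,9 +1,9 @@
 server_name_in_redirect off;
 port_in_redirect off;
-listen 80{{ if .deis_router_proxyProtocol }} proxy_protocol{{ end }};
+listen 80{{ if exists "/deis/router/proxyProtocol" }} proxy_protocol{{ end }};
 
-{{ if .deis_router_sslCert }}
-listen 443 ssl spdy{{ if .deis_router_proxyProtocol }} proxy_protocol{{ end }};
+{{ if exists "/deis/router/sslCert" }}
+listen 443 ssl spdy{{ if exists "/deis/router/proxyProtocol" }} proxy_protocol{{ end }};
 ssl_certificate /etc/ssl/deis.cert;
 ssl_certificate_key /etc/ssl/deis.key;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;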
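Review bot: Both `listen` lines now add `proxy_protocol` whenever `/deis/router/proxyProtocol` exists, while `nginx.conf` in this same commit treats the value `false` as disabled (`ne $useProxyProtocol "false"`). With the key set to `false`, the listeners rendered from this file would expect a PROXY header while `set_real_ip_from`, `real_ip_header` and the healthcheck listener are rendered without it, so the two files disagree on whether the client address is taken from the header. Testing the value the same way keeps them in step, for example `listen 80{{ if ne (or (getv "/deis/router/proxyProtocol") "false") "false" }} proxy_protocol{{ end }};` and likewise on the 443 line.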

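--- a/router/image/templates/deis.key
+++ b/router/image/templates/deis.key
@@ -1 +1 @@
-{{ if exists "/deis/router/sslKey" }}{{ getv "/deis/router/sslKey" }}{{ end }}
+{{ getv "/deis/router/sslKey" }}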

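--- a/router/image/templates/nginx.conf
+++ b/router/image/templates/nginx.conf
@@ -2,14 +2,15 @@
 daemon off;
 
 user www-data;
-worker_processes {{ or (.deis_router_workerProcesses) "auto" }};
+worker_processes {{ or (getv "/deis/router/workerProcesses") "auto" }};
 pid /run/nginx.pid;
 
 events {
-worker_connections {{ or (.deis_router_maxWorkerConnections) "768" }};
+worker_connections {{ or (getv "/deis/router/maxWorkerConnections") "768" }};
 # multi_accept on;
 }
 
+
 http {
 # basic settings
 sendfile on;
@@ -18,45 +19,44 @@ http {
 
 # The Timeout value must be greater than the front facing load balancers timeout value.
 # Default is the deis recommended timeout value for ELB - 1200 seconds + 100s extra.
-{{ $defaultTimeout := or (.deis_router_defaultTimeout) "1300" }}
+{{ $defaultTimeout := or (getv "/deis/router/defaultTimeout") "1300" }}
 keepalive_timeout {{ $defaultTimeout }};
 
 types_hash_max_size 2048;
-server_names_hash_max_size {{ or (.deis_router_serverNameHashMaxSize) "512" }};
-server_names_hash_bucket_size {{ or (.deis_router_serverNameHashBucketSize) "64" }};
+server_names_hash_max_size {{ or (getv "/deis/router/serverNameHashMaxSize") "512" }};
+server_names_hash_bucket_size {{ or (getv "/deis/router/serverNameHashBucketSize") "64" }};
 
 include /opt/nginx/conf/mime.types;
 default_type application/octet-stream;
-{{ if .deis_router_gzip }}
-gzip {{ .deis_router_gzip }};
-gzip_comp_level {{ or .deis_router_gzipCompLevel "5" }};
-gzip_disable {{ or .deis_router_gzipDisable "\"msie6\"" }};
-gzip_http_version {{ or .deis_router_gzipHttpVersion "1.1" }};
-gzip_min_length {{ or .deis_router_gzipMinLength "256" }};
-gzip_types {{ or .deis_router_gzipTypes "application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component" }};
-gzip_proxied {{ or .deis_router_gzipProxied "any" }};
-gzip_vary {{ or .deis_router_gzipVary "on" }};
+{{ if exists "/deis/router/gzip" }}
+gzip {{ getv "/deis/router/gzip" }};
+gzip_comp_level {{ or (getv "/deis/router/gzipCompLevel") "5" }};
+gzip_disable {{ or (getv "/deis/router/gzipDisable") "\"msie6\"" }};
+gzip_http_version {{ or (getv "/deis/router/gzipHttpVersion") "1.1" }};
+gzip_min_length {{ or (getv "/deis/router/gzipMinLength") "256" }};
+gzip_types {{ or (getv "/deis/router/gzipTypes") "application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component" }};
+gzip_proxied {{ or (getv "/deis/router/gzipProxied") "any" }};
+gzip_vary {{ or (getv "/deis/router/gzipVary") "on" }};
 {{ end }}
 
-{{ $useFirewall := or .deis_router_firewall_enabled "false" }}{{ if eq $useFirewall "true" }}# include naxsi rules
+{{ $useFirewall := or (getv "/deis/router/firewall/enabled") "false" }}{{ if eq $useFirewall "true" }}# include naxsi rules
 include /opt/nginx/firewall/naxsi_core.rules;
 include /opt/nginx/firewall/web_apps.rules;
 include /opt/nginx/firewall/scanner.rules;
 include /opt/nginx/firewall/web_server.rules;{{ end }}
-{{ $firewallErrorCode := or (.deis_router_firewall_errorCode) "400" }}
-
-client_max_body_size {{ or (.deis_router_bodySize) "1m" }};
+{{ $firewallErrorCode := or (getv "/deis/router/firewall/errorCode") "400" }}
+client_max_body_size "{{ or (getv "/deis/router/bodySize") "1m" }}";
 
-{{ $useProxyProtocol := or (.deis_router_proxyProtocol) "false" }}{{ if ne $useProxyProtocol "false" }}
-set_real_ip_from {{ or (.deis_router_proxyRealIpCidr) "10.0.0.0/8" }};
+{{ $useProxyProtocol := or (getv "/deis/router/proxyProtocol") "false" }}{{ if ne $useProxyProtocol "false" }}
+set_real_ip_from {{ or (getv "/deis/router/proxyRealIpCidr") "10.0.0.0/8" }};
 real_ip_header proxy_protocol;
 {{ end }}
 
-log_format upstreaminfo '[$time_local] - {{ if .deis_router_proxyProtocol }}$proxy_protocol_addr{{ else }}$remote_addr{{ end }} - $remote_user - $status - "$request" - $bytes_sent - "$http_referer" - "$http_user_agent" - "$server_name" - $upstream_addr - $http_host - $upstream_response_time - $request_time';
+log_format upstreaminfo '[$time_local] - {{ if ne $useProxyProtocol "false" }}$proxy_protocol_addr{{ else }}$remote_addr{{ end }} - $remote_user - $status - "$request" - $bytes_sent - "$http_referer" - "$http_user_agent" - "$server_name" - $upstream_addr - $http_host - $upstream_response_time - $request_time';
 
 # send logs to STDOUT so they can be seen using 'docker logs'
 access_log /opt/nginx/logs/access.log upstreaminfo;
-error_log /opt/nginx/logs/error.log {{ or (.deis_router_errorLogLevel) "error" }};
+error_log /opt/nginx/logs/error.log {{ or (getv "/deis/router/errorLogLevel") "error" }};
 
 map $http_upgrade $connection_upgrade {
 default upgrade;
@@ -69,20 +69,20 @@ http {
 '' $scheme;
 }
 
-{{ $enforceHTTPS := or .deis_router_enforceHTTPS "false" }}
+{{ $enforceHTTPS := or (getv "/deis/router/enforceHTTPS") "false" }}
 
 ## start deis-controller
-{{ if .deis_controller_host }}
+{{ if exists "/deis/controller/host" }}
 upstream deis-controller {
-server {{ .deis_controller_host }}:{{ .deis_controller_port }};
+server {{ getv "/deis/controller/host" }}:{{ getv "/deis/controller/port" }};
 }
 {{ end }}
 
 server {
 server_name ~^deis\.(?<domain>.+)$;
 include deis.conf;
 
-{{ if .deis_controller_host }}
+{{ if exists "/deis/controller/host" }}
 location / {
 {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
 proxy_buffering off;
@@ -93,9 +93,9 @@ http {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 {{ end }}
 proxy_redirect off;
-proxy_connect_timeout {{ or (.deis_router_controller_timeout_connect) "10s" }};
-proxy_send_timeout {{ or (.deis_router_controller_timeout_send) "20m" }};
-proxy_read_timeout {{ or (.deis_router_controller_timeout_read) "20m" }};
+proxy_connect_timeout {{ or (getv "/deis/router/controller/timeout/connect") "10s" }};
+proxy_send_timeout {{ or (getv "/deis/router/controller/timeout/send") "20m" }};
+proxy_read_timeout {{ or (getv "/deis/router/controller/timeout/read") "20m" }};
 
 proxy_pass http://deis-controller;
 }
@@ -107,7 +107,8 @@ http {
 
 {{ if eq $useFirewall "true" }}location /RequestDenied {
 return {{ $firewallErrorCode }};
-}{{ end }}
+}
+{{ end }}
 
 {{ if eq $enforceHTTPS "true" }}
 if ($access_scheme != "https") {
@@ -118,9 +119,9 @@ http {
 ## end deis-controller
 
 ## start deis-store-gateway
-{{ if .deis_store_gateway_host }}
+{{ if exists "/deis/store/gateway/host" }}
 upstream deis-store-gateway {
-server {{ .deis_store_gateway_host }}:{{ .deis_store_gateway_port }};
+server {{ getv "/deis/store/gateway/host" }}:{{ getv "/deis/store/gateway/port" }};
 }
 {{ end }}
 
@@ -130,7 +131,7 @@ http {
 
 client_max_body_size 0;
 
-{{ if .deis_store_gateway_host }}
+{{ if exists "/deis/store/gateway/host" }}
 location / {
 {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
 proxy_buffering off;
@@ -154,37 +155,34 @@ http {
 {{ end }}
 }
 ## end deis-store-gateway
-
+{{ $useSSL := or (getv "/deis/router/sslCert") "false" }}
+{{ $domains := ls "/deis/domains" }}
+{{ $certs := ls "/deis/certs" }}
 ## start service definitions for each application
-{{ $affinityArg := .deis_router_affinityArg }}
-{{ $certs := .deis_certs }}
-{{ $domains := .deis_domains }}
-{{ $root := . }}
-{{ range $service := .deis_services }}{{ if $service.Nodes }}
-upstream {{ Base $service.Key }} {
-{{ if $affinityArg }}hash $arg_{{ $affinityArg }} consistent;
+{{ range $app := lsdir "/deis/services" }}
+{{ $upstreams := printf "/deis/services/%s/*" $app}}
+upstream {{ $app }} {
+{{ if exists "/deis/router/affinityArg" }}
+hash $arg_{{ getv "/deis/router/affinityArg" }} consistent;
 {{ end }}
-{{ range $upstream := $service.Nodes }}server {{ $upstream.Value }};
+{{ range gets $upstreams }}server {{ .Value }};
 {{ end }}
 }
-{{ end }}
-
+{{ $appContainers := gets $upstreams }}{{ $appContainerLen := len $appContainers }}
 ## server entries for custom domains
-{{ range $domain := $domains }}{{ if eq (Base $service.Key) $domain.Value }}
+{{ range $app_domain := $domains }}{{ if eq $app (getv (printf "/deis/domains/%s" $app_domain)) }}
 server {
-server_name {{ Base $domain.Key }};
+server_name {{ $app_domain }};
 {{/* if a SSL certificate is installed for this domain, use SSL */}}
 {{/* NOTE (bacongobbler): domains are separate from the default platform domain, */}}
 {{/* so we can't rely on deis.conf as each domain is an island */}}
-{{/* FIXME (bacongobbler): confd turns hyphens to dashes, so we need to account */}}
-{{/* for that in domains */}}
-{{ if index $root (printf "deis_certs_%s_cert" (Replace (Base $domain.Key) "-" "_" -1)) }}
+{{ if exists (printf "/deis/certs/%s/cert" $app_domain) }}
 server_name_in_redirect off;
 port_in_redirect off;
 listen 80{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }};
 listen 443 ssl spdy{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }};
-ssl_certificate /etc/ssl/deis/certs/{{ Base $domain.Key }}.cert;
-ssl_certificate_key /etc/ssl/deis/keys/{{ Base $domain.Key }}.key;
+ssl_certificate /etc/ssl/deis/certs/{{ $app_domain }}.cert;
+ssl_certificate_key /etc/ssl/deis/keys/{{ $app_domain }}.key;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 {{/* if there's no app SSL cert but we have a router SSL cert, enable that instead */}}
 {{/* TODO (bacongobbler): wait for https://github.com/kelseyhightower/confd/issues/270 */}}
@@ -193,8 +191,7 @@ http {
 {{ else }}
 include deis.conf;
 {{ end }}
-
-{{ if $service.Nodes }}
+{{ if ne $appContainerLen 0 }}
 location / {
 {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
 proxy_buffering off;
@@ -229,26 +226,24 @@ http {
 }
 {{ end }}
 
-proxy_pass http://{{ Base $service.Key }};
+proxy_pass http://{{ $app }};
 }
 {{ else }}
 location / {
 return 503;
 }
 {{ end }}
-
 {{ if eq $useFirewall "true" }}location /RequestDenied {
 return {{ $firewallErrorCode }};
-}{{ end }}
-}
-{{ end }}{{ end }}
+}
+{{ end }}
+}{{ end }}{{ end }}
 ## end entries for custom domains
 
 server {
-server_name ~^{{ Base $service.Key }}\.(?<domain>.+)$;
+server_name ~^{{ $app }}\.(?<domain>.+)$;
 include deis.conf;
-
-{{ if $service.Nodes }}
+{{ if ne $appContainerLen 0 }}
 location / {
 {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
 proxy_buffering off;
@@ -283,7 +278,7 @@ http {
 }
 {{ end }}
 
-proxy_pass http://{{ Base $service.Key }};
+proxy_pass http://{{ $app }};
 }
 {{ else }}
 location / {
@@ -292,14 +287,14 @@ http {
 {{ end }}
 {{ if eq $useFirewall "true" }}location /RequestDenied {
 return {{ $firewallErrorCode }};
-}{{ end }}
-}
-{{ end }}
+}
+{{ end }}
+}{{ end }}
 ## end service definitions for each application
 
 # healthcheck
 server {
-listen 80 default_server{{ if .deis_router_proxyProtocol }} proxy_protocol{{ end }};
+listen 80 default_server{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }};
 location /health-check {
 default_type 'text/plain';
 access_log off;
@@ -312,16 +307,17 @@ http {
 }
 
 ## start builder
-{{ if .deis_builder_host }}
+{{ if exists "/deis/builder/host" }}
 stream {
+
 upstream builder {
-server {{ .deis_builder_host }}:{{ .deis_builder_port }};
+server {{ getv "/deis/builder/host" }}:{{ getv "/deis/builder/port" }};
 }
 
 server {
 listen 2222;
-proxy_connect_timeout {{ or (.deis_router_builder_timeout_connect) "10000" }};
-proxy_timeout {{ or (.deis_router_builder_timeout_tcp) "1200000" }};
+proxy_connect_timeout {{ or (getv "/deis/router/builder/timeout/connect") "10000" }};
+proxy_timeout {{ or (getv "/deis/router/builder/timeout/tcp") "1200000" }};
 proxy_pass builder;
 }
 }{{ end }}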
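Review bot: In the `@@ -154,37 +155,34 @@` hunk, `upstream {{ $app }} {` is now emitted for every entry returned by `lsdir "/deis/services"`, where the removed code wrapped the block in `{{ if $service.Nodes }}`. The template still renders a `return 503;` location when `$appContainerLen` is 0, so an app with no containers is an expected state; for such an app the upstream block would contain no `server` line, which nginx rejects at config load, and that would block the reload for every app behind the router. Moving `{{ $appContainers := gets $upstreams }}{{ $appContainerLen := len $appContainers }}` above the block and wrapping the block in `{{ if ne $appContainerLen 0 }}` … `{{ end }}` restores the guard. Whether `lsdir` in the fork can actually return an app with no entries is not visible on this page and should be confirmed against the fork.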
