diff --git a/gnomad-ingress/README.md b/gnomad-ingress/README.md
new file mode 100644
index 0000000..e67f0b9
--- /dev/null
+++ b/gnomad-ingress/README.md
@@ -0,0 +1,89 @@
+# gnomAD ingress configuration
+
+This set of kustomizations configures the ingress object for the gnomAD browser. Because the ingress sits in front of several different services and changes with a much different frequency than our app deployments, we manage it as a separate deployment.
+
+This directory contains a definition for the prod ingress, and a demo base to use for putting an ingress in front front of your demo browser deployments.
+
+## Creating a new demo ingress
+
+Create a new directory at the same level as `demo/`, cd into it, and then run a `kustomize init`:
+
+```bash
+mkdir new-feature-ingress && cd new-feature-ingress
+kustomize init --resources ../demo
+```
+
+In the kustomization.yaml file, you should:
+- Add a nameSuffix or namePrefix to identify your ingress
+- supply a patch to set an appropriate domain name
+- the name of your browser Service object
+- add any specific routes that your ingress needs to serve.
+ - For example, the default demo kustomization serves all traffic to a single service. You may want to specify a `/reads` route if you need to serve reads data from your demo. The [Common Patches](#common-patches) section has details on how to add this functionality.
+
+## Creating or updating the prod ingress
+
+At the moment, we only have one prod ingress. You can view its configuration by running `kustomize build prod`. The deployment is automated via ArgoCD. If you need to make a change to the prod ingress, create a Pull Request with your changes, and coordinate a deployment through Argo once it's reviewed ang merged.
+
+## Common Patches
+
+Here's some examples of patches that could be placed in your kustomization.yaml file. Each `-op:` element here could be used individually, or you can combine multiple operations into a single `-patch:` objects. A complete example that changes the hostname, adds reads URL paths, and sets custom service names can be found in the `example-demo-reads/` folder.
+
+### Setting a domain name for a demo:
+
+```yaml
+patches:
+ - patch: |-
+ - op: replace
+ path: /spec/rules/0/host
+ value: new-feature.gnomad.the-tgg.dev
+ target:
+ group: networking.k8s.io
+ version: v1
+ kind: Ingress
+ name: demo-ingress
+```
+
+### Setting a service name to point at a specific service
+
+```yaml
+ - patch: |-
+ - op: replace
+ path: /spec/rules/0/http/paths/0/backend/service/name
+ value: demo-browser-newfeature
+ target:
+ group: networking.k8s.io
+ version: v1
+ kind: Ingress
+ name: demo-ingress
+```
+
+### Adding reads paths to your demo ingress:
+
+```yaml
+ - patch: |-
+ - op: add
+ path: /spec/rules/0/http/paths/-
+ value:
+ path: "/reads"
+ backend:
+ service:
+ name: demo-reads-service
+ port:
+ number: 80
+ pathType: ImplementationSpecific
+ - op: add
+ path: /spec/rules/0/http/paths/-
+ value:
+ path: "/reads/*"
+ backend:
+ service:
+ name: demo-reads-service
+ port:
+ number: 80
+ pathType: ImplementationSpecific
+ target:
+ group: networking.k8s.io
+ version: v1
+ kind: Ingress
+ name: demo-ingress
+```
diff --git a/gnomad-ingress/demo/frontendconfig.yaml b/gnomad-ingress/demo/frontendconfig.yaml
new file mode 100644
index 0000000..c67a0d0
--- /dev/null
+++ b/gnomad-ingress/demo/frontendconfig.yaml
@@ -0,0 +1,7 @@
+apiVersion: networking.gke.io/v1beta1
+kind: FrontendConfig
+metadata:
+ name: demo-frontendconfig
+spec:
+ redirectToHttps:
+ enabled: true
diff --git a/gnomad-ingress/demo/ingress.yaml b/gnomad-ingress/demo/ingress.yaml
new file mode 100644
index 0000000..cee538e
--- /dev/null
+++ b/gnomad-ingress/demo/ingress.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: demo-ingress
+ annotations:
+ networking.gke.io/managed-certificates: demo-certificate
+ networking.gke.io/v1beta1.FrontendConfig: demo-frontendconfig
+spec:
+ rules:
+ - host: my-demo.gnomad.the-tgg.dev
+ http:
+ paths:
+ - backend:
+ service:
+ name: demo-browser
+ port:
+ number: 80
+ pathType: ImplementationSpecific
diff --git a/gnomad-ingress/demo/kustomization.yaml b/gnomad-ingress/demo/kustomization.yaml
new file mode 100644
index 0000000..6b3b079
--- /dev/null
+++ b/gnomad-ingress/demo/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ingress.yaml
+ - frontendconfig.yaml
+ - managedcertificate.yaml
+labels:
+ - pairs:
+ tier: demo
+ environment: dev
diff --git a/gnomad-ingress/demo/managedcertificate.yaml b/gnomad-ingress/demo/managedcertificate.yaml
new file mode 100644
index 0000000..c3d7547
--- /dev/null
+++ b/gnomad-ingress/demo/managedcertificate.yaml
@@ -0,0 +1,7 @@
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+ name: demo-certificate
+spec:
+ domains:
+ - my-demo.gnomad.the-tgg.dev
diff --git a/gnomad-ingress/example-demo-reads/kustomization.yaml b/gnomad-ingress/example-demo-reads/kustomization.yaml
new file mode 100644
index 0000000..eb83cb8
--- /dev/null
+++ b/gnomad-ingress/example-demo-reads/kustomization.yaml
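Review bot: The placeholder domain `my-demo.gnomad.the-tgg.dev` in demo/managedcertificate.yaml has to be overridden together with the Ingress host, but nothing in the base says so, and the README's "Setting a domain name" patch changes only `/spec/rules/0/host`. An overlay that follows the README alone would keep requesting a certificate for the placeholder name, so the demo hostname would likely be served without a matching certificate. I would add a comment above `domains:`, for example `# Placeholder: overlays must patch /spec/domains to match the Ingress host (see example-demo-reads/)`, and put the same placeholder comment next to `host:` in demo/ingress.yaml.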
@@ -0,0 +1,48 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../demo
+nameSuffix: -newfeature
+patches:
+ - patch: |-
+ - op: replace
+ path: /spec/rules/0/http/paths/0/backend/service/name
+ value: demo-browser-newfeature
+ - op: add
+ path: /spec/rules/0/http/paths/-
+ value:
+ path: "/reads"
+ backend:
+ service:
+ name: demo-reads-service
+ port:
+ number: 80
+ pathType: ImplementationSpecific
+ - op: add
+ path: /spec/rules/0/http/paths/-
+ value:
+ path: "/reads/*"
+ backend:
+ service:
+ name: demo-reads-service
+ port:
+ number: 80
+ pathType: ImplementationSpecific
+ - op: replace
+ path: /spec/rules/0/host
+ value: new-feature.gnomad.the-tgg.dev
+ target:
+ group: networking.k8s.io
+ version: v1
+ kind: Ingress
+ name: demo-ingress
+ - patch: |-
+ - op: replace
+ path: /spec/domains
+ value:
+ - new-feature.gnomad.the-tgg.dev
+ target:
+ group: networking.gke.io
+ version: v1
+ kind: ManagedCertificate
+ name: demo-certificate
diff --git a/gnomad-ingress/prod/backendconfig.yaml b/gnomad-ingress/prod/backendconfig.yaml
new file mode 100644
index 0000000..a611166
--- /dev/null
+++ b/gnomad-ingress/prod/backendconfig.yaml
@@ -0,0 +1,8 @@
+apiVersion: cloud.google.com/v1
+kind: BackendConfig
+metadata:
+ name: gnomad-backend-config
+spec:
+ timeoutSec: 60
+ securityPolicy:
+ name: 'deny-problematic-requests'
diff --git a/gnomad-ingress/prod/frontendconfig.yaml b/gnomad-ingress/prod/frontendconfig.yaml
new file mode 100644
index 0000000..d7dbfb1
--- /dev/null
+++ b/gnomad-ingress/prod/frontendconfig.yaml
@@ -0,0 +1,7 @@
+apiVersion: networking.gke.io/v1beta1
+kind: FrontendConfig
+metadata:
+ name: gnomad-frontend-config
+spec:
+ redirectToHttps:
+ enabled: true
diff --git a/gnomad-ingress/prod/ingress.yaml b/gnomad-ingress/prod/ingress.yaml
new file mode 100644
index 0000000..7caad61
--- /dev/null
+++ b/gnomad-ingress/prod/ingress.yaml
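Review bot: In example-demo-reads/kustomization.yaml, `nameSuffix: -newfeature` renames the ManagedCertificate and FrontendConfig pulled in from `../demo`, but the Ingress refers to them only through annotation values (`demo-certificate` and `demo-frontendconfig` in demo/ingress.yaml). As far as I can tell, kustomize's built-in name-reference rules do not rewrite annotation strings. Unless a nameReference configuration is supplied elsewhere, the rendered Ingress would point at objects that no longer exist under those names, so the demo would come up without its managed certificate and without the HTTPS redirect. I would add two `replace` ops on the annotation paths to the Ingress patch, as sketched below, and confirm the result with `kustomize build example-demo-reads`.

```yaml
# … unchanged: service-name, /reads, /reads/* and host ops of the Ingress patch …
      - op: replace
        path: /metadata/annotations/networking.gke.io~1managed-certificates
        value: demo-certificate-newfeature
      - op: replace
        path: /metadata/annotations/networking.gke.io~1v1beta1.FrontendConfig
        value: demo-frontendconfig-newfeature
# … unchanged: target block for demo-ingress, ManagedCertificate patch …
```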
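Review bot: Nothing in this commit refers to `gnomad-backend-config`, so the manifests here do not show whether `securityPolicy: deny-problematic-requests` and `timeoutSec: 60` in prod/backendconfig.yaml are actually enforced. On GKE a BackendConfig takes effect only for Services that carry the `cloud.google.com/backend-config` annotation, and the Services behind the prod ingress are defined outside this diff. The Cloud Armor policy it names is also not created here. I would add a header comment to the file, for example `# Applied through the cloud.google.com/backend-config annotation on the Services routed by gnomad-ingress; the Cloud Armor policy must already exist in the project`, after confirming which Services are meant to be covered.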
@@ -0,0 +1,77 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: gnomad-ingress
+ labels:
+ tier: production
+ annotations:
+ kubernetes.io/ingress.global-static-ip-name: gnomad-prod-global-ip
+ networking.gke.io/managed-certificates: gnomad-prod-certificate
+ networking.gke.io/v1beta1.FrontendConfig: 'gnomad-frontend-config'
+spec:
+ rules:
+ - host: gnomad.broadinstitute.org
+ http:
+ paths:
+ - backend:
+ service:
+ name: reads-bluegreen-active
+ port:
+ number: 80
+ path: /reads
+ pathType: ImplementationSpecific
+ - backend:
+ service:
+ name: reads-bluegreen-active
+ port:
+ number: 80
+ path: /reads/*
+ pathType: ImplementationSpecific
+ - backend:
+ service:
+ name: reads-bluegreen-preview
+ port:
+ number: 80
+ path: /preview-reads
+ pathType: ImplementationSpecific
+ - backend:
+ service:
+ name: reads-bluegreen-preview
+ port:
+ number: 80
+ path: /preview-reads/*
+ pathType: ImplementationSpecific
+ - backend:
+ service:
+ name: gnomad-blog
+ port:
+ number: 80
+ path: /blog
+ pathType: ImplementationSpecific
+ - backend:
+ service:
+ name: gnomad-blog
+ port:
+ number: 80
+ path: /blog/*
+ pathType: ImplementationSpecific
+ - backend:
+ service:
+ name: gnomad-blog
+ port:
+ number: 80
+ path: /news
+ pathType: ImplementationSpecific
+ - backend:
+ service:
+ name: gnomad-blog
+ port:
+ number: 80
+ path: /news/*
+ pathType: ImplementationSpecific
+ - backend:
+ service:
+ name: gnomad-browser
+ port:
+ number: 80
+ pathType: ImplementationSpecific
diff --git a/gnomad-ingress/prod/kustomization.yaml b/gnomad-ingress/prod/kustomization.yaml
index a700ed3..ede8aec 100644
--- a/gnomad-ingress/prod/kustomization.yaml
+++ b/gnomad-ingress/prod/kustomization.yaml
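Review bot: The `/preview-reads` and `/preview-reads/*` rules in prod/ingress.yaml publish `reads-bluegreen-preview` on the public host `gnomad.broadinstitute.org`, so the not-yet-promoted side of the blue/green rollout is reachable by anyone who requests that path. If that is intended, a comment above those two rules would make it explicit, for example `# preview side of the reads blue/green rollout; intentionally exposed on the prod host`. If it is not, the preview Service is better served from a separate ingress. It is also worth confirming that the preview Service carries the same BackendConfig as the active one, so that the security policy covers both paths.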
@@ -1,5 +1,7 @@
----
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - https://github.com/broadinstitute/gnomad-browser//deploy/manifests/ingress?timeout=120&ref=a74e10c606912738f14fe7ffca8ec05d9f9c732d
+ - ingress.yaml
+ - backendconfig.yaml
+ - frontendconfig.yaml
+ - managedcertificate.yaml
diff --git a/gnomad-ingress/prod/managedcertificate.yaml b/gnomad-ingress/prod/managedcertificate.yaml
new file mode 100644
index 0000000..636ecdd
--- /dev/null
+++ b/gnomad-ingress/prod/managedcertificate.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+ name: gnomad-prod-certificate
+ labels:
+ tier: production
+spec:
+ domains:
+ - gnomad.broadinstitute.org