-
-
Notifications
You must be signed in to change notification settings - Fork 3k
k8s istio config
John McLear edited this page May 27, 2026
·
2 revisions
# Sample Istio config for Etherpad
#
# Three resources: Gateway (TLS + hostname), VirtualService (routing +
# websocket-friendly timeouts), DestinationRule (sticky sessions via the
# socket.io `io` cookie).
#
# Assumes:
# - Istio >= 1.18
# - A Service named `etherpad` in the `etherpad` namespace, port 9001
# - A TLS secret `etherpad-tls` already provisioned in the gateway namespace
# - Hostname etherpad.wikimedia.org — replace as needed
#
# IMPORTANT: sticky sessions are necessary but not sufficient for multi-replica
# Etherpad. Multi-replica also needs the socket.io Redis adapter so pad state
# is shared across pods. Without it, two clients on the same pad routed to
# different pods will see divergent state. See ether/etherpad-lite#3680.
# Recommendation: start with replicas: 1 + good failover, only go multi-replica
# once Redis adapter is wired up.
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: etherpad
namespace: etherpad
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: etherpad-tls
hosts:
- etherpad.wikimedia.org
- port:
number: 80
name: http
protocol: HTTP
hosts:
- etherpad.wikimedia.org
tls:
httpsRedirect: true
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: etherpad
namespace: etherpad
spec:
hosts:
- etherpad.wikimedia.org
gateways:
- etherpad
http:
- match:
- uri:
prefix: /
route:
- destination:
host: etherpad
port:
number: 9001
# No per-request timeout — websockets and long-polling sit on the
# connection indefinitely. Default is 15s, which kills WS upgrades.
timeout: 0s
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: etherpad
namespace: etherpad
spec:
host: etherpad
trafficPolicy:
loadBalancer:
# Sticky sessions on the socket.io session cookie. Required so
# long-polling fallback requests land on the same pod that owns the
# session state. Pure-websocket clients don't need this, but you can't
# rely on every client being able to upgrade.
consistentHash:
httpCookie:
name: io
ttl: 0s # session cookie, expires with the browser tab
connectionPool:
tcp:
maxConnections: 10000
http:
# Must exceed socket.io's pingInterval (25s) + pingTimeout (20s) by
# a comfortable margin. 1h is conservative.
idleTimeout: 3600s
h2UpgradePolicy: UPGRADE
http1MaxPendingRequests: 1000
- Docs
- Translating
- HTTP API
- Plugin framework (API hooks)
- Plugins (available)
- Plugins (list)
- Plugins (wishlist)
- Etherpad URIs / URLs to specific resources IE export
- Etherpad Full data export
- Introduction to the source
- Release Procedure
- Etherpad Developer guidelines
- Project to-do list
- Changeset Library documentation
- Alternative Etherpad-Clients
- Contribution guidelines
- Installing Etherpad
- Deploying Etherpad as a service
- Deploying Etherpad on CloudFoundry
- Deploying Etherpad on Heroku
- Running Etherpad on Phusion Passenger
- Putting Etherpad behind a reverse Proxy (HTTPS/SSL)
- How to setup Etherpad on Ubuntu 12.04 using Ansible
- Migrating from old Etherpad to Etherpad
- Using Etherpad with MySQL
- Customizing the Etherpad web interface
- Enable import/export functionality with AbiWord
- Getting a list of all pads
- Providing encrypted web access to Etherpad using SSL certificates
- Optimizing Etherpad performance including faster page loads
- Getting to know the tools and scripts in the Etherpad /bin/ folder
- Embedding a pad using the jQuery plugin
- Using Embed Parameters
- Integrating Etherpad in a third party app (Drupal, MediaWiki, WordPress, Atlassian, PmWiki)
- HTTP API client libraries