Update nginx configuration to capture all traffic to the static IP
Right now we have only one service we need to serve. I kept the cert manager config for now in case we want to get a hostname in the near future. Updated doc + minor doc / setup fixes. fixes #242
parent
89a70c7b05
commit
381b1bf1a6
4 changed files with 18 additions and 24 deletions
|
@ -1,6 +1,8 @@
|
||||||
# Status
|
# Status
|
||||||
|
|
||||||
:exclamation: We have ongoing [issue](https://github.com/google/llvm-premerge-checks/issues/243) with windows build taking more that 2 hours to complete.
|
:exclamation: We have ongoing [issue](
|
||||||
|
https://github.com/google/llvm-premerge-checks/issues/243) with windows build
|
||||||
|
taking more that 2 hours to complete.
|
||||||
That also causes follow up builds to fail. Thus **windows builds are temporary disabled**.
|
That also causes follow up builds to fail. Thus **windows builds are temporary disabled**.
|
||||||
|
|
||||||
# Overview
|
# Overview
|
||||||
|
|
|
@ -90,23 +90,20 @@ combined result to Phabricator.
|
||||||
|
|
||||||
## Ingress and public addresses
|
## Ingress and public addresses
|
||||||
|
|
||||||
https://build.llvm-merge-guard.org/ URL points to [phabricator
|
We use NGINX ingress for Kubernetes. Right now it's only used to provide basic
|
||||||
proxy](../phabricator-proxy) application.
|
HTTP authentication and forwards all requests from load balancer to
|
||||||
|
[phabricator proxy](../phabricator-proxy) application.
|
||||||
|
|
||||||
We use NGINX ingress for Kubernetes and Let's Encrypt certificate manager.
|
|
||||||
Follow up to date docs to install [reverse
|
Follow up to date docs to install [reverse
|
||||||
proxy](https://kubernetes.github.io/ingress-nginx/deploy/#gce-gke) and
|
proxy](https://kubernetes.github.io/ingress-nginx/deploy/#gce-gke).
|
||||||
[certificate
|
|
||||||
manager](http://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html).
|
We also have [certificate manager](
|
||||||
|
http://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html) and
|
||||||
|
[lets-encrypt configuration](../kubernetes/cert-issuer.yaml) in place, but they are
|
||||||
|
not used at the moment and should be removed if we decide to live with static IP.
|
||||||
|
|
||||||
[lets-encrypt configuration](../kubernetes/cert-issuer.yaml).
|
HTTP auth is configured with k8s secret 'http-auth' in 'buildkite' namespace
|
||||||
|
(see [how to update auth](playbooks.md#update-http-auth-credentials)).
|
||||||
Access to the service is restricted with basic HTTP auth. It's configured with
|
|
||||||
k8s secret 'http-auth' in 'buildkite' namespace (see [how to update
|
|
||||||
auth](playbooks.md#update-http-auth-credentials))
|
|
||||||
|
|
||||||
llvm-merge-guard.org domain is managed by [Google
|
|
||||||
Domains](https://domains.google.com/).
|
|
||||||
|
|
||||||
## Linux agents
|
## Linux agents
|
||||||
|
|
||||||
|
|
|
@ -1,23 +1,18 @@
|
||||||
|
# This ingress matches ALL requests to nginx.
|
||||||
apiVersion: extensions/v1beta1
|
apiVersion: extensions/v1beta1
|
||||||
kind: Ingress
|
kind: Ingress
|
||||||
metadata:
|
metadata:
|
||||||
name: nginx-ingress-build
|
name: nginx-ingress-all
|
||||||
namespace: buildkite
|
namespace: buildkite
|
||||||
annotations:
|
annotations:
|
||||||
kubernetes.io/ingress.global-static-ip-name: "web-static-ip"
|
kubernetes.io/ingress.global-static-ip-name: "web-static-ip"
|
||||||
kubernetes.io/ingress.class: "nginx"
|
kubernetes.io/ingress.class: "nginx"
|
||||||
cert-manager.io/cluster-issuer: "letsencrypt-prod"
|
|
||||||
nginx.ingress.kubernetes.io/auth-type: basic
|
nginx.ingress.kubernetes.io/auth-type: basic
|
||||||
nginx.ingress.kubernetes.io/auth-secret: http-auth
|
nginx.ingress.kubernetes.io/auth-secret: http-auth
|
||||||
nginx.ingress.kubernetes.io/auth-realm: "LLVM pre-merge checks"
|
nginx.ingress.kubernetes.io/auth-realm: "LLVM pre-merge checks"
|
||||||
spec:
|
spec:
|
||||||
tls:
|
|
||||||
- secretName: build-prod-tls
|
|
||||||
hosts:
|
|
||||||
- build.llvm-merge-guard.org
|
|
||||||
rules:
|
rules:
|
||||||
- host: build.llvm-merge-guard.org
|
- http:
|
||||||
http:
|
|
||||||
paths:
|
paths:
|
||||||
- backend:
|
- backend:
|
||||||
serviceName: phabricator-proxy
|
serviceName: phabricator-proxy
|
||||||
|
|
|
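Review bot: With the `tls:` block and the `host:` rule removed from `spec`, the `nginx.ingress.kubernetes.io/auth-type: basic` credentials backed by the `http-auth` secret are accepted over plain HTTP on the static IP, so they cross the network base64-encoded but unencrypted. ingress-nginx redirects to HTTPS by default only when the Ingress carries a TLS section, so unless TLS is terminated in front of this controller (not visible in this hunk), consider keeping a `tls:` entry with a certificate for the address. Alternatively add `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` under `annotations`, which would serve the controller's default certificate unless another is configured. Separately, `kubernetes.io/ingress.global-static-ip-name` is read by the GCE ingress controller and is probably ignored with `kubernetes.io/ingress.class: "nginx"`; a comment such as `# static IP is bound on the ingress-nginx LoadBalancer Service, not here` would avoid confusion if that is the case. The manifest continues past the end of this hunk.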
@ -24,9 +24,9 @@ sudo apt install -y google-cloud-sdk kubectl docker
|
||||||
|
|
||||||
# configure gCloud
|
# configure gCloud
|
||||||
source "${ROOT_DIR}/k8s_config"
|
source "${ROOT_DIR}/k8s_config"
|
||||||
|
gcloud auth login
|
||||||
gcloud config set project ${GCP_PROJECT}
|
gcloud config set project ${GCP_PROJECT}
|
||||||
gcloud config set compute/zone ${GCP_ZONE}
|
gcloud config set compute/zone ${GCP_ZONE}
|
||||||
|
|
||||||
# setup docker for pushing containers
|
# setup docker for pushing containers
|
||||||
gcloud auth configure-docker
|
gcloud auth configure-docker
|
||||||
gcloud container clusters get-credentials $GCP_CLUSTER
|
gcloud container clusters get-credentials $GCP_CLUSTER
|