Help:Toolforge/Kubernetes/Reverse proxy

From Wikitech
Any objects manually created in Kubernetes (as opposed to using Toolforge clients and APIs) are not officially supported by the Toolforge admin team. They may stop working without notice following any Kubernetes software update or platform outage.
If you rely on this method, please add a note in the T337191 task so we can better focus our efforts.

Rationale

The Wikimedia projects try very hard to preserve end user privacy by limiting the amount of information that is recorded about website usage and avoiding direct embedding of 3rd party content. When we build tools to support the projects we should attempt to continue this level of privacy protection when possible. Sometimes we can do that by using shared proxy services. We can also create reverse proxies that are specific to a particular tool when needed.

Imagine your webservice includes requests to an external service named cool-api.example.com. Instead of having the client web browser load the external content directly, you can use a proxied endpoint like mytool.toolforge.org/cool-api that will hide the requesting user's IP address from the upstream service.

How to do it

Create new Kubernetes Service and Ingress resources.

To do that, put the following in a reverse-proxy.yaml file in your tool home directory:

---
# Service object for routing requests to cool-api.example.com
apiVersion: v1
kind: Service
metadata:
  name: cool-api-example-com
  namespace: tool-mytool
spec:
  type: ExternalName
  externalName: cool-api.example.com
---
# Ingress object for routing requests to cool-api.example.com
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: proxy-api-example-com
  namespace: tool-mytool
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/upstream-vhost: cool-api.example.com
    nginx.ingress.kubernetes.io/backend-protocol: https
    nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-name: cool-api.example.com
spec:
  rules:
    - host: mytool.toolforge.org
      http:
        paths:
          - backend:
              service:
                name: cool-api-example-com
                port:
                  number: 443
            path: /external-api(/|$)(.*)
            pathType: ImplementationSpecific

Load it in your tool account:

tools.mytool@tools-sgebastion-08:~$ kubectl apply -f reverse-proxy.yaml
service/cool-api-example-com configured
ingress.networking.k8s.io/proxy-api-example-com configured

Repeat the process for each external endpoint you want to reverse-proxy.

A quota bump is likely required to increase allowance for Service resources.
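
To check what the manifest above will send upstream before applying it, the following Python example (added here, not part of the original page or of Toolforge's tooling) models the path rule and the five annotations: it returns the rewritten path, the Host header and the TLS server name for a request path, or None when the rule does not match. The function name upstream_request, the sample paths, and the start-anchored, case-insensitive matching are assumptions of this model.

```python
import re

# Values copied from the reverse-proxy.yaml manifest above.
INGRESS_PATH = r"/external-api(/|$)(.*)"
EXTERNAL_NAME = "cool-api.example.com"  # Service spec.externalName
PORT = 443                              # Ingress backend port number
ANNOTATIONS = {
    "rewrite-target": "/$2",
    "upstream-vhost": "cool-api.example.com",
    "backend-protocol": "https",
    "proxy-ssl-server-name": "on",
    "proxy-ssl-name": "cool-api.example.com",
}


def upstream_request(request_uri):
    """Return the modelled upstream request, or None if the rule does not match."""
    path, _, query = request_uri.partition("?")
    # Assumption: the regex is anchored at the start of the path and matched
    # case-insensitively, which is how ingress-nginx treats regex paths.
    match = re.match(INGRESS_PATH, path, re.IGNORECASE)
    if match is None:
        return None
    # nginx writes capture groups as $1, $2; Python's template form is \g<2>.
    template = re.sub(r"\$(\d)", r"\\g<\1>", ANNOTATIONS["rewrite-target"])
    new_path = match.expand(template)
    if query:  # the original query string is carried over unchanged
        new_path += "?" + query
    sni_on = ANNOTATIONS["proxy-ssl-server-name"] == "on"
    return {
        "connect": f"{EXTERNAL_NAME}:{PORT}",
        "scheme": ANNOTATIONS["backend-protocol"],
        "sni": ANNOTATIONS["proxy-ssl-name"] if sni_on else None,
        "host_header": ANNOTATIONS["upstream-vhost"],
        "path": new_path,
    }


if __name__ == "__main__":
    # Constructed sample request paths on mytool.toolforge.org.
    for uri in ("/external-api", "/external-api/v1/items?limit=5",
                "/external-apiary", "/index.html"):
        print(f"{uri!r:36} -> {upstream_request(uri)}")
```

The (/|$) group is what keeps a path such as /external-apiary from being proxied, and the second capture group is the only part of the original path that reaches the upstream.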
