charts/nginz: Support galeb and allow upstream services to be in another namespace

changelog.d/2-features/nginz-galeb

@@ -0,0 +1 @@
+charts/nginz: Add upstream configuration for galeb

changelog.d/2-features/nginz-upstream-namespace

@@ -0,0 +1 @@
+charts/nginz: Allow upstreams to be in other namespaces

charts/cannon/templates/conf/_nginx.conf.tpl

@@ -145,6 +145,10 @@ http {
   limit_req_zone $rate_limited_by_zuser zone=reqs_per_user:12m rate=10r/s;
   limit_req_zone $rate_limited_by_addr zone=reqs_per_addr:12m rate=5r/m;
 
+{{- range $limit := .Values.nginx_conf.user_rate_limit_request_zones }}
+  {{ $limit }}
+{{- end }}
+
   limit_conn_zone $rate_limited_by_zuser zone=conns_per_user:10m;
   limit_conn_zone $rate_limited_by_addr zone=conns_per_addr:10m;
 
@@ -280,6 +284,11 @@ http {
         limit_req zone=reqs_per_addr burst=5 nodelay;
         limit_conn conns_per_addr 20;
               {{- end -}}
+            {{- else }}
+
+              {{- if hasKey $location "specific_user_rate_limit" }}
+        limit_req zone={{ $location.specific_user_rate_limit }} nodelay;
+              {{- end }}
             {{- end }}
 
         if ($request_method = 'OPTIONS') {
@@ -290,7 +299,7 @@ http {
             return 204;
         }
 
-        proxy_pass         http://{{ $name }};
+        proxy_pass         http://{{ $name }}{{ if hasKey $.Values.nginx_conf.upstream_namespace $name }}.{{ get $.Values.nginx_conf.upstream_namespace $name }}{{end}};
         proxy_http_version 1.1;
 
             {{- if ($location.disable_request_buffering) }}

charts/cannon/values.yaml

@@ -29,6 +29,7 @@ nginx_conf:
   worker_rlimit_nofile: 131072
   worker_connections: 65536
   disabled_paths: []
+  user_rate_limit_request_zones: []
 
   tls:
     protocols: TLSv1.2 TLSv1.3
@@ -50,6 +51,17 @@ nginx_conf:
   # The list entries must be full hostnames (they are **not** combined with
   # 'external_env_domain'). http and https URLs are allow listed.
   randomport_allowlisted_origins: [] # default is empty by intention
+
+  # Setting this value does nothing as the only upstream recongnized here is
+  # 'cannon' and is forwarded to localhost. This is here only to make sure that
+  # nginx.conf templating doesn't differ too much with the one in nginz helm
+  # chart.
+  upstream_namespace: {}
+
+  # Only upstream recognized by the generated nginx config is 'cannon', the
+  # server for this will be cannon running on localhost. This setting is like
+  # this so that templating for nginx.conf doesn't differ too much from the one
+  # in the nginz helm chart.
   upstreams:
     cannon:
     - path: /await

charts/nginz/templates/conf/_nginx.conf.tpl

@@ -145,6 +145,10 @@ http {
   limit_req_zone $rate_limited_by_zuser zone=reqs_per_user:12m rate=10r/s;
   limit_req_zone $rate_limited_by_addr zone=reqs_per_addr:12m rate=5r/m;
 
+{{- range $limit := .Values.nginx_conf.user_rate_limit_request_zones }}
+  {{ $limit }}
+{{- end }}
+
   limit_conn_zone $rate_limited_by_zuser zone=conns_per_user:10m;
   limit_conn_zone $rate_limited_by_addr zone=conns_per_addr:10m;
 
@@ -277,6 +281,11 @@ http {
         limit_req zone=reqs_per_addr burst=5 nodelay;
         limit_conn conns_per_addr 20;
               {{- end -}}
+            {{- else }}
+
+              {{- if hasKey $location "specific_user_rate_limit" }}
+        limit_req zone={{ $location.specific_user_rate_limit }} nodelay;
+              {{- end }}
             {{- end }}
 
         if ($request_method = 'OPTIONS') {
@@ -287,7 +296,7 @@ http {
             return 204;
         }
 
-        proxy_pass         http://{{ $name }};
+        proxy_pass         http://{{ $name }}{{ if hasKey $.Values.nginx_conf.upstream_namespace $name }}.{{ get $.Values.nginx_conf.upstream_namespace $name }}{{end}};
         proxy_http_version 1.1;
 
             {{- if ($location.disable_request_buffering) }}

charts/nginz/templates/conf/_upstreams.txt.tpl

@@ -1,3 +1,3 @@
 {{ define "nginz_upstreams.txt" }}
-{{ range $key, $value := .Values.nginx_conf.upstreams }}{{ if not (has $key $.Values.nginx_conf.ignored_upstreams) }} {{ $key }} {{ end }}{{ end -}}
-{{ end }}
+{{ range $key, $value := .Values.nginx_conf.upstreams }}{{ if not (has $key $.Values.nginx_conf.ignored_upstreams) }} {{ $key }}{{ if hasKey $.Values.nginx_conf.upstream_namespace $key }}.{{ get $.Values.nginx_conf.upstream_namespace $key }}{{end}} {{ end }}{{ end -}}
+{{ end }}

charts/nginz/values.yaml

@@ -51,22 +51,40 @@ nginx_conf:
   - /conversations/([^/]*)/call/state
   - /search/top
   - /search/common
+
+  # This value must be a list of strings. Each string is copied verbatim into
+  # the nginx.conf after the default 'limit_req_zone' directives. This should be
+  # used to create request zones which can then be specified in
+  # 'upstreams.<upstream>.<n>.specific_user_rate_limit'.
+  user_rate_limit_request_zones:
+    - limit_req_zone $rate_limited_by_zuser zone=reqs_per_user_signatures:12m rate=10r/m;
+
   # The origins from which we allow CORS requests. These are combined with
   # 'external_env_domain' to form a full url
   allowlisted_origins:
     - webapp
     - teams
     - account
+
   # The origins from which we allow CORS requests at random ports. This is
   # useful for testing with HTTP proxies and should not be used in production.
   # The list entries must be full hostnames (they are **not** combined with
   # 'external_env_domain'). http and https URLs are allow listed.
   randomport_allowlisted_origins: [] # default is empty by intention
+
   # Add 'cannon' to 'ignored_upstreams' if you wish to make use of separate
-  # network traffic to cannon-with-its-own-nginz
-  # See also "Separate incoming websocket network traffic from the rest of the
-  # https traffic" section in the docs.
+  # network traffic to cannon-with-its-own-nginz See also "Separate incoming
+  # websocket network traffic from the rest of the https traffic" section in the
+  # docs.
   ignored_upstreams: []
+
+  # If an upstream runs in a different namespace than nginz, its namespace must
+  # be specified here otherwise nginz_disco will fail to find the upstream and
+  # nginx will think that the upstream is down.
+  upstream_namespace: {
+    # galeb: integrations
+  }
+
   upstreams:
     cargohold:
     - path: /conversations/([^/]*)/assets
@@ -484,6 +502,27 @@ nginx_conf:
       - all
       versioned: false
       strip_version: true
+    galeb:
+    - path: /consent
+      envs:
+      - all
+      disable_zauth: true
+      versioned: false
+      strip_version: true
+    - path: /self/consent
+      versioned: false
+      strip_version: true
+    - path: /signature
+      versioned: false
+      specific_user_rate_limit: reqs_per_user_signatures
+      strip_version: true
+    - path: /i/marketo/emails/([^/]*)$
+      disable_zauth: true
+      versioned: false
+      basic_auth: true
+      envs:
+      - staging
+
     calling-test:
     - path: /calling-test
       envs:

docs/src/how-to/install/configuration-options.rst

@@ -514,3 +514,19 @@ You need Giphy/Google/Spotify/Soundcloud API keys (if you want to
 support previews by proxying these services)
 
 See the ``proxy`` chart for configuration.
+
+Routing traffic to other namespaces via nginz
+---------------------------------------------
+
+If you have some components running in namespaces different from nginz. For
+instance, the billing service (``ibis``) could be deployed to a separate
+namespace, say ``integrations``. But it still needs to get traffic via
+``nginz``. When this is needed, the helm config can be adjusted like this:
+
+.. code:: yaml
+
+   # in your wire-server/values.yaml overrides:
+   nginz:
+     nginx_conf:
+       upstream_namespace:
+         ibis: integrations