mirror of
https://github.com/bigchaindb/bigchaindb.git
synced 2024-10-13 13:34:05 +00:00
0ddfc62e3b
Problem The current production deployment template uses 3scale to ensure that POST requests to the network (from anyone) only get through if they come from a client with an account (app_id and app_key). A private network wants to launch so that all HTTP requests (POST and GET) sent to the nodes in the network get be dropped unless they come from a small set of known (and unchanging) clients/sources. They don't need 3scale. They will want a modified version of the production deployment template. Solution Generate a special HTTP header and share it with all the known clients/sources. Have a single NGINX in each node which checks for that HTTP header value. If it's present, let the request pass through to the network. (HTTP headers are encrypted if HTTPS is used.) Are there other simpler or better options?
131 lines
3.6 KiB
YAML
131 lines
3.6 KiB
YAML
apiVersion: extensions/v1beta1
|
|
kind: Deployment
|
|
metadata:
|
|
name: ngx-instance-0-dep
|
|
spec:
|
|
replicas: 1
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: ngx-instance-0-dep
|
|
spec:
|
|
terminationGracePeriodSeconds: 10
|
|
containers:
|
|
- name: nginx
|
|
image: bigchaindb/nginx_https:unstable
|
|
imagePullPolicy: Always
|
|
env:
|
|
- name: CLUSTER_FRONTEND_PORT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: vars
|
|
key: cluster-frontend-port
|
|
- name: HEALTH_CHECK_PORT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: vars
|
|
key: cluster-health-check-port
|
|
- name: CLUSTER_FQDN
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: vars
|
|
key: cluster-fqdn
|
|
- name: DNS_SERVER
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: vars
|
|
key: cluster-dns-server-ip
|
|
- name: MONGODB_BACKEND_HOST
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: vars
|
|
key: ngx-mdb-instance-name
|
|
- name: MONGODB_BACKEND_PORT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: vars
|
|
key: mongodb-backend-port
|
|
- name: OPENRESTY_BACKEND_PORT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: vars
|
|
key: openresty-backend-port
|
|
- name: OPENRESTY_BACKEND_HOST
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: vars
|
|
key: ngx-openresty-instance-name
|
|
- name: BIGCHAINDB_BACKEND_HOST
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: vars
|
|
key: ngx-bdb-instance-name
|
|
- name: BIGCHAINDB_API_PORT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: vars
|
|
key: bigchaindb-api-port
|
|
- name: BIGCHAINDB_WS_PORT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: vars
|
|
key: bigchaindb-ws-port
|
|
- name: TM_PUB_KEY_ACCESS_PORT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: tendermint-config
|
|
key: tm-pub-key-access
|
|
- name: TM_BACKEND_HOST
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: tendermint-config
|
|
key: ngx-tm-instance-name
|
|
- name: TM_P2P_PORT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: tendermint-config
|
|
key: tm-p2p-port
|
|
- name: AUTHORIZATION_MODE
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: vars
|
|
key: authorization-mode
|
|
ports:
|
|
# return a pretty error message on port 80, since we are expecting
|
|
# HTTPS traffic.
|
|
- containerPort: 80
|
|
protocol: TCP
|
|
- containerPort: 443
|
|
protocol: TCP
|
|
- containerPort: 8888
|
|
protocol: TCP
|
|
name: ngx-port
|
|
- containerPort: 9986
|
|
protocol: TCP
|
|
name: tm-pub-key
|
|
- containerPort: 46656
|
|
protocol: TCP
|
|
name: tm-p2p-port
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /health
|
|
port: ngx-port
|
|
initialDelaySeconds: 15
|
|
periodSeconds: 15
|
|
failureThreshold: 3
|
|
timeoutSeconds: 10
|
|
resources:
|
|
limits:
|
|
cpu: 200m
|
|
memory: 768Mi
|
|
volumeMounts:
|
|
- name: https-certs
|
|
mountPath: /etc/nginx/ssl/
|
|
readOnly: true
|
|
restartPolicy: Always
|
|
volumes:
|
|
- name: https-certs
|
|
secret:
|
|
secretName: https-certs
|
|
defaultMode: 0400
|