osuAkatsuki · cmyui · Nov 5, 2023 · Nov 5, 2023 · Nov 6, 2023 · Nov 10, 2023
diff --git a/.github/workflows/k8s-deploy.yml b/.github/workflows/k8s-deploy.yml
@@ -0,0 +1,92 @@
+name: k8s-deploy
+
+on:
+  push:
+    branches:
+      - main
+      - k8s-rev-proxy
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  production-deploy:
+    runs-on: [self-hosted, vpc]
+
+    steps:
+      - name: Check out latest commit
+        uses: actions/checkout@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: osuAkatsuki/rev-proxy
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          tags: |
+            ${{ secrets.DOCKERHUB_USERNAME }}/rev-proxy:latest
+            ${{ secrets.DOCKERHUB_USERNAME }}/rev-proxy:${{ github.sha }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Get kubeconfig from github secrets
+        run: |
+          mkdir -p $HOME/.kube
+          echo "${{ secrets.KUBECONFIG }}" > $HOME/.kube/config
+          sudo chown $(id -u):$(id -g) $HOME/.kube/config
+          chmod 700 $HOME/.kube/config
+
+      - name: Install helm
+        uses: azure/setup-helm@v3
+        with:
+          version: "v3.19.2"
+          token: ${{ secrets.GITHUB_TOKEN }}
+        id: install
+
+      - name: Install helm-diff
+        run: helm plugin install https://github.com/databus23/helm-diff
+
+      - name: Checkout common-helm-charts repo
+        uses: actions/checkout@v3
+        with:
+          repository: osuAkatsuki/common-helm-charts
+          token: ${{ secrets.COMMON_HELM_CHARTS_PAT_2024 }}
+          path: common-helm-charts
+
+      - name: Clear pending deployments
+        run: |
+          kubectl delete secret -n default -l 'status in (pending-install, pending-upgrade, pending-rollback),name=rev-proxy-production'
+
+      - name: Show manifest diff since previous release
+        run: |
+          helm diff upgrade \
+          --namespace default \
+          --allow-unreleased \
+          --color=true \
+          --values chart/values.yaml \
+          rev-proxy-production \
+          common-helm-charts/microservice-base/
+
+      - name: Deploy service to production cluster
+        run: |
+          helm upgrade \
+            --namespace default \
+            --install \
+            --atomic \
+            --wait --timeout 10m \
+            --cleanup-on-fail \
+            --values chart/values.yaml \
+            rev-proxy-production \
+            common-helm-charts/microservice-base/
diff --git a/.github/workflows/production-deploy.yml b/.github/workflows/production-deploy.yml
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1,6 @@
+* @cmyui @infernalfire72
+
+# Infrastructure
+/.github/* @cmyui
+/tf/* @cmyui
+/chart/* @cmyui
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,12 @@
+FROM nginx:latest
+
+WORKDIR /usr/src/app
+
+COPY . .
+
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY sites-enabled/ /etc/nginx/sites-enabled/
+
+EXPOSE 80
+
+ENTRYPOINT [ "nginx", "-g", "daemon off;" ]
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -0,0 +1,32 @@
+apps:
+  - name: rev-proxy
+    environment: production
+    codebase: rev-proxy
+    replicaCount: 2
+    container:
+      image:
+        repository: osuakatsuki/rev-proxy
+        tag: latest
+      port: 80
+      readinessProbe:
+        tcpSocket:
+          port: 80
+        initialDelaySeconds: 5
+        periodSeconds: 10
+        timeoutSeconds: 2
+        successThreshold: 1
+        failureThreshold: 3
+      resources:
+        limits:
+          cpu: 500m
+          memory: 256Mi
+        requests:
+          cpu: 100m
+          memory: 128Mi
+      imagePullSecrets:
+        - name: osuakatsuki-registry-secret
+    service:
+      name: http
+      type: NodePort
+      port: 80
+      nodePort: 30000
diff --git a/nginx.conf b/nginx.conf
@@ -20,6 +20,10 @@ http {
         # server_name_in_redirect off;
         client_max_body_size 20M;
 
+        # nginx uses http/1.0 by default
+        # but istio/envoy proxy requires 1.1
+        proxy_http_version 1.1;
+
         include /etc/nginx/mime.types;
         default_type application/octet-stream;
 
@@ -29,11 +33,12 @@ http {
 
         # logging Settings
         log_format main '[$time_local] $http_CF_Connecting_IP - '
-                        '"$request_method $uri" $status $body_bytes_sent '
+                        '"$request_method $host $uri" $status $body_bytes_sent '
                         '"$http_referer" "$http_user_agent"';
 
         map $status $loggable {
                 ~^[23] 0;
+                404 0;
                 default 1;
         }
         access_log /var/log/nginx/access.log main if=$loggable;
@@ -47,6 +52,13 @@ http {
 
         # compression settings
         gzip on;
+        gzip_vary on;
+        gzip_proxied any;
+        gzip_comp_level 6;
+        gzip_types text/plain text/css text/xml text/javascript
+                   application/json application/javascript application/xml
+                   application/rss+xml application/atom+xml
+                   image/svg+xml font/ttf font/otf;
 
         # deny any connections without a host header
         server {
@@ -55,10 +67,6 @@ http {
                 return      444;
         }
 
-        # define rate limiting zones
-        limit_req_zone $http_CF_Connecting_IP zone=api_zone:10m rate=10r/s;
-        limit_req_zone $http_CF_Connecting_IP zone=osu_zone:10m rate=20r/s;
-
         # virtual host configs
         include /etc/nginx/sites-enabled/*.conf;
 }
diff --git a/sites-enabled/admin_panel.conf b/sites-enabled/admin_panel.conf
@@ -1,29 +1,28 @@
 server {
     listen 80;
-    server_name old.akatsuki.pw old.akatsuki.gg;
+    server_name old.akatsuki.gg old.akatsuki.pw;
 
-    root /home/akatsuki/admin-panel;
-
-    location ~ \.php$ {
-        add_header Access-Control-Allow-Origin *;
-        try_files $uri =404;
-
-        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
-        fastcgi_index index.php;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    # Redirect /phpmyadmin to /phpmyadmin/
+    location = /phpmyadmin {
+        return 301 /phpmyadmin/;
+    }
 
-        include fastcgi.conf;
+    location /phpmyadmin/ {
+        proxy_set_header X-Real-IP $http_CF_Connecting_IP;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
 
-    }
+        # Strip /phpmyadmin prefix before passing to backend
+        rewrite ^/phpmyadmin(/.*)$ $1 break;
 
-    location /.git/ {
-        return 200 "yes";
+        proxy_pass http://phpmyadmin;
     }
 
     location / {
-        add_header Access-Control-Allow-Origin *;
+        proxy_set_header X-Real-IP $http_CF_Connecting_IP;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
 
-        index index.php;
-        rewrite ^/(?:u|d)/\d+$ /rewrite.php;
+        proxy_pass http://admin_panel;
     }
 }
diff --git a/sites-enabled/air_conditioning.conf b/sites-enabled/air_conditioning.conf
@@ -2,11 +2,25 @@ server {
     listen 80;
     server_name air_conditioning.akatsuki.pw air_conditioning.akatsuki.gg;
 
+    client_max_body_size 100M;
+
     location / {
         proxy_set_header X-Real-IP $http_CF_Connecting_IP;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host $http_host;
 
         proxy_pass http://air_conditioning_service;
     }
+
+    location /loader-hub {
+        proxy_set_header X-Real-IP $http_CF_Connecting_IP;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_cache_bypass $http_upgrade;
+        proxy_buffering off;
+
+        proxy_pass http://air_conditioning_service;
+    }
 }
diff --git a/sites-enabled/avatars.conf → sites-enabled/assets.conf b/sites-enabled/avatars.conf → sites-enabled/assets.conf
@@ -2,11 +2,12 @@ server {
 	listen 80;
 	server_name a.akatsuki.pw a.akatsuki.gg;
 
-	location ~ ^/(?<id>\d+|d)(?:\.png)?/?$ {
+    location / {
 		proxy_set_header X-Real-IP $http_CF_Connecting_IP;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header Host $http_host;
+		add_header Cache-Control no-cache;
 
-		proxy_pass http://production_k8s;
+		proxy_pass http://assets_service;
 	}
 }
diff --git a/sites-enabled/bancho.conf b/sites-enabled/bancho.conf
@@ -1,16 +1,14 @@
 server {
     listen 80;
-    server_name c.akatsuki.pw c4.akatsuki.pw ce.akatsuki.pw c.akatsuki.gg c4.akatsuki.gg ce.akatsuki.gg;
+    server_name c.akatsuki.gg c4.akatsuki.gg ce.akatsuki.gg
+                c.akatsuki.pw c4.akatsuki.pw ce.akatsuki.pw;
 
     location / {
-        limit_req zone=osu_zone burst=10 nodelay;
-        limit_req_status 429;
-
         proxy_set_header X-Real-IP $http_CF_Connecting_IP;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host $http_host;
 
-        proxy_pass http://bancho_server;
+        proxy_pass http://bancho_service;
     }
 }
 

diff --git a/sites-enabled/beatmaps.conf b/sites-enabled/beatmaps.conf
@@ -0,0 +1,12 @@
+server {
+    listen 80;
+    server_name beatmaps.akatsuki.gg;
+
+    location / {
+        proxy_set_header X-Real-IP $http_CF_Connecting_IP;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
+
+        proxy_pass http://beatmaps_service;
+    }
+}