For #133: Kubernetes tweak (AWS)

Author: dhruvit-r

deployment/charts/presidio/Chart.yaml

@@ -1,5 +1,6 @@
 apiVersion: v2
 description: A context aware, born to the cloud, customizable data loss prevention service
 name: presidio
+type: application
 version: 2.0
-appVersion: latest
+appVersion: 2.2.21

deployment/charts/presidio/nginx.conf

@@ -0,0 +1,57 @@
+error_log                               /dev/stdout info;
+user nginx;
+
+worker_processes auto;
+
+events {
+  worker_connections 1024;
+}
+
+pid        /var/run/nginx.pid;
+
+http {
+    access_log                            /dev/stdout;
+
+    #Redirect to https, using 307 instead of 301 to preserve post data
+
+    server {
+        listen [::]:{{ .Values.nginxPort }} ssl;
+        listen {{ .Values.nginxPort }} ssl;
+
+        server_name localhost;
+
+        # Protect against the BEAST attack by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add
+        # SSLv3 to the list of protocols below.
+        ssl_protocols              TLSv1.2;
+
+        # Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
+        ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
+        ssl_prefer_server_ciphers  on;
+
+        # Optimize TLS/SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive TLS/SSL handshakes.
+        # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
+        # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
+        # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
+        ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
+        ssl_session_timeout  24h;
+
+
+        # Use a higher keepalive timeout to reduce the need for repeated handshakes
+        keepalive_timeout 300; # up from 75 secs default
+
+        # remember the certificate for a year and automatically connect to HTTPS
+        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
+
+        ssl_certificate      /etc/nginx/ssl.crt;
+        ssl_certificate_key  /etc/nginx/ssl.key;
+
+        location / {
+            proxy_pass http://localhost:{{ .Values.appPort }};
+
+            proxy_set_header Connection "";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $remote_addr;
+        }
+    }
+}

deployment/charts/presidio/templates/NOTES.txt

@@ -1,55 +1,8 @@
-{{/* vim: set filetype=mustache */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "presidio.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
-{{- define "presidio.fullname" -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{- define "presidio.analyzer.fullname" -}}
-{{ include "presidio.fullname" . | printf "%s-analyzer" }}
-{{- end -}}
-{{- define "presidio.anonymizer.fullname" -}}
-{{ include "presidio.fullname" . | printf "%s-anonymizer" }}
-{{- end -}}
-{{- define "presidio.anonymizerimage.fullname" -}}
-{{ include "presidio.fullname" . | printf "%s-image-redactor" }}
-{{- end -}}
-{{- define "presidio.ingress.fullname" -}}
-{{ printf "presidio-ingress" }}
-{{- end -}}
-{{- define "presidio.ingress.cert.secretname" -}}
-{{ include "presidio.fullname" . | printf "%s-ingress-cert" }}
-{{- end -}}
-
-{{- define "presidio.analyzer.address" -}}
-{{template "presidio.analyzer.fullname" .}}:{{.Values.analyzer.service.externalPort}}
-{{- end -}}
-
-{{- define "presidio.anonymizer.address" -}}
-{{template "presidio.anonymizer.fullname" .}}:{{.Values.anonymizer.service.externalPort}}
-{{- end -}}
-
-{{- define "presidio.anonymizerimage.address" -}}
-{{template "presidio.anonymizerimage.fullname" .}}:{{.Values.anonymizerimage.service.externalPort}}
-{{- end -}}
-
-{{- define "presidio.rbac.version" }}rbac.authorization.k8s.io/v1{{ end -}}
-
 {{/* Generate certificates for custom-metrics api server */}}
 {{- define "tcx-presidio.gen-certs" -}}
 {{- $ca := genCA (.Values.caCommonName) 365 -}}
 {{- $altNames := list (.Values.certDomainName) -}}
-{{- $cert := genSignedCert (.Values.certDomainName) nil $altNames 365 $ca -}}
-tls.crt: {{ $cert.Cert | b64enc }}
-tls.key: {{ $cert.Key | b64enc }}
+{{- $cert := genSignedCert (.Values.certDomainName) nil $altNames 365 $ca }}
+ssl.crt: {{ $cert.Cert | b64enc }}
+ssl.key: {{ $cert.Key | b64enc }}
 {{- end -}}

deployment/charts/presidio/templates/_helpers.tpl

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Values.appName }}"
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  selector:
+    matchLabels:
+      app: "{{ .Values.appName }}"
+  replicas: {{ .Values.replicaCount }}
+  template:
+    metadata:
+      name: "{{ .Values.appName }}"
+      labels:
+        app: "{{ .Values.appName }}"
+    spec:
+      containers:
+      - name: "{{ .Values.appName }}"
+        image: "{{ .Values.imageName }}"
+        imagePullPolicy: Always
+      - name: nginx
+        image: nginx:{{ .Values.nginxImageTag }}
+        imagePullPolicy: Always
+        ports:
+        - containerPort: {{ .Values.nginxPort }}
+          protocol: TCP
+        volumeMounts:
+        - name: nginx-config
+          mountPath: /etc/nginx
+      volumes:
+      - name: nginx-config
+        secret:
+          secretName: "{{ .Values.appName }}"