CH-225 implement gatekeeper and ingress optimizations #823
Pull Request Overview
This PR implements gatekeeper and ingress optimizations by adding configurable gatekeeper replicas (default: 5) and supporting white-listed endpoints that bypass authentication at the ingress level.
Key Changes:
- Added `GatekeeperConf` model with configurable `image` and `replicas` properties
- Extended ingress template to create direct routes for white-listed URIs, bypassing gatekeepers
- Updated default gatekeeper configuration with optimized replica count and nginx proxy buffer settings
Reviewed Changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| libraries/models/api/openapi.yaml | Added GatekeeperConf schema definition with image and replicas properties |
| libraries/models/cloudharness_model/models/gatekeeper_conf.py | Generated Python model class for GatekeeperConf |
| libraries/models/cloudharness_model/models/proxy_conf.py | Added gatekeeper field to ProxyConf model |
| deployment-configuration/helm/templates/ingress.yaml | Implemented white-listed URI handling to bypass gatekeepers at ingress level |
| deployment-configuration/helm/templates/auto-gatekeepers.yaml | Made gatekeeper replicas and image configurable |
| deployment-configuration/value-template.yaml | Added default gatekeeper configuration (5 replicas) |
| deployment-configuration/helm/values.yaml | Added default gatekeeper configuration values |
| applications/*/deploy/values.yaml | Set gatekeeper replicas to 1 for specific applications |
| @@ -165,7 +165,6 @@ spec: | |||
| resources: | |||
| requests: | |||
| memory: "32Mi" | |||
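Review bot: Dropping the CPU request from `resources.requests` (the hunk shrinks from 7 to 6 lines and leaves only `memory: "32Mi"`) does not make the pod easier to schedule if a `limits.cpu` is still set on the same container, because Kubernetes then uses the limit as the request. Either remove the CPU limit together with the request or keep a small explicit `requests.cpu`, and add a comment in the template saying why the request is omitted so it is not restored by accident.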
CPU request was removed but CPU limit remains. Consider whether the CPU limit should also be removed, or if a request should be restored to ensure proper resource allocation and scheduling.
| memory: "32Mi" | |
| memory: "32Mi" | |
| cpu: "100m" |
cpu request has been removed to ensure pods can be scheduled with high replicas
alxbrd left a comment
Looks good to me. I think the default of 5 replicas is sensible.
Changed the default configuration back to one replica and no cpu limits based on the conversation here: gogatekeeper/gatekeeper#642
Interesting to see a different load testing tool used to benchmark: https://github.com/tsenart/vegeta
Based on the latest thread with the gogatekeeper developer this now looks good to me.
Closes CH-225
Implemented solution
How to test this PR
Can test on samples application: the home page should be visible without logging in.
Sanity checks:
Breaking changes (select one):
`breaking-change` and the migration procedure is well described above
Possible deployment updates issues (select one):
`alert:deployment`
Test coverage (select one):
Documentation (select one):
Nice to have (if relevant):