broadinstitute · sjahl · Sep 11, 2024 · Sep 11, 2024
diff --git a/gnomad-ingress/README.md b/gnomad-ingress/README.md
@@ -0,0 +1,89 @@
+# gnomAD ingress configuration
+
+This set of kustomizations configures the ingress object for the gnomAD browser. Because the ingress sits in front of several different services and changes with a much different frequency than our app deployments, we manage it as a separate deployment.
+
+This directory contains a definition for the prod ingress, and a demo base to use for putting an ingress in front front of your demo browser deployments.
+
+## Creating a new demo ingress
+
+Create a new directory at the same level as `demo/`, cd into it, and then run a `kustomize init`:
+
+```bash
+mkdir new-feature-ingress && cd new-feature-ingress
+kustomize init --resources ../demo
+```
+
+In the kustomization.yaml file, you should:
+- Add a nameSuffix or namePrefix to identify your ingress
+- supply a patch to set an appropriate domain name
+- the name of your browser Service object
+- add any specific routes that your ingress needs to serve.
+  - For example, the default demo kustomization serves all traffic to a single service. You may want to specify a `/reads` route if you need to serve reads data from your demo. The [Common Patches](#common-patches) section has details on how to add this functionality.
+
+## Creating or updating the prod ingress
+
+At the moment, we only have one prod ingress. You can view its configuration by running `kustomize build prod`. The deployment is automated via ArgoCD. If you need to make a change to the prod ingress, create a Pull Request with your changes, and coordinate a deployment through Argo once it's reviewed ang merged.
+
+## Common Patches
+
+Here's some examples of patches that could be placed in your kustomization.yaml file. Each `-op:` element here could be used individually, or you can combine multiple operations into a single `-patch:` objects. A complete example that changes the hostname, adds reads URL paths, and sets custom service names can be found in the `example-demo-reads/` folder.
+
+### Setting a domain name for a demo:
+
+```yaml
+patches:
+  - patch: |-
+      - op: replace
+        path: /spec/rules/0/host
+        value: new-feature.gnomad.the-tgg.dev
+    target:
+      group: networking.k8s.io
+      version: v1
+      kind: Ingress
+      name: demo-ingress
+```
+
+### Setting a service name to point at a specific service
+
+```yaml
+  - patch: |-
+      - op: replace
+        path: /spec/rules/0/http/paths/0/backend/service/name
+        value: demo-browser-newfeature
+    target:
+      group: networking.k8s.io
+      version: v1
+      kind: Ingress
+      name: demo-ingress
+```
+
+### Adding reads paths to your demo ingress:
+
+```yaml
+  - patch: |-
+      - op: add
+        path: /spec/rules/0/http/paths/-
+        value:
+          path: "/reads"
+          backend:
+            service:
+              name: demo-reads-service
+              port:
+                number: 80
+          pathType: ImplementationSpecific
+      - op: add
+        path: /spec/rules/0/http/paths/-
+        value:
+          path: "/reads/*"
+          backend:
+            service:
+              name: demo-reads-service
+              port:
+                number: 80
+          pathType: ImplementationSpecific
+    target:
+      group: networking.k8s.io
+      version: v1
+      kind: Ingress
+      name: demo-ingress
+```
diff --git a/gnomad-ingress/demo/frontendconfig.yaml b/gnomad-ingress/demo/frontendconfig.yaml
@@ -0,0 +1,7 @@
+apiVersion: networking.gke.io/v1beta1
+kind: FrontendConfig
+metadata:
+  name: demo-frontendconfig
+spec:
+  redirectToHttps:
+    enabled: true
diff --git a/gnomad-ingress/demo/ingress.yaml b/gnomad-ingress/demo/ingress.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: demo-ingress
+  annotations:
+    networking.gke.io/managed-certificates: demo-certificate
+    networking.gke.io/v1beta1.FrontendConfig: demo-frontendconfig
+spec:
+  rules:
+    - host: my-demo.gnomad.the-tgg.dev
+      http:
+        paths:
+          - backend:
+              service:
+                name: demo-browser
+                port:
+                  number: 80
+            pathType: ImplementationSpecific
diff --git a/gnomad-ingress/demo/kustomization.yaml b/gnomad-ingress/demo/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ingress.yaml
+  - frontendconfig.yaml
+  - managedcertificate.yaml
+labels:
+  - pairs:
+      tier: demo
+      environment: dev
diff --git a/gnomad-ingress/demo/managedcertificate.yaml b/gnomad-ingress/demo/managedcertificate.yaml
@@ -0,0 +1,7 @@
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+  name: demo-certificate
+spec:
+  domains:
+    - my-demo.gnomad.the-tgg.dev
diff --git a/gnomad-ingress/example-demo-reads/kustomization.yaml b/gnomad-ingress/example-demo-reads/kustomization.yaml
@@ -0,0 +1,48 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../demo
+nameSuffix: -newfeature
+patches:
+  - patch: |-
+      - op: replace
+        path: /spec/rules/0/http/paths/0/backend/service/name
+        value: demo-browser-newfeature
+      - op: add
+        path: /spec/rules/0/http/paths/-
+        value:
+          path: "/reads"
+          backend:
+            service:
+              name: demo-reads-service
+              port:
+                number: 80
+          pathType: ImplementationSpecific
+      - op: add
+        path: /spec/rules/0/http/paths/-
+        value:
+          path: "/reads/*"
+          backend:
+            service:
+              name: demo-reads-service
+              port:
+                number: 80
+          pathType: ImplementationSpecific
+      - op: replace
+        path: /spec/rules/0/host
+        value: new-feature.gnomad.the-tgg.dev
+    target:
+      group: networking.k8s.io
+      version: v1
+      kind: Ingress
+      name: demo-ingress
+  - patch: |-
+      - op: replace
+        path: /spec/domains
+        value:
+        - new-feature.gnomad.the-tgg.dev
+    target:
+      group: networking.gke.io
+      version: v1
+      kind: ManagedCertificate
+      name: demo-certificate
diff --git a/gnomad-ingress/prod/backendconfig.yaml b/gnomad-ingress/prod/backendconfig.yaml
@@ -0,0 +1,8 @@
+apiVersion: cloud.google.com/v1
+kind: BackendConfig
+metadata:
+  name: gnomad-backend-config
+spec:
+  timeoutSec: 60
+  securityPolicy:
+    name: 'deny-problematic-requests'
diff --git a/gnomad-ingress/prod/frontendconfig.yaml b/gnomad-ingress/prod/frontendconfig.yaml
@@ -0,0 +1,7 @@
+apiVersion: networking.gke.io/v1beta1
+kind: FrontendConfig
+metadata:
+  name: gnomad-frontend-config
+spec:
+  redirectToHttps:
+    enabled: true
diff --git a/gnomad-ingress/prod/ingress.yaml b/gnomad-ingress/prod/ingress.yaml
@@ -0,0 +1,77 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gnomad-ingress
+  labels:
+    tier: production
+  annotations:
+    kubernetes.io/ingress.global-static-ip-name: gnomad-prod-global-ip
+    networking.gke.io/managed-certificates: gnomad-prod-certificate
+    networking.gke.io/v1beta1.FrontendConfig: 'gnomad-frontend-config'
+spec:
+  rules:
+    - host: gnomad.broadinstitute.org
+      http:
+        paths:
+          - backend:
+              service:
+                name: reads-bluegreen-active
+                port:
+                  number: 80
+            path: /reads
+            pathType: ImplementationSpecific
+          - backend:
+              service:
+                name: reads-bluegreen-active
+                port:
+                  number: 80
+            path: /reads/*
+            pathType: ImplementationSpecific
+          - backend:
+              service:
+                name: reads-bluegreen-preview
+                port:
+                  number: 80
+            path: /preview-reads
+            pathType: ImplementationSpecific
+          - backend:
+              service:
+                name: reads-bluegreen-preview
+                port:
+                  number: 80
+            path: /preview-reads/*
+            pathType: ImplementationSpecific
+          - backend:
+              service:
+                name: gnomad-blog
+                port:
+                  number: 80
+            path: /blog
+            pathType: ImplementationSpecific
+          - backend:
+              service:
+                name: gnomad-blog
+                port:
+                  number: 80
+            path: /blog/*
+            pathType: ImplementationSpecific
+          - backend:
+              service:
+                name: gnomad-blog
+                port:
+                  number: 80
+            path: /news
+            pathType: ImplementationSpecific
+          - backend:
+              service:
+                name: gnomad-blog
+                port:
+                  number: 80
+            path: /news/*
+            pathType: ImplementationSpecific
+          - backend:
+              service:
+                name: gnomad-browser
+                port:
+                  number: 80
+            pathType: ImplementationSpecific
diff --git a/gnomad-ingress/prod/kustomization.yaml b/gnomad-ingress/prod/kustomization.yaml
@@ -1,5 +1,7 @@
----
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - https://github.com/broadinstitute/gnomad-browser//deploy/manifests/ingress?timeout=120&ref=a74e10c606912738f14fe7ffca8ec05d9f9c732d
+  - ingress.yaml
+  - backendconfig.yaml
+  - frontendconfig.yaml
+  - managedcertificate.yaml
diff --git a/gnomad-ingress/prod/managedcertificate.yaml b/gnomad-ingress/prod/managedcertificate.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+  name: gnomad-prod-certificate
+  labels:
+    tier: production
+spec:
+  domains:
+    - gnomad.broadinstitute.org