Commit graph

283 commits

Author SHA1 Message Date
Joseph Schorr
109bda3a6a Add nginx configuration to serve our older SSL certificate from v1.quay.io and v1-staging.quay.io
This will allow us to upgrade our cluster to the new SSL certificate, while still serving the older one for older clients
2018-09-05 13:05:47 -04:00
Sam Chow
d58930095f Fix certs install script (again) 2018-08-23 13:33:57 -04:00
Sam Chow
ff294d6c52 Add init script to download extra ca certs 2018-08-17 15:42:42 -04:00
Joseph Schorr
f2d50b3f8e Add run commands for backfill worker 2018-08-13 14:56:32 -04:00
Brad Ison
662daf1351 Add config for nginx vhost-traffic-status module 2018-07-25 12:57:13 -04:00
Sam Chow
45853deef1 Merge pull request #3162 from quay/fix-config-app-certs-install
Override config directory in certs install script in config app
2018-07-18 17:23:50 -04:00
Joseph Schorr
2f297ab4fe Increase the rate limit on the API 2018-07-18 15:44:20 -04:00
Joseph Schorr
91e7b4264e Increase burst rate on API rate limit to allow security scan info to be loaded 2018-07-18 15:23:58 -04:00
Sam Chow
860703c2b2 Override config directory in certs install script in config app 2018-07-18 14:21:25 -04:00
Sam Chow
51ae1e03d4 Change cert install script to read from config dir
Temporarily breaks the config app certs install, which will be fixed
later.
2018-07-18 14:01:07 -04:00
Sam Chow
9024419896 Modify ldap validator to just check user existence
Remove auth user check from updating config app config

remove duplicate certs install script
2018-07-11 16:49:13 -04:00
Joseph Schorr
33a8099f35 Temporarily double the request limit. We'll start ratcheting it down over time. 2018-06-20 14:31:51 -04:00
Joseph Schorr
1d94e4d605 Audit our endpoints and ensure everything has a defined rate limit (even if quite large)
For registry operations, these were the numbers found at the time the PR was written:

download_blob 108 per second across fleet
v2_auth 180 per second across fleet
catalog 1 per second across fleet
fetch_manifest 205 per second across fleet
list_all_tags 150 per second across fleet

With an average fleet size of 25. As a result, we went with a registry limit of 10r/s (10 * 25 = 250 requests) to bound even the most prolific puller.

Fixes https://jira.coreos.com/browse/QUAY-976
2018-06-20 13:36:24 -04:00
Joseph Schorr
ef167ab7e3 Rate limit the catalog endpoint by auth token and IP address 2018-06-05 18:24:31 -04:00
Jimmy Zelinskie
e542de7e65 nginx: temporarily disable catalog for production 2018-06-05 16:06:10 -04:00
josephschorr
7722721396 Merge pull request #3064 from quay/joseph.schorr/QUAY-928/fix-worker-count
Fix worker count to use CPU affinity correctly and be properly bounded
2018-05-07 20:45:26 +03:00
Joseph Schorr
b26a131085 Fix worker count to use CPU affinity correctly and be properly bounded
We were using the `cpu_count`, which doesn't respect container affinity. Now, we use `cpu_affinity` and also bound to make sure we don't start a million workers

Fixes https://jira.coreos.com/browse/QUAY-928
2018-05-03 11:57:20 +03:00
Joseph Schorr
e20295f573 Fix Kubernetes config provider for recent changes in Kub API
Kubernetes secret volumes are now mounted as read-only, so we have to write the files *only* via the Kub API

Fixes https://jira.coreos.com/browse/QUAY-911
2018-04-22 17:22:28 +03:00
Joseph Schorr
ab0172d2fd Switch Quay to using an in-container memcached for data model caching 2018-02-27 16:55:22 -05:00
Joseph Schorr
8bc55a5676 Make namespace deletion asynchronous
Instead of deleting a namespace synchronously as before, we now mark the namespace for deletion, disable it, and rename it. A worker then comes along and deletes the namespace in the background. This results in a *significantly* better user experience, as the namespace deletion operation now "completes" in under a second, where before it could take 10s of minutes at the worst.

Fixes https://jira.coreos.com/browse/QUAY-838
2018-02-27 13:12:51 -05:00
Joseph Schorr
d45161b120 Add a worker to automatically GC expired app specific tokens
Fixes https://jira.coreos.com/browse/QUAY-822
2018-02-12 14:56:01 -05:00
josephschorr
ccef3bffe9 Merge pull request #2978 from coreos-inc/joseph.schorr/QS-117/gunicorn-worker-count
Make gunicorn worker count scale automatically and be configurable
2018-02-02 13:46:17 -05:00
Joseph Schorr
da9b05fa4a Remove syslog check lines from all services 2018-02-02 13:38:25 -05:00
Joseph Schorr
0f49d787eb Fix syslog for updated phusion base image
Syslog is now started outside of the normal init process
2018-02-02 10:52:18 -05:00
Joseph Schorr
4cd3d110db Make gunicorn worker count scale automatically and be configurable
Fixes https://jira.coreos.com/browse/QS-117
2018-02-02 10:34:19 -05:00
Joseph Schorr
9f996a8745 Change worker processes to be auto set based on CPU count
Fixes https://jira.coreos.com/browse/QS-109
2018-01-10 11:10:57 -05:00
Joseph Schorr
6de96ee8a5 Fix the custom cert install process to install to the new certifi location, in addition to the old location
Also updates our requirements around requests
2017-12-15 17:26:44 -05:00
Jimmy Zelinskie
e36bf25a5e nginx: rate limit 1r/s
This reduces our rate limiting down to 1 request per second.
2017-12-13 13:15:32 -05:00
josephschorr
3bef21253d Merge pull request #2695 from coreos-inc/oidc-internal-auth
OIDC internal auth support
2017-10-02 16:51:17 -04:00
Joseph Schorr
05b4a7d457 Add worker to update ipresolver data files every few hours 2017-09-28 14:40:59 -04:00
Joseph Schorr
ed897c7cb0 Change OIDC engine to not be federated
We don't need linking, just the ability to perform lookup
2017-09-12 12:26:41 -04:00
Joseph Schorr
bd67eaf856 Make SSL more resilient and cached 2017-09-05 18:02:07 -04:00
Alec Merdler
ae9bd8b727 Merge pull request #2837 from alecmerdler/QUAY-755
Fix 502 Error Page
2017-07-28 12:30:02 -04:00
Alec Merdler
fb7df1e568 fixed 502 route in Nginx config 2017-07-27 14:45:18 -04:00
Jake Moshenko
572eeca8f5 Split the runit services into interactive and batch categories. 2017-07-27 14:30:45 -04:00
Joseph Schorr
be62ede87c Pass DB connection pooling arg 2017-07-27 14:22:44 -04:00
Joseph Schorr
f79542fefb Enable connection pooling in the registry 2017-07-27 14:00:23 -04:00
josephschorr
78652de3ee Merge pull request #2766 from coreos-inc/joseph.schorr/QUAY-634/buildlogsarchiver-data-interface
Change buildlogsarchiver to use a data model interface
2017-07-19 16:40:05 -04:00
josephschorr
9bd4cee029 Merge pull request #2765 from coreos-inc/joseph.schorr/QUAY-629/globalprom-data-interface
Switch globalpromstats worker to use a data interface
2017-07-19 16:39:36 -04:00
Erica
6576965647 Merge pull request #2780 from coreos-inc/FIX-teamsync-logger
fix(init/service/teamsyncworker/log/run): log correct worker
2017-07-12 23:38:44 -04:00
josephschorr
fdb21aa5dc Merge pull request #2777 from coreos-inc/joseph.schorr/QUAY-618/notificationworker-data-interface
Change notificationworker to use data interface
2017-07-13 00:23:15 +03:00
josephschorr
2206c81a95 Merge pull request #2776 from coreos-inc/joseph.schorr/QUAY-652/servicekeyworker-data-interface
Change service key worker to use a data interface
2017-07-13 00:22:49 +03:00
EvB
67abfe7483 fix(init/service/teamsyncworker/log/run): log correct worker 2017-07-12 13:52:22 -04:00
Joseph Schorr
fbfd78532c Move notification worker to its own package 2017-07-12 17:35:09 +03:00
Joseph Schorr
3b496e2759 Move serverkeyworker into its own package 2017-07-12 15:57:02 +03:00
Joseph Schorr
e2cf2d6f2b Move teamsyncworker into its own package 2017-07-12 15:53:01 +03:00
josephschorr
dc6c6b30fc Merge pull request #2768 from coreos-inc/joseph.schorr/QUAY-653/blobuploadcleanupworker-data-interface
Change blobuploadcleanupworker to use a data interface
2017-07-12 00:32:09 +03:00
Evan Cordell
8d07bbc7af Remove volumes 2017-07-11 10:54:56 -04:00
Joseph Schorr
b87415129f Move blobuploadcleanupworker into its own package 2017-07-11 15:38:10 +03:00
Joseph Schorr
22f088d90a Move buildlogsarchiver worker to its own package 2017-07-11 14:42:18 +03:00