......@@ -27,6 +27,8 @@ spec:
- name: adm-secret
mountPath: "/var/run/varnish"
readOnly: true
- name: varnish-home
mountPath: "/var/run/varnish-home"
livenessProbe:
exec:
command:
......@@ -38,6 +40,9 @@ spec:
httpGet:
path: /ready
port: k8s
args:
- -n
- /var/run/varnish-home
volumes:
- name: adm-secret
secret:
......@@ -45,3 +50,6 @@ spec:
items:
- key: admin
path: _.secret
- name: varnish-home
emptyDir:
medium: "Memory"
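Review bot: The livenessProbe whose `exec: command:` is cut off at the end of the first hunk is the one place in this manifest that may still open Varnish's shared memory without the new home directory; if that command runs varnishadm or another tool that opens the VSM files, it now needs `-n /var/run/varnish-home` too, exactly as the documentation hunk in this commit notes for kubectl exec. The added `emptyDir` with `medium: "Memory"` has no `sizeLimit`, so the tmpfs is bounded only by the pod's memory limit; adding `sizeLimit:` sized for the shared-memory files (presumably the VSL log size set by `-l` plus the stats segment, to be confirmed) keeps a runaway write there from evicting the whole pod. Both points apply equally to every other manifest section in this commit that adds the same volume and `-n` argument, including all of the example deployments below. The probe command itself lies outside the visible hunk.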
......@@ -44,6 +44,65 @@ for details about available options.
- workspace_client=256k
```
### Using ``-n`` to mount the Varnish home directory in tmpfs
The [sample manifest](/deploy/varnish.yaml) shown in the
[deployment instructions](/deploy/) uses the ``-n`` command-line
option to set the Varnish home directory to a path mounted in
tmpfs. The same configuration is used in all of the sample Varnish
deployments shown in the [``examples/`` folder](/examples/).
This is a best practice for Varnish, and is recommeneded for all
deployments. Among other things, the home directory contains the files
that are mapped to shared memory, used by Varnish for logging and
statistics. The tmpfs mount ensures that there is no file I/O involved
in any of the work that Varnish does for these purposes.
The configuration for ``-n`` requires that an ``emptyDir`` volume is
defined in the Pod template with ``medium:"Memory"`` specified in
order to use tmpfs:
```
spec:
# [...]
volumes:
# [...]
- name: varnish-home
emptyDir:
medium: "Memory"
```
In ``spec.container``, the path of the home directory is specified for
the volume mount, and that path is used as the argument of the ``-n``
option:
```
spec:
containers:
- image: varnish-ingress/varnish
# [...]
volumeMounts:
# [...]
- name: varnish-home
mountPath: "/var/run/varnish-home"
# [...]
args:
- -n
- /var/run/varnish-home
```
You may of course choose a different path name. Note that this use of
``-n`` means that other commands in the Varnish container that access
shared memory, such as
[``varnishlog``](https://varnish-cache.org/docs/6.1/reference/varnishlog.html),
[``varnishstat``](https://varnish-cache.org/docs/6.1/reference/varnishstat.html)
or
[``varnishadm``](https://varnish-cache.org/docs/6.1/reference/varnishadm.html),
must also be called with the ``-n`` option set to the Varnish home
directory (for example when executed via ``kubectl exec``).
### Restrictions on command-line arguments
Because of the fact that the container starts with a number of options
in order to implement the role of an Ingress, there are restrictions
on the options that you can or should set. Some of them result in
......@@ -28,6 +28,8 @@ spec:
- name: adm-secret
mountPath: "/var/run/varnish"
readOnly: true
- name: varnish-home
mountPath: "/var/run/varnish-home"
livenessProbe:
exec:
command:
......@@ -39,6 +41,9 @@ spec:
httpGet:
path: /ready
port: k8s
args:
- -n
- /var/run/varnish-home
volumes:
- name: adm-secret
secret:
......@@ -46,3 +51,6 @@ spec:
items:
- key: admin
path: _.secret
- name: varnish-home
emptyDir:
medium: "Memory"
......@@ -28,6 +28,8 @@ spec:
- name: adm-secret
mountPath: "/var/run/varnish"
readOnly: true
- name: varnish-home
mountPath: "/var/run/varnish-home"
livenessProbe:
exec:
command:
......@@ -39,6 +41,9 @@ spec:
httpGet:
path: /ready
port: k8s
args:
- -n
- /var/run/varnish-home
volumes:
- name: adm-secret
secret:
......@@ -46,3 +51,6 @@ spec:
items:
- key: admin
path: _.secret
- name: varnish-home
emptyDir:
medium: "Memory"
......@@ -28,6 +28,8 @@ spec:
- name: adm-secret
mountPath: "/var/run/varnish"
readOnly: true
- name: varnish-home
mountPath: "/var/run/varnish-home"
livenessProbe:
exec:
command:
......@@ -39,6 +41,9 @@ spec:
httpGet:
path: /ready
port: k8s
args:
- -n
- /var/run/varnish-home
volumes:
- name: adm-secret
secret:
......@@ -46,3 +51,6 @@ spec:
items:
- key: admin
path: _.secret
- name: varnish-home
emptyDir:
medium: "Memory"
......@@ -30,6 +30,8 @@ spec:
- name: adm-secret
mountPath: "/var/run/varnish"
readOnly: true
- name: varnish-home
mountPath: "/var/run/varnish-home"
livenessProbe:
exec:
command:
......@@ -41,6 +43,9 @@ spec:
httpGet:
path: /ready
port: k8s
args:
- -n
- /var/run/varnish-home
volumes:
- name: adm-secret
secret:
......@@ -48,3 +53,6 @@ spec:
items:
- key: admin
path: _.secret
- name: varnish-home
emptyDir:
medium: "Memory"
......@@ -30,6 +30,8 @@ spec:
- name: adm-secret
mountPath: "/var/run/varnish"
readOnly: true
- name: varnish-home
mountPath: "/var/run/varnish-home"
livenessProbe:
exec:
command:
......@@ -41,6 +43,9 @@ spec:
httpGet:
path: /ready
port: k8s
args:
- -n
- /var/run/varnish-home
volumes:
- name: adm-secret
secret:
......@@ -48,3 +53,6 @@ spec:
items:
- key: admin
path: _.secret
- name: varnish-home
emptyDir:
medium: "Memory"
......@@ -30,6 +30,8 @@ spec:
- name: adm-secret
mountPath: "/var/run/varnish"
readOnly: true
- name: varnish-home
mountPath: "/var/run/varnish-home"
livenessProbe:
exec:
command:
......@@ -41,6 +43,9 @@ spec:
httpGet:
path: /ready
port: k8s
args:
- -n
- /var/run/varnish-home
volumes:
- name: adm-secret
secret:
......@@ -48,3 +53,6 @@ spec:
items:
- key: admin
path: _.secret
- name: varnish-home
emptyDir:
medium: "Memory"
......@@ -30,6 +30,8 @@ spec:
- name: adm-secret
mountPath: "/var/run/varnish"
readOnly: true
- name: varnish-home
mountPath: "/var/run/varnish-home"
livenessProbe:
exec:
command:
......@@ -41,6 +43,9 @@ spec:
httpGet:
path: /ready
port: k8s
args:
- -n
- /var/run/varnish-home
volumes:
- name: adm-secret
secret:
......@@ -48,3 +53,6 @@ spec:
items:
- key: admin
path: _.secret
- name: varnish-home
emptyDir:
medium: "Memory"
......@@ -28,6 +28,8 @@ spec:
- name: adm-secret
mountPath: "/var/run/varnish"
readOnly: true
- name: varnish-home
mountPath: "/var/run/varnish-home"
livenessProbe:
exec:
command:
......@@ -40,14 +42,8 @@ spec:
path: /ready
port: k8s
args:
# varnishd command-line options
# In this example: varnishd -l 80M -p default_grace=10
# These are default values for the given options in Varnish 6.1.
# Shown here to demonstrate setting options for Varnish.
- -l
- 80M
- -p
- default_grace=10
- -n
- /var/run/varnish-home
volumes:
- name: adm-secret
secret:
......@@ -55,3 +51,6 @@ spec:
items:
- key: admin
path: _.secret
- name: varnish-home
emptyDir:
medium: "Memory"
......@@ -27,6 +27,8 @@ spec:
- name: adm-secret
mountPath: "/var/run/varnish"
readOnly: true
- name: varnish-home
mountPath: "/var/run/varnish-home"
livenessProbe:
exec:
command:
......@@ -42,12 +44,15 @@ spec:
# varnishd command-line options
# In this example:
# varnishd -s malloc,256m -t 900 -p workspace_client=256k
- -s
- malloc,256m
- -t
- "900"
- -p
- workspace_client=256k
# in addition to the -n arg used for all deployments.
- -n
- /var/run/varnish-home
- -s
- malloc,256m
- -t
- "900"
- -p
- workspace_client=256k
volumes:
- name: adm-secret
secret:
......@@ -55,3 +60,6 @@ spec:
items:
- key: admin
path: _.secret
- name: varnish-home
emptyDir:
medium: "Memory"
......@@ -27,6 +27,8 @@ spec:
- name: adm-secret
mountPath: "/var/secret"
readOnly: true
- name: varnish-home
mountPath: "/var/run/varnish-home"
livenessProbe:
exec:
command:
......@@ -38,6 +40,9 @@ spec:
httpGet:
path: /ready
port: k8s
args:
- -n
- /var/run/varnish-home
env:
# Use the PROXY protocol (cf. proxy.yaml).
- name: PROTO
......@@ -77,6 +82,9 @@ spec:
items:
- key: admin
path: adm.secret
- name: varnish-home
emptyDir:
medium: "Memory"
---
apiVersion: v1
kind: Service
......@@ -27,6 +27,8 @@ spec:
- name: adm-secret
mountPath: "/var/run/varnish"
readOnly: true
- name: varnish-home
mountPath: "/var/run/varnish-home"
livenessProbe:
exec:
command:
......@@ -38,6 +40,9 @@ spec:
httpGet:
path: /ready
port: k8s
args:
- -n
- /var/run/varnish-home
env:
# PROTO=PROXY causes the listener at the http port to accept
# the PROXY protocol (v1 or v2).
......@@ -51,3 +56,6 @@ spec:
items:
- key: admin
path: _.secret
- name: varnish-home
emptyDir:
medium: "Memory"
......@@ -31,6 +31,7 @@ package vcl
import (
"bytes"
"testing"
"io/ioutil"
)
func testTemplate(t *testing.T, spec Spec, gold string) {
......@@ -693,6 +694,46 @@ func TestRewriteSelectOperations(t *testing.T) {
testTemplate(t, rewriteSelectOperations, gold)
}
// Test the use case that Auth should be executed, but the
// Authorization header must be removed, to prevent return(pass) from
// builtin vcl_recv. For that, the Authorization header delete must
// run *after* the auth protocol is executed.
var rewriteDeleteAuth = Spec{
Rewrites: []Rewrite{{
Target: "req.http.Authorization",
Method: Delete,
}},
Auths: []Auth{{
Realm: "foo",
Status: Basic,
Credentials: []string{
"QWxhZGRpbjpvcGVuIHNlc2FtZQ==",
"QWxhZGRpbjpPcGVuU2VzYW1l",
},
}},
}
func TestRewriteDeleteAuth(t *testing.T) {
gold := "rewrite_auth_delete.golden"
var src string
var err error
var goldbytes []byte
if src, err = rewriteDeleteAuth.GetSrc(); err != nil {
t.Fatal("GetSrc():", err)
}
if goldbytes, err = ioutil.ReadFile("testdata/"+gold); err != nil {
t.Fatal("WriteFile():", err)
}
if !bytes.Equal(goldbytes, []byte(src)) {
t.Fatalf("Generated VCL does not match gold file: %s", gold)
if testing.Verbose() {
t.Logf("Generated: %s", src)
}
}
}
// Code boilerplate for writing the golden file.
// import ioutils
// func TestRewriteXXX(t *testing.T) {
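Review bot: In TestRewriteDeleteAuth the `t.Logf("Generated: %s", src)` block is unreachable: the `t.Fatalf` on the line before it ends the test via runtime.Goexit, so the verbose dump of the generated VCL never appears; move the `if testing.Verbose() { ... }` block above the `t.Fatalf`. The message in the ReadFile branch names the wrong call and should read `t.Fatal("ReadFile():", err)`. In the import hunk above, `"io/ioutil"` is placed after `"testing"`, which gofmt will reorder on the next save; if the module targets Go 1.16 or later, `os.ReadFile` avoids the deprecated ioutil import altogether. The file already has a `testTemplate(t, spec, gold)` helper visible at the top of this section; if it performs the same golden-file comparison, the new test could be the same one-line call that TestRewriteSelectOperations makes.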
vcl 4.0;
import std;
import directors;
import re2;
backend vk8s_notfound {
# 192.0.2.0/24 reserved for docs & examples (RFC5737).
.host = "192.0.2.255";
.port = "80";
}
sub vcl_init {}
sub vk8s_set_backend {
set req.backend_hint = vk8s_notfound;
if (req.backend_hint == vk8s_notfound) {
return (synth(404));
}
}
sub vcl_miss {
call vk8s_set_backend;
}
sub vcl_pass {
call vk8s_set_backend;
}
import re2;
sub vcl_init {
new vk8s_foo_auth = re2.set(anchor=both);
vk8s_foo_auth.add("Basic\s+\QQWxhZGRpbjpvcGVuIHNlc2FtZQ==\E\s*");
vk8s_foo_auth.add("Basic\s+\QQWxhZGRpbjpPcGVuU2VzYW1l\E\s*");
vk8s_foo_auth.compile();
}
sub vcl_recv {
if (
!vk8s_foo_auth.match(req.http.Authorization)
) {
set req.http.VK8S-Authenticate = {"Basic realm="foo""};
return(synth(60000 + 401));
}
}
sub vcl_synth {
if (resp.status == 60401) {
set resp.http.WWW-Authenticate = req.http.VK8S-Authenticate;
return(deliver);
}
if (resp.status == 60407) {
set resp.http.Proxy-Authenticate = req.http.VK8S-Authenticate;
return(deliver);
}
}
import re2;
import selector;
sub vcl_recv {
unset req.http.Authorization;
}