blob: 8fcbd658565b9ea6148f2fb23ea8ba4e9c19e738 [file] [log] [blame] [view]
# SKFE - The Skia Frontend
A single unified web frontend for all the Skia properties.
```
+--------------------------+
| GKE Ingress |
+----+------------------+--+
| |
| |
v v
+-------------+ +-------------+
| (envoy) | ... | (envoy) |
+------+------+ +------+------+
| |
+---+-------------+----------+-----+
v v v
+---------+ +---------+ +-----------+
|skia perf| ... |skia gold| |skia alerts|
+---------+ +---------+ +-----------+
```
A single static IP is handled by GKE Ingress which handles SSL and then
distributes requests to multiple envoy pods: They, in turn, distribute the calls
to the backend as kubernetes sevices. The certs for all Skia properties are
handled at the GKE Ingress level, see http://go/skia-ssl-cert for more details.
The configuration for the envoy server comes from `envoy-starter.json` and
metadata annotations on services running in the skia-public k8s cluster.
The generation of the configuration involves three files, two of which are
auto-generated:
envoy-starter.json
simple.json
computed.json
The `simple.json` and `computed.json` are generated files.
The `enjoy-starter.json` file contains our liveness handling, all redirects, and
complicated routes for services like Gold. It is a hand-written file.
The contents of `simple.json` are generated directly from metadata in
kubernetes Services.
We need three pieces of information, the domain name, the target service name,
and the port that the service is running on. Consider the following
configuration for `https://perf.skia.org`.
```
apiVersion: v1
kind: Service
metadata:
labels:
app: skiaperf
name: skiaperf
annotations:
beta.cloud.google.com/backend-config: '{"ports": {"8000":"skia-default-backendconfig"}}'
skia.org.domain: perf.skia.org
spec:
ports:
- name: metrics
port: 20000
- name: http
port: 8000
selector:
app: skiaperf
type: NodePort
```
The parts of the Service spec that are important are the `skia.org.domain`
annotation which specifies the public domain name where this service should be
available. It must be a sub-domain of `.skia.org`. There also must be a
`.spec.ports` with a name of "http" that specifies the port at which the service
is available. Along with the name of the service those values are combined to
produce the `simple.json` config file. We then run `merge_envoy` to merge
`simple.json` and `envoy-starter.json` into `computed.json` which is then used
in the envoy image. Making this a two step process makes it easier to debug the
output of each step, as Envoy configs are very wordy.
Finally `update_probers` can be run to add all the redirects from
`envoy-starter.json` to `probersk.json5`.
## Pushing
Run
make
To build the `computed.json` config file which is then reviewed and submitted.
After that file has landed then run:
make push
to push the `computed.json` file to production.
## Admin
You can reach the Envoy admin interface by
kubectl port-forward <envoy-skia-org pod name> 9000:9000
And then visit
http://localhost:9000
The admin interface also provides the metrics endpoint to prometheus.
## DNS
Our DNS Zone file is checked in here as [skia.org.zone](./skia.org.zone). See
that file for instructions on how to update our DNS records.
## FAQ
Q: Why not just use GKE Ingress?
A: GKE Ingress is limited to 50 total rules, which we currently exceed.
Q: Why not use TCP Load Balancing and a custom ingress on GKE?
A: GKE Ingress is the only public facing option available to us.