From d18ad63e4975a247dd2bf0c25e83c99cfaeb6a51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Kr=C3=BCger?= <ak@patientsky.com>
Date: Mon, 8 Apr 2019 11:02:29 +0200
Subject: [PATCH] Update nginx to 1.15. Update manifest and performance
 optimize (#4458)

---
 roles/download/defaults/main.yml              |  2 +-
 roles/kubernetes/node/defaults/main.yml       |  4 +-
 .../manifests/nginx-proxy.manifest.j2         |  8 ++-
 roles/kubernetes/node/templates/nginx.conf.j2 | 61 +++++++++++--------
 4 files changed, 44 insertions(+), 31 deletions(-)

diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index c1626a556..d7d194727 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -200,7 +200,7 @@ kube_router_image_tag: "{{ kube_router_version }}"
 multus_image_repo: "docker.io/nfvpe/multus"
 multus_image_tag: "{{ multus_version }}"
 nginx_image_repo: nginx
-nginx_image_tag: 1.13
+nginx_image_tag: 1.15
 
 coredns_version: "1.4.0"
 coredns_image_repo: "coredns/coredns"
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index e3f20d4a6..c802ab91e 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -42,9 +42,7 @@ kube_master_cpu_reserved: 200m
 
 kubelet_status_update_frequency: 10s
 
-# Limits for nginx load balancer app
-nginx_memory_limit: 512M
-nginx_cpu_limit: 300m
+# Requests for nginx load balancer app
 nginx_memory_requests: 32M
 nginx_cpu_requests: 25m
 
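Review bot: Dropping `nginx_memory_limit` and `nginx_cpu_limit` leaves the nginx-proxy pod with requests only, and the new comment does not say that this is deliberate. The nginx-proxy.manifest.j2 hunk removes the matching `limits:` block, while the nginx.conf.j2 hunk raises `worker_processes` to 2 and `worker_connections` to 16384, so a leak or connection surge in the proxy is now bounded only by the node itself. Inventories that still override the two removed variables will be ignored without any warning. I would extend the comment to `# Requests for nginx load balancer app (no limits are set; the pod is uncapped on the node)` and consider keeping the limits as optional variables that the manifest renders only when they are defined.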
diff --git a/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2 b/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2
index fbe170cfa..ed52f647e 100644
--- a/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2
@@ -4,6 +4,7 @@ metadata:
   name: nginx-proxy
   namespace: kube-system
   labels:
+    addonmanager.kubernetes.io/mode: Reconcile
     k8s-app: kube-nginx
 spec:
   hostNetwork: true
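Review bot: The added `addonmanager.kubernetes.io/mode: Reconcile` label carries no explanation. This template sits under the node role's `manifests` directory and sets `hostNetwork: true`, so it is presumably a kubelet-managed static pod rather than a resource owned by an addon manager. Where an addon manager is running, that label marks objects it may reconcile, or prune if they are absent from its own addon directory; please confirm that is intended for this pod. A comment above the label such as `# reconciled by addon-manager: <reason>` would record the intent. The manifest continues outside this hunk.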
@@ -17,9 +18,6 @@ spec:
     image: {{ nginx_image_repo }}:{{ nginx_image_tag }}
     imagePullPolicy: {{ k8s_image_pull_policy }}
     resources:
-      limits:
-        cpu: {{ nginx_cpu_limit }}
-        memory: {{ nginx_memory_limit }}
       requests:
         cpu: {{ nginx_cpu_requests }}
         memory: {{ nginx_memory_requests }}
@@ -30,6 +28,10 @@ spec:
       httpGet:
         path: /healthz
         port: {{ nginx_kube_apiserver_healthcheck_port }}
+    readinessProbe:
+      httpGet:
+        path: /healthz
+        port: {{ nginx_kube_apiserver_healthcheck_port }}
     {% endif -%}
     volumeMounts:
     - mountPath: /etc/nginx
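Review bot: The new `readinessProbe` is a copy of the liveness probe and targets `/healthz`, which the nginx.conf.j2 template in this commit answers with an unconditional `return 200`. The pod therefore reports ready as soon as the http listener is up, whether or not any `kube_apiserver` upstream is reachable through the stream proxy. Both probes also appear to sit inside the conditional closed by `{% endif -%}` on the next line (its opening is outside the hunk), so nodes without `nginx_kube_apiserver_healthcheck_port` get neither. I would add `# readiness only proves nginx is serving; it does not check apiserver reachability` above the probe so operators do not read it as an end-to-end check.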
diff --git a/roles/kubernetes/node/templates/nginx.conf.j2 b/roles/kubernetes/node/templates/nginx.conf.j2
index 3e5374b71..274139529 100644
--- a/roles/kubernetes/node/templates/nginx.conf.j2
+++ b/roles/kubernetes/node/templates/nginx.conf.j2
@@ -1,37 +1,50 @@
 error_log stderr notice;
 
-worker_processes 1;
+worker_processes 2;
+worker_rlimit_nofile 130048;
+worker_shutdown_timeout 10s;
+
 events {
   multi_accept on;
   use epoll;
-  worker_connections 1024;
+  worker_connections 16384;
 }
 
 stream {
-        upstream kube_apiserver {
-            least_conn;
-            {% for host in groups['kube-master'] -%}
-            server {{ hostvars[host]['access_ip'] | default(hostvars[host]['ip'] | default(fallback_ips[host])) }}:{{ kube_apiserver_port }};
-            {% endfor -%}
-        }
-
-        server {
-            listen        127.0.0.1:{{ nginx_kube_apiserver_port|default(kube_apiserver_port) }};
-            proxy_pass    kube_apiserver;
-            proxy_timeout 10m;
-            proxy_connect_timeout 1s;
+  upstream kube_apiserver {
+    least_conn;
+    {% for host in groups['kube-master'] -%}
+    server {{ hostvars[host]['access_ip'] | default(hostvars[host]['ip'] | default(fallback_ips[host])) }}:{{ kube_apiserver_port }};
+    {% endfor -%}
+  }
 
-        }
+  server {
+    listen        127.0.0.1:{{ nginx_kube_apiserver_port|default(kube_apiserver_port) }};
+    proxy_pass    kube_apiserver;
+    proxy_timeout 10m;
+    proxy_connect_timeout 1s;
+  }
 }
 
 http {
-        {% if nginx_kube_apiserver_healthcheck_port is defined -%}
-        server {
-            listen {{ nginx_kube_apiserver_healthcheck_port }};
-            location /healthz {
-              access_log off;
-              return 200;
-            }
-        }
-        {% endif -%}  
+  aio threads;
+  aio_write on;
+  tcp_nopush on;
+  tcp_nodelay on;
+
+  keepalive_timeout 75s;
+  keepalive_requests 100;
+  reset_timedout_connection on;
+  server_tokens off;
+  autoindex off;
+
+  {% if nginx_kube_apiserver_healthcheck_port is defined -%}
+  server {
+    listen {{ nginx_kube_apiserver_healthcheck_port }};
+    location /healthz {
+      access_log off;
+      return 200;
+    }
+  }
+  {% endif -%}
 }
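Review bot: The healthcheck server still uses `listen {{ nginx_kube_apiserver_healthcheck_port }};` with no address, while the stream listener is bound to `127.0.0.1`. The manifest in this commit runs the pod with `hostNetwork: true`, so this port is opened on every node interface. The endpoint only returns 200 and `server_tokens off` is now set, so the exposure is small, but it is an unauthenticated listener that this rewrite could have narrowed. Binding it as `listen 127.0.0.1:{{ nginx_kube_apiserver_healthcheck_port }};` would also need `host: 127.0.0.1` on both `httpGet` probes, since kubelet otherwise probes the pod address. Separately, the new `aio`, `tcp_nopush`, `keepalive_*` and `autoindex` directives live in `http {}` and only govern this healthcheck server, not the API traffic in `stream {}`; a short comment saying so would avoid the impression that they tune the proxy path.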
-- 
GitLab