Nginx proxy

.vscode/monorepo.code-workspace

@@ -20,6 +20,10 @@
       "name": "services/api",
       "path": "../services/api"
     },
+    {
+      "name": "services/reverse-proxy",
+      "path": "../services/reverse-proxy"
+    },
     {
       "name": "services/worker",
       "path": "../services/worker"

docker-compose.yml

@@ -1,19 +1,39 @@
 version: "3.9"
 services:
+  reverse-proxy:
+    image: nginx:1.20
+    volumes:
+    - ./infra/charts/datasets-server/nginx-templates/:/etc/nginx/templates:ro
+    - reverse-proxy-cache:/nginx-cache
+    - assets:/assets:ro
+    ports:
+    - "8000:80"
+    environment:
+    - ASSETS_DIRECTORY=/assets
+    - CACHE_DIRECTORY=/nginx-cache
+    - CACHE_INACTIVE=24h
+    - CACHE_MAX_SIZE=1g
+    - CACHE_ZONE_SIZE=50m
+    - HOST=localhost
+    - PORT=80
+    - TARGET_URL=http://api:8080
+    depends_on:
+      api:
+        condition: service_started
   api:
     build:
       context: .
       dockerfile: ./services/api/Dockerfile
     volumes:
       - assets:/assets:ro
     environment:
-      APP_PORT: 8000
+      APP_PORT: 8080
       APP_HOSTNAME: 0.0.0.0
       ASSETS_DIRECTORY: "/assets"
       MONGO_URL: "mongodb://mongodb"
       WEB_CONCURRENCY: 1
     ports:
-      - 8000:8000
+      - 8080:8080
     depends_on:
       mongodb:
         condition: service_started
@@ -54,3 +74,4 @@ services:
 volumes:
   assets:
   mongo:
+  reverse-proxy-cache:

infra/charts/datasets-server/env/dev.yaml

@@ -8,7 +8,7 @@ storage:
 
 domain: "datasets-server.us.dev.moon.huggingface.tech"
 
-api:
+reverseProxy:
   replicas: 1
 
   ingress:
@@ -28,6 +28,15 @@ api:
     limits:
       cpu: 1
 
+api:
+  replicas: 1
+
+  resources:
+    requests:
+      cpu: 0.01
+    limits:
+      cpu: 1
+
 datasetsWorker:
   replicas: 2
 

infra/charts/datasets-server/nginx-templates/default.conf.template

@@ -0,0 +1,31 @@
+proxy_cache_path ${CACHE_DIRECTORY}/ levels=1:2 keys_zone=STATIC:${CACHE_ZONE_SIZE} inactive=${CACHE_INACTIVE} max_size=${CACHE_MAX_SIZE};
+
+server {
+  listen ${PORT};
+  listen [::]:${PORT};
+  server_name ${HOST};
+
+  add_header 'Access-Control-Allow-Origin' '*' always;
+
+  location /assets/ {
+    alias ${ASSETS_DIRECTORY}/;
+  }
+
+  location / {
+    proxy_pass ${TARGET_URL};
+    proxy_set_header Host $proxy_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_http_version 1.1;
+    # cache all the HEAD+GET requests (without Set-Cookie)
+    # Cache-Control is used to determine the cache duration
+    # see https://www.nginx.com/blog/nginx-caching-guide/
+    proxy_buffering on;
+    proxy_cache STATIC;
+    proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+    proxy_cache_background_update on;
+    proxy_cache_lock on;
+    add_header X-Cache-Status $upstream_cache_status;
+  }
+}

infra/charts/datasets-server/templates/_helpers.tpl

@@ -12,6 +12,13 @@ Expand the name of the release.
 {{- default .Release.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/*
+The name of the release in uppercase and with underscores.
+*/}}
+{{- define "upper-release" -}}
+{{- include "release" . | replace "-" "_" | upper }}
+{{- end }}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@@ -42,6 +49,11 @@ heritage: {{ $.Release.Service | quote }}
 chart: "{{ include "name" . }}"
 {{- end }}
 
+{{- define "labels.reverseProxy" -}}
+{{ include "labels" . }}
+app: "{{ .Release.Name }}-reverse-proxy"
+{{- end -}}
+
 {{- define "labels.api" -}}
 {{ include "labels" . }}
 app: "{{ include "release" . }}-api"
@@ -75,6 +87,14 @@ The cache/ subpath in the NFS
 {{- printf "%s/%s/%s/" .Chart.Name .Release.Name "cache" }}
 {{- end }}
 
+{{/*
+The cache/ subpath in the NFS
+- in a subdirectory named as the chart (datasets-server/), and below it,
+- in a subdirectory named as the Release, so that Releases will not share the same assets/ dir
+*/}}
+{{- define "nginx.cache.subpath" -}}
+{{- printf "%s/%s/%s/" .Chart.Name .Release.Name "nginx-cache" }}
+{{- end }}
 
 {{/*
 The URL to access the mongodb instance created if mongodb.enable is true
@@ -83,3 +103,11 @@ It's named using the Release name
 {{- define "mongodb.url" -}}
 {{- printf "mongodb://%s-mongodb" .Release.Name }}
 {{- end }}
+
+{{/*
+The URL to access the API service from another container
+See https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#environment-variables
+*/}}
+{{- define "api.url" -}}
+{{- printf "http://${%s_API_SERVICE_HOST}:${%s_API_SERVICE_PORT}" ( include "upper-release" . ) ( include "upper-release" . ) }}
+{{- end }}

infra/charts/datasets-server/templates/_initContainerAssets.tpl

@@ -4,9 +4,9 @@
   imagePullPolicy: IfNotPresent
   command: ["/bin/sh", "-c"]
   args:
-  - chown {{ .Values.uid }}:{{ .Values.gid }} {{ .Values.storage.assetsDirectory | quote }};
+  - chown {{ .Values.uid }}:{{ .Values.gid }} /mounted-path;
   volumeMounts:
-  - mountPath: {{ .Values.storage.assetsDirectory | quote }}
+  - mountPath: /mounted-path
     mountPropagation: None
     name: nfs
     subPath: "{{ include "assets.subpath" . }}"

infra/charts/datasets-server/templates/_initContainerCache.tpl

@@ -4,9 +4,9 @@
   imagePullPolicy: IfNotPresent
   command: ["/bin/sh", "-c"]
   args:
-  - chown {{ .Values.uid }}:{{ .Values.gid }} {{ .Values.storage.cacheDirectory | quote }};
+  - chown {{ .Values.uid }}:{{ .Values.gid }} /mounted-path;
   volumeMounts:
-  - mountPath: {{ .Values.storage.cacheDirectory | quote }}
+  - mountPath: /mounted-path
     mountPropagation: None
     name: nfs
     subPath: "{{ include "cache.subpath" . }}"

infra/charts/datasets-server/templates/api/_container.tpl

@@ -6,7 +6,7 @@
   - name: APP_PORT
     value: {{ .Values.api.appPort | quote }}
   - name: ASSETS_DIRECTORY
-    value: {{ .Values.storage.assetsDirectory | quote }}
+    value: {{ .Values.api.assetsDirectory | quote }}
   - name: LOG_LEVEL
     value: {{ .Values.api.logLevel | quote }}
   - name: MAX_AGE_LONG_SECONDS
@@ -26,7 +26,7 @@
   image: "{{ .Values.api.image.repository }}/{{ .Values.api.image.name }}:{{ .Values.api.image.tag }}"
   imagePullPolicy: {{ .Values.api.image.pullPolicy }}
   volumeMounts:
-  - mountPath: {{ .Values.storage.assetsDirectory | quote }}
+  - mountPath: {{ .Values.api.assetsDirectory | quote }}
     mountPropagation: None
     name: nfs
     subPath: "{{ include "assets.subpath" . }}"

infra/charts/datasets-server/templates/datasets-worker/_container.tpl

@@ -2,15 +2,15 @@
 - name: "{{ include "name" . }}-datasets-worker"
   env:
   - name: ASSETS_DIRECTORY
-    value: {{ .Values.storage.assetsDirectory | quote }}
+    value: {{ .Values.datasetsWorker.assetsDirectory | quote }}
   - name: DATASETS_BLOCKLIST
     value: {{ .Values.datasetsWorker.datasetsBlocklist | quote }}
   - name: DATASETS_REVISION
     value: {{ .Values.datasetsWorker.datasetsRevision | quote }}
   - name: HF_DATASETS_CACHE
-    value: "{{ .Values.storage.cacheDirectory }}/datasets"
+    value: "{{ .Values.datasetsWorker.cacheDirectory }}/datasets"
   - name: HF_MODULES_CACHE
-    value: "{{ .Values.storage.cacheDirectory }}/modules"
+    value: "{{ .Values.datasetsWorker.cacheDirectory }}/modules"
   - name: HF_TOKEN
     # see https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret
     # and https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables
@@ -53,12 +53,12 @@
   image: "{{ .Values.datasetsWorker.image.repository }}/{{ .Values.datasetsWorker.image.name }}:{{ .Values.datasetsWorker.image.tag }}"
   imagePullPolicy: {{ .Values.datasetsWorker.image.pullPolicy }}
   volumeMounts:
-  - mountPath: {{ .Values.storage.assetsDirectory | quote }}
+  - mountPath: {{ .Values.datasetsWorker.assetsDirectory | quote }}
     mountPropagation: None
     name: nfs
     subPath: "{{ include "assets.subpath" . }}"
     readOnly: false
-  - mountPath: {{ .Values.storage.cacheDirectory | quote }}
+  - mountPath: {{ .Values.datasetsWorker.cacheDirectory | quote }}
     mountPropagation: None
     name: nfs
     subPath: "{{ include "cache.subpath" . }}"

infra/charts/datasets-server/templates/ingress.yaml

@@ -3,9 +3,9 @@ kind: Ingress
 metadata:
   annotations:
     # to communicate with AWS
-    {{ toYaml .Values.api.ingress.annotations | nindent 4 }}
+    {{ toYaml .Values.reverseProxy.ingress.annotations | nindent 4 }}
   labels:
-    {{ include "labels.api" . | nindent 4 }}
+    {{ include "labels.reverseProxy" . | nindent 4 }}
   name: {{ include "release" . }}
   namespace: {{ .Release.Namespace }}
 spec:
@@ -15,8 +15,7 @@ spec:
         paths:
           - backend:
               service:
-                name: "{{ include "release" . }}-api"
+                name: "{{ include "release" . }}-reverse-proxy"
                 port:
                   name: http
             pathType: ImplementationSpecific
-

infra/charts/datasets-server/templates/reverse-proxy/_container.tpl

@@ -0,0 +1,47 @@
+{{- define "containerReverseProxy" -}}
+- name: "{{ include "name" . }}-reverse-proxy"    
+  image: "{{ .Values.reverseProxy.image.repository }}/{{ .Values.reverseProxy.image.name }}:{{ .Values.reverseProxy.image.tag }}"
+  imagePullPolicy: {{ .Values.reverseProxy.image.pullPolicy }}
+  env:
+  - name: ASSETS_DIRECTORY
+    value: {{ .Values.reverseProxy.assetsDirectory | quote }}
+  - name: CACHE_DIRECTORY
+    value: {{ .Values.reverseProxy.cacheDirectory | quote }}
+  - name: CACHE_INACTIVE
+    value: {{ .Values.reverseProxy.cacheInactive | quote }}
+  - name: CACHE_MAX_SIZE
+    value: {{ .Values.reverseProxy.cacheMaxSize | quote }}
+  - name: CACHE_ZONE_SIZE
+    value: {{ .Values.reverseProxy.cacheZoneSize | quote }}
+  - name: HOST
+    value: {{ .Values.reverseProxy.host | quote }}
+  - name: PORT
+    value: {{ .Values.reverseProxy.port | quote }}
+  volumeMounts:
+  - name: nginx-templates
+    mountPath: /etc/nginx/templates
+    mountPropagation: None
+    readOnly: true
+  - mountPath: {{ .Values.reverseProxy.assetsDirectory | quote }}
+    mountPropagation: None
+    name: nfs
+    subPath: "{{ include "assets.subpath" . }}"
+    readOnly: true
+  - mountPath: {{ .Values.reverseProxy.cacheDirectory | quote }}
+    mountPropagation: None
+    name: nfs
+    subPath: "{{ include "nginx.cache.subpath" . }}"
+    readOnly: false
+  readinessProbe:
+    tcpSocket:
+      port: {{ .Values.reverseProxy.readinessPort }}
+  livenessProbe:
+    tcpSocket:
+      port: {{ .Values.reverseProxy.readinessPort }}
+  ports:
+  - containerPort: {{ .Values.reverseProxy.port }}
+    name: http
+    protocol: TCP
+  resources:
+    {{ toYaml .Values.reverseProxy.resources | nindent 4 }}
+{{- end -}}

infra/charts/datasets-server/templates/reverse-proxy/configMap.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    {{ include "labels.reverseProxy" . | nindent 4 }}
+  name: "{{ include "release" . }}-reverse-proxy"
+  namespace: {{ .Release.Namespace }}
+data:
+  default.conf.template: |-
+    {{ .Files.Get .Values.reverseProxy.nginxTemplateFile | replace "${TARGET_URL}" (include "api.url" . | quote ) | nindent 4 }}

infra/charts/datasets-server/templates/reverse-proxy/deployment.yaml

@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    {{ include "labels.reverseProxy" . | nindent 4 }}
+  name: "{{ include "release" . }}-reverse-proxy"
+  namespace: {{ .Release.Namespace }}
+spec:
+  progressDeadlineSeconds: 600
+  replicas: {{ .Values.reverseProxy.replicas }}
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      {{ include "labels.reverseProxy" . | nindent 6 }}
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        {{ include "labels.reverseProxy" . | nindent 8 }}
+    spec:
+      initContainers:
+        {{ include "initContainerAssets" . | nindent 8 }}
+      containers:
+        {{ include "containerReverseProxy" . | nindent 8 }}
+      nodeSelector:
+        {{ toYaml .Values.reverseProxy.nodeSelector | nindent 8 }}
+      tolerations:
+        {{ toYaml .Values.reverseProxy.tolerations | nindent 8 }}
+      volumes:
+      - name: nfs
+        nfs:
+          server: {{ .Values.storage.nfs.server }}
+          path: {{ .Values.storage.nfs.path }}
+      - name: nginx-templates
+        configMap:
+          name: "{{ include "release" . }}-reverse-proxy"
+          defaultMode: 420
+          optional: false
+          items:
+            - key: "default.conf.template"
+              path: "default.conf.template"

infra/charts/datasets-server/templates/reverse-proxy/service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ include "release" . }}-reverse-proxy"
+  annotations:
+    {{ toYaml .Values.reverseProxy.service.annotations | nindent 4 }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{ include "labels.reverseProxy" . | nindent 4 }}
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: {{ .Values.reverseProxy.port }}
+  selector:
+    {{ include "labels.reverseProxy" . | nindent 4 }}
+  type: {{ .Values.reverseProxy.service.type }}