feat: nginx kube zero-downtime wip (#1039)

nginx/Dockerfile

@@ -1,7 +1,7 @@
 FROM nginxinc/nginx-unprivileged:1.25-alpine@sha256:557e9af4afa7a36462e313906fe42fba39c307ae2a72d5323d49963eb2883b45
 
-COPY ./nginx.conf /etc/nginx/nginx.conf
-COPY ./entrypoint.sh /entrypoint.sh
+COPY ./nginx.conf ./ready_response.conf /etc/nginx/
+COPY ./entrypoint.sh ./pre-stop.sh /
 COPY ./404.html /usr/share/nginx/errors/
 
 ## adjust permissions

nginx/README.md

@@ -13,7 +13,6 @@ add_header X-Content-Type-Options "nosniff";
 
 > For a single-page-applications nginx image, see [../nginx4spa](../nginx4spa)
 
-
 Notes:
 
 - `PORT` is set to `8080`
@@ -28,3 +27,27 @@ COPY ./dist /usr/share/nginx/html
 ```
 
 **Note**: follow security recommendations here: <https://socialgouv.github.io/support/#/securite>
+
+
+## kubernetes integration with zero-downtime
+
+```yaml
+spec:
+  containers:
+  - name: my-app
+    image: ghcr.io/socialgouv/docker/nginx
+    ports:
+    - containerPort: 8080
+    livenessProbe:
+      httpGet:
+        path: /live
+        port: 8080
+    readinessProbe:
+      httpGet:
+        path: /ready
+        port: 8080
+    lifecycle:
+      preStop:
+        exec:
+          command: ["/pre-stop.sh"]
+```

nginx/nginx.conf

@@ -64,5 +64,19 @@ http {
       root                /var/lib/nginx/html;
     }
 
+    location /live {
+      default_type text/plain;
+      return 200 'OK';
+    }
+
+    include /etc/nginx/ready_response.conf;
+    location /ready {
+        default_type text/plain;
+        if ($ready_response = 'OK') {
+            return 200 $ready_response;
+        }
+        return 500 'Not Ready';
+    }
+
   }
 }

nginx/pre-stop.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env sh
+
+echo "set \$ready_response 'Not Ready';" > /etc/nginx/conf.d/ready_response.conf
+nginx -s reload
+
+WAIT_TIME=30
+if [ "$1" ]; then
+  WAIT_TIME="$1"
+fi
+
+for i in $(seq 1 $WAIT_TIME); do
+  if [ "$(nginx -s status | grep 'Active connections' | awk '{print $3}')" -eq "0" ]; then
+    exit 0
+  fi
+  sleep 1
+done
+
+nginx -s stop
+
+exit 0

nginx/ready_response.conf

@@ -0,0 +1 @@
+set $ready_response 'OK';

nginx4spa/Dockerfile

@@ -1,7 +1,7 @@
 FROM nginxinc/nginx-unprivileged:1.25-alpine@sha256:557e9af4afa7a36462e313906fe42fba39c307ae2a72d5323d49963eb2883b45
 
-COPY ./nginx.conf /etc/nginx/nginx.conf
-COPY ./entrypoint.sh /entrypoint.sh
+COPY ./nginx.conf ./ready_response.conf /etc/nginx/
+COPY ./entrypoint.sh ./pre-stop.sh /
 
 USER 0
 RUN chown -R nginx:nginx /usr/share/nginx/html && chmod -R 755 /usr/share/nginx/html && \

nginx4spa/README.md

@@ -28,3 +28,27 @@ COPY ./dist /usr/share/nginx/html
 ```
 
 **Note**: follow security recommendations here: <https://socialgouv.github.io/support/#/securite>
+
+
+## kubernetes integration with zero-downtime
+
+```yaml
+spec:
+  containers:
+  - name: my-app
+    image: ghcr.io/socialgouv/docker/nginx
+    ports:
+    - containerPort: 8080
+    livenessProbe:
+      httpGet:
+        path: /live
+        port: 8080
+    readinessProbe:
+      httpGet:
+        path: /ready
+        port: 8080
+    lifecycle:
+      preStop:
+        exec:
+          command: ["/pre-stop.sh"]
+```

nginx4spa/nginx.conf

@@ -51,5 +51,19 @@ http {
       root                /var/lib/nginx/html;
     }
 
+    location /live {
+      default_type text/plain;
+      return 200 'OK';
+    }
+
+    include /etc/nginx/ready_response.conf;
+    location /ready {
+        default_type text/plain;
+        if ($ready_response = 'OK') {
+            return 200 $ready_response;
+        }
+        return 500 'Not Ready';
+    }
+
   }
 }

nginx4spa/pre-stop.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env sh
+
+echo "set \$ready_response 'Not Ready';" > /etc/nginx/conf.d/ready_response.conf
+nginx -s reload
+
+WAIT_TIME=30
+if [ "$1" ]; then
+  WAIT_TIME="$1"
+fi
+
+for i in $(seq 1 $WAIT_TIME); do
+  if [ "$(nginx -s status | grep 'Active connections' | awk '{print $3}')" -eq "0" ]; then
+    exit 0
+  fi
+  sleep 1
+done
+
+nginx -s stop
+
+exit 0

nginx4spa/ready_response.conf

@@ -0,0 +1 @@
+set $ready_response 'OK';