[ADD] reverse proxy

az-adhoc · az-adhoc · commit 93d937a0c51f · 2025-04-29T19:21:02.000Z
diff --git a/charts/adhoc-odoo/v0.3.0/changelog.md b/charts/adhoc-odoo/v0.3.0/changelog.md
@@ -4,6 +4,9 @@
 
 Features:
 
+- reverse Proxy:
+  - add nginx to serve files
+
 ## *0.2.9*
 
 Features:
diff --git a/charts/adhoc-odoo/v0.3.0/questions.yml b/charts/adhoc-odoo/v0.3.0/questions.yml
@@ -468,6 +468,13 @@ questions:
     type: "string"
     required: false
     default: ""
+  - variable: ingress.enableReverseProxy
+    group: "Ingress"
+    label: "Enable Reverse Proxy"
+    description: "put an nginx in front of odoo"
+    type: "boolean"
+    required: false
+    default: false
 
   # Adhoc
   - variable: adhoc.serviceLevel
diff --git a/charts/adhoc-odoo/v0.3.0/templates/_helpers.tpl b/charts/adhoc-odoo/v0.3.0/templates/_helpers.tpl
@@ -97,4 +97,4 @@ We remove initial number to compile with [a-z]([-a-z0-9]*[a-z0-9])?
 {{- $original := (include "adhoc-odoo.fullname" .) | lower }}
 {{- $original = regexReplaceAll "^[0-9]+" $original "" }}
 {{- regexReplaceAll "[^a-z0-9-]" $original "" }}
-{{- end }}
+{{- end }}
diff --git a/charts/adhoc-odoo/v0.3.0/templates/deployment.yaml b/charts/adhoc-odoo/v0.3.0/templates/deployment.yaml
@@ -125,6 +125,11 @@ spec:
             mountPath: /etc/hosts
             subPath: hosts
           {{- end }}
+          {{- if .Values.ingress.enableReverseProxy }}
+          - name: odoo-sendfile-conf
+            mountPath: /home/odoo/.resources/conf.d/odoo-send-file.conf
+            subPath: odoo-send-file.conf
+          {{- end }}
       affinity:
           podAntiAffinity:
             preferredDuringSchedulingIgnoredDuringExecution:
@@ -187,6 +192,11 @@ spec:
         configMap:
           name: {{ include "adhoc-odoo.fullname" . }}-hosts
       {{- end }}
+      {{- if .Values.ingress.enableReverseProxy }}
+      - name: odoo-sendfile-conf
+        configMap:
+          name: {{ include "adhoc-odoo.fullname" . }}-odoo-sendfile-conf
+      {{- end }}
       {{- if eq .Values.storage.location "fuse" }}
       - name: gcs-fuse-csi-ephemeral
         csi:
diff --git a/charts/adhoc-odoo/v0.3.0/templates/ingress.yaml b/charts/adhoc-odoo/v0.3.0/templates/ingress.yaml
@@ -57,7 +57,11 @@ spec:
             pathType: Prefix
             backend:
               service:
+                {{- if .Values.ingress.enableReverseProxy }}
+                name: {{ include "adhoc-odoo.serviceNameSuffix" . }}-nginx
+                {{- else }}
                 name: {{ $fullName }}-http
+                {{- end }}
                 port:
                   number: 80
           {{- if gt $usewebsocket 0 }}
@@ -69,7 +73,11 @@ spec:
             {{- end  }}
             backend:
               service:
+                {{- if .Values.ingress.enableReverseProxy }}
+                name: {{ include "adhoc-odoo.serviceNameSuffix" . }}-nginx
+                {{- else }}
                 name: {{ $fullName }}-websocket
+                {{- end }}
                 port:
                   number: 80
           {{- end  }}
diff --git a/charts/adhoc-odoo/v0.3.0/templates/reverseProxy/_helpers.tpl b/charts/adhoc-odoo/v0.3.0/templates/reverseProxy/_helpers.tpl
@@ -0,0 +1,7 @@
+{{/*
+Selector labels
+*/}}
+{{- define "adhoc-odoo.nxselectorLabels" -}}
+app.kubernetes.io/name: {{ include "adhoc-odoo.name" . }}-nx
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/charts/adhoc-odoo/v0.3.0/templates/reverseProxy/cm.yaml b/charts/adhoc-odoo/v0.3.0/templates/reverseProxy/cm.yaml
@@ -0,0 +1,214 @@
+{{- if .Values.ingress.enableReverseProxy }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "adhoc-odoo.fullname" . }}-nginx-config
+  labels:
+    {{- include "adhoc-odoo.labels" . | nindent 4 }}
+data:
+  nginx.conf: |
+    events {
+      worker_connections 1024;
+    }
+    http {
+      default_type  application/octet-stream;
+
+      sendfile on;
+      proxy_redirect off;
+      server_tokens off;
+
+      access_log off;
+      # access_log /dev/stdout;
+      # error_log /dev/stderr;
+
+      keepalive_timeout  65;
+      tcp_nodelay        on;
+
+      # Proxy optimizations
+      proxy_buffers           32 8k;
+      proxy_buffer_size       4k;
+      proxy_busy_buffers_size 8k;
+      proxy_max_temp_file_size  2048m;
+      proxy_temp_file_write_size  64k;
+
+      # Proxy cache
+      proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:10m max_size=10g inactive=60m;
+
+      # Default value '4 8k' is raising a '414 Request-URI Too Large' error
+      # when '/web/webclient/translations/' is requested with a lot of module names
+      # as GET parameters (performed on user login), rendering a blank page.
+      # Source: https://github.com/camptocamp/docker-odoo-nginx/blob/891ad970/9.0/templates/nginx.conf.tmpl#L46-L50
+      large_client_header_buffers 4 12k;
+
+      types_hash_max_size 1024;
+      types_hash_bucket_size 512;
+
+      server_names_hash_bucket_size 64;
+      server_names_hash_max_size 512;
+
+      # Gzip
+      gzip                on;
+      gzip_http_version   1.0;
+      gzip_proxied        any;
+      gzip_min_length     500;
+      gzip_disable        "MSIE [1-6]\.";
+      gzip_types          text/plain text/xml text/css
+                          text/comma-separated-values
+                          text/javascript
+                          application/json
+                          application/xml
+                          application/x-javascript
+                          application/javascript
+                          application/atom+xml;
+
+      upstream odoo {
+        server {{ include "adhoc-odoo.serviceNameSuffix" . }}-http:80;
+        keepalive 32;  # Mejora rendimiento para conexiones persistentes
+      }
+
+      {{- $usewebsocket  := .Values.odoo.performance.workers | toString | int -}}
+      {{- if gt $usewebsocket 0 }}
+      upstream odoochat {
+        server {{ include "adhoc-odoo.serviceNameSuffix" . }}-websocket:80;
+        keepalive 32;  # Mejora rendimiento para conexiones persistentes
+      }
+      {{- end }}
+
+      # Used by websocket
+      # https://www.odoo.com/documentation/18.0/administration/on_premise/deploy.html?highlight=nginx#https
+      map $http_upgrade $connection_upgrade {
+          default upgrade;
+          ''      close;
+      }
+
+      # Used by static files
+      # https://www.odoo.com/documentation/18.0/administration/on_premise/deploy.html?highlight=nginx#serving-static-files
+      map $sent_http_content_type $content_type_csp {
+          default "";
+          ~image/ "default-src 'none'";
+      }
+
+      server {
+        listen 80 default;
+        client_max_body_size 1G;
+
+
+        # Prevent browsers from ever sending a plain HTTP request to this domain
+        # https://www.odoo.com/documentation/18.0/administration/on_premise/deploy.html?highlight=nginx#https-hardening
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
+        # Additional configuration for the session_id cookie.
+        # The Secure flag ensures it is never transmitted over HTTP
+        # SameSite=Lax to prevent authenticated CSRF.
+        # https://www.odoo.com/documentation/18.0/administration/on_premise/deploy.html?highlight=nginx#https-hardening
+        proxy_cookie_flags session_id samesite=lax secure;
+
+        # Security
+        add_header X-Content-Type-Options "nosniff";
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header X-XSS-Protection "1; mode=block";
+        # Cookies are set to Secure and HttpOnly
+        proxy_cookie_path / "/; Secure; HttpOnly; SameSite=Lax";
+        # Additional protection against clickjacking
+        add_header Content-Security-Policy "frame-ancestors 'self'";
+
+        # Redirect requests to odoo backend server
+        location / {
+            proxy_pass http://odoo;
+            # Add Headers for odoo proxy mode
+            proxy_set_header X-Forwarded-For $http_x_forwarded_for;
+            proxy_set_header X-Real-IP $remote_addr;
+
+            proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
+            proxy_set_header Forwarded "for=$http_x_forwarded_for;proto=$scheme";
+
+            proxy_set_header Host $http_host;
+            proxy_redirect off;
+        }
+
+        {{- if gt $usewebsocket 0 }}
+        # Redirect longpoll requests to odoo longpolling port (Odoo <= 15.0)
+        location /longpolling {
+            proxy_pass http://odoochat;
+            # Add Headers for odoo proxy mode
+            proxy_set_header X-Forwarded-For $http_x_forwarded_for;
+            proxy_set_header X-Real-IP $remote_addr;
+
+            proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
+            proxy_set_header Forwarded "for=$http_x_forwarded_for;proto=$scheme";
+
+            proxy_set_header Host $http_host;
+            proxy_redirect off;
+            # Avoid premature disconections
+            proxy_read_timeout 86400s;
+            proxy_send_timeout 86400s;
+        }
+
+        # Redirect websocket requests to odoo gevent port (Odoo >= 16.0)
+        location /websocket {
+            proxy_pass http://odoochat;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+            # Add Headers for odoo proxy mode
+            proxy_set_header X-Forwarded-For $http_x_forwarded_for;
+            proxy_set_header X-Real-IP $remote_addr;
+
+            proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
+            proxy_set_header Forwarded "for=$http_x_forwarded_for;proto=$scheme";
+
+            proxy_set_header Host $http_host;
+            proxy_redirect off;
+            # Avoid premature disconections
+            proxy_read_timeout 86400s;
+            proxy_send_timeout 86400s;
+        }
+        {{- end }}
+
+        # Static files are still served by Odoo, because Nginx doesn't have access to
+        # the Odoo source code. However, they are cached.
+        location ~ ^/[^/]+/static/.+$ {
+            proxy_buffering on;
+            proxy_pass http://odoo;
+
+            proxy_cache cache;
+            proxy_cache_valid 60m;
+            proxy_cache_valid any 1m;
+            proxy_cache_revalidate on;
+            proxy_cache_use_stale error timeout updating;
+            proxy_cache_background_update on;
+            proxy_cache_lock on;
+
+            expires 24h;
+            # expires 365d;  # TODO: Check if this is a good idea
+            add_header Cache-Control "public, immutable";
+            # proxy_cache_valid 200 302 365d;  # Cache más largo para respuestas exitosas
+            # proxy_cache_valid 404 1m;        # Cache corto para 404
+            # add_header X-Cache-Status $upstream_cache_status;  # Para debugging
+
+            # Security recommendations
+            # https://www.odoo.com/documentation/18.0/administration/on_premise/deploy.html?highlight=nginx#serving-static-files
+            add_header Content-Security-Policy $content_type_csp;
+
+            # Add Headers for odoo proxy mode
+            proxy_set_header X-Forwarded-For $http_x_forwarded_for;
+            proxy_set_header X-Real-IP $remote_addr;
+
+            proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
+            proxy_set_header Forwarded "for=$http_x_forwarded_for;proto=$scheme";
+
+            proxy_set_header Host $http_host;
+            proxy_redirect off;
+        }
+
+        # Filestore storage files are served by Nginx thanks to the X-Accel extension
+        # Requires the `x_sendfile = True` configuration in Odoo.
+        # https://www.odoo.com/documentation/18.0/administration/on_premise/deploy.html?highlight=nginx#serving-attachments
+        location /web/filestore {
+            internal;
+            alias /mnt/filestore;
+        }
+      }
+    }
+
+{{- end }}
diff --git a/charts/adhoc-odoo/v0.3.0/templates/reverseProxy/deploy.yaml b/charts/adhoc-odoo/v0.3.0/templates/reverseProxy/deploy.yaml
@@ -0,0 +1,87 @@
+{{- if .Values.ingress.enableReverseProxy }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "adhoc-odoo.fullname" . }}-nx
+  labels:
+    {{- include "adhoc-odoo.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ .Release.Name }}-nx
+  annotations:
+    {{ if .Values.ingress.enableHttps }}
+    certmanager.k8s.io/disable-auto-restart: "true"
+    {{- end }}
+spec:
+  replicas: 1 # TODO: Single failure point
+  selector:
+    matchLabels:
+      {{- include "adhoc-odoo.nxselectorLabels" . | nindent 8 }}
+  strategy:
+    type: RollingUpdate
+  revisionHistoryLimit: 2
+  template:
+    metadata:
+      annotations:
+        {{- if eq .Values.storage.location "fuse" }}
+        gke-gcsfuse/volumes: "true"
+        {{- end }}
+      labels:
+        {{- include "adhoc-odoo.nxselectorLabels" . | nindent 8 }}
+        {{- include "adhoc-odoo.adhocLabels" . | nindent 8 }}
+        adhoc.ar/app-name: "nginx"
+    spec:
+      {{- if eq .Values.storage.location "fuse" }}
+      terminationGracePeriodSeconds: 60
+      {{- end }}
+      serviceAccountName: {{ include "adhoc-odoo.serviceAccountName" . }}
+      containers:
+      - name: nginx
+        image: "nginx:1.27-alpine"
+        ports:
+        - name: http
+          containerPort: 80
+          protocol: TCP
+        volumeMounts:
+        {{- if eq .Values.storage.location "fuse" }}
+        - name: gcs-fuse-csi-ephemeral
+          {{- if .Values.cloudNativePG.enabled }}
+          mountPath: /mnt/filestore/odoo
+          {{- else }}
+          mountPath: /mnt/filestore/{{ .Release.Name }}
+          {{- end }}
+          readOnly: true
+        {{- end }}
+        - mountPath: /etc/nginx/nginx.conf
+          name: nginx-config
+          subPath: nginx.conf
+          readOnly: true
+      volumes:
+        - name: nginx-config
+          configMap:
+            name: {{ include "adhoc-odoo.fullname" . }}-nginx-config
+        {{- if eq .Values.storage.location "fuse" }}
+        - name: gcs-fuse-csi-ephemeral
+          csi:
+            driver: gcsfuse.csi.storage.gke.io
+            readOnly: false
+            volumeAttributes:
+              bucketName: {{ .Values.storage.aws_bucketname | quote }}
+              {{/*
+              Description: Whether your workload should export metrics. This should be set to "false" if you plan on using
+
+              Default: true
+              */}}
+              disableMetrics: "true"
+              {{/*
+              Directs the CSI driver to skip redundant access control checks for the Cloud Storage bucket, when set to "true".
+              This reduces the overhead of redundant Kubernetes Service API, Security Token Service, and IAM calls.
+              When the flag is set, the Cloud Storage FUSE process, running as part of the sidecar container in the Pod,
+              handles the bucket access control checks
+
+              Default: False
+              */}}
+              skipCSIBucketAccessCheck: "true"
+              gcsfuseLoggingSeverity: warning
+              mountOptions: "uid=101,gid=101,file-mode=600,dir-mode=700,implicit-dirs=true,o=r,file-cache:enable-parallel-downloads:true,file-cache:parallel-downloads-per-file:4,file-cache:max-parallel-downloads:-1,file-cache:download-chunk-size-mb:3,file-cache:max-size-mb:200,metadata-cache:ttl-secs:-1"
+              fileCacheCapacity: "200Mi"
+        {{- end }}
+{{- end }}
diff --git a/charts/adhoc-odoo/v0.3.0/templates/reverseProxy/odoo_cm.yaml b/charts/adhoc-odoo/v0.3.0/templates/reverseProxy/odoo_cm.yaml
diff --git a/charts/adhoc-odoo/v0.3.0/templates/reverseProxy/service.yaml b/charts/adhoc-odoo/v0.3.0/templates/reverseProxy/service.yaml
