Update proxy resources, increase ssl handshake timeout (#2819)

2025-12-23 06:15:42 +00:00 · 2025-09-05 14:09:55 -04:00
parent 77ab80f3dc
commit 6bbd7a2290
9 changed files with 41 additions and 25 deletions
--- a/jetty/kubernetes/nomulus-frontend.yaml
+++ b/jetty/kubernetes/nomulus-frontend.yaml
@@ -99,7 +99,7 @@ spec:
    apiVersion: apps/v1
    kind: Deployment
    name: frontend
-  minReplicas: 8
+  minReplicas: 12
  maxReplicas: 16
  metrics:
  - type: Resource
--- a/networking/src/main/java/google/registry/networking/handler/SslClientInitializer.java
+++ b/networking/src/main/java/google/registry/networking/handler/SslClientInitializer.java
@@ -119,6 +119,7 @@ public class SslClientInitializer<C extends Channel> extends ChannelInitializer<
        sslContextBuilder
            .build()
            .newHandler(channel.alloc(), hostProvider.apply(channel), portProvider.apply(channel));
+    sslHandler.setHandshakeTimeoutMillis(20000);

    // Enable hostname verification.
    SSLEngine sslEngine = sslHandler.engine();
--- a/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java
+++ b/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java
@@ -139,6 +139,8 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<

    logger.atInfo().log("Available Cipher Suites: %s", sslContext.cipherSuites());
    SslHandler sslHandler = sslContext.newHandler(channel.alloc());
+    sslHandler.setHandshakeTimeoutMillis(20000);
+
    if (requireClientCert) {
      Promise<X509Certificate> clientCertificatePromise = channel.eventLoop().newPromise();
      Future<Channel> unusedFuture =
@@ -159,15 +161,15 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
                      }
                      logger.atInfo().log(
                          """
-                              --SSL Information--
-                              Client Certificate Hash: %s
-                              SSL Protocol: %s
-                              Cipher Suite: %s
-                              Not Before: %s
-                              Not After: %s
-                              Client Certificate Type: %s
-                              Client Certificate Length: %s
-                              """,
+                          --SSL Information--
+                          Client Certificate Hash: %s
+                          SSL Protocol: %s
+                          Cipher Suite: %s
+                          Not Before: %s
+                          Not After: %s
+                          Client Certificate Type: %s
+                          Client Certificate Length: %s
+                          """,
                          getCertificateHash(clientCertificate),
                          sslSession.getProtocol(),
                          sslSession.getCipherSuite(),
--- a/proxy/deploy-proxy-for-env.sh
+++ b/proxy/deploy-proxy-for-env.sh
@@ -31,7 +31,6 @@ do
  echo "Updating cluster ${parts[0]} in zone ${parts[1]}..."
  gcloud container clusters get-credentials "${parts[0]}" \
    --project "${project}" --zone "${parts[1]}"
-  kubectl apply -f "./kubernetes/proxy-limit-range.yaml" --force
  sed s/GCP_PROJECT/${project}/g "./kubernetes/proxy-deployment-${environment}.yaml" | \
  kubectl apply -f -
  kubectl apply -f "./kubernetes/proxy-service.yaml" --force
--- a/proxy/kubernetes/proxy-deployment-production-canary.yaml
+++ b/proxy/kubernetes/proxy-deployment-production-canary.yaml
@@ -33,6 +33,13 @@ spec:
            port: health-check
          initialDelaySeconds: 15
          periodSeconds: 20
+        resources:
+          requests:
+            cpu: "400m"
+            memory: "350Mi"
+          limits:
+            cpu: "600m"
+            memory: "512Mi"
        imagePullPolicy: Always
        args: ["--env", "production_canary"]
        env:
--- a/proxy/kubernetes/proxy-deployment-production.yaml
+++ b/proxy/kubernetes/proxy-deployment-production.yaml
@@ -33,6 +33,13 @@ spec:
            port: health-check
          initialDelaySeconds: 15
          periodSeconds: 20
+        resources:
+          requests:
+            cpu: "400m"
+            memory: "350Mi"
+          limits:
+            cpu: "600m"
+            memory: "512Mi"
        imagePullPolicy: Always
        args: ["--env", "production"]
        env:
--- a/proxy/kubernetes/proxy-deployment-sandbox-canary.yaml
+++ b/proxy/kubernetes/proxy-deployment-sandbox-canary.yaml
@@ -33,6 +33,13 @@ spec:
            port: health-check
          initialDelaySeconds: 15
          periodSeconds: 20
+        resources:
+          requests:
+            cpu: "400m"
+            memory: "350Mi"
+          limits:
+            cpu: "600m"
+            memory: "512Mi"
        imagePullPolicy: Always
        args: ["--env", "sandbox_canary", "--log"]
        env:
--- a/proxy/kubernetes/proxy-deployment-sandbox.yaml
+++ b/proxy/kubernetes/proxy-deployment-sandbox.yaml
@@ -33,6 +33,13 @@ spec:
            port: health-check
          initialDelaySeconds: 15
          periodSeconds: 20
+        resources:
+          requests:
+            cpu: "400m"
+            memory: "350Mi"
+          limits:
+            cpu: "600m"
+            memory: "512Mi"
        imagePullPolicy: Always
        args: ["--env", "sandbox", "--log"]
        env:
--- a/proxy/kubernetes/proxy-limit-range.yaml
+++ b/proxy/kubernetes/proxy-limit-range.yaml
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: LimitRange
-metadata:
-  name: resource-limits
-  namespace: default
-spec:
-  limits:
-  - type: Container
-    default:
-      cpu: "600m"
-      memory: "512Mi"
-    defaultRequest:
-      cpu: "400m"
-      memory: "350Mi"