From 6bbd7a2290bad4b02cf2c055df81ae5f70eb3161 Mon Sep 17 00:00:00 2001
From: Pavlo Tkach <3469726+ptkach@users.noreply.github.com>
Date: Fri, 5 Sep 2025 14:09:55 -0400
Subject: [PATCH] Update proxy resources, increase ssl handshake timeout (#2819)

---
 jetty/kubernetes/nomulus-frontend.yaml | 2 +-
 .../handler/SslClientInitializer.java | 1 +
 .../handler/SslServerInitializer.java | 20 ++++++++++---------
 proxy/deploy-proxy-for-env.sh | 1 -
 .../proxy-deployment-production-canary.yaml | 7 +++++++
 .../proxy-deployment-production.yaml | 7 +++++++
 .../proxy-deployment-sandbox-canary.yaml | 7 +++++++
 .../kubernetes/proxy-deployment-sandbox.yaml | 7 +++++++
 proxy/kubernetes/proxy-limit-range.yaml | 14 -------------
 9 files changed, 41 insertions(+), 25 deletions(-)
 delete mode 100644 proxy/kubernetes/proxy-limit-range.yaml

diff --git a/jetty/kubernetes/nomulus-frontend.yaml b/jetty/kubernetes/nomulus-frontend.yaml
index 648a90c42..95c8539e4 100644
--- a/jetty/kubernetes/nomulus-frontend.yaml
+++ b/jetty/kubernetes/nomulus-frontend.yaml
@@ -99,7 +99,7 @@ spec:
 apiVersion: apps/v1
 kind: Deployment
 name: frontend
- minReplicas: 8
+ minReplicas: 12
 maxReplicas: 16
 metrics:
 - type: Resource
diff --git a/networking/src/main/java/google/registry/networking/handler/SslClientInitializer.java b/networking/src/main/java/google/registry/networking/handler/SslClientInitializer.java
index 157fd0d28..d57413833 100644
--- a/networking/src/main/java/google/registry/networking/handler/SslClientInitializer.java
+++ b/networking/src/main/java/google/registry/networking/handler/SslClientInitializer.java
@@ -119,6 +119,7 @@ public class SslClientInitializer extends ChannelInitializer<
 sslContextBuilder
 .build()
 .newHandler(channel.alloc(), hostProvider.apply(channel), portProvider.apply(channel));
+ sslHandler.setHandshakeTimeoutMillis(20000);
 
 // Enable hostname verification.
 SSLEngine sslEngine = sslHandler.engine();
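Review bot: The handshake timeout literal `20000` added here is repeated verbatim in the SslServerInitializer hunk, and neither site says why 20 s was chosen over Netty's 10 s default. Hoist it into one named constant the two initializers share, e.g. `private static final long HANDSHAKE_TIMEOUT_MILLIS = 20_000L;`, with a comment such as `// Doubled from Netty's default; a peer that never finishes the handshake now holds the channel twice as long, so keep this in step with connection limits and pod resources.` On the server side this value bounds how long an unauthenticated peer can keep a pending TLS handshake open, so the trade-off belongs next to the number rather than only in the commit title. The enclosing initChannel methods start and end outside both hunks.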
diff --git a/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java b/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java
index 196aa22f2..d948d058c 100644
--- a/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java
+++ b/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java
@@ -139,6 +139,8 @@ public class SslServerInitializer extends ChannelInitializer<
 logger.atInfo().log("Available Cipher Suites: %s", sslContext.cipherSuites());
 SslHandler sslHandler = sslContext.newHandler(channel.alloc());
+ sslHandler.setHandshakeTimeoutMillis(20000);
+
 if (requireClientCert) {
 Promise clientCertificatePromise = channel.eventLoop().newPromise();
 Future unusedFuture =
@@ -159,15 +161,15 @@ public class SslServerInitializer extends ChannelInitializer<
 }
 logger.atInfo().log(
 """
- --SSL Information--
- Client Certificate Hash: %s
- SSL Protocol: %s
- Cipher Suite: %s
- Not Before: %s
- Not After: %s
- Client Certificate Type: %s
- Client Certificate Length: %s
- """,
+ --SSL Information--
+ Client Certificate Hash: %s
+ SSL Protocol: %s
+ Cipher Suite: %s
+ Not Before: %s
+ Not After: %s
+ Client Certificate Type: %s
+ Client Certificate Length: %s
+ """,
 getCertificateHash(clientCertificate),
 sslSession.getProtocol(),
 sslSession.getCipherSuite(),
diff --git a/proxy/deploy-proxy-for-env.sh b/proxy/deploy-proxy-for-env.sh
index 80bb659c5..a20c53b6d 100755
--- a/proxy/deploy-proxy-for-env.sh
+++ b/proxy/deploy-proxy-for-env.sh
@@ -31,7 +31,6 @@ do
 echo "Updating cluster ${parts[0]} in zone ${parts[1]}..."
 gcloud container clusters get-credentials "${parts[0]}" \
 --project "${project}" --zone "${parts[1]}"
- kubectl apply -f "./kubernetes/proxy-limit-range.yaml" --force
 sed s/GCP_PROJECT/${project}/g "./kubernetes/proxy-deployment-${environment}.yaml" | \
 kubectl apply -f -
 kubectl apply -f "./kubernetes/proxy-service.yaml" --force
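Review bot: Dropping the `kubectl apply` of proxy-limit-range.yaml leaves the `resource-limits` LimitRange already created in the `default` namespace of every existing cluster in place, because nothing in the script deletes it. That object will keep injecting the old default requests and limits into any container in the namespace that does not declare its own, which is no longer the intent once the proxy manifests carry explicit values. Add a one-shot cleanup in the same loop, `kubectl delete limitrange resource-limits --namespace default --ignore-not-found`, or record the manual removal in the commit description so operators know to do it. The surrounding `for`/`do` loop begins before this hunk.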
diff --git a/proxy/kubernetes/proxy-deployment-production-canary.yaml b/proxy/kubernetes/proxy-deployment-production-canary.yaml
index 9c04c6b35..9dba32279 100644
--- a/proxy/kubernetes/proxy-deployment-production-canary.yaml
+++ b/proxy/kubernetes/proxy-deployment-production-canary.yaml
@@ -33,6 +33,13 @@ spec:
 port: health-check
 initialDelaySeconds: 15
 periodSeconds: 20
+ resources:
+ requests:
+ cpu: "400m"
+ memory: "350Mi"
+ limits:
+ cpu: "600m"
+ memory: "512Mi"
 imagePullPolicy: Always
 args: ["--env", "production_canary"]
 env:
diff --git a/proxy/kubernetes/proxy-deployment-production.yaml b/proxy/kubernetes/proxy-deployment-production.yaml
index a42b48b7a..fdfaa4517 100644
--- a/proxy/kubernetes/proxy-deployment-production.yaml
+++ b/proxy/kubernetes/proxy-deployment-production.yaml
@@ -33,6 +33,13 @@ spec:
 port: health-check
 initialDelaySeconds: 15
 periodSeconds: 20
+ resources:
+ requests:
+ cpu: "400m"
+ memory: "350Mi"
+ limits:
+ cpu: "600m"
+ memory: "512Mi"
 imagePullPolicy: Always
 args: ["--env", "production"]
 env:
diff --git a/proxy/kubernetes/proxy-deployment-sandbox-canary.yaml b/proxy/kubernetes/proxy-deployment-sandbox-canary.yaml
index bac5696e7..d853a4e50 100644
--- a/proxy/kubernetes/proxy-deployment-sandbox-canary.yaml
+++ b/proxy/kubernetes/proxy-deployment-sandbox-canary.yaml
@@ -33,6 +33,13 @@ spec:
 port: health-check
 initialDelaySeconds: 15
 periodSeconds: 20
+ resources:
+ requests:
+ cpu: "400m"
+ memory: "350Mi"
+ limits:
+ cpu: "600m"
+ memory: "512Mi"
 imagePullPolicy: Always
 args: ["--env", "sandbox_canary", "--log"]
 env:
diff --git a/proxy/kubernetes/proxy-deployment-sandbox.yaml b/proxy/kubernetes/proxy-deployment-sandbox.yaml
index 4f7dcf03f..5bda82a7d 100644
--- a/proxy/kubernetes/proxy-deployment-sandbox.yaml
+++ b/proxy/kubernetes/proxy-deployment-sandbox.yaml
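Review bot: The same `requests`/`limits` block is now pasted into four manifests (this one, proxy-deployment-production.yaml, proxy-deployment-sandbox-canary.yaml and proxy-deployment-sandbox.yaml) where the deleted LimitRange held it once, so the copies will drift unless something ties them together. At minimum add a comment above each block, `# Keep in sync with the other proxy-deployment-*.yaml manifests; replaces the former proxy-limit-range.yaml LimitRange.`, or move the block into a shared base that the per-environment files overlay. The numbers match what the LimitRange used to inject, so the proxy container's effective resources are unchanged; whether the 512Mi ceiling leaves headroom for the proxy process (heap plus native buffers behind the Netty SSL handlers touched in this commit) is not visible here and worth confirming before the namespace-wide default is removed. The containers entry these lines belong to starts above the hunk.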
@@ -33,6 +33,13 @@ spec:
 port: health-check
 initialDelaySeconds: 15
 periodSeconds: 20
+ resources:
+ requests:
+ cpu: "400m"
+ memory: "350Mi"
+ limits:
+ cpu: "600m"
+ memory: "512Mi"
 imagePullPolicy: Always
 args: ["--env", "sandbox", "--log"]
 env:
diff --git a/proxy/kubernetes/proxy-limit-range.yaml b/proxy/kubernetes/proxy-limit-range.yaml
deleted file mode 100644
index fdd4b3efb..000000000
--- a/proxy/kubernetes/proxy-limit-range.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: LimitRange
-metadata:
- name: resource-limits
- namespace: default
-spec:
- limits:
- - type: Container
- default:
- cpu: "600m"
- memory: "512Mi"
- defaultRequest:
- cpu: "400m"
- memory: "350Mi"