Update proxy resources, increase ssl handshake timeout (#2819)

jetty/kubernetes/nomulus-frontend.yaml

@@ -99,7 +99,7 @@ spec:
     apiVersion: apps/v1
     kind: Deployment
     name: frontend
-  minReplicas: 8
+  minReplicas: 12
   maxReplicas: 16
   metrics:
   - type: Resource

networking/src/main/java/google/registry/networking/handler/SslClientInitializer.java

@@ -119,6 +119,7 @@ public class SslClientInitializer<C extends Channel> extends ChannelInitializer<
         sslContextBuilder
             .build()
             .newHandler(channel.alloc(), hostProvider.apply(channel), portProvider.apply(channel));
+    sslHandler.setHandshakeTimeoutMillis(20000);
 
     // Enable hostname verification.
     SSLEngine sslEngine = sslHandler.engine();

networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java

@@ -139,6 +139,8 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
 
     logger.atInfo().log("Available Cipher Suites: %s", sslContext.cipherSuites());
     SslHandler sslHandler = sslContext.newHandler(channel.alloc());
+    sslHandler.setHandshakeTimeoutMillis(20000);
+
     if (requireClientCert) {
       Promise<X509Certificate> clientCertificatePromise = channel.eventLoop().newPromise();
       Future<Channel> unusedFuture =
@@ -159,15 +161,15 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
                       }
                       logger.atInfo().log(
                           """
-                              --SSL Information--
+                          --SSL Information--
-                              Client Certificate Hash: %s
+                          Client Certificate Hash: %s
-                              SSL Protocol: %s
+                          SSL Protocol: %s
-                              Cipher Suite: %s
+                          Cipher Suite: %s
-                              Not Before: %s
+                          Not Before: %s
-                              Not After: %s
+                          Not After: %s
-                              Client Certificate Type: %s
+                          Client Certificate Type: %s
-                              Client Certificate Length: %s
+                          Client Certificate Length: %s
-                              """,
+                          """,
                           getCertificateHash(clientCertificate),
                           sslSession.getProtocol(),
                           sslSession.getCipherSuite(),

proxy/deploy-proxy-for-env.sh

@@ -31,7 +31,6 @@ do
   echo "Updating cluster ${parts[0]} in zone ${parts[1]}..."
   gcloud container clusters get-credentials "${parts[0]}" \
     --project "${project}" --zone "${parts[1]}"
-  kubectl apply -f "./kubernetes/proxy-limit-range.yaml" --force
   sed s/GCP_PROJECT/${project}/g "./kubernetes/proxy-deployment-${environment}.yaml" | \
   kubectl apply -f -
   kubectl apply -f "./kubernetes/proxy-service.yaml" --force

proxy/kubernetes/proxy-deployment-production-canary.yaml

@@ -33,6 +33,13 @@ spec:
             port: health-check
           initialDelaySeconds: 15
           periodSeconds: 20
+        resources:
+          requests:
+            cpu: "400m"
+            memory: "350Mi"
+          limits:
+            cpu: "600m"
+            memory: "512Mi"
         imagePullPolicy: Always
         args: ["--env", "production_canary"]
         env:

proxy/kubernetes/proxy-deployment-production.yaml

@@ -33,6 +33,13 @@ spec:
             port: health-check
           initialDelaySeconds: 15
           periodSeconds: 20
+        resources:
+          requests:
+            cpu: "400m"
+            memory: "350Mi"
+          limits:
+            cpu: "600m"
+            memory: "512Mi"
         imagePullPolicy: Always
         args: ["--env", "production"]
         env:

proxy/kubernetes/proxy-deployment-sandbox-canary.yaml

@@ -33,6 +33,13 @@ spec:
             port: health-check
           initialDelaySeconds: 15
           periodSeconds: 20
+        resources:
+          requests:
+            cpu: "400m"
+            memory: "350Mi"
+          limits:
+            cpu: "600m"
+            memory: "512Mi"
         imagePullPolicy: Always
         args: ["--env", "sandbox_canary", "--log"]
         env:

proxy/kubernetes/proxy-deployment-sandbox.yaml

@@ -33,6 +33,13 @@ spec:
             port: health-check
           initialDelaySeconds: 15
           periodSeconds: 20
+        resources:
+          requests:
+            cpu: "400m"
+            memory: "350Mi"
+          limits:
+            cpu: "600m"
+            memory: "512Mi"
         imagePullPolicy: Always
         args: ["--env", "sandbox", "--log"]
         env:

proxy/kubernetes/proxy-limit-range.yaml

@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: LimitRange
-metadata:
-  name: resource-limits
-  namespace: default
-spec:
-  limits:
-  - type: Container
-    default:
-      cpu: "600m"
-      memory: "512Mi"
-    defaultRequest:
-      cpu: "400m"
-      memory: "350Mi"