The timeout configuration for httpproxy (#2603)

Configuring timeout for httpproxy in Harbor package.
Signed-off-by: Shengwen Yu <yshengwen@vmware.com>
Co-authored-by: Shengwen Yu <yshengwen@vmware.com>

addons/packages/harbor/2.3.3/bundle/config/overlay/update-httpproxy.yaml

@@ -2,6 +2,19 @@
 #@ load("/helpers.star", "get_notary_hostname")
 #@ load("@ytt:overlay", "overlay")
 
+#@ def get_timeout_policy_fragment():
+#@overlay/match missing_ok=True
+timeoutPolicy:
+  #@ if/end values.contourHttpProxy.timeout != None:
+  response: #@ values.contourHttpProxy.timeout
+  #@ if/end values.contourHttpProxy.idleTimeout != None:
+  idle: #@ values.contourHttpProxy.idleTimeout
+#@ end
+
+#@ def add_timeout_policy(routes_yaml, _):
+#@   return [overlay.apply(route, get_timeout_policy_fragment()) for route in routes_yaml]
+#@ end
+
 #@ harbor_httpproxy = overlay.subset({"kind": "HTTPProxy", "metadata": {"name": "harbor-httpproxy"}})
 #@ harbor_httpproxy_notary = overlay.subset({"kind": "HTTPProxy", "metadata": {"name": "harbor-httpproxy-notary"}})
 
@@ -13,6 +26,10 @@ spec:
     tls:
       #@ if/end values.tlsCertificateSecretName:
       secretName: #@ values.tlsCertificateSecretName
+  #@ if values.contourHttpProxy.timeout != None or values.contourHttpProxy.idleTimeout != None:
+  #@overlay/replace via=add_timeout_policy
+  routes:
+  #@ end
 
 #@ notaryHostname = "notary." + values.hostname
 
@@ -24,6 +41,10 @@ spec:
     tls:
       #@ if/end values.tlsCertificateSecretName:
       secretName: #@ values.tlsCertificateSecretName
+  #@ if values.contourHttpProxy.timeout != None or values.contourHttpProxy.idleTimeout != None:
+  #@overlay/replace via=add_timeout_policy
+  routes:
+  #@ end
 
 #@ if not values.enableContourHttpProxy:
 #@overlay/match by=harbor_httpproxy

addons/packages/harbor/2.3.3/bundle/config/upstream/manifests/05-httpproxy.yaml

@@ -32,9 +32,6 @@ spec:
       services:
         - name: harbor-core
           port: 443
-      #! Pulling extra large images requires longer timeout.
-      timeoutPolicy:
-        response: 60s
     - conditions:
       - prefix: /chartrepo/
       services:

addons/packages/harbor/2.3.3/bundle/config/values.star

 load("@ytt:data", "data")
 load("@ytt:assert", "assert")
 load("/globals.star", "globals")
+load("@ytt:regexp", "regexp")
 
 def validate_harbor_namespace():
   values.namespace or assert.fail("harbor namespace should be provided")
@@ -94,6 +95,16 @@ def validate_ip_families():
   end
 end
 
+def validate_httpproxy_timeout():
+  pattern = '^(((\d*(\.\d*)?h)|(\d*(\.\d*)?m)|(\d*(\.\d*)?s)|(\d*(\.\d*)?ms)|(\d*(\.\d*)?us)|(\d*(\.\d*)?µs)|(\d*(\.\d*)?ns))+|infinity|infinite)$'
+  if data.values.contourHttpProxy.timeout:
+    regexp.match(pattern, data.values.contourHttpProxy.timeout) or assert.fail("The contourHttpProxy.timeout should be #h, or #m, or #s, or infinity or infinite, where # is a positive integer")
+  end
+  if data.values.contourHttpProxy.idleTimeout:
+    regexp.match(pattern, data.values.contourHttpProxy.idleTimeout) or assert.fail("The contourHttpProxy.idleTimeout should be #h, or #m, or #s, or infinity or infinite, where # is a positive integer")
+  end
+end
+
 def validate_harbor():
   validate_funcs = [
     validate_harbor_namespace,
@@ -107,6 +118,7 @@ def validate_harbor():
     validate_database,
     validate_image_chart_storage,
     validate_ip_families,
+    validate_httpproxy_timeout,
   ]
    for validate_func in validate_funcs:
      validate_func()

addons/packages/harbor/2.3.3/bundle/config/values.yaml

@@ -35,6 +35,15 @@ tlsCertificateSecretName:
 #! Use contour http proxy instead of the ingress when it's true
 enableContourHttpProxy: true
 
+#! [Optional] Set http proxy timeout policy
+contourHttpProxy:
+  #! [Optional] Timeout for receiving a response from the server after processing a request from client.
+  #! the value assigned to timeout should be a number followed by a letter like "h", "m", "s", or "ms", i.e. 1h, 5m, 60s, 1000ms; or infinite or infinity.
+  timeout: 0s
+  #! [Optional] Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2).
+  #! the value assigned to idleTimeout should also be a number followed by a letter like "h", "m", "s", or "ms", i.e. 1h, 5m, 60s, 1000ms; or infinite or infinity.
+  idleTimeout: 5m
+
 #! [Required] The initial password of Harbor admin.
 harborAdminPassword:
 

addons/packages/harbor/2.3.3/package.yaml

@@ -66,6 +66,16 @@ spec:
           type: boolean
           description: Use contour http proxy instead of the ingress when it's true.
           default: true
+        contourHttpProxy:
+          type: object
+          description: The timeout policy configuration for httpproxy.
+          properties:
+            timeout:
+              type: string
+              description: Timeout for receiving a response from the server after processing a request from client.
+            idleTimeout:
+              type: string
+              description: Timeout for how long the proxy should wait while there is no activity during single request/response (for HTTP/1.1) or stream (for HTTP/2).
         harborAdminPassword:
           type: string
           description: The initial password of Harbor admin.
@@ -711,7 +721,7 @@ spec:
     spec:
       fetch:
         - imgpkgBundle:
-            image: projects.registry.vmware.com/tce/harbor@sha256:d8b983b4ce99e037fff0ee7c21a938447f0aa0e03f87d5d17b6b588d6d014400
+            image: projects.registry.vmware.com/tce/harbor@sha256:610c0ec78afd7095eed05624976ab83bd05c41b1f926fb2ccb7cf1bdfc239f37
       template:
         - ytt:
             paths:

addons/packages/harbor/2.3.3/test/unittest/fixtures/expected/default.yaml

@@ -429,33 +429,49 @@ spec:
     services:
     - name: harbor-portal
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /api/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /service/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /v2/
     services:
     - name: harbor-core
       port: 443
     timeoutPolicy:
-      response: 60s
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /chartrepo/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /c/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
 ---
 apiVersion: projectcontour.io/v1
 kind: HTTPProxy
@@ -475,6 +491,9 @@ spec:
     services:
     - name: harbor-notary-server
       port: 4443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
 ---
 apiVersion: v1
 kind: ConfigMap

addons/packages/harbor/2.3.3/test/unittest/fixtures/expected/registry-azure-storage.yaml

@@ -429,33 +429,49 @@ spec:
     services:
     - name: harbor-portal
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /api/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /service/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /v2/
     services:
     - name: harbor-core
       port: 443
     timeoutPolicy:
-      response: 60s
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /chartrepo/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /c/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
 ---
 apiVersion: projectcontour.io/v1
 kind: HTTPProxy
@@ -475,6 +491,9 @@ spec:
     services:
     - name: harbor-notary-server
       port: 4443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
 ---
 apiVersion: v1
 kind: ConfigMap

addons/packages/harbor/2.3.3/test/unittest/fixtures/expected/registry-existing-pvc.yaml

@@ -429,33 +429,49 @@ spec:
     services:
     - name: harbor-portal
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /api/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /service/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /v2/
     services:
     - name: harbor-core
       port: 443
     timeoutPolicy:
-      response: 60s
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /chartrepo/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /c/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
 ---
 apiVersion: projectcontour.io/v1
 kind: HTTPProxy
@@ -475,6 +491,9 @@ spec:
     services:
     - name: harbor-notary-server
       port: 4443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
 ---
 apiVersion: v1
 kind: ConfigMap

addons/packages/harbor/2.3.3/test/unittest/fixtures/expected/registry-gcs-storage.yaml

@@ -429,33 +429,49 @@ spec:
     services:
     - name: harbor-portal
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /api/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /service/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /v2/
     services:
     - name: harbor-core
       port: 443
     timeoutPolicy:
-      response: 60s
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /chartrepo/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /c/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
 ---
 apiVersion: projectcontour.io/v1
 kind: HTTPProxy
@@ -475,6 +491,9 @@ spec:
     services:
     - name: harbor-notary-server
       port: 4443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
 ---
 apiVersion: v1
 kind: ConfigMap

addons/packages/harbor/2.3.3/test/unittest/fixtures/expected/registry-s3-storage.yaml

@@ -429,33 +429,49 @@ spec:
     services:
     - name: harbor-portal
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /api/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /service/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /v2/
     services:
     - name: harbor-core
       port: 443
     timeoutPolicy:
-      response: 60s
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /chartrepo/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /c/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
 ---
 apiVersion: projectcontour.io/v1
 kind: HTTPProxy
@@ -475,6 +491,9 @@ spec:
     services:
     - name: harbor-notary-server
       port: 4443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
 ---
 apiVersion: v1
 kind: ConfigMap

addons/packages/harbor/2.3.3/test/unittest/fixtures/expected/tls-certificate-secret-name.yaml

@@ -429,33 +429,49 @@ spec:
     services:
     - name: harbor-portal
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /api/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /service/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /v2/
     services:
     - name: harbor-core
       port: 443
     timeoutPolicy:
-      response: 60s
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /chartrepo/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
   - conditions:
     - prefix: /c/
     services:
     - name: harbor-core
       port: 443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
 ---
 apiVersion: projectcontour.io/v1
 kind: HTTPProxy
@@ -475,6 +491,9 @@ spec:
     services:
     - name: harbor-notary-server
       port: 4443
+    timeoutPolicy:
+      response: 0s
+      idle: 5m
 ---
 apiVersion: v1
 kind: ConfigMap

addons/packages/harbor/2.3.3/test/unittest/fixtures/values/httpproxy-timeout.yaml

+#@data/values
+---
+contourHttpProxy:
+  timeout: 65s
+  idleTimeout: 300s

addons/packages/harbor/2.3.3/test/unittest/harbor_test.go

@@ -123,4 +123,14 @@ var _ = Describe("Harbor Ytt Templates", func() {
 		})
 	})
 
+	Context("configuring timeoutPolicy for HTTPProxy", func() {
+		BeforeEach(func() {
+			values = ValuesFromFile("httpproxy-timeout.yaml")
+		})
+
+		It("renders with a HTTPProxy timeoutPolicy configuration", func() {
+			Expect(err).NotTo(HaveOccurred())
+			ExpectOutputEqualToFile("httpproxy-timeout.yaml")
+		})
+	})
 })