DevConf.CZ

Scalable and multi-tenant Kubernetes ingress infrastructure
2024-06-14, D105 (capacity 300)

CERN, the European Organization for Nuclear Research, is one of the world's largest centres for scientific research. Not only is it home to the world's largest particle accelerator (Large Hadron Collider, LHC), but it is also the birthplace of the Web in 1989.
Since 2016, CERN has been using the OpenShift Kubernetes Distribution to host a private platform-as-a-service (PaaS). This service is optimized for hosting web applications and has grown to tens of thousands of individual websites.
By now, we have established a reliable framework that deals with various use cases: thousands of websites per ingress controller (8K+ routes), long-lived connections (30K+ concurrent sessions) and high-traffic applications (25TB+ per day).

This session will discuss:
* CERN's web hosting infrastructure based on OpenShift Kubernetes clusters;
* usage of open source and in-house developed software for providing a seamless user experience;
* integrations for registering hostnames (local DNS, LanDB, external);
* provisioning of certificates (automatic with external-dns / ACME HTTP-01, manual provisioning);
* access control policies and "connecting" different components with OpenPolicyAgent;
* enforcing unique hostnames across multiple Kubernetes clusters;
* strategies for setting up Kubernetes Ingress Controllers for multi-tenant clusters;
* methods for scaling and sharding ingress controllers according to the application's requirements (specifically HAProxy ingress controllers).

Jack Henschel is a Cloud Computing Engineer at CERN where he develops and administrates several Kubernetes clusters, ensuring all components integrate smoothly with the rest of CERN's computing environment. His special areas of interest are systems performance, observability and efficiency. In his free time he likes exploring the French and Swiss Alps on foot and by bike.