Update proxy resources, increase ssl handshake timeout (#2819)

ptkach · web-flow · commit 6bbd7a2290ba · 2025-09-05T18:09:55.000Z
diff --git a/jetty/kubernetes/nomulus-frontend.yaml b/jetty/kubernetes/nomulus-frontend.yaml
@@ -99,7 +99,7 @@ spec:
     apiVersion: apps/v1
     kind: Deployment
     name: frontend
-  minReplicas: 8
+  minReplicas: 12
   maxReplicas: 16
   metrics:
   - type: Resource
diff --git a/networking/src/main/java/google/registry/networking/handler/SslClientInitializer.java b/networking/src/main/java/google/registry/networking/handler/SslClientInitializer.java
@@ -119,6 +119,7 @@ protected void initChannel(C channel) throws Exception {
         sslContextBuilder
             .build()
             .newHandler(channel.alloc(), hostProvider.apply(channel), portProvider.apply(channel));
+    sslHandler.setHandshakeTimeoutMillis(20000);
 
     // Enable hostname verification.
     SSLEngine sslEngine = sslHandler.engine();
diff --git a/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java b/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java
@@ -139,6 +139,8 @@ protected void initChannel(C channel) throws Exception {
 
     logger.atInfo().log("Available Cipher Suites: %s", sslContext.cipherSuites());
     SslHandler sslHandler = sslContext.newHandler(channel.alloc());
+    sslHandler.setHandshakeTimeoutMillis(20000);
+
     if (requireClientCert) {
       Promise<X509Certificate> clientCertificatePromise = channel.eventLoop().newPromise();
       Future<Channel> unusedFuture =
@@ -159,15 +161,15 @@ protected void initChannel(C channel) throws Exception {
                       }
                       logger.atInfo().log(
                           """
-                              --SSL Information--
-                              Client Certificate Hash: %s
-                              SSL Protocol: %s
-                              Cipher Suite: %s
-                              Not Before: %s
-                              Not After: %s
-                              Client Certificate Type: %s
-                              Client Certificate Length: %s
-                              """,
+                          --SSL Information--
+                          Client Certificate Hash: %s
+                          SSL Protocol: %s
+                          Cipher Suite: %s
+                          Not Before: %s
+                          Not After: %s
+                          Client Certificate Type: %s
+                          Client Certificate Length: %s
+                          """,
                           getCertificateHash(clientCertificate),
                           sslSession.getProtocol(),
                           sslSession.getCipherSuite(),
diff --git a/proxy/deploy-proxy-for-env.sh b/proxy/deploy-proxy-for-env.sh
@@ -31,7 +31,6 @@ do
   echo "Updating cluster ${parts[0]} in zone ${parts[1]}..."
   gcloud container clusters get-credentials "${parts[0]}" \
     --project "${project}" --zone "${parts[1]}"
-  kubectl apply -f "./kubernetes/proxy-limit-range.yaml" --force
   sed s/GCP_PROJECT/${project}/g "./kubernetes/proxy-deployment-${environment}.yaml" | \
   kubectl apply -f -
   kubectl apply -f "./kubernetes/proxy-service.yaml" --force
diff --git a/proxy/kubernetes/proxy-deployment-production-canary.yaml b/proxy/kubernetes/proxy-deployment-production-canary.yaml
@@ -33,6 +33,13 @@ spec:
             port: health-check
           initialDelaySeconds: 15
           periodSeconds: 20
+        resources:
+          requests:
+            cpu: "400m"
+            memory: "350Mi"
+          limits:
+            cpu: "600m"
+            memory: "512Mi"
         imagePullPolicy: Always
         args: ["--env", "production_canary"]
         env:
diff --git a/proxy/kubernetes/proxy-deployment-production.yaml b/proxy/kubernetes/proxy-deployment-production.yaml
@@ -33,6 +33,13 @@ spec:
             port: health-check
           initialDelaySeconds: 15
           periodSeconds: 20
+        resources:
+          requests:
+            cpu: "400m"
+            memory: "350Mi"
+          limits:
+            cpu: "600m"
+            memory: "512Mi"
         imagePullPolicy: Always
         args: ["--env", "production"]
         env:
diff --git a/proxy/kubernetes/proxy-deployment-sandbox-canary.yaml b/proxy/kubernetes/proxy-deployment-sandbox-canary.yaml
@@ -33,6 +33,13 @@ spec:
             port: health-check
           initialDelaySeconds: 15
           periodSeconds: 20
+        resources:
+          requests:
+            cpu: "400m"
+            memory: "350Mi"
+          limits:
+            cpu: "600m"
+            memory: "512Mi"
         imagePullPolicy: Always
         args: ["--env", "sandbox_canary", "--log"]
         env:
diff --git a/proxy/kubernetes/proxy-deployment-sandbox.yaml b/proxy/kubernetes/proxy-deployment-sandbox.yaml
@@ -33,6 +33,13 @@ spec:
             port: health-check
           initialDelaySeconds: 15
           periodSeconds: 20
+        resources:
+          requests:
+            cpu: "400m"
+            memory: "350Mi"
+          limits:
+            cpu: "600m"
+            memory: "512Mi"
         imagePullPolicy: Always
         args: ["--env", "sandbox", "--log"]
         env:
diff --git a/proxy/kubernetes/proxy-limit-range.yaml b/proxy/kubernetes/proxy-limit-range.yaml
