
Merge branch 'feature/nginx-proxy' into develop

LecygneNoir 4 years ago
6 changed files with 240 additions and 4 deletions
  1. +3
  2. +1
  3. +60
  4. +148
  5. +8
  6. +20

+ 3
- 0
scripts/

@ -11,4 +11,7 @@ cp /app/support/docker/production/config/custom-environment-variables.yaml /conf
# Patch user after the cp # Patch user after the cp
find /config ! -user peertube -exec chown peertube:peertube {} \; find /config ! -user peertube -exec chown peertube:peertube {} \;
# Prepare assets for the Nginx sidecar
cp -r /app/client/dist/* /assets/
exit 0 exit 0
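Review bot: A failure of the added `cp -r /app/client/dist/* /assets/` is masked by the unconditional `exit 0` that follows, unless the script enables `set -e` above the hunk, which is not visible here. If the `/assets` volume is missing or the copy is only partial, the init container still reports success and the nginx sidecar serves an empty or incomplete asset directory. I would make the copy fatal, for example `cp -r /app/client/dist/* /assets/ || exit 1`. The script starts outside the hunk.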

+ 1
- 1
templates/NOTES.txt

@ -11,7 +11,7 @@
NOTE: It may take a few minutes for the LoadBalancer IP to be available. NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ template "peertube.fullname" . }}' You can watch the status of by running 'kubectl get svc -w {{ template "peertube.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "peertube.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "peertube.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.port }}
echo http://$SERVICE_IP:{{ .Values.ports.peertubePort }}
{{- else if contains "ClusterIP" .Values.service.type }} {{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0]}") export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0]}")
echo "Visit to use your application" echo "Visit to use your application"

+ 60
- 1
templates/deployment.yaml

@ -31,6 +31,8 @@ spec:
- mountPath: /init - mountPath: /init
name: peertube-init name: peertube-init
readOnly: true readOnly: true
- name: peertubeassets
mountPath: /assets
command: command:
- sh - sh
- /init/ - /init/
@ -51,12 +53,54 @@ spec:
- /init/ - /init/
{{- end }} {{- end }}
containers: containers:
{{- if .Values.nginxproxy.enabled }}
- name: nginx-proxy
image: "{{ .Values.nginxproxy.image.repository }}:{{ .Values.nginxproxy.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
- name: http
containerPort: {{ .Values.ports.nginxproxyPort }}
protocol: TCP
path: /
port: http
initialDelaySeconds: 60
path: /
port: http
initialDelaySeconds: 60
- name: nginxtemp
mountPath: /nginxtemp
- mountPath: /etc/nginx/conf.d
name: nginx-proxyconf
readOnly: true
- name: peertubeassets
mountPath: /assets
readOnly: true
- name: data
mountPath: /data
{{- end }}
- name: {{ .Chart.Name }} - name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.nginxproxy.enabled }}
path: /
port: 9000
initialDelaySeconds: 60
path: /
port: 9000
initialDelaySeconds: 60
{{- else }}
ports: ports:
- name: http - name: http
containerPort: 9000
containerPort: {{ .Values.ports.peertubePort }}
protocol: TCP protocol: TCP
livenessProbe: livenessProbe:
httpGet: httpGet:
@ -68,6 +112,7 @@ spec:
path: / path: /
port: http port: http
initialDelaySeconds: 60 initialDelaySeconds: 60
{{- end }}
command: command:
- gosu - gosu
- peertube - peertube
@ -146,6 +191,20 @@ spec:
- name: config - name: config
emptyDir: {} emptyDir: {}
{{- end }} {{- end }}
{{- if .Values.nginxproxy.persistence.enabled }}
- name: nginxtemp
claimName: {{ .Values.nginxproxy.persistence.existingClaim }}
{{- else }}
- name: nginxtemp
emptyDir: {}
{{- end }}
- name: peertubeassets
emptyDir: {}
- configMap:
defaultMode: 420
name: nginx-proxyconf
name: nginx-proxyconf
- configMap: - configMap:
defaultMode: 420 defaultMode: 420
name: peertube-init name: peertube-init
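Review bot: The nginx-proxy sidecar mounts the `data` volume at `/data` without `readOnly: true`, although the proxy configuration only reads thumbnails, avatars and video files from it; the `peertubeassets` and `nginx-proxyconf` mounts next to it are already read-only. Adding `readOnly: true` under `mountPath: /data` keeps a compromised or misconfigured proxy from modifying PeerTube's stored media. Separately, the probes added for the PeerTube container in the `nginxproxy.enabled` branch use `port: 9000` where the rest of the commit uses `{{ .Values.ports.peertubePort }}`, so a non-default port would fail the probes. Several keys of this section appear to be lost in the page rendering, so the exact nesting should be checked against the file.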

+ 148
- 0
templates/nginx-proxyconf.yml

@ -0,0 +1,148 @@
apiVersion: v1
kind: ConfigMap
name: nginx-proxyconf
peertubesite.conf: |-
server {
listen {{ .Values.ports.nginxproxyPort }} default_server;
listen [::]:{{ .Values.ports.nginxproxyPort }} default_server;
server_name _;
error_log /var/log/nginx/error.log warn;
access_log /var/log/nginx/access.log main;
# Enable compression for JS/CSS/HTML bundle, for improved client load times.
# It might be nice to compress JSON, but leaving that out to protect against potential
# compression+encryption information leak attacks like BREACH.
gzip on;
gzip_types text/css application/javascript;
gzip_vary on;
# If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
# See
client_body_temp_path /nginxtemp;
# Bypass PeerTube for performance reasons. Could be removed
location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ {
add_header Cache-Control "public, max-age=31536000, immutable";
alias /assets/$1;
# Bypass PeerTube for performance reasons. Could be removed
location ~ ^/static/(thumbnails|avatars)/ {
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
# Cache 2 hours
add_header Cache-Control "public, max-age=7200";
root /data;
rewrite ^/static/(thumbnails|avatars)/(.*)$ /$1/$2 break;
try_files $uri /;
location / {
proxy_pass{{ .Values.ports.peertubePort }};
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is the maximum upload size, which roughly matches the maximum size of a video file
# you can send via the API or the web interface. By default this is 8GB, but administrators
# can increase or decrease the limit. Currently there's no way to communicate this limit
# to users automatically, so you may want to leave a note in your instance 'about' page if
# you change this.
# Note that temporary space is needed equal to the total size of all concurrent uploads.
# This data gets stored in /var/lib/nginx by default, so you may want to put this directory
# on a dedicated filesystem.
client_max_body_size {{ .Values.nginxproxy.maxbodysize }};
# Default timeout to 50m to allow large upload with slow connection
proxy_connect_timeout 3000;
proxy_send_timeout 3000;
proxy_read_timeout 3000;
send_timeout 3000;
# Bypass PeerTube for performance reasons. Could be removed
location ~ ^/static/(webseed|redundancy|streaming-playlists)/ {
# Clients usually have 4 simultaneous webseed connections, so the real limit is 4MB/s per client
set $peertube_limit_rate 1000k;
# Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
if ($request_uri ~ -fragmented.mp4$) {
set $peertube_limit_rate 5000k;
# Use this with nginx >= 1.17.0
limit_rate $peertube_limit_rate;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
# Don't spam access log file with byte range requests
access_log off;
root /data;
rewrite ^/static/webseed/(.*)$ /videos/$1 break;
rewrite ^/static/redundancy/(.*)$ /redundancy/$1 break;
rewrite ^/static/streaming-playlists/(.*)$ /streaming-playlists/$1 break;
try_files $uri /;
# Websocket tracker
location /tracker/socket {
# Peers send a message to the tracker every 15 minutes
# Don't close the websocket before this time
proxy_read_timeout 1200s;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass{{ .Values.ports.peertubePort }};
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass{{ .Values.ports.peertubePort }};
# enable WebSockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
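Review bot: `client_max_body_size {{ .Values.nginxproxy.maxbodysize }}` together with `client_body_temp_path /nginxtemp` means any client, authenticated or not, can have a request body of up to the configured 8G spooled to disk before PeerTube sees the request, because nginx buffers request bodies by default. With the default `emptyDir: {}` for `nginxtemp` in deployment.yaml that space comes from the node's ephemeral storage with no cap, so a few concurrent large requests can fill it. I would cap the volume with `sizeLimit:` on the `emptyDir` (driven by a new chart value), and keep a small `client_max_body_size` at server level with the large limit only on the upload routes. The directive appears to sit in the first `location /` block, but closing braces are missing from this rendering, so the scope should be confirmed in the file.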

+ 8
- 1
templates/service.yaml

@ -10,10 +10,17 @@ metadata:
spec: spec:
type: {{ .Values.service.type }} type: {{ .Values.service.type }}
ports: ports:
- port: {{ .Values.service.port }}
{{- if .Values.nginxproxy.enabled }}
- port: {{ .Values.ports.nginxproxyPort }}
targetPort: http targetPort: http
protocol: TCP protocol: TCP
name: http name: http
{{- else }}
- port: {{ .Values.ports.peertubePort }}
targetPort: http
protocol: TCP
name: http
{{- end }}
selector: selector:
app: {{ template "" . }} app: {{ template "" . }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
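Review bot: With `nginxproxy.enabled` the Service port switches to `{{ .Values.ports.nginxproxyPort }}`, and values.yaml in this commit appears to enable the proxy by default with 9001, so an upgrade moves the exposed port from 9000 to 9001 for anything that addresses the Service by number (LoadBalancer or NodePort users, NetworkPolicies, an Ingress with a numeric backend port). templates/NOTES.txt in the same commit still prints `{{ .Values.ports.peertubePort }}` in the LoadBalancer hint, which would be the wrong port in that case. Consider keeping one stable Service `port` and changing only which container owns the `http` target port, or call the port change out in the upgrade notes.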

+ 20
- 1
values.yaml

@ -12,7 +12,14 @@ image:
service: service:
type: ClusterIP type: ClusterIP
port: 9000
# peertubePort should be the same than the port in your Peertube production.yml configuration. Default to 9000
# nginxproxyPort is used only when nginx-proxy is enabled, and should be different from the Peertube port.
# peertubePort is exposed outside of the pod, except if nginx-proxy is enabled, in this case it's the nginxproxyPort that is exposed
# The chart uses the correct port for service and ingress according to configuration
peertubePort: 9000
nginxproxyPort: 9001
ingress: ingress:
enabled: true enabled: true
@ -86,6 +93,18 @@ environment:
signup: false signup: false
transcoding: true transcoding: true
enabled: true
repository: nginx
tag: 1.17.9
maxbodysize: 8G
# When uploading, temporary space is needed equal to the total size of all concurrent uploads.
# It could be a good idea to use an outside docker storage (eg: pvc in k8s) for these files
enabled: false
existingClaim: pvc-nginx-proxy
redis: redis:
usePassword: false usePassword: false
password: peertube password: peertube
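Review bot: The new comment says `nginxproxyPort` "should be different from the Peertube port", but nothing enforces it; both containers share the pod's network namespace, so equal values would leave one of them unable to bind. A guard in a template turns that into a render-time error, for example `{{- if eq (int .Values.ports.peertubePort) (int .Values.ports.nginxproxyPort) }}{{ fail "ports.peertubePort and ports.nginxproxyPort must differ" }}{{- end }}`. The removal of `service.port` also means an existing override of that key is silently ignored after the upgrade, which deserves a line in the comment block. Some key lines of this section appear to be missing from the rendering, so the nesting of the new values should be checked against the file.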
