Environment_Infrastructure/roadmap/prod-env/05-apisix-remove-ssl.md
Murat ÖZDEMİR 67f4c10c93 docs(roadmap): update various roadmap docs to align with latest infrastructure setup
- Synchronized swarm initialization, pipeline update, and certificate reloader instructions with the new monolithic stack logic and Ansible roles.
2026-06-15 16:48:04 +03:00

05 — APISIX: Remove SSL / Configure Trusted Proxy (Prod)

Context

The same init/apisix-core/init.sh and custom APISIX image are used for test and prod. TLS terminates at SWAG; APISIX receives plain HTTP over the iklimco-net overlay network.

Checklist

  • The ssls/1 PUT block is removed from init/apisix-core/init.sh.
  • The dev-only SSL block is removed or confirmed to be non-impactful for prod.
  • The custom APISIX image includes trusted proxy settings in template/apisix-core/config.yaml.template: real_ip_header, real_ip_recursive, and set_real_ip_from for private ranges.
  • The custom image is pushed to Harbor when the APISIX config template changes.

Current Prod Model

APISIX runs with 3 replicas in docker-stack-infra_db-prod.yml. All replicas read configuration from the shared DB-node etcd cluster with the /apisix prefix, so the pipeline runs init/apisix-core/init.sh once.

Production deployment uses:

docker stack deploy --with-registry-auth -c docker-stack-infra_db-prod.yml iklimco

SWAG to APISIX Load Distribution

SWAG connects to APISIX through the service name:

proxy_pass http://apisix:9080;

Docker Swarm resolves apisix to the service VIP and distributes requests across APISIX replicas. SWAG does not need a separate upstream list for APISIX.

Verification

docker exec $(docker ps -q -f name=iklimco_apisix | head -1) \
  tail -5 /usr/local/apisix/logs/access.log

The client IP should appear in the log, not SWAG's internal overlay IP.
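
The check above can be scripted instead of read by eye. The following is an added example, not part of the original runbook or the project's pipeline: it counts access-log lines whose client address is still a private or loopback IPv4 address. It assumes `$remote_addr` is the first whitespace-separated field of each log line; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag access-log entries that still show a proxy hop
# (private/loopback IPv4) instead of the real client address.
# Assumption: $remote_addr is the first field of every access-log line.

count_private_clients() {
  # Reads log lines on stdin, prints "<private_count> <total_count>".
  awk '
    function is_private(ip,   o) {
      if (split(ip, o, ".") != 4) return 0      # not dotted IPv4 (e.g. IPv6)
      if (o[1] == 10 || o[1] == 127) return 1   # 10.0.0.0/8, loopback
      if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1   # 172.16.0.0/12
      if (o[1] == 192 && o[2] == 168) return 1  # 192.168.0.0/16
      return 0
    }
    NF > 0 { total++; if (is_private($1)) priv++ }
    END { printf "%d %d\n", priv, total }
  '
}

real_ip_ok() {
  # Exit status 0 only if at least one line was read and none is private.
  set -- $(count_private_clients)
  [ "$2" -gt 0 ] && [ "$1" -eq 0 ]
}

# Constructed sample lines (documentation-range public IPs, made-up hosts).
sample_log() {
  cat <<'EOF'
10.0.1.7 - - [15/Jun/2026:16:50:01 +0300] api.example.test "GET /health HTTP/1.1" 200 2 0.001
203.0.113.45 - - [15/Jun/2026:16:50:02 +0300] api.example.test "GET /v1/items HTTP/1.1" 200 512 0.014
172.18.0.5 - - [15/Jun/2026:16:50:03 +0300] api.example.test "POST /v1/login HTTP/1.1" 401 64 0.020
198.51.100.9 - - [15/Jun/2026:16:50:04 +0300] api.example.test "GET /v1/items HTTP/1.1" 200 512 0.011
172.32.0.1 - - [15/Jun/2026:16:50:05 +0300] api.example.test "GET / HTTP/1.1" 404 0 0.002
EOF
}

# Against a running replica (command taken from the Verification step):
#   docker exec $(docker ps -q -f name=iklimco_apisix | head -1) \
#     tail -100 /usr/local/apisix/logs/access.log | count_private_clients
```

A non-zero first number means some requests are still logged with an overlay or loopback address, so the trusted proxy settings in the image are not taking effect for those requests.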

Historical / Superseded by Setup

The old prod overlay command docker stack deploy -c docker-stack-infra.yml -c docker-stack-infra.prod.yml iklimco is superseded by docker-stack-infra_db-prod.yml.