Environment_Infrastructure/roadmap/prod-env/05-apisix-remove-ssl.md
Murat ÖZDEMİR e3787d80f6 docs(infra): align DB stack and APISIX production guidance
Update Environment_Infrastructure to match the current root stack conventions for database images, shared secret names, and APISIX real IP handling.

- update test Ansible DB image defaults to PostGIS 18/PostGIS 3.6 and MongoDB 8.3.2
- align Patroni configuration with DATABASE_POSTGRES_* secret variable names
- document APISIX real IP template configuration and Harbor rebuild workflow
- replace the separate DB stack env file guidance with the shared .env.secrets.shared flow
- update production setup and roadmap snippets to use current PostGIS, MongoDB, and APISIX rebuild commands
2026-05-20 19:55:49 +03:00

05 — APISIX: Remove SSL / Configure Trusted Proxy (Prod)

Context

Identical to test-env-setup/05-apisix-remove-ssl.md.

The same init/apisix-core/init.sh and custom APISIX image are used for both environments. Changes made for test already apply to prod.

Checklist

  • ssls/1 PUT block removed from init/apisix-core/init.sh
  • dev SSL block removed or confirmed non-impactful for prod
  • Custom APISIX image (custom-apisix:3.12.0) template/apisix-core/config.yaml.template contains real_ip_header, real_ip_recursive, and set_real_ip_from (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • New image built and pushed to Harbor if config.yaml.template was changed: bash ops/push-harbor-custom-images.sh

Prod-specific note

APISIX runs with replicas: 3 in prod — this value is defined in the docker-stack-infra.prod.yml overlay (not in the base docker-stack-infra.yml). All replicas read the same configuration from Patroni etcd (/apisix prefix) — a single init run is sufficient.

# Prod deploy:
docker stack deploy -c docker-stack-infra.yml -c docker-stack-infra.prod.yml iklimco

init/apisix-core/init.sh is run once by the pipeline and writes the etcd state that all APISIX instances read.

SWAG → APISIX load distribution

SWAG connects to APISIX via proxy_pass http://apisix:9080; — using the service name directly. No additional upstream or load balancer configuration is needed on the SWAG side.

How it works: Docker Swarm resolves the apisix service name to a VIP (Virtual IP). Swarm's internal IPVS load balancer automatically distributes incoming connections across the 3 replicas in round-robin. SWAG is unaware of this mechanism; it happens transparently at the overlay network layer.

Verification

# From a whitelisted IP, make a request and check real IP in APISIX logs
docker exec $(docker ps -q -f name=iklimco_apisix | head -1) \
  tail -5 /usr/local/apisix/logs/access.log

The real client IP should appear as the logged address, not SWAG's internal overlay IP. If an address from one of the trusted ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) is logged instead, the real IP settings in the custom image are not taking effect.
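The following Python model, added here as an illustration and not part of the project's code, shows how the checklist's real IP settings (X-Forwarded-For as the header, real_ip_recursive, and the three set_real_ip_from ranges) determine the address APISIX logs, and how the verification step above can be checked against access log lines. It assumes SWAG is the direct peer on an overlay address and appends the real peer to X-Forwarded-For; all IPs and log lines are constructed.

```python
"""Model of nginx/APISIX realip resolution with the trusted proxy ranges
from the checklist, plus a check over constructed access log lines."""
import ipaddress

# The set_real_ip_from ranges listed in the checklist.
TRUSTED = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_trusted(ip):
    """True if ip falls inside one of the trusted proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def resolve_real_ip(remote_addr, xff, recursive):
    """Return the client address the realip module would log.

    remote_addr: the direct peer (SWAG's overlay IP in this stack).
    xff:         the X-Forwarded-For header value, or None.
    recursive:   real_ip_recursive on (True) / off (False).
    """
    # The header is only honoured when the direct peer is a trusted proxy;
    # a request arriving straight from an untrusted address keeps its peer IP.
    if not xff or not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not recursive:
        # off: the rightmost address is taken unconditionally.
        return hops[-1]
    # on: walk right to left, skipping trusted proxies, and stop at the first
    # untrusted hop (or fall back to the leftmost hop if every hop is trusted).
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]


# Constructed nginx-style lines: the first field is $remote_addr.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/May/2026:19:55:49 +0300] "GET /api/health HTTP/1.1" 200 2',
    '10.0.1.5 - - [20/May/2026:19:55:50 +0300] "GET /api/health HTTP/1.1" 200 2',
]


def logged_from_trusted_range(lines):
    """Return log lines still showing an internal proxy address, which is
    the failure the verification step above looks for."""
    return [line for line in lines if is_trusted(line.split()[0])]
```

With real_ip_recursive on, a spoofed leading X-Forwarded-For entry is ignored because the hop SWAG appended is the first untrusted address seen from the right.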