How to autoreload Varnish Cache backends when Kubernetes Deployment changed

You can use quay.io/spaces/kube-httpcache:stable - Github README

Necessary configuration when RBAC is enabled:

  • create ServiceAccount: kubectl --kubeconfig kube_config_cluster.yml -n web create serviceaccount varnish-watcher
  • create ClusterRole + ClusterRoleBinding: kubectl --kubeconfig kube_config_cluster.yml apply -f role.yml
  • change namespace web to your namespace name (-n yournamespace and namespace: yournamespace)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: watch-endpoints
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  - pods
  verbs:
  - watch
  - get
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: watch-endpoints_varnish-watcher
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: watch-endpoints
subjects:
- kind: ServiceAccount
  name: varnish-watcher
  namespace: web
        

Now you can deploy quay.io/spaces/kube-httpcache:stable with command args: -admin-addr=0.0.0.0 -admin-port=6088 -varnish-secret-file=/etc/varnish/secret2/secret -varnish-vcl-template=/etc/varnish/tmpl/default.vcl.tmpl -varnish-storage=malloc,256M -backend-namespace=web -backend-service=production -backend-port=http

Example deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: production
  labels:
    app: shopware
spec:
  replicas: 4
  selector:
    matchLabels:
      app: shopware
  template:
    metadata:
      labels:
        app: shopware
    spec:
      containers:
        - name: app
          image: nginx
          ports:
            - containerPort: 80
              name: http
---
apiVersion: v1
kind: Service
metadata:
  name: production
spec:
  selector:
    app: shopware
  clusterIP: None
  ports:
    - port: 80
      targetPort: http
      name: http
      

Varnish cache output log

I0819 11:50:45.170764 1 main.go:27] using in-cluster configuration
I0819 11:50:45.174733 1 run.go:11] waiting for initial configuration before starting Varnish
I0819 11:50:45.219008 1 run.go:19] creating initial VCL config
I0819 11:50:45.220064 1 wait.go:11] probing admin port until it is available
Debug: Version: varnish-6.0.1 revision 8d54bec5330c29304979ebf2c425ae14ab80493c
Debug: Platform: Linux,4.15.0-55-generic,x86_64,-junix,-smalloc,-sdefault,-hcritbit
Debug: Child (26) Started
Info: Child (26) said Child starts
I0819 11:50:49.223435 1 dial.go:38] authentication required. challenge string: "xxxxxxxxxxxxxxxxxxxxxxx"
I0819 11:50:49.223483 1 wait.go:16] admin port is available
I0819 11:58:38.154024 1 backends_watch.go:57] endpoints did not change
I0819 11:58:41.871754 1 backends_watch.go:57] endpoints did not change
I0819 11:58:52.641990 1 watch.go:33] received new backend configuration: &{Backends:[{Name:production-6d5cbd7bf5-gnnxr Host:10.42.2.183 Port:80 Probe:<nil>} {Name:production-54cdbbd6c6-2pwbw Host:10.42.2.213 Port:80 Probe:<nil>}] Primary:0xc000560040}
I0819 11:58:52.643064 1 dial.go:38] authentication required. challenge string: "xxxxxxxxxxxxxxxxxxxxxxx"
I0819 11:58:55.047266 1 watch.go:33] received new backend configuration: &{Backends:[{Name:production-54cdbbd6c6-2pwbw Host:10.42.2.213 Port:80 Probe:<nil>}] Primary:0xc00007f200}
I0819 11:58:55.048016 1 dial.go:38] authentication required. challenge string: "xxxxxxxxxxxxxxxxxxxxxxx"