From 094e9ba6f9d311cec0fd775b347aa79f2fd8e9d5 Mon Sep 17 00:00:00 2001 From: Manuel de Brito Fontes Date: Sat, 7 Oct 2017 18:29:41 -0300 Subject: [PATCH] Cleanup examples directory --- README.md | 75 ++++---- examples/README.md | 110 ++++++----- .../affinity/cookie/{nginx => }/README.md | 0 .../cookie/{nginx => }/sticky-ingress.yaml | 0 examples/auth/basic/{nginx => }/README.md | 0 examples/auth/basic/haproxy/README.md | 99 ---------- examples/auth/client-certs/haproxy/README.md | 178 ------------------ .../{nginx => }/nginx-tls-auth.yaml | 0 examples/auth/client-certs/nginx/README.md | 89 --------- .../auth/external-auth/{nginx => }/README.md | 0 .../external-auth/{nginx => }/ingress.yaml | 0 examples/aws/{nginx => }/README.md | 0 .../{nginx => }/nginx-ingress-controller.yaml | 0 .../{nginx => }/README.md | 0 .../{nginx => }/default-backend.yaml | 0 .../{nginx => }/ingress.yaml | 0 .../{nginx => }/nginx-ingress-controller.yaml | 0 .../{nginx => }/README.md | 0 .../custom-configuration/haproxy/README.md | 35 ---- .../haproxy/haproxy-custom-configuration.yaml | 38 ---- .../nginx-custom-configuration.yaml | 0 .../{nginx => }/nginx-load-balancer-conf.yaml | 0 .../custom-errors/{nginx => }/README.md | 0 .../{nginx => }/custom-default-backend.yaml | 0 .../{nginx => }/rc-custom-errors.yaml | 0 .../custom-headers/{nginx => }/README.md | 0 .../{nginx => }/custom-headers.yaml | 0 .../{nginx => }/default-backend.yaml | 0 .../{nginx => }/nginx-ingress-controller.yaml | 0 .../{nginx => }/nginx-load-balancer-conf.yaml | 0 .../{nginx => }/README.md | 0 .../{nginx => }/default-backend.yaml | 0 .../imgs/prometheus-filter-key-path.png | Bin .../imgs/vts-dashboard-filter-key-path.png | Bin .../{nginx => }/imgs/vts-dashboard.png | Bin .../nginx-ingress-controller-service.yaml | 0 .../{nginx => }/nginx-ingress-controller.yaml | 0 .../{nginx => }/nginx-vts-metrics-conf.yaml | 0 .../{nginx => }/Makefile | 0 .../{nginx => }/README.md | 0 .../{nginx => }/authsvc/Dockerfile | 0 .../{nginx => }/authsvc/authsvc.go | 0 .../{nginx => }/deploy/auth-service.yaml | 0 .../{nginx => }/deploy/default-backend.yaml | 0 .../{nginx => }/deploy/echo-service.yaml | 0 .../deploy/nginx-ingress-controller.yaml | 0 .../{nginx => }/echosvc/Dockerfile | 0 .../{nginx => }/echosvc/echosvc.go | 0 .../ssl-dh-param/{nginx => }/README.md | 0 .../{nginx => }/default-backend.yaml | 0 .../{nginx => }/nginx-ingress-controller.yaml | 0 .../{nginx => }/nginx-load-balancer-conf.yaml | 0 .../{nginx => }/ssl-dh-param.yaml | 0 examples/daemonset/{nginx => }/README.md | 0 examples/daemonset/haproxy/README.md | 67 ------- .../haproxy/haproxy-ingress-daemonset.yaml | 34 ---- .../{nginx => }/nginx-ingress-daemonset.yaml | 0 examples/deployment/{nginx => }/README.md | 0 .../{nginx => }/default-backend.yaml | 0 examples/deployment/haproxy/README.md | 173 ----------------- .../deployment/haproxy/haproxy-ingress.yaml | 38 ---- .../deployment/{nginx => }/kubeadm/README.md | 0 .../kubeadm/nginx-ingress-controller.yaml | 0 .../{nginx => }/nginx-ingress-controller.yaml | 0 examples/external-auth/{nginx => }/README.md | 0 .../{nginx => }/dashboard-ingress.yaml | 0 .../{nginx => }/images/dashboard.png | Bin .../{nginx => }/images/github-auth.png | Bin .../{nginx => }/images/oauth-login.png | Bin .../images/register-oauth-app-2.png | Bin .../{nginx => }/images/register-oauth-app.png | Bin .../{nginx => }/oauth2-proxy.yaml | 0 examples/multi-tls/{nginx => }/README.md | 0 examples/multi-tls/haproxy/README.md | 70 ------- .../multi-tls/haproxy/ingress-multi-tls.yaml | 27 --- examples/multi-tls/{nginx => }/multi-tls.yaml | 0 examples/rbac/{nginx => }/README.md | 0 examples/rbac/{nginx => }/default-backend.yml | 0 examples/rbac/haproxy/README.md | 80 -------- .../rbac/haproxy/ingress-controller-rbac.yml | 133 ------------- .../nginx-ingress-controller-rbac.yml | 0 .../nginx-ingress-controller-service.yml | 0 .../{nginx => }/nginx-ingress-controller.yml | 0 examples/rewrite/{nginx => }/README.md | 0 examples/rewrite/haproxy/README.md | 103 ---------- .../scaling-deployment/{nginx => }/README.md | 0 examples/scaling-deployment/haproxy/README.md | 70 ------- .../haproxy/default-backend.yaml | 49 ----- .../haproxy/haproxy-ingress-deployment.yaml | 38 ---- .../{nginx => }/nginx-ingress-deployment.yaml | 0 examples/static-ip/{nginx => }/README.md | 0 .../{nginx => }/nginx-ingress-controller.yaml | 0 .../static-ip/{nginx => }/nginx-ingress.yaml | 0 .../static-ip/{nginx => }/static-ip-svc.yaml | 0 examples/tcp/{nginx => }/README.md | 0 .../nginx-tcp-ingress-configmap.yaml | 0 .../nginx-tcp-ingress-controller.yaml | 0 examples/tls-termination/haproxy/README.md | 113 ----------- .../haproxy/ingress-tls-default.yaml | 16 -- .../haproxy/ingress-tls-foobar.yaml | 17 -- examples/udp/{nginx => }/README.md | 0 .../nginx-udp-ingress-configmap.yaml | 0 .../nginx-udp-ingress-controller.yaml | 0 103 files changed, 95 insertions(+), 1557 deletions(-) rename examples/affinity/cookie/{nginx => }/README.md (100%) rename examples/affinity/cookie/{nginx => }/sticky-ingress.yaml (100%) rename examples/auth/basic/{nginx => }/README.md (100%) delete mode 100644 examples/auth/basic/haproxy/README.md delete mode 100644 examples/auth/client-certs/haproxy/README.md rename examples/auth/client-certs/{nginx => }/nginx-tls-auth.yaml (100%) delete mode 100644 examples/auth/client-certs/nginx/README.md rename examples/auth/external-auth/{nginx => }/README.md (100%) rename examples/auth/external-auth/{nginx => }/ingress.yaml (100%) rename examples/aws/{nginx => }/README.md (100%) rename examples/aws/{nginx => }/nginx-ingress-controller.yaml (100%) rename examples/customization/configuration-snippets/{nginx => }/README.md (100%) rename examples/customization/configuration-snippets/{nginx => }/default-backend.yaml (100%) rename examples/customization/configuration-snippets/{nginx => }/ingress.yaml (100%) rename examples/customization/configuration-snippets/{nginx => }/nginx-ingress-controller.yaml (100%) rename examples/customization/custom-configuration/{nginx => }/README.md (100%) delete mode 100644 examples/customization/custom-configuration/haproxy/README.md delete mode 100644 examples/customization/custom-configuration/haproxy/haproxy-custom-configuration.yaml rename examples/customization/custom-configuration/{nginx => }/nginx-custom-configuration.yaml (100%) rename examples/customization/custom-configuration/{nginx => }/nginx-load-balancer-conf.yaml (100%) rename examples/customization/custom-errors/{nginx => }/README.md (100%) rename examples/customization/custom-errors/{nginx => }/custom-default-backend.yaml (100%) rename examples/customization/custom-errors/{nginx => }/rc-custom-errors.yaml (100%) rename examples/customization/custom-headers/{nginx => }/README.md (100%) rename examples/customization/custom-headers/{nginx => }/custom-headers.yaml (100%) rename examples/customization/custom-headers/{nginx => }/default-backend.yaml (100%) rename examples/customization/custom-headers/{nginx => }/nginx-ingress-controller.yaml (100%) rename examples/customization/custom-headers/{nginx => }/nginx-load-balancer-conf.yaml (100%) rename examples/customization/custom-vts-metrics-prometheus/{nginx => }/README.md (100%) rename examples/customization/custom-vts-metrics-prometheus/{nginx => }/default-backend.yaml (100%) rename examples/customization/custom-vts-metrics-prometheus/{nginx => }/imgs/prometheus-filter-key-path.png (100%) rename examples/customization/custom-vts-metrics-prometheus/{nginx => }/imgs/vts-dashboard-filter-key-path.png (100%) rename examples/customization/custom-vts-metrics-prometheus/{nginx => }/imgs/vts-dashboard.png (100%) rename examples/customization/custom-vts-metrics-prometheus/{nginx => }/nginx-ingress-controller-service.yaml (100%) rename examples/customization/custom-vts-metrics-prometheus/{nginx => }/nginx-ingress-controller.yaml (100%) rename examples/customization/custom-vts-metrics-prometheus/{nginx => }/nginx-vts-metrics-conf.yaml (100%) rename examples/customization/external-auth-headers/{nginx => }/Makefile (100%) rename examples/customization/external-auth-headers/{nginx => }/README.md (100%) rename examples/customization/external-auth-headers/{nginx => }/authsvc/Dockerfile (100%) rename examples/customization/external-auth-headers/{nginx => }/authsvc/authsvc.go (100%) rename examples/customization/external-auth-headers/{nginx => }/deploy/auth-service.yaml (100%) rename examples/customization/external-auth-headers/{nginx => }/deploy/default-backend.yaml (100%) rename examples/customization/external-auth-headers/{nginx => }/deploy/echo-service.yaml (100%) rename examples/customization/external-auth-headers/{nginx => }/deploy/nginx-ingress-controller.yaml (100%) rename examples/customization/external-auth-headers/{nginx => }/echosvc/Dockerfile (100%) rename examples/customization/external-auth-headers/{nginx => }/echosvc/echosvc.go (100%) rename examples/customization/ssl-dh-param/{nginx => }/README.md (100%) rename examples/customization/ssl-dh-param/{nginx => }/default-backend.yaml (100%) rename examples/customization/ssl-dh-param/{nginx => }/nginx-ingress-controller.yaml (100%) rename examples/customization/ssl-dh-param/{nginx => }/nginx-load-balancer-conf.yaml (100%) rename examples/customization/ssl-dh-param/{nginx => }/ssl-dh-param.yaml (100%) rename examples/daemonset/{nginx => }/README.md (100%) delete mode 100644 examples/daemonset/haproxy/README.md delete mode 100644 examples/daemonset/haproxy/haproxy-ingress-daemonset.yaml rename examples/daemonset/{nginx => }/nginx-ingress-daemonset.yaml (100%) rename examples/deployment/{nginx => }/README.md (100%) rename examples/deployment/{nginx => }/default-backend.yaml (100%) delete mode 100644 examples/deployment/haproxy/README.md delete mode 100644 examples/deployment/haproxy/haproxy-ingress.yaml rename examples/deployment/{nginx => }/kubeadm/README.md (100%) rename examples/deployment/{nginx => }/kubeadm/nginx-ingress-controller.yaml (100%) rename examples/deployment/{nginx => }/nginx-ingress-controller.yaml (100%) rename examples/external-auth/{nginx => }/README.md (100%) rename examples/external-auth/{nginx => }/dashboard-ingress.yaml (100%) rename examples/external-auth/{nginx => }/images/dashboard.png (100%) rename examples/external-auth/{nginx => }/images/github-auth.png (100%) rename examples/external-auth/{nginx => }/images/oauth-login.png (100%) rename examples/external-auth/{nginx => }/images/register-oauth-app-2.png (100%) rename examples/external-auth/{nginx => }/images/register-oauth-app.png (100%) rename examples/external-auth/{nginx => }/oauth2-proxy.yaml (100%) rename examples/multi-tls/{nginx => }/README.md (100%) delete mode 100644 examples/multi-tls/haproxy/README.md delete mode 100644 examples/multi-tls/haproxy/ingress-multi-tls.yaml rename examples/multi-tls/{nginx => }/multi-tls.yaml (100%) rename examples/rbac/{nginx => }/README.md (100%) rename examples/rbac/{nginx => }/default-backend.yml (100%) delete mode 100644 examples/rbac/haproxy/README.md delete mode 100644 examples/rbac/haproxy/ingress-controller-rbac.yml rename examples/rbac/{nginx => }/nginx-ingress-controller-rbac.yml (100%) rename examples/rbac/{nginx => }/nginx-ingress-controller-service.yml (100%) rename examples/rbac/{nginx => }/nginx-ingress-controller.yml (100%) rename examples/rewrite/{nginx => }/README.md (100%) delete mode 100644 examples/rewrite/haproxy/README.md rename examples/scaling-deployment/{nginx => }/README.md (100%) delete mode 100644 examples/scaling-deployment/haproxy/README.md delete mode 100644 examples/scaling-deployment/haproxy/default-backend.yaml delete mode 100644 examples/scaling-deployment/haproxy/haproxy-ingress-deployment.yaml rename examples/scaling-deployment/{nginx => }/nginx-ingress-deployment.yaml (100%) rename examples/static-ip/{nginx => }/README.md (100%) rename examples/static-ip/{nginx => }/nginx-ingress-controller.yaml (100%) rename examples/static-ip/{nginx => }/nginx-ingress.yaml (100%) rename examples/static-ip/{nginx => }/static-ip-svc.yaml (100%) rename examples/tcp/{nginx => }/README.md (100%) rename examples/tcp/{nginx => }/nginx-tcp-ingress-configmap.yaml (100%) rename examples/tcp/{nginx => }/nginx-tcp-ingress-controller.yaml (100%) delete mode 100644 examples/tls-termination/haproxy/README.md delete mode 100644 examples/tls-termination/haproxy/ingress-tls-default.yaml delete mode 100644 examples/tls-termination/haproxy/ingress-tls-foobar.yaml rename examples/udp/{nginx => }/README.md (100%) rename examples/udp/{nginx => }/nginx-udp-ingress-configmap.yaml (100%) rename examples/udp/{nginx => }/nginx-udp-ingress-controller.yaml (100%) diff --git a/README.md b/README.md index eed8b46f08..f0a381b004 100644 --- a/README.md +++ b/README.md @@ -28,11 +28,12 @@ The GCE ingress controller was moved to [github.com/kubernetes/ingress-gce](http Configuring a webserver or loadbalancer is harder than it should be. Most webserver configuration files are very similar. There are some applications that have weird little quirks that tend to throw a wrench in things, but for the most part you can apply the same logic to them and achieve a desired result. -The Ingress resource embodies this idea, and an Ingress controller is meant to handle all the quirks associated with a specific "class" of Ingress (be it a single instance of a loadbalancer, or a more complicated setup of frontends that provide GSLB, DDoS protection, etc). +The Ingress resource embodies this idea, and an Ingress controller is meant to handle all the quirks associated with a specific "class" of Ingress. An Ingress Controller is a daemon, deployed as a Kubernetes Pod, that watches the apiserver's `/ingresses` endpoint for updates to the [Ingress resource](https://kubernetes.io/docs/concepts/services-networking/ingress/). Its job is to satisfy requests for Ingresses. ### Introduction + This is an nginx Ingress controller that uses [ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configmap/#understanding-configmaps) to store the nginx configuration. See [Ingress controller documentation](../README.md) for details on how it works. ## Contents @@ -73,11 +74,12 @@ Anytime we reference a tls secret, we mean (x509, pem encoded, RSA 2048, etc). Y and create the secret via `kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}` ## Requirements + - Default backend [404-server](https://github.com/kubernetes/ingress/tree/master/images/404-server) ## Command line arguments -``` +```console Usage of : --alsologtostderr log to standard error as well as files --apiserver-host string The address of the Kubernetes Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8080. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and local discovery is attempted. @@ -134,33 +136,37 @@ Usage of : ## Deployment First create a default backend and it's corresponding service: -``` -$ kubectl create -f examples/default-backend.yaml +```console +kubectl create -f examples/default-backend.yaml ``` -Follow the [example-deployment](../../examples/deployment/nginx/README.md) steps to deploy nginx-ingress-controller in Kubernetes cluster (you may prefer other type of workloads, like Daemonset, in production environment). +Follow the [example-deployment](examples/deployment/README.md) steps to deploy nginx-ingress-controller in Kubernetes cluster (you may prefer other type of workloads, like Daemonset, in production environment). Loadbalancers are created via a ReplicationController or Daemonset: ## HTTP First we need to deploy some application to publish. To keep this simple we will use the [echoheaders app](https://github.com/kubernetes/contrib/blob/master/ingress/echoheaders/echo-app.yaml) that just returns information about the http request as output -``` + +```console kubectl run echoheaders --image=gcr.io/google_containers/echoserver:1.8 --replicas=1 --port=8080 ``` Now we expose the same application in two different services (so we can create different Ingress rules) -``` + +```console kubectl expose deployment echoheaders --port=80 --target-port=8080 --name=echoheaders-x kubectl expose deployment echoheaders --port=80 --target-port=8080 --name=echoheaders-y ``` Next we create a couple of Ingress rules -``` + +```console kubectl create -f examples/ingress.yaml ``` we check that ingress rules are defined: -``` + +```console $ kubectl get ing NAME RULE BACKEND ADDRESS echomap - @@ -172,14 +178,15 @@ echomap - ``` Before the deploy of the Ingress controller we need a default backend [404-server](https://github.com/kubernetes/contrib/tree/master/404-server) -``` + +```console kubectl create -f examples/default-backend.yaml kubectl expose rc default-http-backend --port=80 --target-port=8080 --name=default-http-backend ``` Check NGINX it is running with the defined Ingress rules: -``` +```console $ LBIP=$(kubectl get node `kubectl get po -l name=nginx-ingress-lb --template '{{range .items}}{{.spec.nodeName}}{{end}}'` --template '{{range $i, $n := .status.addresses}}{{if eq $n.type "ExternalIP"}}{{$n.address}}{{end}}{{end}}') $ curl $LBIP/foo -H 'Host: foo.bar.com' ``` @@ -188,7 +195,7 @@ $ curl $LBIP/foo -H 'Host: foo.bar.com' You can secure an Ingress by specifying a secret that contains a TLS private key and certificate. Currently the Ingress only supports a single TLS port, 443, and assumes TLS termination. This controller supports SNI. The TLS secret must contain keys named tls.crt and tls.key that contain the certificate and private key to use for TLS, eg: -``` +```yaml apiVersion: v1 data: tls.crt: base64 encoded cert @@ -202,7 +209,7 @@ type: kubernetes.io/tls Referencing this secret in an Ingress will tell the Ingress controller to secure the channel from the client to the loadbalancer using TLS: -``` +```yaml apiVersion: extensions/v1beta1 kind: Ingress metadata: @@ -214,18 +221,18 @@ spec: serviceName: s1 servicePort: 80 ``` -Please follow [PREREQUISITES](../../examples/PREREQUISITES.md) as a guide on how to generate secrets containing SSL certificates. The name of the secret can be different than the name of the certificate. -Check the [example](../../examples/tls-termination/nginx) +Please follow [PREREQUISITES](examples/PREREQUISITES.md) as a guide on how to generate secrets containing SSL certificates. The name of the secret can be different than the name of the certificate. + +Check the [example](examples/tls-termination/nginx) ### Default SSL Certificate -NGINX provides the option [server name](http://nginx.org/en/docs/http/server_names.html) as a catch-all in case of requests that do not match one of the configured server names. This configuration works without issues for HTTP traffic. In case of HTTPS NGINX requires a certificate. For this reason the Ingress controller provides the flag `--default-ssl-certificate`. The secret behind this flag contains the default certificate to be used in the mentioned case. -If this flag is not provided NGINX will use a self signed certificate. +NGINX provides the option [server name _](http://nginx.org/en/docs/http/server_names.html) as a catch-all in case of requests that do not match one of the configured server names. This configuration works without issues for HTTP traffic. In case of HTTPS, NGINX requires a certificate. For this reason the Ingress controller provides the flag `--default-ssl-certificate`. The secret behind this flag contains the default certificate to be used in the mentioned case. If this flag is not provided NGINX will use a self signed certificate. Running without the flag `--default-ssl-certificate`: -``` +```console $ curl -v https://10.2.78.7:443 -k * Rebuilt URL to: https://10.2.78.7:443/ * Trying 10.2.78.4... @@ -274,7 +281,7 @@ $ curl -v https://10.2.78.7:443 -k Specifying `--default-ssl-certificate=default/foo-tls`: -``` +```console core@localhost ~ $ curl -v https://10.2.78.7:443 -k * Rebuilt URL to: https://10.2.78.7:443/ * Trying 10.2.78.7... @@ -321,14 +328,12 @@ core@localhost ~ $ curl -v https://10.2.78.7:443 -k * Connection #0 to host 10.2.78.7 left intact ``` - ### Server-side HTTPS enforcement By default the controller redirects (301) to HTTPS if TLS is enabled for that ingress . If you want to disable that behaviour globally, you can use `ssl-redirect: "false"` in the NGINX config map. To configure this feature for specific ingress resources, you can use the `ingress.kubernetes.io/ssl-redirect: "false"` annotation in the particular resource. - ### HTTP Strict Transport Security HTTP Strict Transport Security (HSTS) is an opt-in security enhancement specified through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. @@ -337,14 +342,13 @@ By default the controller redirects (301) to HTTPS if there is a TLS Ingress rul To disable this behavior use `hsts=false` in the NGINX config map. - ### Automated Certificate Management with Kube-Lego [Kube-Lego] automatically requests missing or expired certificates from [Let's Encrypt] by monitoring ingress resources and their referenced secrets. To enable this for an ingress resource you have to add an annotation: -``` +```console kubectl annotate ing ingress-demo kubernetes.io/tls-acme="true" ``` @@ -368,7 +372,8 @@ Ingress does not support TCP services (yet). For this reason this Ingress contro It is possible to use a number or the name of the port. The two last fields are optional. Adding `PROXY` in either or both of the two last fields we can use Proxy Protocol decoding (listen) and/or encoding (proxy_pass) in a TCP service (https://www.nginx.com/resources/admin-guide/proxy-protocol/). The next example shows how to expose the service `example-go` running in the namespace `default` in the port `8080` using the port `9000` -``` + +```yaml apiVersion: v1 kind: ConfigMap metadata: @@ -377,8 +382,7 @@ data: 9000: "default/example-go:8080" ``` - -Please check the [tcp services](../../examples/tcp/nginx/README.md) example +Please check the [tcp services](examples/tcp/README.md) example ## Exposing UDP services @@ -388,7 +392,8 @@ Ingress does not support UDP services (yet). For this reason this Ingress contro It is possible to use a number or the name of the port. The next example shows how to expose the service `kube-dns` running in the namespace `kube-system` in the port `53` using the port `53` -``` + +```yaml apiVersion: v1 kind: ConfigMap metadata: @@ -398,7 +403,7 @@ data: ``` -Please check the [udp services](../../examples/udp/nginx/README.md) example +Please check the [udp services](examples/udp/README.md) example ## Proxy Protocol @@ -419,13 +424,13 @@ In the [aledbf/zipkin-js-example](https://github.com/aledbf/zipkin-js-example) g To install the example and the zipkin collector we just need to run: ``` -$ kubectl create -f https://raw.githubusercontent.com/aledbf/zipkin-js-example/kubernetes/kubernetes/zipkin.yaml -$ kubectl create -f https://raw.githubusercontent.com/aledbf/zipkin-js-example/kubernetes/kubernetes/deployment.yaml +kubectl create -f https://raw.githubusercontent.com/aledbf/zipkin-js-example/kubernetes/kubernetes/zipkin.yaml +kubectl create -f https://raw.githubusercontent.com/aledbf/zipkin-js-example/kubernetes/kubernetes/deployment.yaml ``` Also we need to configure the NGINX controller configmap with the required values: -``` +```yaml apiVersion: v1 data: enable-opentracing: "true" @@ -438,7 +443,8 @@ metadata: ``` Using curl we can generate some traces: -``` + +```console $ curl -v http://$(minikube ip)/api -H 'Host: zipkin-js-example' $ curl -v http://$(minikube ip)/api -H 'Host: zipkin-js-example' ``` @@ -457,7 +463,7 @@ Each request to the default backend includes two headers: **Important:** the custom backend must return the correct HTTP status code to be returned. NGINX do not changes the reponse from the custom default backend. -Using this two headers is possible to use a custom backend service like [this one](https://github.com/kubernetes/ingress/tree/master/examples/customization/custom-errors/nginx) that inspect each request and returns a custom error page with the format expected by the client. Please check the example [custom-errors](examples/customization/custom-errors/nginx/README.md) +Using this two headers is possible to use a custom backend service like [this one](https://github.com/kubernetes/ingress/tree/master/examples/customization/custom-errors/nginx) that inspect each request and returns a custom error page with the format expected by the client. Please check the example [custom-errors](examples/customization/custom-errors/README.md) NGINX sends aditional headers that can be used to build custom response: @@ -541,7 +547,7 @@ Using the flag `--v=XX` it is possible to increase the level of logging. In particular: - `--v=2` shows details using `diff` about the changes in the configuration in nginx -``` +```console I0316 12:24:37.581267 1 utils.go:148] NGINX configuration diff a//etc/nginx/nginx.conf b//etc/nginx/nginx.conf I0316 12:24:37.581356 1 utils.go:149] --- /tmp/922554809 2016-03-16 12:24:37.000000000 +0000 +++ /tmp/079811012 2016-03-16 12:24:37.000000000 +0000 @@ -572,3 +578,4 @@ The NGINX ingress controller does not uses [Services](http://kubernetes.io/docs/ Since `gcr.io/google_containers/nginx-slim:0.8` NGINX contains the next patches: - Dynamic TLS record size [nginx__dynamic_tls_records.patch](https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/) NGINX provides the parameter `ssl_buffer_size` to adjust the size of the buffer. Default value in NGINX is 16KB. The ingress controller changes the default to 4KB. This improves the [TLS Time To First Byte (TTTFB)](https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/) but the size is fixed. This patches adapts the size of the buffer to the content is being served helping to improve the perceived latency. +- [HTTP/2 header compression](https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/nginx_http2_hpack.patch) diff --git a/examples/README.md b/examples/README.md index 09a597d712..2676562851 100644 --- a/examples/README.md +++ b/examples/README.md @@ -6,91 +6,89 @@ trying them. ## Basic cross platform -Name | Description | Platform | Complexity Level ------| ----------- | ---------- | ---------------- -Deployment | basic deployment of controllers | * | Beginner -TLS termination | terminate TLS at the ingress controller | * | Beginner -Name based virtual hosting | `Host` header routing | * | Beginner -Path routing | URL regex routing | * | Beginner -Health checking | configure/optimize health checks | * | Intermediate -Pipeline | pipeline cloud and nginx | * | Advanced +Name | Description | Complexity Level +-----| ----------- | ---------------- +Deployment | basic deployment of controllers | Beginner +TLS termination | terminate TLS at the ingress controller | Beginner +Name based virtual hosting | `Host` header routing | Beginner +Path routing | URL regex routing | Beginner +Health checking | configure/optimize health checks | Intermediate +Pipeline | pipeline cloud and nginx | Advanced ## AWS -Name | Description | Platform | Complexity Level ------| ----------- | ---------- | ---------------- -AWS | basic deployment | nginx | Intermediate +Name | Description | Complexity Level +-----| ----------- | ---------------- +AWS | basic deployment | Intermediate ## TLS -Name | Description | Platform | Complexity Level ------| ----------- | ---------- | ---------------- -LetsEncrypt | acquire certs via ACME protocol | * | Intermediate -Intermediate certs | terminate TLS with intermediate certs | * | Advanced -Client certs | client cert authentication | nginx | Advanced -Re-encrypty | terminate, apply routing rules, re-encrypt | nginx | Advanced +Name | Description | Complexity Level +-----| ----------- | ---------------- +LetsEncrypt | acquire certs via ACME protocol | Intermediate +Intermediate certs | terminate TLS with intermediate certs | Advanced +Client certs | client cert authentication | Advanced +Re-encrypty | terminate, apply routing rules, re-encrypt | Advanced ## Scaling -Name | Description | Platform | Complexity Level ------| ----------- | ---------- | ---------------- -Daemonset | run multiple controllers in a daemonset | nginx/haproxy | Intermediate -Deployment | run multiple controllers as a deployment | nginx/haproxy | Intermediate -Multi-zone | bridge different zones in a single cluster | gce | Intermediate -Static-ip | a single ingress gets a single static ip | * | Intermediate -Geo-routing | route to geographically closest endpoint | nginx | Advanced -Multi-cluster | bridge Kubernetes clusters with Ingress | gce | Advanced +Name | Description | Complexity Level +-----| ----------- | ---------------- +Daemonset | run multiple controllers in a daemonset | Intermediate +Deployment | run multiple controllers as a deployment | Intermediate +Static-ip | a single ingress gets a single static ip | Intermediate +Geo-routing | route to geographically closest endpoint | Advanced ## Algorithms -Name | Description | Platform | Complexity Level ------| ----------- | ---------- | ---------------- -Session stickyness | route requests consistently to the same endpoint | nginx | Advanced -Least connections | route requests based on least connections | on-prem | Advanced -Weights | route requests to backends based on weights | nginx | Advanced +Name | Description | Complexity Level +-----| ----------- | ---------------- +Session stickyness | route requests consistently to the same endpoint | Advanced +Least connections | route requests based on least connections | Advanced +Weights | route requests to backends based on weights | Advanced ## Routing -Name | Description | Platform | Complexity Level ------| ----------- | ---------- | ---------------- -Redirects | send a 301 re-direct | nginx | Intermediate -URL-rewriting | re-write path | nginx | Intermediate -SNI + HTTP | HTTP routing based on SNI hostname | nginx | Advanced -SNI + TCP | TLS routing based on SNI hostname | nginx | Advanced +Name | Description | Complexity Level +-----| ----------- | ---------------- +Redirects | send a 301 re-direct | Intermediate +URL-rewriting | re-write path | Intermediate +SNI + HTTP | HTTP routing based on SNI hostname | Advanced +SNI + TCP | TLS routing based on SNI hostname | Advanced ## Auth -Name | Description | Platform | Complexity Level ------| ----------- | ---------- | ---------------- +Name | Description | Complexity Level +-----| ----------- | ---------------- Basic auth | password protect your website | nginx | Intermediate -[External auth plugin](external-auth/nginx/README.md) | defer to an external auth service | nginx | Intermediate +[External auth plugin](external-auth/README.md) | defer to an external auth service | Intermediate ## Protocols -Name | Description | Platform | Complexity Level ------| ----------- | ---------- | ---------------- -TCP | TCP loadbalancing | nginx | Intermediate -UDP | UDP loadbalancing | nginx | Intermediate -Websockets | websockets loadbalancing | nginx | Intermediate -HTTP/2 | HTTP/2 loadbalancing | * | Intermediate -Proxy protocol | leverage the proxy protocol for source IP | nginx | Advanced +Name | Description | Complexity Level +-----| ----------- | ---------------- +TCP | TCP loadbalancing | Intermediate +UDP | UDP loadbalancing | Intermediate +Websockets | websockets loadbalancing | Intermediate +HTTP/2 | HTTP/2 loadbalancing | Intermediate +Proxy protocol | leverage the proxy protocol for source IP | Advanced ## Custom controllers -Name | Description | Platform | Complexity Level ------| ----------- | ---------- | ---------------- -Dummy | A simple dummy controller that logs updates | * | Advanced +Name | Description | Complexity Level +-----| ----------- | ---------------- +Dummy | A simple dummy controller that logs updates | Advanced ## Customization -Name | Description | Platform | Complexity Level ------| ----------- | ---------- | ---------------- -custom-headers | set custom headers before send traffic to backends | nginx | Advanced -configuration-snippets | customize nginx location configuration using annotations | nginx | Advanced +Name | Description | Complexity Level +-----| ----------- | ---------------- +custom-headers | set custom headers before send traffic to backends | Advanced +configuration-snippets | customize nginx location configuration using annotations | Advanced ## RBAC -Name | Description | Platform | Complexity Level ------| ----------- | ---------- | ---------------- -rbac | Configuring Role Base Access Control | nginx | intermediate +Name | Description | Complexity Level +-----| ----------- | ---------------- +rbac | Configuring Role Base Access Control | intermediate diff --git a/examples/affinity/cookie/nginx/README.md b/examples/affinity/cookie/README.md similarity index 100% rename from examples/affinity/cookie/nginx/README.md rename to examples/affinity/cookie/README.md diff --git a/examples/affinity/cookie/nginx/sticky-ingress.yaml b/examples/affinity/cookie/sticky-ingress.yaml similarity index 100% rename from examples/affinity/cookie/nginx/sticky-ingress.yaml rename to examples/affinity/cookie/sticky-ingress.yaml diff --git a/examples/auth/basic/nginx/README.md b/examples/auth/basic/README.md similarity index 100% rename from examples/auth/basic/nginx/README.md rename to examples/auth/basic/README.md diff --git a/examples/auth/basic/haproxy/README.md b/examples/auth/basic/haproxy/README.md deleted file mode 100644 index 621129405a..0000000000 --- a/examples/auth/basic/haproxy/README.md +++ /dev/null @@ -1,99 +0,0 @@ -# HAProxy Ingress Basic Authentication - -This example demonstrates how to configure -[Basic Authentication](https://tools.ietf.org/html/rfc2617) on -HAProxy Ingress controller. - -## Prerequisites - -This document has the following prerequisites: - -* Deploy [HAProxy Ingress controller](/examples/deployment/haproxy), you should -end up with controller, a sample web app and an ingress resource to the `foo.bar` -domain - -## Using Basic Authentication - -HAProxy Ingress read user and password from `auth` file stored on secrets, one user -and password per line. Secret name, realm and type are configured with annotations -in the ingress resource: - -* `ingress.kubernetes.io/auth-type`: the only supported type is `basic` -* `ingress.kubernetes.io/auth-realm`: an optional string with authentication realm -* `ingress.kubernetes.io/auth-secret`: name of the secret - -Each line of the `auth` file should have: - -* user and insecure password separated with a pair of colons: `::`; or -* user and an encrypted password separated with colons: `:` - -HAProxy evaluates encrypted passwords with -[crypt](http://man7.org/linux/man-pages/man3/crypt.3.html) function. Use `mkpasswd` or -`makepasswd` to create it. `mkpasswd` can be found on Alpine Linux container. - -## Configure - -Create a secret to our users: - -* `john` and password `admin` using insecure plain text password -* `jane` and password `guest` using encrypted password - -```console -$ mkpasswd -m des ## a short, des encryption, syntax from Busybox on Alpine Linux -Password: (type 'guest' and press Enter) -E5BrlrQ5IXYK2 - -$ cat >auth <

401 Unauthorized

-You need a valid user and password to access this content. - -``` - -Send a valid user: - -```console -$ curl -i -u 'john:admin' 172.17.4.99:30876 -H 'Host: foo.bar' -HTTP/1.1 200 OK -Server: nginx/1.9.11 -Date: Sun, 05 Mar 2017 19:22:33 GMT -Content-Type: text/plain -Transfer-Encoding: chunked - -CLIENT VALUES: -client_address=10.2.18.5 -command=GET -real path=/ -query=nil -request_version=1.1 -request_uri=http://foo.bar:8080/ -``` - -Using `jane:guest` user/passwd should have the same output. - diff --git a/examples/auth/client-certs/haproxy/README.md b/examples/auth/client-certs/haproxy/README.md deleted file mode 100644 index b4078b4b50..0000000000 --- a/examples/auth/client-certs/haproxy/README.md +++ /dev/null @@ -1,178 +0,0 @@ -# HAProxy Ingress Client Certificate Authentication - -This example demonstrates how to configure client certificate -authentication on HAProxy Ingress controller. - -## Prerequisites - -This document has the following prerequisites: - -* Deploy [HAProxy Ingress](/examples/deployment/haproxy) controller, you should -end up with controller, a sample web app and an ingress resource named `app` to -the `foo.bar` domain -* Configure [TLS termination](/examples/tls-termination/haproxy) -* Create a [CA, certificate and private key](/examples/PREREQUISITES.md#ca-authentication), -following these steps you should have a secret named `caingress`, a certificate file -`client.crt` and it's private key `client.key` -* Use these same steps and create another CA and generate another certificate and private -key `fake.crt` and `fake.key` just for testing - -Secret, certificates and keys can be created using these shortcuts: - -CA and it's secret: - -```console -$ openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=example-ca' -keyout ca.key -out ca.crt -$ kubectl create secret generic caingress --from-file=ca.crt -``` - -Valid certificate and private key: - -```console -$ openssl req -new -newkey rsa:2048 -nodes -subj '/CN=client' -keyout client.key | \ - openssl x509 -req -CA ca.crt -CAkey ca.key -set_serial 1 -out client.crt -``` - -Another CA, certificate and private key that should be refused by ingress: - -```console -$ openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=example-ca' -keyout ca-fake.key -out ca-fake.crt -$ openssl req -new -newkey rsa:2048 -nodes -subj '/CN=client' -keyout fake.key | \ - openssl x509 -req -CA ca-fake.crt -CAkey ca-fake.key -set_serial 1 -out fake.crt -``` - -## Using Client Certificate Authentication - -HAProxy Ingress read one or a bundle of certificate authorities from a secret. -Only client certificates signed by one of these certificate authorities should be -allowed to make requests. - -Annotate the ingress resource to use our valid certificate authority. The ingress resource and the -secret `caingress` were created on the prerequisites. - -```console -$ kubectl annotate ingress/app ingress.kubernetes.io/auth-tls-secret=default/caingress -``` - -Make some SSL requests against domain `foo.bar`. Change `31692:172.17.4.99` below to the IP and -port of HAProxy Ingress controller. - -Note: `curl`'s `--cert` and `-k` options on macOS (since 10.9 Mavericks) doesn't work as -expected, see troubleshooting below if using macOS. - -Connect without a certificate: - -```console -$ curl -ik https://foo.bar:31692 --resolve 'foo.bar:31692:172.17.4.99' -curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure -``` - -Connect using the correct certificate and private key: - -```console -$ curl -ik https://foo.bar:31692 --resolve 'foo.bar:31692:172.17.4.99' --cert client.crt --key client.key -HTTP/1.1 200 OK -Server: nginx/1.9.11 -Date: Fri, 26 Mar 2017 13:41:26 GMT -Content-Type: text/plain -Transfer-Encoding: chunked -Strict-Transport-Security: max-age=15768000 - -CLIENT VALUES: -... -``` - -Now connect using a private key and certificate signed by another CA: - -```console -$ curl -ik https://foo.bar:31692 --resolve 'foo.bar:31692:172.17.4.99' --cert fake.crt --key fake.key -curl: (35) error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error -``` - -## Troubleshooting - -`curl` on macOS since 10.9 Mavericks has some issues regarding certificate on command line -parameters: - -* [sni](https://en.wikipedia.org/wiki/Server_Name_Indication) TLS extension isn't used -if `-k` (unsecure connection) is provided. The sni extension is used by HAProxy to identify -the host of the request. Without sni, the default backend will be used. The TLS -certificate should be added to Keychain instead and `-k` should be avoided. - -* `--cert` option is broken. - -These issues and it's workarounds are described on -[this message](https://curl.haxx.se/mail/archive-2013-10/0036.html) from curl mailing list. -In short, in order to test client auth use a Linux VM or the options below on macOS. - -### Using wget - -Add `foo.bar` to `/etc/hosts` and change `31692` below to the -port of HAProxy Ingress controller: - -```console -$ wget https://foo.bar:31692 -S -nv -O- --no-check-certificate -OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure -Unable to establish SSL connection. -``` - -Now with certificate and private key: - -```console -$ wget https://foo.bar:31692 -S -nv -O- --no-check-certificate --certificate client.crt --private-key client.key -WARNING: cannot verify foo.bar's certificate, issued by ‘/CN=foo.bar’: - Self-signed certificate encountered. - HTTP/1.1 200 OK - Server: nginx/1.9.11 - Date: Sun, 26 Mar 2017 13:57:53 GMT - Content-Type: text/plain - Transfer-Encoding: chunked - Strict-Transport-Security: max-age=15768000 -CLIENT VALUES: -``` - -### Using openssl - -Change `31692` below to the port of HAProxy Ingress controller: - -```console -$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar -CONNECTED(00000003) -depth=0 /CN=foo.bar -verify error:num=18:self signed certificate -verify return:1 -depth=0 /CN=foo.bar -verify return:1 -91929:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s3_pkt.c:1145:SSL alert number 40 -91929:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s23_lib.c:185: -``` - -Now with certificate and private key - copy these two lines to the clipboard -(HAProxy will timeout after 5 seconds waiting a http request): - -``` -GET / HTTP/1.0 -Host: foo.bar -``` - -Type the command below, paste the http request (two lines above) and send a blank line -pressing enter twice: - -```console -$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar -cert client.crt -key client.key -... ---- -GET / HTTP/1.0 -Host: foo.bar - -HTTP/1.1 200 OK -Server: nginx/1.9.11 -Date: Sun, 26 Mar 2017 14:06:30 GMT -Content-Type: text/plain -Content-Length: 268 -Connection: close -Strict-Transport-Security: max-age=15768000 - -CLIENT VALUES: -... -``` diff --git a/examples/auth/client-certs/nginx/nginx-tls-auth.yaml b/examples/auth/client-certs/nginx-tls-auth.yaml similarity index 100% rename from examples/auth/client-certs/nginx/nginx-tls-auth.yaml rename to examples/auth/client-certs/nginx-tls-auth.yaml diff --git a/examples/auth/client-certs/nginx/README.md b/examples/auth/client-certs/nginx/README.md deleted file mode 100644 index 70e440e7c7..0000000000 --- a/examples/auth/client-certs/nginx/README.md +++ /dev/null @@ -1,89 +0,0 @@ -# TLS authentication - -This example demonstrates how to enable the TLS Authentication through the nginx Ingress controller. - -## Terminology - -* CA: Certificate authority signing the client cert, in this example we will play the role of a CA. -You can generate a CA cert as shown in this doc. - -* CA Certificate(s) - Certificate Authority public key. Client certs must chain back to this cert, -meaning the Issuer field of some certificate in the chain leading up to the client cert must contain -the name of this CA. For purposes of this example, this is a self signed certificate. - -* CA chains: A chain of certificates where the parent has a Subject field matching the Issuer field of -the child, except for the root, which has Issuer == Subject. - -* Client Cert: Certificate used by the clients to authenticate themselves with the loadbalancer/backends. - -## Prerequisites - -You need a valid CA File, composed of a group of valid enabled CAs. This MUST be in PEM Format. -The instructions are described [here](../../../PREREQUISITES.md) - -Also your ingress must be configured as a HTTPS/TLS Ingress. - -## Deployment - -Certificate Authentication is achieved through 2 annotations on the Ingress, as shown in the [example](nginx-tls-auth.yaml). - -|Name|Description|Values| -| --- | --- | --- | -|ingress.kubernetes.io/auth-tls-secret|Sets the secret that contains the authorized CA Chain|string| -|ingress.kubernetes.io/auth-tls-verify-depth|The verification depth Certificate Authentication will make|number (default to 1)| -|ingress.kubernetes.io/auth-tls-verify-client|Enables verification of client certificates|string (default to on)| -|ingress.kubernetes.io/auth-tls-error-page|The page that user should be redirected in case of Auth error|string (default to empty| - -The following command instructs the controller to enable TLS authentication using the secret from the ``ingress.kubernetes.io/auth-tls-secret`` -annotation on the Ingress. Clients must present this cert to the loadbalancer, or they will receive a HTTP 400 response - -```console -$ kubectl create -f nginx-tls-auth.yaml -``` - -## Validation - -You can confirm that the Ingress works. - -```console -$ kubectl describe ing nginx-test -Name: nginx-test -Namespace: default -Address: 104.198.183.6 -Default backend: default-http-backend:80 (10.180.0.4:8080,10.240.0.2:8080) -TLS: tls-secret terminates ingress.test.com -Rules: - Host Path Backends - ---- ---- -------- - * - http-svc:80 () -Annotations: - auth-tls-secret: default/caingress - auth-tls-verify-depth: 3 - auth-tls-error-page: http://www.mysite.com/error-cert.html - -Events: - FirstSeen LastSeen Count From SubObjectPath Type Reason Message - --------- -------- ----- ---- ------------- -------- ------ ------- - 7s 7s 1 {nginx-ingress-controller } Normal CREATE default/nginx-test - 7s 7s 1 {nginx-ingress-controller } Normal UPDATE default/nginx-test - 7s 7s 1 {nginx-ingress-controller } Normal CREATE ip: 104.198.183.6 - 7s 7s 1 {nginx-ingress-controller } Warning MAPPING Ingress rule 'default/nginx-test' contains no path definition. Assuming / - - -$ curl -k https://ingress.test.com -HTTP/1.1 400 Bad Request -Server: nginx/1.11.9 - -$ curl -I -k --key ~/user.key --cert ~/user.cer https://ingress.test.com -HTTP/1.1 200 OK -Server: nginx/1.11.9 -``` - -You must use the full DNS name while testing, as NGINX relies on the Server Name (SNI) to select the correct Ingress to be used. -The curl version used here was ``curl 7.47.0`` - -## Which certificate was used for authentication? - -In your backend application you might want to know which certificate was used for authentication. -For this purpose, we pass the full certificate in PEM format to the backend in the `ssl-client-cert` header. diff --git a/examples/auth/external-auth/nginx/README.md b/examples/auth/external-auth/README.md similarity index 100% rename from examples/auth/external-auth/nginx/README.md rename to examples/auth/external-auth/README.md diff --git a/examples/auth/external-auth/nginx/ingress.yaml b/examples/auth/external-auth/ingress.yaml similarity index 100% rename from examples/auth/external-auth/nginx/ingress.yaml rename to examples/auth/external-auth/ingress.yaml diff --git a/examples/aws/nginx/README.md b/examples/aws/README.md similarity index 100% rename from examples/aws/nginx/README.md rename to examples/aws/README.md diff --git a/examples/aws/nginx/nginx-ingress-controller.yaml b/examples/aws/nginx-ingress-controller.yaml similarity index 100% rename from examples/aws/nginx/nginx-ingress-controller.yaml rename to examples/aws/nginx-ingress-controller.yaml diff --git a/examples/customization/configuration-snippets/nginx/README.md b/examples/customization/configuration-snippets/README.md similarity index 100% rename from examples/customization/configuration-snippets/nginx/README.md rename to examples/customization/configuration-snippets/README.md diff --git a/examples/customization/configuration-snippets/nginx/default-backend.yaml b/examples/customization/configuration-snippets/default-backend.yaml similarity index 100% rename from examples/customization/configuration-snippets/nginx/default-backend.yaml rename to examples/customization/configuration-snippets/default-backend.yaml diff --git a/examples/customization/configuration-snippets/nginx/ingress.yaml b/examples/customization/configuration-snippets/ingress.yaml similarity index 100% rename from examples/customization/configuration-snippets/nginx/ingress.yaml rename to examples/customization/configuration-snippets/ingress.yaml diff --git a/examples/customization/configuration-snippets/nginx/nginx-ingress-controller.yaml b/examples/customization/configuration-snippets/nginx-ingress-controller.yaml similarity index 100% rename from examples/customization/configuration-snippets/nginx/nginx-ingress-controller.yaml rename to examples/customization/configuration-snippets/nginx-ingress-controller.yaml diff --git a/examples/customization/custom-configuration/nginx/README.md b/examples/customization/custom-configuration/README.md similarity index 100% rename from examples/customization/custom-configuration/nginx/README.md rename to examples/customization/custom-configuration/README.md diff --git a/examples/customization/custom-configuration/haproxy/README.md b/examples/customization/custom-configuration/haproxy/README.md deleted file mode 100644 index 77b13ba154..0000000000 --- a/examples/customization/custom-configuration/haproxy/README.md +++ /dev/null @@ -1,35 +0,0 @@ -# Customize the HAProxy configuration - -This example uses a [ConfigMap](https://kubernetes.io/docs/user-guide/configmap/) to customize the HAProxy configuration. - -## Prerequisites - -This document has the following prerequisites: - -Deploy only the tls-secret and the default backend from the [deployment instructions](/examples/deployment/haproxy) - -## Customize the HAProxy configuration - -Using a [ConfigMap](https://kubernetes.io/docs/user-guide/configmap/) is possible to customize the HAProxy configuration. - -For example, if we want to change the syslog-endpoint we need to create a ConfigMap: - -``` -$ kubectl create configmap haproxy-ingress --from-literal=syslog-endpoint=172.17.8.101 -``` - -Create the HAProxy Ingress deployment: - -``` -$ kubectl create -f haproxy-custom-configuration.yaml -``` - -The only difference from the deployment instructions is the --configmap parameter: - -``` -- --configmap=default/haproxy-conf -``` - -If the Configmap it is updated, HAProxy will be reloaded with the new configuration. - -Check all the config options in the [HAProxy Ingress docs](https://github.com/jcmoraisjr/haproxy-ingress#configmap) diff --git a/examples/customization/custom-configuration/haproxy/haproxy-custom-configuration.yaml b/examples/customization/custom-configuration/haproxy/haproxy-custom-configuration.yaml deleted file mode 100644 index 796e4c3f83..0000000000 --- a/examples/customization/custom-configuration/haproxy/haproxy-custom-configuration.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - run: haproxy-ingress - name: haproxy-ingress -spec: - selector: - matchLabels: - run: haproxy-ingress - template: - metadata: - labels: - run: haproxy-ingress - spec: - containers: - - name: haproxy-ingress - image: quay.io/jcmoraisjr/haproxy-ingress - args: - - --default-backend-service=$(POD_NAMESPACE)/ingress-default-backend - - --default-ssl-certificate=$(POD_NAMESPACE)/tls-secret - - --configmap=$(POD_NAMESPACE)/haproxy-ingress - ports: - - name: http - containerPort: 80 - - name: https - containerPort: 443 - - name: stat - containerPort: 1936 - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace diff --git a/examples/customization/custom-configuration/nginx/nginx-custom-configuration.yaml b/examples/customization/custom-configuration/nginx-custom-configuration.yaml similarity index 100% rename from examples/customization/custom-configuration/nginx/nginx-custom-configuration.yaml rename to examples/customization/custom-configuration/nginx-custom-configuration.yaml diff --git a/examples/customization/custom-configuration/nginx/nginx-load-balancer-conf.yaml b/examples/customization/custom-configuration/nginx-load-balancer-conf.yaml similarity index 100% rename from examples/customization/custom-configuration/nginx/nginx-load-balancer-conf.yaml rename to examples/customization/custom-configuration/nginx-load-balancer-conf.yaml diff --git a/examples/customization/custom-errors/nginx/README.md b/examples/customization/custom-errors/README.md similarity index 100% rename from examples/customization/custom-errors/nginx/README.md rename to examples/customization/custom-errors/README.md diff --git a/examples/customization/custom-errors/nginx/custom-default-backend.yaml b/examples/customization/custom-errors/custom-default-backend.yaml similarity index 100% rename from examples/customization/custom-errors/nginx/custom-default-backend.yaml rename to examples/customization/custom-errors/custom-default-backend.yaml diff --git a/examples/customization/custom-errors/nginx/rc-custom-errors.yaml b/examples/customization/custom-errors/rc-custom-errors.yaml similarity index 100% rename from examples/customization/custom-errors/nginx/rc-custom-errors.yaml rename to examples/customization/custom-errors/rc-custom-errors.yaml diff --git a/examples/customization/custom-headers/nginx/README.md b/examples/customization/custom-headers/README.md similarity index 100% rename from examples/customization/custom-headers/nginx/README.md rename to examples/customization/custom-headers/README.md diff --git a/examples/customization/custom-headers/nginx/custom-headers.yaml b/examples/customization/custom-headers/custom-headers.yaml similarity index 100% rename from examples/customization/custom-headers/nginx/custom-headers.yaml rename to examples/customization/custom-headers/custom-headers.yaml diff --git a/examples/customization/custom-headers/nginx/default-backend.yaml b/examples/customization/custom-headers/default-backend.yaml similarity index 100% rename from examples/customization/custom-headers/nginx/default-backend.yaml rename to examples/customization/custom-headers/default-backend.yaml diff --git a/examples/customization/custom-headers/nginx/nginx-ingress-controller.yaml b/examples/customization/custom-headers/nginx-ingress-controller.yaml similarity index 100% rename from examples/customization/custom-headers/nginx/nginx-ingress-controller.yaml rename to examples/customization/custom-headers/nginx-ingress-controller.yaml diff --git a/examples/customization/custom-headers/nginx/nginx-load-balancer-conf.yaml b/examples/customization/custom-headers/nginx-load-balancer-conf.yaml similarity index 100% rename from examples/customization/custom-headers/nginx/nginx-load-balancer-conf.yaml rename to examples/customization/custom-headers/nginx-load-balancer-conf.yaml diff --git a/examples/customization/custom-vts-metrics-prometheus/nginx/README.md b/examples/customization/custom-vts-metrics-prometheus/README.md similarity index 100% rename from examples/customization/custom-vts-metrics-prometheus/nginx/README.md rename to examples/customization/custom-vts-metrics-prometheus/README.md diff --git a/examples/customization/custom-vts-metrics-prometheus/nginx/default-backend.yaml b/examples/customization/custom-vts-metrics-prometheus/default-backend.yaml similarity index 100% rename from examples/customization/custom-vts-metrics-prometheus/nginx/default-backend.yaml rename to examples/customization/custom-vts-metrics-prometheus/default-backend.yaml diff --git a/examples/customization/custom-vts-metrics-prometheus/nginx/imgs/prometheus-filter-key-path.png b/examples/customization/custom-vts-metrics-prometheus/imgs/prometheus-filter-key-path.png similarity index 100% rename from examples/customization/custom-vts-metrics-prometheus/nginx/imgs/prometheus-filter-key-path.png rename to examples/customization/custom-vts-metrics-prometheus/imgs/prometheus-filter-key-path.png diff --git a/examples/customization/custom-vts-metrics-prometheus/nginx/imgs/vts-dashboard-filter-key-path.png b/examples/customization/custom-vts-metrics-prometheus/imgs/vts-dashboard-filter-key-path.png similarity index 100% rename from examples/customization/custom-vts-metrics-prometheus/nginx/imgs/vts-dashboard-filter-key-path.png rename to examples/customization/custom-vts-metrics-prometheus/imgs/vts-dashboard-filter-key-path.png diff --git a/examples/customization/custom-vts-metrics-prometheus/nginx/imgs/vts-dashboard.png b/examples/customization/custom-vts-metrics-prometheus/imgs/vts-dashboard.png similarity index 100% rename from examples/customization/custom-vts-metrics-prometheus/nginx/imgs/vts-dashboard.png rename to examples/customization/custom-vts-metrics-prometheus/imgs/vts-dashboard.png diff --git a/examples/customization/custom-vts-metrics-prometheus/nginx/nginx-ingress-controller-service.yaml b/examples/customization/custom-vts-metrics-prometheus/nginx-ingress-controller-service.yaml similarity index 100% rename from examples/customization/custom-vts-metrics-prometheus/nginx/nginx-ingress-controller-service.yaml rename to examples/customization/custom-vts-metrics-prometheus/nginx-ingress-controller-service.yaml diff --git a/examples/customization/custom-vts-metrics-prometheus/nginx/nginx-ingress-controller.yaml b/examples/customization/custom-vts-metrics-prometheus/nginx-ingress-controller.yaml similarity index 100% rename from examples/customization/custom-vts-metrics-prometheus/nginx/nginx-ingress-controller.yaml rename to examples/customization/custom-vts-metrics-prometheus/nginx-ingress-controller.yaml diff --git a/examples/customization/custom-vts-metrics-prometheus/nginx/nginx-vts-metrics-conf.yaml b/examples/customization/custom-vts-metrics-prometheus/nginx-vts-metrics-conf.yaml similarity index 100% rename from examples/customization/custom-vts-metrics-prometheus/nginx/nginx-vts-metrics-conf.yaml rename to examples/customization/custom-vts-metrics-prometheus/nginx-vts-metrics-conf.yaml diff --git a/examples/customization/external-auth-headers/nginx/Makefile b/examples/customization/external-auth-headers/Makefile similarity index 100% rename from examples/customization/external-auth-headers/nginx/Makefile rename to examples/customization/external-auth-headers/Makefile diff --git a/examples/customization/external-auth-headers/nginx/README.md b/examples/customization/external-auth-headers/README.md similarity index 100% rename from examples/customization/external-auth-headers/nginx/README.md rename to examples/customization/external-auth-headers/README.md diff --git a/examples/customization/external-auth-headers/nginx/authsvc/Dockerfile b/examples/customization/external-auth-headers/authsvc/Dockerfile similarity index 100% rename from examples/customization/external-auth-headers/nginx/authsvc/Dockerfile rename to examples/customization/external-auth-headers/authsvc/Dockerfile diff --git a/examples/customization/external-auth-headers/nginx/authsvc/authsvc.go b/examples/customization/external-auth-headers/authsvc/authsvc.go similarity index 100% rename from examples/customization/external-auth-headers/nginx/authsvc/authsvc.go rename to examples/customization/external-auth-headers/authsvc/authsvc.go diff --git a/examples/customization/external-auth-headers/nginx/deploy/auth-service.yaml b/examples/customization/external-auth-headers/deploy/auth-service.yaml similarity index 100% rename from examples/customization/external-auth-headers/nginx/deploy/auth-service.yaml rename to examples/customization/external-auth-headers/deploy/auth-service.yaml diff --git a/examples/customization/external-auth-headers/nginx/deploy/default-backend.yaml b/examples/customization/external-auth-headers/deploy/default-backend.yaml similarity index 100% rename from examples/customization/external-auth-headers/nginx/deploy/default-backend.yaml rename to examples/customization/external-auth-headers/deploy/default-backend.yaml diff --git a/examples/customization/external-auth-headers/nginx/deploy/echo-service.yaml b/examples/customization/external-auth-headers/deploy/echo-service.yaml similarity index 100% rename from examples/customization/external-auth-headers/nginx/deploy/echo-service.yaml rename to examples/customization/external-auth-headers/deploy/echo-service.yaml diff --git a/examples/customization/external-auth-headers/nginx/deploy/nginx-ingress-controller.yaml b/examples/customization/external-auth-headers/deploy/nginx-ingress-controller.yaml similarity index 100% rename from examples/customization/external-auth-headers/nginx/deploy/nginx-ingress-controller.yaml rename to examples/customization/external-auth-headers/deploy/nginx-ingress-controller.yaml diff --git a/examples/customization/external-auth-headers/nginx/echosvc/Dockerfile b/examples/customization/external-auth-headers/echosvc/Dockerfile similarity index 100% rename from examples/customization/external-auth-headers/nginx/echosvc/Dockerfile rename to examples/customization/external-auth-headers/echosvc/Dockerfile diff --git a/examples/customization/external-auth-headers/nginx/echosvc/echosvc.go b/examples/customization/external-auth-headers/echosvc/echosvc.go similarity index 100% rename from examples/customization/external-auth-headers/nginx/echosvc/echosvc.go rename to examples/customization/external-auth-headers/echosvc/echosvc.go diff --git a/examples/customization/ssl-dh-param/nginx/README.md b/examples/customization/ssl-dh-param/README.md similarity index 100% rename from examples/customization/ssl-dh-param/nginx/README.md rename to examples/customization/ssl-dh-param/README.md diff --git a/examples/customization/ssl-dh-param/nginx/default-backend.yaml b/examples/customization/ssl-dh-param/default-backend.yaml similarity index 100% rename from examples/customization/ssl-dh-param/nginx/default-backend.yaml rename to examples/customization/ssl-dh-param/default-backend.yaml diff --git a/examples/customization/ssl-dh-param/nginx/nginx-ingress-controller.yaml b/examples/customization/ssl-dh-param/nginx-ingress-controller.yaml similarity index 100% rename from examples/customization/ssl-dh-param/nginx/nginx-ingress-controller.yaml rename to examples/customization/ssl-dh-param/nginx-ingress-controller.yaml diff --git a/examples/customization/ssl-dh-param/nginx/nginx-load-balancer-conf.yaml b/examples/customization/ssl-dh-param/nginx-load-balancer-conf.yaml similarity index 100% rename from examples/customization/ssl-dh-param/nginx/nginx-load-balancer-conf.yaml rename to examples/customization/ssl-dh-param/nginx-load-balancer-conf.yaml diff --git a/examples/customization/ssl-dh-param/nginx/ssl-dh-param.yaml b/examples/customization/ssl-dh-param/ssl-dh-param.yaml similarity index 100% rename from examples/customization/ssl-dh-param/nginx/ssl-dh-param.yaml rename to examples/customization/ssl-dh-param/ssl-dh-param.yaml diff --git a/examples/daemonset/nginx/README.md b/examples/daemonset/README.md similarity index 100% rename from examples/daemonset/nginx/README.md rename to examples/daemonset/README.md diff --git a/examples/daemonset/haproxy/README.md b/examples/daemonset/haproxy/README.md deleted file mode 100644 index c2497c750f..0000000000 --- a/examples/daemonset/haproxy/README.md +++ /dev/null @@ -1,67 +0,0 @@ -# Haproxy Ingress DaemonSet - -In some cases, the Ingress controller will be required to be run at all the nodes in cluster. Using [DaemonSet](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/apps/daemon.md) can achieve this requirement. - -## Prerequisites - -If you have another Ingress controller deployed, you will need to make sure your -Ingress resources target exactly one Ingress controller by specifying the -[ingress.class](/examples/PREREQUISITES.md#ingress-class) annotation as -`haproxy`. - -This document has also the following prerequisites: - -* Create a [TLS secret](/examples/PREREQUISITES.md#tls-certificates) named `tls-secret` to be used as default TLS certificate - -Creating the TLS secret: - -```console -$ openssl req \ - -x509 -newkey rsa:2048 -nodes -days 365 \ - -keyout tls.key -out tls.crt -subj '/CN=localhost' -$ kubectl create secret tls tls-secret --cert=tls.crt --key=tls.key -$ rm -v tls.crt tls.key -``` - -## Default Backend - -The default backend is a service of handling all url paths and hosts the haproxy controller doesn't understand. Deploy the default-http-backend as follow: - -```console -$ kubectl apply -f ../../deployment/nginx/default-backend.yaml -deployment "default-http-backend" configured -service "default-http-backend" configured - -$ kubectl -n kube-system get svc -NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE -default-http-backend 192.168.3.4 80/TCP 30m - -$ kubectl -n kube-system get pods -NAME READY STATUS RESTARTS AGE -default-http-backend-q5sb6 1/1 Running 0 30m -``` - -## RBAC Authorization - -Check the [RBAC sample](/examples/rbac/haproxy) if deploying on a cluster with -[RBAC authorization](https://kubernetes.io/docs/admin/authorization/rbac/). - -## Ingress DaemonSet - -Deploy the daemonset as follows: - -```console -$ kubectl apply -f haproxy-ingress-daemonset.yaml -``` - -Check if the controller was successfully deployed: -```console -$ kubectl -n kube-system get ds -NAME DESIRED CURRENT READY NODE-SELECTOR AGE -haproxy-ingress 2 2 2 45s - -$ kubectl -n kube-system get pods -NAME READY STATUS RESTARTS AGE -default-http-backend-q5sb6 1/1 Running 0 45m -haproxy-ingress-km32x 1/1 Running 0 1m -``` diff --git a/examples/daemonset/haproxy/haproxy-ingress-daemonset.yaml b/examples/daemonset/haproxy/haproxy-ingress-daemonset.yaml deleted file mode 100644 index 713c926128..0000000000 --- a/examples/daemonset/haproxy/haproxy-ingress-daemonset.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: DaemonSet -metadata: - labels: - run: haproxy-ingress - name: haproxy-ingress -spec: - template: - metadata: - labels: - run: haproxy-ingress - spec: - containers: - - name: haproxy-ingress - image: quay.io/jcmoraisjr/haproxy-ingress - args: - - --default-backend-service=$(POD_NAMESPACE)/default-http-backend - - --default-ssl-certificate=$(POD_NAMESPACE)/tls-secret - ports: - - name: http - containerPort: 80 - - name: https - containerPort: 443 - - name: stat - containerPort: 1936 - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace diff --git a/examples/daemonset/nginx/nginx-ingress-daemonset.yaml b/examples/daemonset/nginx-ingress-daemonset.yaml similarity index 100% rename from examples/daemonset/nginx/nginx-ingress-daemonset.yaml rename to examples/daemonset/nginx-ingress-daemonset.yaml diff --git a/examples/deployment/nginx/README.md b/examples/deployment/README.md similarity index 100% rename from examples/deployment/nginx/README.md rename to examples/deployment/README.md diff --git a/examples/deployment/nginx/default-backend.yaml b/examples/deployment/default-backend.yaml similarity index 100% rename from examples/deployment/nginx/default-backend.yaml rename to examples/deployment/default-backend.yaml diff --git a/examples/deployment/haproxy/README.md b/examples/deployment/haproxy/README.md deleted file mode 100644 index a7ad98fffc..0000000000 --- a/examples/deployment/haproxy/README.md +++ /dev/null @@ -1,173 +0,0 @@ -# Deploying HAProxy Ingress Controller - -If you don't have a Kubernetes cluster, please refer to [Setup cluster](/docs/dev/setup-cluster.md) -for instructions on how to create a new one. - -## Prerequisites - -If you have another Ingress controller deployed, you will need to make sure your -Ingress resources target exactly one Ingress controller by specifying the -[ingress.class](/examples/PREREQUISITES.md#ingress-class) annotation as -`haproxy`. - -This document has also the following prerequisites: - -* Create a [TLS secret](/examples/PREREQUISITES.md#tls-certificates) named `tls-secret` to be used as default TLS certificate -* Optional: deploy a [web app](/examples/PREREQUISITES.md#test-http-service) for testing - -Creating the TLS secret: - -```console -$ openssl req \ - -x509 -newkey rsa:2048 -nodes -days 365 \ - -keyout tls.key -out tls.crt -subj '/CN=localhost' -$ kubectl create secret tls tls-secret --cert=tls.crt --key=tls.key -$ rm -v tls.crt tls.key -``` - -The optional web app can be created as follow: - -```console -$ kubectl run http-svc \ - --image=gcr.io/google_containers/echoserver:1.3 \ - --port=8080 \ - --replicas=1 \ - --expose -``` - -## Default backend - -Deploy a default backend used to serve `404 Not Found` pages: - -```console -$ kubectl run ingress-default-backend \ - --image=gcr.io/google_containers/defaultbackend:1.0 \ - --port=8080 \ - --limits=cpu=10m,memory=20Mi \ - --expose -``` - -Check if the default backend is up and running: - -```console -$ kubectl get pod -NAME READY STATUS RESTARTS AGE -ingress-default-backend-1110790216-gqr61 1/1 Running 0 10s -``` - -## Configmap - -Create a configmap named `haproxy-ingress`: - -```console -$ kubectl create configmap haproxy-ingress -configmap "haproxy-ingress" created -``` - -A configmap is used to provide global or default configuration like -timeouts, SSL/TLS settings, a syslog service endpoint and so on. The -configmap can be edited or replaced later in order to apply new -configuration on a running ingress controller. All supported options -are [here](https://github.com/jcmoraisjr/haproxy-ingress#configmap). - -## RBAC Authorization - -Check the [RBAC sample](/examples/rbac/haproxy) if deploying on a cluster with -[RBAC authorization](https://kubernetes.io/docs/admin/authorization/rbac/). - -## Controller - -Deploy HAProxy Ingress: - -```console -$ kubectl create -f haproxy-ingress.yaml -``` - -Check if the controller was successfully deployed: - -```console -$ kubectl get pod -w -NAME READY STATUS RESTARTS AGE -haproxy-ingress-2556761959-tv20k 1/1 Running 0 12s -ingress-default-backend-1110790216-gqr61 1/1 Running 0 3m -^C -``` - -## Testing - -From now the optional web app should be deployed. Deploy an ingress resource to expose this app: - -```console -$ kubectl create -f - < 80/TCP 30m - -$ kubectl get pods -NAME READY STATUS RESTARTS AGE -default-http-backend-q5sb6 1/1 Running 0 30m -``` - -## RBAC Authorization - -Check the [RBAC sample](/examples/rbac/haproxy) if deploying on a cluster with -[RBAC authorization](https://kubernetes.io/docs/admin/authorization/rbac/). - -## Ingress Deployment - -Deploy the Deployment of multi controllers as follows: - -```console -$ kubectl apply -f haproxy-ingress-deployment.yaml -deployment "haproxy-ingress" created -``` - -Check if the controller was successfully deployed: -```console -$ kubectl get deployment -NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE -default-http-backend 1 1 1 1 30m -haproxy-ingress 2 2 2 2 45s - -$ kubectl get pods -NAME READY STATUS RESTARTS AGE -default-http-backend-q5sb6 1/1 Running 0 35m -haproxy-ingress-1779899633-k045t 1/1 Running 0 1m -haproxy-ingress-1779899633-mhthv 1/1 Running 0 1m -``` diff --git a/examples/scaling-deployment/haproxy/default-backend.yaml b/examples/scaling-deployment/haproxy/default-backend.yaml deleted file mode 100644 index 739ae2758a..0000000000 --- a/examples/scaling-deployment/haproxy/default-backend.yaml +++ /dev/null @@ -1,49 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: default-http-backend - labels: - k8s-app: default-http-backend -spec: - replicas: 1 - template: - metadata: - labels: - k8s-app: default-http-backend - spec: - terminationGracePeriodSeconds: 60 - containers: - - name: default-http-backend - # Any image is permissable as long as: - # 1. It serves a 404 page at / - # 2. It serves 200 on a /healthz endpoint - image: gcr.io/google_containers/defaultbackend:1.0 - livenessProbe: - httpGet: - path: /healthz - port: 8080 - scheme: HTTP - initialDelaySeconds: 30 - timeoutSeconds: 5 - ports: - - containerPort: 8080 - resources: - limits: - cpu: 10m - memory: 20Mi - requests: - cpu: 10m - memory: 20Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: default-http-backend - labels: - k8s-app: default-http-backend -spec: - ports: - - port: 80 - targetPort: 8080 - selector: - k8s-app: default-http-backend diff --git a/examples/scaling-deployment/haproxy/haproxy-ingress-deployment.yaml b/examples/scaling-deployment/haproxy/haproxy-ingress-deployment.yaml deleted file mode 100644 index 853af0ab51..0000000000 --- a/examples/scaling-deployment/haproxy/haproxy-ingress-deployment.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - run: haproxy-ingress - name: haproxy-ingress -spec: - replicas: 2 - selector: - matchLabels: - run: haproxy-ingress - template: - metadata: - labels: - run: haproxy-ingress - spec: - containers: - - name: haproxy-ingress - image: quay.io/jcmoraisjr/haproxy-ingress - args: - - --default-backend-service=$(POD_NAMESPACE)/default-http-backend - - --default-ssl-certificate=$(POD_NAMESPACE)/tls-secret - ports: - - name: http - containerPort: 80 - - name: https - containerPort: 443 - - name: stat - containerPort: 1936 - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace diff --git a/examples/scaling-deployment/nginx/nginx-ingress-deployment.yaml b/examples/scaling-deployment/nginx-ingress-deployment.yaml similarity index 100% rename from examples/scaling-deployment/nginx/nginx-ingress-deployment.yaml rename to examples/scaling-deployment/nginx-ingress-deployment.yaml diff --git a/examples/static-ip/nginx/README.md b/examples/static-ip/README.md similarity index 100% rename from examples/static-ip/nginx/README.md rename to examples/static-ip/README.md diff --git a/examples/static-ip/nginx/nginx-ingress-controller.yaml b/examples/static-ip/nginx-ingress-controller.yaml similarity index 100% rename from examples/static-ip/nginx/nginx-ingress-controller.yaml rename to examples/static-ip/nginx-ingress-controller.yaml diff --git a/examples/static-ip/nginx/nginx-ingress.yaml b/examples/static-ip/nginx-ingress.yaml similarity index 100% rename from examples/static-ip/nginx/nginx-ingress.yaml rename to examples/static-ip/nginx-ingress.yaml diff --git a/examples/static-ip/nginx/static-ip-svc.yaml b/examples/static-ip/static-ip-svc.yaml similarity index 100% rename from examples/static-ip/nginx/static-ip-svc.yaml rename to examples/static-ip/static-ip-svc.yaml diff --git a/examples/tcp/nginx/README.md b/examples/tcp/README.md similarity index 100% rename from examples/tcp/nginx/README.md rename to examples/tcp/README.md diff --git a/examples/tcp/nginx/nginx-tcp-ingress-configmap.yaml b/examples/tcp/nginx-tcp-ingress-configmap.yaml similarity index 100% rename from examples/tcp/nginx/nginx-tcp-ingress-configmap.yaml rename to examples/tcp/nginx-tcp-ingress-configmap.yaml diff --git a/examples/tcp/nginx/nginx-tcp-ingress-controller.yaml b/examples/tcp/nginx-tcp-ingress-controller.yaml similarity index 100% rename from examples/tcp/nginx/nginx-tcp-ingress-controller.yaml rename to examples/tcp/nginx-tcp-ingress-controller.yaml diff --git a/examples/tls-termination/haproxy/README.md b/examples/tls-termination/haproxy/README.md deleted file mode 100644 index 8f1fb85150..0000000000 --- a/examples/tls-termination/haproxy/README.md +++ /dev/null @@ -1,113 +0,0 @@ -# HAProxy Ingress TLS termination - -## Prerequisites - -This document has the following prerequisites: - -* Deploy [HAProxy Ingress controller](/examples/deployment/haproxy), you should end up with controller, a sample web app and default TLS secret -* Create [*another* secret](/examples/PREREQUISITES.md#tls-certificates) named `foobar-ssl` and subject `'/CN=foo.bar'` - -## Using default TLS certificate - -Update ingress resource in order to add TLS termination to host `foo.bar`: - -```console -$ kubectl replace -f ingress-tls-default.yaml -``` - -The difference from the starting ingress resource: - -```console - metadata: - name: app - spec: -+ tls: -+ - hosts: -+ - foo.bar - rules: - - host: foo.bar - http: -``` - -Trying default backend: - -```console -$ curl -iL 172.17.4.99:30876 -HTTP/1.1 404 Not Found -Date: Tue, 07 Feb 2017 00:06:07 GMT -Content-Length: 21 -Content-Type: text/plain; charset=utf-8 - -default backend - 404 -``` - -Now telling the controller we are `foo.bar`: - -```console -$ curl -iL 172.17.4.99:30876 -H 'Host: foo.bar' -HTTP/1.1 302 Found -Cache-Control: no-cache -Content-length: 0 -Location: https://foo.bar/ -Connection: close -^C -``` - -Note the `Location` header - this would redirect us to the correct server. - -Checking the default certificate - change below `31692` to the TLS port: - -```console -$ openssl s_client -connect 172.17.4.99:31692 -... -subject=/CN=localhost -issuer=/CN=localhost ---- -``` - -... and `foo.bar` certificate: - -```console -$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar -... -subject=/CN=localhost -issuer=/CN=localhost ---- -``` - -## Using a new TLS certificate - -Now let's reference the new certificate to our domain. Note that secret -`foobar-ssl` should be created as described in the [prerequisites](#prerequisites) - -```console -$ kubectl replace -f ingress-tls-foobar.yaml -``` - -Here is the difference: - -```console - tls: - - hosts: - - foo.bar -+ secretName: foobar-ssl - rules: - - host: foo.bar - http: -``` - -Now `foo.bar` certificate should be used to terminate TLS: - -```console -$ openssl s_client -connect 172.17.4.99:31692 -... -subject=/CN=localhost -issuer=/CN=localhost ---- - -$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar -... -subject=/CN=foo.bar -issuer=/CN=foo.bar ---- -``` diff --git a/examples/tls-termination/haproxy/ingress-tls-default.yaml b/examples/tls-termination/haproxy/ingress-tls-default.yaml deleted file mode 100644 index 7c5034645b..0000000000 --- a/examples/tls-termination/haproxy/ingress-tls-default.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: app -spec: - tls: - - hosts: - - foo.bar - rules: - - host: foo.bar - http: - paths: - - path: / - backend: - serviceName: http-svc - servicePort: 8080 diff --git a/examples/tls-termination/haproxy/ingress-tls-foobar.yaml b/examples/tls-termination/haproxy/ingress-tls-foobar.yaml deleted file mode 100644 index e15f9428bd..0000000000 --- a/examples/tls-termination/haproxy/ingress-tls-foobar.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: app -spec: - tls: - - hosts: - - foo.bar - secretName: foobar-ssl - rules: - - host: foo.bar - http: - paths: - - path: / - backend: - serviceName: http-svc - servicePort: 8080 diff --git a/examples/udp/nginx/README.md b/examples/udp/README.md similarity index 100% rename from examples/udp/nginx/README.md rename to examples/udp/README.md diff --git a/examples/udp/nginx/nginx-udp-ingress-configmap.yaml b/examples/udp/nginx-udp-ingress-configmap.yaml similarity index 100% rename from examples/udp/nginx/nginx-udp-ingress-configmap.yaml rename to examples/udp/nginx-udp-ingress-configmap.yaml diff --git a/examples/udp/nginx/nginx-udp-ingress-controller.yaml b/examples/udp/nginx-udp-ingress-controller.yaml similarity index 100% rename from examples/udp/nginx/nginx-udp-ingress-controller.yaml rename to examples/udp/nginx-udp-ingress-controller.yaml