This is an HTTP reverse proxy for Kubernetes based on Nginx and confd.
To run this container, you need Kubernetes v0.15.0 or later and access to the etcd cluster on which Kubernetes operates.

    docker run -e CONFD_ETCD_NODE=<etcd-address>:<etcd-port> -p 80:80 -p 443:443 kube-http-proxy

The reverse proxy is configured using Kubernetes annotations on services.
The configuration is stored as serialized JSON strings. Two annotations are supported:
- http-proxy-servers - To configure the servers and a root path for the service
- http-proxy-paths - To configure additional paths for specified servers
http-proxy-servers:

    [
      {
        "host": "some.example.com",
        "names": ["some.other.example.com"],
        "port": "8080",
        "targetPort": "3000",
        "default": true,
        "pattern": true,
        "targetPath": "proxy",
        "pathOptions": ["proxy_pass_request_headers on"]
      },
      {
        "host": "another.example.com",
        "port": "8000",
        "ssl": true,
        "sslPort": "8443",
        "path": "/somewhere/",
        "webSocket": true
      }
    ]

Fields:
- host - Server hostname. Required.
- names - Additional names for the server.
- port - Port on which to listen for connections. Defaults to 80.
- ssl - If enabled, the certificate and key have to be available in /etc/nginx/ssl, named <host>.crt and <host>.key, and all HTTP requests are redirected to HTTPS. Defaults to false.
- sslPort - Port on which to listen for SSL connections. Defaults to 443.
- targetPort - Port on which the service listens for connections. Defaults to 80.
- path - Path on which this service is exposed. Defaults to "/".
- webSocket - Enable if the service requires upgrading the HTTP connection to a WebSocket. Defaults to false.
- default - Enable if this is the default server. Defaults to false.
- pattern - If true, adds a ~ to the location line, allowing URL rewriting. Defaults to false.
- targetPath - The path to proxy to.
- options - Additional Nginx options for the server.
- pathOptions - Additional Nginx options for the default path.
http-proxy-paths:

    {
      "some.example.com": [
        {
          "path": "/somewhere/",
          "targetPort": "3000",
          "webSocket": true,
          "pattern": true
        },
        {
          "path": "/somewhere/else/",
          "targetPort": "3000",
          "options": ["proxy_pass_request_headers on"]
        }
      ],
      "another.example.com": [
        {
          "path": "/api/",
          "targetPort": "8080",
          "targetPath": "proxy"
        }
      ]
    }

Fields:
- path - Path on which this service is exposed. Required.
- targetPort - Port on which the service listens for connections. Defaults to 80.
- webSocket - Enable if the service requires upgrading the HTTP connection to a WebSocket. Defaults to false.
- targetPath - Path to proxy to.
- options - Additional Nginx options for the path.
- pattern - If true, adds a ~ to the location line, allowing URL rewriting. Defaults to false.
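
Both annotations are JSON strings, and their options and pathOptions values become Nginx directives, so it is worth checking them before a service is applied. The following Python check is an added example, not part of kube-http-proxy; the allowlist, the sample annotations and the assumption that each option is rendered as exactly one directive are illustrative.

```python
import json
import re

# Assumption: the directives this deployment allows in options/pathOptions.
ALLOWED_DIRECTIVES = {"proxy_pass_request_headers", "proxy_read_timeout"}
# Characters that end a directive or open/close a block in Nginx syntax.
UNSAFE = re.compile(r"[;{}\r\n]")

# Constructed sample annotations, not taken from a real cluster.
SAMPLE_OK = {"http-proxy-servers":
             '[{"host": "some.example.com", "pathOptions": ["proxy_pass_request_headers on"]}]'}
SAMPLE_BAD = {"http-proxy-paths":
              '{"some.example.com": [{"options": ["proxy_read_timeout 5; autoindex on"]}]}'}


def _check_entry(where, entry, required, errors):
    if not isinstance(entry, dict):
        errors.append(f"{where}: expected a JSON object")
        return
    if not entry.get(required):
        errors.append(f"{where}: missing required field '{required}'")
    for key in ("options", "pathOptions"):
        opts = entry.get(key, [])
        for opt in opts if isinstance(opts, list) else [opts]:
            if not isinstance(opt, str) or UNSAFE.search(opt):
                errors.append(f"{where}: {key} entry {opt!r} is not a single plain directive")
            elif (opt.split() or [""])[0] not in ALLOWED_DIRECTIVES:
                errors.append(f"{where}: {key} directive {opt!r} is not in the allowlist")


def validate_annotations(annotations):
    """Return a list of problems found in a service's proxy annotations."""
    errors, parsed = [], {}
    for key in ("http-proxy-servers", "http-proxy-paths"):
        try:
            parsed[key] = json.loads(annotations.get(key, "null"))
        except json.JSONDecodeError as exc:  # e.g. a trailing comma
            errors.append(f"{key}: invalid JSON ({exc.msg})")
    servers, paths = parsed.get("http-proxy-servers"), parsed.get("http-proxy-paths")
    if not isinstance(servers, (list, type(None))):
        errors.append("http-proxy-servers: expected a JSON array")
    if not isinstance(paths, (dict, type(None))):
        errors.append("http-proxy-paths: expected a JSON object")
    for i, server in enumerate(servers if isinstance(servers, list) else []):
        _check_entry(f"http-proxy-servers[{i}]", server, "host", errors)
    for host, entries in (paths if isinstance(paths, dict) else {}).items():
        for i, entry in enumerate(entries if isinstance(entries, list) else [entries]):
            _check_entry(f"http-proxy-paths[{host}][{i}]", entry, "path", errors)
    return errors
```

Calling `validate_annotations(SAMPLE_BAD)` reports both the missing `path` and the option that carries a second directive after a `;`.
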
Example service.yaml:

    apiVersion: v1
    kind: List
    items:
    - kind: Service
      apiVersion: v1
      metadata:
        name: test-proxy
        annotations:
          http-proxy-servers: '[{"host": "some.example.com"}]'
      spec:
        selector:
          name: test-pod
        ports:
        - port: 80
          targetPort: http
    - kind: Service
      apiVersion: v1
      metadata:
        name: test-proxy-api
        annotations:
          http-proxy-paths: '{"some.example.com": [{"path": "/api/", "targetPort": 8080}]}'
      spec:
        selector:
          name: test-pod-api
        ports:
        - port: 8080
          targetPort: api

This container should be run outside of Kubernetes because kube-proxy obscures client IPs. Here's a service file that can be used to launch this container:

    [Unit]
    Description=Kubernetes HTTP Reverse Proxy
    Documentation=https://github.com/noonien/kube-http-proxy
    Requires=docker.service
    Requires=etcd2.service
    After=docker.service
    After=etcd2.service

    [Service]
    EnvironmentFile=/etc/network-environment
    ExecStartPre=-/usr/bin/docker rm -f kube-http-proxy
    ExecStart=/usr/bin/docker run -e CONFD_ETCD_NODE=${DEFAULT_IPV4}:4001 -p 443:443 -p 80:80 --name kube-http-proxy noonien/kube-http-proxy
    Restart=always
    RestartSec=10

This example uses setup-network-environment to get the correct IP address of the etcd server.