From 048744e95f49c7821151c0b5853097a81fd63b1a Mon Sep 17 00:00:00 2001 From: Petr Gregor Date: Wed, 11 Oct 2017 15:24:33 +0200 Subject: [PATCH 1/3] Change alias behaviour not to create new server section needlessly --- configuration.md | 2 +- rootfs/etc/nginx/template/nginx.tmpl | 16 +--------------- 2 files changed, 2 insertions(+), 16 deletions(-) diff --git a/configuration.md b/configuration.md index caf718ec6..bc948d47c 100644 --- a/configuration.md +++ b/configuration.md @@ -201,7 +201,7 @@ For more information please check https://enable-cors.org/server_nginx.html ### Server Alias To add Server Aliases to an Ingress rule add the annotation `ingress.kubernetes.io/server-alias: ""`. -This will create a server with the same configuration, but a different server_name as the provided host. +This will create a server with two server_names (hostname and alias) *Note:* A server-alias name cannot conflict with the hostname of an existing server. If it does the server-alias annotation will be ignored. If a server-alias is created and later a new server with the same hostname is created diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 6f101aa84..caaec9282 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -362,26 +362,12 @@ http { {{ range $index, $server := $servers }} server { - server_name {{ $server.Hostname }}; + server_name {{ $server.Hostname }} {{ $server.Alias }}; {{ template "SERVER" serverConfig $all $server }} {{ template "CUSTOM_ERRORS" $all }} } - - {{ if $server.Alias }} - server { - server_name {{ $server.Alias }}; - {{ template "SERVER" serverConfig $all $server }} - - {{ if not (empty $cfg.ServerSnippet) }} - # Custom code snippet configured in the configuration configmap - {{ $cfg.ServerSnippet }} - {{ end }} - - {{ template "CUSTOM_ERRORS" $all }} - } - {{ end }} {{ end }} # default server, used for NGINX healthcheck and access to nginx stats 
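Review bot: In the nginx.tmpl hunk, `server_name {{ $server.Hostname }} {{ $server.Alias }};` writes the alias into the directive as-is, and configuration.md says that value comes from the `ingress.kubernetes.io/server-alias` annotation, so it is set by whoever can create an Ingress. Nothing in the hunk restricts it to a single hostname, so whitespace, `;` or braces in the annotation would alter the generated config. The removed alias block had the same exposure, but a bad value now lands in the primary host's server block. If the controller does not already validate the alias as one DNS name before filling `$server.Alias`, that check belongs there, and a template comment such as `# $server.Alias is validated as a single hostname by the controller` would record the assumption. The enclosing `range` over `$servers` ends outside this hunk.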
From 306268d24c579d31ab36f281d9743a4138730abb Mon Sep 17 00:00:00 2001 From: Chris Reinhardt Date: Thu, 12 Oct 2017 14:30:05 -0400 Subject: [PATCH 2/3] Include the serversnippet from the config map in servers that aren't aliaes --- rootfs/etc/nginx/template/nginx.tmpl | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index caaec9282..803329327 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -365,6 +365,10 @@ http { server_name {{ $server.Hostname }} {{ $server.Alias }}; {{ template "SERVER" serverConfig $all $server }} + {{ if not (empty $cfg.ServerSnippet) }} + # Custom code snippet configured in the configuration configmap + {{ $cfg.ServerSnippet }} + {{ end }} {{ template "CUSTOM_ERRORS" $all }} } @@ -818,7 +822,7 @@ stream { return 503; {{ end }} } - + {{ end }} {{ if eq $server.Hostname "_" }} From b1329aa5ea827e36b9941b7ba40c2d49d05d9e99 Mon Sep 17 00:00:00 2001 From: tamal Date: Thu, 12 Oct 2017 13:02:54 -0700 Subject: [PATCH 3/3] Document Voyager's support for various annotations --- docs/annotations.md | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/docs/annotations.md b/docs/annotations.md index b23f7ecee..0ab91b446 100644 --- a/docs/annotations.md +++ b/docs/annotations.md @@ -12,6 +12,7 @@ Key: * `nginx`: the `kubernetes/ingress` nginx controller * `gce`: the `kubernetes/ingress` GCE controller * `traefik`: Traefik's built-in Ingress controller +* `voyager`: [Voyager by AppsCode](https://github.com/appscode/voyager) - Secure HAProxy based Ingress Controller for Kubernetes * `haproxy`: Joao Morais' [HAProxy Ingress controller](https://github.com/jcmoraisjr/haproxy-ingress) * `trafficserver`: Torchbox's [Apache Traffic Server controller plugin](https://github.com/torchbox/k8s-ts-ingress) 
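Review bot: The `{{ $cfg.ServerSnippet }}` added in the first nginx.tmpl hunk is rendered verbatim into every server block the `range` produces, and the existing comment does not say so. A directive in the snippet that the SERVER template or a per-Ingress snippet also emits may make nginx reject the whole generated configuration, not just one host. I would extend the comment to `# Custom code snippet from the configuration configmap; rendered unvalidated into every server block`. It is also worth noting in configuration.md that the configmap is an operator-only input. The server block and its `range` begin outside this hunk.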
@@ -19,27 +20,27 @@ Key: | Name | Meaning | Default | Controller | --- | --- | --- | --- | -| `ssl-passthrough` | Pass TLS connections directly to backend; do not offload. | `false` | nginx, haproxy -| `ssl-redirect` | Redirect non-TLS requests to TLS when TLS is enabled. | `true` | nginx, haproxy, trafficserver -| `force-ssl-redirect` | Redirect non-TLS requests to TLS even when TLS is not configured. | `false` | nginx, trafficserver -| `secure-backends` | Use TLS to communicate with origin (pods). | `false` | nginx, haproxy, trafficserver +| `ssl-passthrough` | Pass TLS connections directly to backend; do not offload. | `false` | nginx, voyager, haproxy +| `ssl-redirect` | Redirect non-TLS requests to TLS when TLS is enabled. | `true` | nginx, voyager, haproxy, trafficserver +| `force-ssl-redirect` | Redirect non-TLS requests to TLS even when TLS is not configured. | `false` | nginx, voyager, trafficserver +| `secure-backends` | Use TLS to communicate with origin (pods). | `false` | nginx, voyager, haproxy, trafficserver | `kubernetes.io/ingress.allow-http` | Whether to accept non-TLS HTTP connections. | `true` | gce | `pre-shared-cert` | Name of the TLS certificate in GCP to use when provisioning the HTTPS load balancer. | empty string | gce -| `hsts-max-age` | Set an HSTS header with this lifetime. | | trafficserver -| `hsts-include-subdomains` | Add includeSubdomains to the HSTS header. | | trafficserver +| `hsts-max-age` | Set an HSTS header with this lifetime. | | voyager, trafficserver +| `hsts-include-subdomains` | Add includeSubdomains to the HSTS header. | | voyager, trafficserver ## Authentication related | Name | Meaning | Default | Controller | --- | --- | --- | --- | -| `auth-type` | Authentication type: `basic`, `digest`, ... | | nginx, haproxy, trafficserver -| `auth-secret` | Secret name for authentication. | | nginx, haproxy, trafficserver -| `auth-realm` | Authentication realm. 
| | nginx, haproxy, trafficserver -| `auth-tls-secret` | Name of secret for TLS client certification validation. | | nginx, haproxy +| `auth-type` | Authentication type: `basic`, `digest`, ... | | nginx, voyager, haproxy, trafficserver +| `auth-secret` | Secret name for authentication. | | nginx, voyager, haproxy, trafficserver +| `auth-realm` | Authentication realm. | | nginx, voyager, haproxy, trafficserver +| `auth-tls-secret` | Name of secret for TLS client certification validation. | | nginx, voyager, haproxy | `auth-tls-verify-depth` | Maximum chain length of TLS client certificate. | | nginx -| `auth-tls-error-page` | The page that user should be redirected in case of Auth error | | string +| `auth-tls-error-page` | The page that user should be redirected in case of Auth error | | nginx, voyager | `auth-satisfy` | Behaviour when more than one of `auth-type`, `auth-tls-secret` or `whitelist-source-range` are configured: `all` or `any`. | `all` | trafficserver | `trafficserver` -| `whitelist-source-range` | Comma-separate list of IP addresses to enable access to. | | nginx, haproxy, trafficserver +| `whitelist-source-range` | Comma-separate list of IP addresses to enable access to. | | nginx, voyager, haproxy, trafficserver ## URL related 
@@ -56,14 +57,14 @@ Key: | Name | Meaning | Default | Controller | --- | --- | --- | --- | | `configuration-snippet` | Arbitrary text to put in the generated configuration file. | | nginx -| `enable-cors` | Enable CORS headers in response. | | nginx -| `limit-connections` | Limit concurrent connections per IP address[1]. | | nginx -| `limit-rps` | Limit requests per second per IP address[1]. | | nginx -| `limit-rpm` | Limit requests per minute per IP address. | | nginx -| `affinity` | Specify a method to stick clients to origins across requests. Found in `nginx`, where the only supported value is `cookie`. | | nginx -| `session-cookie-name` | When `affinity` is set to `cookie`, the name of the cookie to use. | | nginx +| `enable-cors` | Enable CORS headers in response. | | nginx, voyager +| `limit-connections` | Limit concurrent connections per IP address[1]. | | nginx, voyager +| `limit-rps` | Limit requests per second per IP address[1]. | | nginx, voyager +| `limit-rpm` | Limit requests per minute per IP address. | | nginx, voyager +| `affinity` | Specify a method to stick clients to origins across requests. Found in `nginx`, where the only supported value is `cookie`. | | nginx, voyager +| `session-cookie-name` | When `affinity` is set to `cookie`, the name of the cookie to use. | | nginx, voyager | `session-cookie-hash` | When `affinity` is set to `cookie`, the hash algorithm used: `md5`, `sha`, `index`. | | nginx -| `proxy-body-size` | Maximum request body size. | | nginx, haproxy +| `proxy-body-size` | Maximum request body size. | | nginx, voyager, haproxy | `proxy-pass-params` | Parameters for proxy-pass directives. | | | `follow-redirects` | Follow HTTP redirects in the response and deliver the redirect target to the client. | | trafficserver | `kubernetes.io/ingress.global-static-ip-name` | Name of the static global IP address in GCP to use when provisioning the HTTPS load balancer. | empty string | gce