Deploy GitHub Pages
parent
439138cd18
commit
1f3b258af2
39 changed files with 204 additions and 198 deletions
4
OWNERS
Normal file
|
@ -0,0 +1,4 @@
|
|||
# See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
|
||||
|
||||
labels:
|
||||
- area/docs
|
|
@ -2,22 +2,22 @@
|
|||
<span class="l l-Scalar l-Scalar-Plain">--for=condition=ready pod \</span>
|
||||
<span class="l l-Scalar l-Scalar-Plain">--selector=app.kubernetes.io/component=controller \</span>
|
||||
<span class="l l-Scalar l-Scalar-Plain">--timeout=120s</span>
|
||||
</code></pre></div> <h2 id=contents>Contents<a class=headerlink href=#contents title="Permanent link"> ¶</a></h2> <ul> <li><a href=#provider-specific-steps>Provider Specific Steps</a></li> <li><a href=#docker-desktop>Docker Desktop</a></li> <li><a href=#minikube>minikube</a></li> <li><a href=#microk8s>microk8s</a></li> <li><a href=#aws>AWS</a></li> <li><a href=#gce-gke>GCE - GKE</a></li> <li><a href=#azure>Azure</a></li> <li><a href=#digital-ocean>Digital Ocean</a></li> <li><a href=#scaleway>Scaleway</a></li> <li><a href=#exoscale>Exoscale</a></li> <li><a href=#oracle-cloud-infrastructure>Oracle Cloud Infrastructure</a> </li> <li><a href=#bare-metal>Bare-metal</a></li> <li><a href=#verify-installation>Verify installation</a></li> <li><a href=#detect-installed-version>Detect installed version</a></li> <li><a href=#using-helm>Using Helm</a></li> </ul> <h3 id=provider-specific-steps>Provider Specific Steps<a class=headerlink href=#provider-specific-steps title="Permanent link"> ¶</a></h3> <h4 id=docker-desktop>Docker Desktop<a class=headerlink href=#docker-desktop title="Permanent link"> ¶</a></h4> <p>Kubernetes is available in Docker Desktop</p> <ul> <li>Mac, from <a href=https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018>version 18.06.0-ce</a></li> <li>Windows, from <a href=https://docs.docker.com/docker-for-windows/release-notes/#docker-community-edition-18060-ce-win70-2018-07-25>version 18.06.0-ce</a></li> </ul> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/cloud/deploy.yaml</span>
|
||||
</code></pre></div> <h2 id=contents>Contents<a class=headerlink href=#contents title="Permanent link"> ¶</a></h2> <ul> <li><a href=#provider-specific-steps>Provider Specific Steps</a></li> <li><a href=#docker-desktop>Docker Desktop</a></li> <li><a href=#minikube>minikube</a></li> <li><a href=#microk8s>microk8s</a></li> <li><a href=#aws>AWS</a></li> <li><a href=#gce-gke>GCE - GKE</a></li> <li><a href=#azure>Azure</a></li> <li><a href=#digital-ocean>Digital Ocean</a></li> <li><a href=#scaleway>Scaleway</a></li> <li><a href=#exoscale>Exoscale</a></li> <li><a href=#oracle-cloud-infrastructure>Oracle Cloud Infrastructure</a> </li> <li><a href=#bare-metal>Bare-metal</a></li> <li><a href=#verify-installation>Verify installation</a></li> <li><a href=#detect-installed-version>Detect installed version</a></li> <li><a href=#using-helm>Using Helm</a></li> </ul> <h3 id=provider-specific-steps>Provider Specific Steps<a class=headerlink href=#provider-specific-steps title="Permanent link"> ¶</a></h3> <h4 id=docker-desktop>Docker Desktop<a class=headerlink href=#docker-desktop title="Permanent link"> ¶</a></h4> <p>Kubernetes is available in Docker Desktop</p> <ul> <li>Mac, from <a href=https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018>version 18.06.0-ce</a></li> <li>Windows, from <a href=https://docs.docker.com/docker-for-windows/release-notes/#docker-community-edition-18060-ce-win70-2018-07-25>version 18.06.0-ce</a></li> </ul> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/cloud/deploy.yaml</span>
|
||||
</code></pre></div> <h4 id=minikube>minikube<a class=headerlink href=#minikube title="Permanent link"> ¶</a></h4> <p>For standard usage:</p> <div class=highlight><pre><span></span><code><span class=go>minikube addons enable ingress</span>
|
||||
</code></pre></div> <h4 id=microk8s>microk8s<a class=headerlink href=#microk8s title="Permanent link"> ¶</a></h4> <p>For standard usage:</p> <div class=highlight><pre><span></span><code><span class=go>microk8s enable ingress</span>
|
||||
</code></pre></div> <p>Please check the microk8s <a href=https://microk8s.io/docs/addon-ingress>documentation page</a></p> <h4 id=aws>AWS<a class=headerlink href=#aws title="Permanent link"> ¶</a></h4> <p>In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controller behind a Service of <code>Type=LoadBalancer</code>.</p> <h5 id=network-load-balancer-nlb>Network Load Balancer (NLB)<a class=headerlink href=#network-load-balancer-nlb title="Permanent link"> ¶</a></h5> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/aws/deploy.yaml</span>
|
||||
</code></pre></div> <h5 id=tls-termination-in-aws-load-balancer-elb>TLS termination in AWS Load Balancer (ELB)<a class=headerlink href=#tls-termination-in-aws-load-balancer-elb title="Permanent link"> ¶</a></h5> <p>In some scenarios is required to terminate TLS in the Load Balancer and not in the ingress controller.</p> <p>For this purpose we provide a template:</p> <ul> <li>Download <a href=https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/aws/deploy-tls-termination.yaml>deploy-tls-termination.yaml</a></li> </ul> <div class=highlight><pre><span></span><code><span class=go>wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/aws/deploy-tls-termination.yaml</span>
|
||||
</code></pre></div> <p>Please check the microk8s <a href=https://microk8s.io/docs/addon-ingress>documentation page</a></p> <h4 id=aws>AWS<a class=headerlink href=#aws title="Permanent link"> ¶</a></h4> <p>In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controller behind a Service of <code>Type=LoadBalancer</code>.</p> <h5 id=network-load-balancer-nlb>Network Load Balancer (NLB)<a class=headerlink href=#network-load-balancer-nlb title="Permanent link"> ¶</a></h5> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/aws/deploy.yaml</span>
|
||||
</code></pre></div> <h5 id=tls-termination-in-aws-load-balancer-elb>TLS termination in AWS Load Balancer (ELB)<a class=headerlink href=#tls-termination-in-aws-load-balancer-elb title="Permanent link"> ¶</a></h5> <p>In some scenarios is required to terminate TLS in the Load Balancer and not in the ingress controller.</p> <p>For this purpose we provide a template:</p> <ul> <li>Download <a href=https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/aws/deploy-tls-termination.yaml>deploy-tls-termination.yaml</a></li> </ul> <div class=highlight><pre><span></span><code><span class=go>wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/aws/deploy-tls-termination.yaml</span>
|
||||
</code></pre></div> <ul> <li> <p>Edit the file and change:</p> </li> <li> <p>VPC CIDR in use for the Kubernetes cluster:</p> </li> </ul> <p><code>proxy-real-ip-cidr: XXX.XXX.XXX/XX</code></p> <ul> <li>AWS Certificate Manager (ACM) ID</li> </ul> <p><code>arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX</code></p> <ul> <li>Deploy the manifest:</li> </ul> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f deploy-tls-termination.yaml</span>
|
||||
</code></pre></div> <h5 id=nlb-idle-timeouts>NLB Idle Timeouts<a class=headerlink href=#nlb-idle-timeouts title="Permanent link"> ¶</a></h5> <p>Idle timeout value for TCP flows is 350 seconds and <a href=https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html#connection-idle-timeout>cannot be modified</a>.</p> <p>For this reason, you need to ensure the <a href=http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout>keepalive_timeout</a> value is configured less than 350 seconds to work as expected.</p> <p>By default NGINX <code>keepalive_timeout</code> is set to <code>75s</code>.</p> <p>More information with regards to timeouts can be found in the <a href=https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html#connection-idle-timeout>official AWS documentation</a></p> <h4 id=gce-gke>GCE-GKE<a class=headerlink href=#gce-gke title="Permanent link"> ¶</a></h4> <div class="admonition info"> <p class=admonition-title>Info</p> <p>Initialize your user as a cluster-admin with the following command: <div class=highlight><pre><span></span><code><span class=go>kubectl create clusterrolebinding cluster-admin-binding \</span>
|
||||
<span class=go> --clusterrole cluster-admin \</span>
|
||||
<span class=go> --user $(gcloud config get-value account)</span>
|
||||
</code></pre></div></p> </div> <div class="admonition danger"> <p class=admonition-title>Danger</p> <p>For private clusters, you will need to either add an additional firewall rule that allows master nodes access to port <code>8443/tcp</code> on worker nodes, or change the existing rule that allows access to ports <code>80/tcp</code>, <code>443/tcp</code> and <code>10254/tcp</code> to also allow access to port <code>8443/tcp</code>.</p> <p>See the <a href=https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules>GKE documentation</a> on adding rules and the <a href=https://github.com/kubernetes/kubernetes/issues/79739>Kubernetes issue</a> for more detail.</p> </div> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/cloud/deploy.yaml</span>
|
||||
</code></pre></div> <div class="admonition failure important"> <p class=admonition-title>Failure</p> <p>Proxy protocol is not supported in GCE/GKE</p> </div> <h4 id=azure>Azure<a class=headerlink href=#azure title="Permanent link"> ¶</a></h4> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/cloud/deploy.yaml</span>
|
||||
</code></pre></div> <p>More information with regards to Azure annotations for ingress controller can be found in the <a href=https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller>official AKS documentation</a>.</p> <h4 id=digital-ocean>Digital Ocean<a class=headerlink href=#digital-ocean title="Permanent link"> ¶</a></h4> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/do/deploy.yaml</span>
|
||||
</code></pre></div> <h4 id=scaleway>Scaleway<a class=headerlink href=#scaleway title="Permanent link"> ¶</a></h4> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/scw/deploy.yaml</span>
|
||||
</code></pre></div></p> </div> <div class="admonition danger"> <p class=admonition-title>Danger</p> <p>For private clusters, you will need to either add an additional firewall rule that allows master nodes access to port <code>8443/tcp</code> on worker nodes, or change the existing rule that allows access to ports <code>80/tcp</code>, <code>443/tcp</code> and <code>10254/tcp</code> to also allow access to port <code>8443/tcp</code>.</p> <p>See the <a href=https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules>GKE documentation</a> on adding rules and the <a href=https://github.com/kubernetes/kubernetes/issues/79739>Kubernetes issue</a> for more detail.</p> </div> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/cloud/deploy.yaml</span>
|
||||
</code></pre></div> <div class="admonition failure important"> <p class=admonition-title>Failure</p> <p>Proxy protocol is not supported in GCE/GKE</p> </div> <h4 id=azure>Azure<a class=headerlink href=#azure title="Permanent link"> ¶</a></h4> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/cloud/deploy.yaml</span>
|
||||
</code></pre></div> <p>More information with regards to Azure annotations for ingress controller can be found in the <a href=https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller>official AKS documentation</a>.</p> <h4 id=digital-ocean>Digital Ocean<a class=headerlink href=#digital-ocean title="Permanent link"> ¶</a></h4> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/do/deploy.yaml</span>
|
||||
</code></pre></div> <h4 id=scaleway>Scaleway<a class=headerlink href=#scaleway title="Permanent link"> ¶</a></h4> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/scw/deploy.yaml</span>
|
||||
</code></pre></div> <h4 id=exoscale>Exoscale<a class=headerlink href=#exoscale title="Permanent link"> ¶</a></h4> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/exoscale/deploy.yaml</span>
|
||||
</code></pre></div> <p>The full list of annotations supported by Exoscale is available in the Exoscale Cloud Controller Manager <a href=https://github.com/exoscale/exoscale-cloud-controller-manager/blob/master/docs/service-loadbalancer.md>documentation</a>.</p> <h4 id=oracle-cloud-infrastructure>Oracle Cloud Infrastructure<a class=headerlink href=#oracle-cloud-infrastructure title="Permanent link"> ¶</a></h4> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.44.0/deploy/static/provider/cloud/deploy.yaml</span>
|
||||
</code></pre></div> <p>A <a href=https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md>complete list of available annotations for Oracle Cloud Infrastructure</a> can be found in the <a href=https://github.com/oracle/oci-cloud-controller-manager>OCI Cloud Controller Manager</a> documentation.</p> <h4 id=bare-metal>Bare-metal<a class=headerlink href=#bare-metal title="Permanent link"> ¶</a></h4> <p>Using <a href=https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport>NodePort</a>:</p> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/baremetal/deploy.yaml</span>
|
||||
</code></pre></div> <p>A <a href=https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md>complete list of available annotations for Oracle Cloud Infrastructure</a> can be found in the <a href=https://github.com/oracle/oci-cloud-controller-manager>OCI Cloud Controller Manager</a> documentation.</p> <h4 id=bare-metal>Bare-metal<a class=headerlink href=#bare-metal title="Permanent link"> ¶</a></h4> <p>Using <a href=https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport>NodePort</a>:</p> <div class=highlight><pre><span></span><code><span class=go>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/baremetal/deploy.yaml</span>
|
||||
</code></pre></div> <div class="admonition tip"> <p class=admonition-title>Tip</p> <p>Applicable on kubernetes clusters deployed on bare-metal with generic Linux distro(Such as CentOs, Ubuntu ...).</p> </div> <div class="admonition info"> <p class=admonition-title>Info</p> <p>For extended notes regarding deployments on bare-metal, see <a href=baremetal/ >Bare-metal considerations</a>.</p> </div> <h3 id=verify-installation>Verify installation<a class=headerlink href=#verify-installation title="Permanent link"> ¶</a></h3> <p>To check if the ingress controller pods have started, run the following command:</p> <div class=highlight><pre><span></span><code><span class=go>kubectl get pods -n ingress-nginx \</span>
|
||||
<span class=go> -l app.kubernetes.io/name=ingress-nginx --watch</span>
|
||||
</code></pre></div> <p>Once the ingress controller pods are running, you can cancel the command typing <code>Ctrl+C</code>.</p> <p>Now, you are ready to create your first ingress.</p> <h3 id=detect-installed-version>Detect installed version<a class=headerlink href=#detect-installed-version title="Permanent link"> ¶</a></h3> <p>To detect which version of the ingress controller is running, exec into the pod and run <code>nginx-ingress-controller --version</code>.</p> <div class=highlight><pre><span></span><code><span class=go>POD_NAMESPACE=ingress-nginx</span>
|
||||
|
|
|
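Review bot: Two install commands in this hunk are left out of the version bump: the Exoscale line still applies the manifest from `master`, and the Oracle Cloud Infrastructure line still applies `controller-v0.44.0`, while every other provider moves from `controller-v0.47.0` to `controller-v0.48.1`. A manifest fetched from `master` can change between two runs of the same documented command, so pin the Exoscale URL to a release tag like the others, and either bump the OCI URL or state why it stays on 0.44.0.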
@ -3,7 +3,7 @@
|
|||
</code></pre></div> <p><strong>Run unit-tests for lua code</strong></p> <div class=highlight><pre><span></span><code><span class=go>make lua-test</span>
|
||||
</code></pre></div> <p>Lua tests are located in the directory <code>rootfs/etc/nginx/lua/test</code></p> <div class="admonition important"> <p class=admonition-title>Important</p> <p>Test files must follow the naming convention <code><mytest>_test.lua</code> or it will be ignored</p> </div> <p><strong>Run e2e test suite</strong></p> <div class=highlight><pre><span></span><code><span class=go>make kind-e2e-test</span>
|
||||
</code></pre></div> <p>To limit the scope of the tests to execute, we can use the environment variable <code>FOCUS</code></p> <div class=highlight><pre><span></span><code><span class=go>FOCUS="no-auth-locations" make kind-e2e-test</span>
|
||||
</code></pre></div> <div class="admonition note"> <p class=admonition-title>Note</p> <p>The variable <code>FOCUS</code> defines Ginkgo <a href=https://onsi.github.io/ginkgo/#focused-specs>Focused Specs</a></p> </div> <p>Valid values are defined in the describe definition of the e2e tests like <a href=https://github.com/kubernetes/ingress-nginx/blob/master/test/e2e/defaultbackend/default_backend.go#L29>Default Backend</a></p> <p>The complete list of tests can be found <a href=../../e2e-tests/ >here</a></p> <h3 id=custom-docker-image>Custom docker image<a class=headerlink href=#custom-docker-image title="Permanent link"> ¶</a></h3> <p>In some cases, it can be useful to build a docker image and publish such an image to a private or custom registry location.</p> <p>This can be done setting two environment variables, <code>REGISTRY</code> and <code>TAG</code></p> <div class=highlight><pre><span></span><code><span class=go>export TAG="dev"</span>
|
||||
</code></pre></div> <div class="admonition note"> <p class=admonition-title>Note</p> <p>The variable <code>FOCUS</code> defines Ginkgo <a href=https://onsi.github.io/ginkgo/#focused-specs>Focused Specs</a></p> </div> <p>Valid values are defined in the describe definition of the e2e tests like <a href=https://github.com/kubernetes/ingress-nginx/blob/master/test/e2e/defaultbackend/default_backend.go#L29>Default Backend</a></p> <p>The complete list of tests can be found <a href=e2e-tests.md>here</a></p> <h3 id=custom-docker-image>Custom docker image<a class=headerlink href=#custom-docker-image title="Permanent link"> ¶</a></h3> <p>In some cases, it can be useful to build a docker image and publish such an image to a private or custom registry location.</p> <p>This can be done setting two environment variables, <code>REGISTRY</code> and <code>TAG</code></p> <div class=highlight><pre><span></span><code><span class=go>export TAG="dev"</span>
|
||||
<span class=go>export REGISTRY="$USER"</span>
|
||||
|
||||
<span class=go>make build image</span>
|
||||
|
|
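Review bot: The "complete list of tests" link in the added line points at `e2e-tests.md`, where the removed line pointed at `../../e2e-tests/`. This is generated HTML, so a `.md` target will most likely not resolve on the published site; fix the link in the Markdown source so the build rewrites it to the rendered page, then redeploy.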
File diff suppressed because one or more lines are too long
|
@ -1,4 +1,4 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: cookie-samesite-none
|
||||
|
@ -19,7 +19,7 @@ spec:
|
|||
servicePort: 80
|
||||
path: /
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: cookie-samesite-strict
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: nginx-test
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
<span class=go> namespace: default</span>
|
||||
<span class=go>type: Opaque</span>
|
||||
</code></pre></div> <div class=highlight><pre><span></span><code><span class=go>echo "</span>
|
||||
<span class=go>apiVersion: networking.k8s.io/v1</span>
|
||||
<span class=go>apiVersion: networking.k8s.io/v1beta1</span>
|
||||
<span class=go>kind: Ingress</span>
|
||||
<span class=go>metadata:</span>
|
||||
<span class=go> name: ingress-with-auth</span>
|
||||
|
@ -31,13 +31,10 @@
|
|||
<span class=go> - host: foo.bar.com</span>
|
||||
<span class=go> http:</span>
|
||||
<span class=go> paths:</span>
|
||||
<span class=go> pathType: ImplementationSpecific</span>
|
||||
<span class=go> - path: /</span>
|
||||
<span class=go> backend:</span>
|
||||
<span class=go> service</span>
|
||||
<span class=go> name: http-svc</span>
|
||||
<span class=go> port: </span>
|
||||
<span class=go> number: 80</span>
|
||||
<span class=go> serviceName: http-svc</span>
|
||||
<span class=go> servicePort: 80</span>
|
||||
<span class=go>" | kubectl create -f -</span>
|
||||
</code></pre></div> <div class=highlight><pre><span></span><code>$ curl -v http://10.2.29.4/ -H 'Host: foo.bar.com'
|
||||
* Trying 10.2.29.4...
|
||||
|
|
|
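Review bot: In the `ingress-with-auth` example the added lines go back to `serviceName: http-svc` / `servicePort: 80` and drop `pathType`, which fits the `networking.k8s.io/v1beta1` apiVersion set in the previous hunk, but that API version is not served by Kubernetes 1.22 and later, so the documented `kubectl create` will fail there. The removed v1 block was itself malformed (`pathType: ImplementationSpecific` sat above `- path: /`, and `service` had no colon); correcting that block in the source and keeping `networking.k8s.io/v1` would be a better fix than reverting the schema.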
@ -1,4 +1,4 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
|
|
|
@ -6,7 +6,7 @@ NAME HOSTS ADDRESS PORTS AGE
|
|||
external-auth external-auth-01.sample.com 172.17.4.99 80 13s
|
||||
|
||||
$ kubectl get ing external-auth -o yaml
|
||||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
|
@ -16,7 +16,7 @@ metadata:
|
|||
name: external-auth
|
||||
namespace: default
|
||||
resourceVersion: "2068378"
|
||||
selfLink: /apis/networking/v1/namespaces/default/ingresses/external-auth
|
||||
selfLink: /apis/networking/v1beta1/namespaces/default/ingresses/external-auth
|
||||
uid: 5c388f1d-8970-11e6-9004-080027d2dc94
|
||||
spec:
|
||||
rules:
|
||||
|
|
|
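Review bot: The `selfLink` in this sample output reads `/apis/networking/v1beta1/namespaces/default/ingresses/external-auth` (and `/apis/networking/v1/...` before the change), which does not match the `networking.k8s.io` group in the `apiVersion` line of the previous hunk. The path looks like the product of a search-and-replace rather than captured output; use `/apis/networking.k8s.io/...` or regenerate the output from a real cluster.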
@ -1,4 +1,4 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
|
@ -18,7 +18,7 @@ spec:
|
|||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: oauth2-proxy
|
||||
|
|
|
@ -54,7 +54,7 @@ spec:
|
|||
targetPort: 8080
|
||||
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: nginx-configuration-snippet
|
||||
|
|
|
@ -43,7 +43,7 @@ spec:
|
|||
selector:
|
||||
k8s-app: demo-echo-service
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: public-demo-echo-service
|
||||
|
@ -61,7 +61,7 @@ spec:
|
|||
servicePort: 80
|
||||
path: /
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: secure-demo-echo-service
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
|
|
|
@ -1,23 +0,0 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: fortune-teller-app
|
||||
labels:
|
||||
k8s-app: fortune-teller-app
|
||||
namespace: default
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: fortune-teller-app
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: fortune-teller-app
|
||||
spec:
|
||||
containers:
|
||||
- name: fortune-teller-app
|
||||
image: quay.io/kubernetes-ingress-controller/grpc-fortune-teller:0.1
|
||||
ports:
|
||||
- containerPort: 50051
|
||||
name: grpc
|
|
@ -1,7 +0,0 @@
|
|||
apiVersion: "stable.k8s.psg.io/v1"
|
||||
kind: "Certificate"
|
||||
metadata:
|
||||
name: fortune-teller.stack.build
|
||||
namespace: default
|
||||
spec:
|
||||
domain: "fortune-teller.stack.build"
|
File diff suppressed because one or more lines are too long
|
@ -1,24 +0,0 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
|
||||
name: fortune-ingress
|
||||
namespace: default
|
||||
spec:
|
||||
rules:
|
||||
- host: fortune-teller.stack.build
|
||||
http:
|
||||
paths:
|
||||
- backend:
|
||||
serviceName: fortune-teller-service
|
||||
servicePort: grpc
|
||||
tls:
|
||||
# This secret must exist beforehand
|
||||
# The cert must also contain the subj-name fortune-teller.stack.build
|
||||
# https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/PREREQUISITES.md#tls-certificates
|
||||
- secretName: fortune-teller.stack.build
|
||||
hosts:
|
||||
- fortune-teller.stack.build
|
|
@ -1,12 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: fortune-teller-service
|
||||
namespace: default
|
||||
spec:
|
||||
selector:
|
||||
k8s-app: fortune-teller-app
|
||||
ports:
|
||||
- port: 50051
|
||||
targetPort: 50051
|
||||
name: grpc
|
|
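Review bot: The fortune-teller Deployment, Certificate, Ingress and Service manifests are deleted whole (`+0,0` in each of these four hunks) and nothing visible in the diff replaces them. Confirm that no published page still links to these files. If the example is meant to stay, note that the deleted Ingress combined `apiVersion: networking.k8s.io/v1` with `serviceName`/`servicePort`, so it should come back with a backend block that matches its API version.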
@ -92,7 +92,7 @@ spec:
|
|||
fieldPath: status.podIP
|
||||
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: foo-tls
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,4 +1,4 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: ingress-nginx
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,4 +1,4 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: nginx-test
|
||||
|
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
BIN
sitemap.xml.gz
Binary file not shown.
|
@ -20,7 +20,7 @@ Do not move it without providing redirects.
|
|||
<span class=go> /tea tea-svc:80 (<none>)</span>
|
||||
<span class=go> /coffee coffee-svc:80 (<none>)</span>
|
||||
<span class=go>Annotations:</span>
|
||||
<span class=go> kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"networking.k8s.io/v1","kind":"Ingress","metadata":{"annotations":{},"name":"cafe-ingress","namespace":"default","selfLink":"/apis/networking/v1/namespaces/default/ingresses/cafe-ingress"},"spec":{"rules":[{"host":"cafe.com","http":{"paths":[{"backend":{"serviceName":"tea-svc","servicePort":80},"path":"/tea"},{"backend":{"serviceName":"coffee-svc","servicePort":80},"path":"/coffee"}]}}]},"status":{"loadBalancer":{"ingress":[{"ip":"169.48.142.110"}]}}}</span>
|
||||
<span class=go> kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"networking.k8s.io/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"cafe-ingress","namespace":"default","selfLink":"/apis/networking/v1beta1/namespaces/default/ingresses/cafe-ingress"},"spec":{"rules":[{"host":"cafe.com","http":{"paths":[{"backend":{"serviceName":"tea-svc","servicePort":80},"path":"/tea"},{"backend":{"serviceName":"coffee-svc","servicePort":80},"path":"/coffee"}]}}]},"status":{"loadBalancer":{"ingress":[{"ip":"169.48.142.110"}]}}}</span>
|
||||
|
||||
<span class=go>Events:</span>
|
||||
<span class=go> Type Reason Age From Message</span>
|
||||
|
@ -94,68 +94,47 @@ Do not move it without providing redirects.
|
|||
| | | |
|
||||
+---------------------------------------------------+ +------------------+
|
||||
</code></pre></div> <h3 id=service-account>Service Account<a class=headerlink href=#service-account title="Permanent link"> ¶</a></h3> <p>If using a service account to connect to the API server, the ingress-controller expects the file <code>/var/run/secrets/kubernetes.io/serviceaccount/token</code> to be present. It provides a secret token that is required to authenticate with the API server.</p> <p>Verify with the following commands:</p> <div class=highlight><pre><span></span><code><span class=gp>#</span> start a container that contains curl
|
||||
<span class=gp>$</span> kubectl run <span class=nb>test</span> --image<span class=o>=</span>tutum/curl -- sleep <span class=m>10000</span>
|
||||
|
||||
<span class=gp>#</span> check that container is running
|
||||
<span class=gp>$</span> kubectl get pods
|
||||
<span class=go>NAME READY STATUS RESTARTS AGE</span>
|
||||
<span class=go>test-701078429-s5kca 1/1 Running 0 16s</span>
|
||||
<span class=gp>$</span> kubectl run -it --rm <span class=nb>test</span> --image<span class=o>=</span>curlimages/curl --restart<span class=o>=</span>Never -- /bin/sh
|
||||
|
||||
<span class=gp>#</span> check <span class=k>if</span> secret exists
|
||||
<span class=gp>$</span> kubectl <span class=nb>exec</span> test-701078429-s5kca -- ls /var/run/secrets/kubernetes.io/serviceaccount/
|
||||
<span class=go>ca.crt</span>
|
||||
<span class=go>namespace</span>
|
||||
<span class=go>token</span>
|
||||
|
||||
<span class=gp>#</span> get service IP of master
|
||||
<span class=gp>$</span> kubectl get services
|
||||
<span class=go>NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE</span>
|
||||
<span class=go>kubernetes 10.0.0.1 <none> 443/TCP 1d</span>
|
||||
<span class=go>/ $ ls /var/run/secrets/kubernetes.io/serviceaccount/</span>
|
||||
<span class=go>ca.crt namespace token</span>
|
||||
<span class=go>/ $</span>
|
||||
|
||||
<span class=gp>#</span> check base connectivity from cluster inside
|
||||
<span class=gp>$</span> kubectl <span class=nb>exec</span> test-701078429-s5kca -- curl -k https://10.0.0.1
|
||||
<span class=go>Unauthorized</span>
|
||||
<span class=go>/ $ curl -k https://kubernetes.default.svc.cluster.local</span>
|
||||
<span class=go>{</span>
|
||||
<span class=go> "kind": "Status",</span>
|
||||
<span class=go> "apiVersion": "v1",</span>
|
||||
<span class=go> "metadata": {</span>
|
||||
|
||||
<span class=go> },</span>
|
||||
<span class=go> "status": "Failure",</span>
|
||||
<span class=go> "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",</span>
|
||||
<span class=go> "reason": "Forbidden",</span>
|
||||
<span class=go> "details": {</span>
|
||||
|
||||
<span class=go> },</span>
|
||||
<span class=go> "code": 403</span>
|
||||
<span class=go>}/ $</span>
|
||||
|
||||
<span class=gp>#</span> connect using tokens
|
||||
<span class=gp>$</span> <span class=nv>TOKEN_VALUE</span><span class=o>=</span><span class=k>$(</span>kubectl <span class=nb>exec</span> test-701078429-s5kca -- cat /var/run/secrets/kubernetes.io/serviceaccount/token<span class=k>)</span>
|
||||
<span class=gp>$</span> <span class=nb>echo</span> <span class=nv>$TOKEN_VALUE</span>
|
||||
<span class=go>eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3Mi....9A</span>
|
||||
<span class=gp>$</span> kubectl <span class=nb>exec</span> test-701078429-s5kca -- curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H <span class=s2>"Authorization: Bearer </span><span class=nv>$TOKEN_VALUE</span><span class=s2>"</span> https://10.0.0.1
|
||||
<span class=go>}/ $ curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc.cluster.local</span>
|
||||
<span class=go>&& echo</span>
|
||||
<span class=go>{</span>
|
||||
<span class=go> "paths": [</span>
|
||||
<span class=go> "/api",</span>
|
||||
<span class=go> "/api/v1",</span>
|
||||
<span class=go> "/apis",</span>
|
||||
<span class=go> "/apis/apps",</span>
|
||||
<span class=go> "/apis/apps/v1alpha1",</span>
|
||||
<span class=go> "/apis/authentication.k8s.io",</span>
|
||||
<span class=go> "/apis/authentication.k8s.io/v1",</span>
|
||||
<span class=go> "/apis/authorization.k8s.io",</span>
|
||||
<span class=go> "/apis/authorization.k8s.io/v1",</span>
|
||||
<span class=go> "/apis/autoscaling",</span>
|
||||
<span class=go> "/apis/autoscaling/v1",</span>
|
||||
<span class=go> "/apis/batch",</span>
|
||||
<span class=go> "/apis/batch/v1",</span>
|
||||
<span class=go> "/apis/batch/v2alpha1",</span>
|
||||
<span class=go> "/apis/certificates.k8s.io",</span>
|
||||
<span class=go> "/apis/certificates.k8s.io/v1alpha1",</span>
|
||||
<span class=go> "/apis/networking",</span>
|
||||
<span class=go> "/apis/networking/v1",</span>
|
||||
<span class=go> "/apis/policy",</span>
|
||||
<span class=go> "/apis/policy/v1alpha1",</span>
|
||||
<span class=go> "/apis/rbac.authorization.k8s.io",</span>
|
||||
<span class=go> "/apis/rbac.authorization.k8s.io/v1alpha1",</span>
|
||||
<span class=go> "/apis/storage.k8s.io",</span>
|
||||
<span class=go> "/apis/storage.k8s.io/v1",</span>
|
||||
<span class=go> "/healthz",</span>
|
||||
<span class=go> "/healthz/ping",</span>
|
||||
<span class=go> "/logs",</span>
|
||||
<span class=go> "/metrics",</span>
|
||||
<span class=go> "/swaggerapi/",</span>
|
||||
<span class=go> "/ui/",</span>
|
||||
<span class=go> "/apis/",</span>
|
||||
<span class=go> ... TRUNCATED</span>
|
||||
<span class=go> "/readyz/shutdown",</span>
|
||||
<span class=go> "/version"</span>
|
||||
<span class=go> ]</span>
|
||||
<span class=go>}</span>
|
||||
<span class=go>/ $</span>
|
||||
|
||||
<span class=gp>#</span> when you <span class=nb>type</span> <span class=sb>`</span><span class=nb>exit</span><span class=sb>`</span> or <span class=sb>`</span>^D<span class=sb>`</span> the <span class=nb>test</span> pod will be deleted.
|
||||
</code></pre></div> <p>If it is not working, there are two possible reasons:</p> <ol> <li> <p>The contents of the tokens are invalid. Find the secret name with <code>kubectl get secrets | grep service-account</code> and delete it with <code>kubectl delete secret <name></code>. It will automatically be recreated.</p> </li> <li> <p>You have a non-standard Kubernetes installation and the file containing the token may not be present. The API server will mount a volume containing this file, but only if the API server is configured to use the ServiceAccount admission controller. If you experience this error, verify that your API server is using the ServiceAccount admission controller. If you are configuring the API server by hand, you can set this with the <code>--admission-control</code> parameter.</p> <blockquote> <p>Note that you should use other admission controllers as well. Before configuring this option, you should read about admission controllers.</p> </blockquote> </li> </ol> <p>More information:</p> <ul> <li><a href=http://kubernetes.io/docs/user-guide/service-accounts/ >User Guide: Service Accounts</a></li> <li><a href=http://kubernetes.io/docs/admin/service-accounts-admin/ >Cluster Administrator Guide: Managing Service Accounts</a></li> </ul> <h2 id=kube-config>Kube-Config<a class=headerlink href=#kube-config title="Permanent link"> ¶</a></h2> <p>If you want to use a kubeconfig file for authentication, follow the <a href=../deploy/ >deploy procedure</a> and add the flag <code>--kubeconfig=/etc/kubernetes/kubeconfig.yaml</code> to the args section of the deployment.</p> <h2 id=using-gdb-with-nginx>Using GDB with Nginx<a class=headerlink href=#using-gdb-with-nginx title="Permanent link"> ¶</a></h2> <p><a href=https://www.gnu.org/software/gdb/ >Gdb</a> can be used to with nginx to perform a configuration dump. 
This allows us to see which configuration is being used, as well as older configurations.</p> <p>Note: The below is based on the nginx <a href=https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#dumping-nginx-configuration-from-a-running-process>documentation</a>.</p> <ol> <li>SSH into the worker</li> </ol> <div class=highlight><pre><span></span><code><span class=gp>$</span> ssh user@workerIP
|
||||
</code></pre></div> <ol> <li>Obtain the Docker Container Running nginx</li> </ol> <div class=highlight><pre><span></span><code><span class=gp>$</span> docker ps <span class=p>|</span> grep nginx-ingress-controller
|
||||
<span class=go>CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES</span>
|
||||
|
|
|
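Review bot: the in-pod connectivity check `curl -k https://kubernetes.default.svc.cluster.local` turns certificate verification off even though `ca.crt` is mounted in the directory listed two steps earlier. Using `--cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt` there, as the token step already does, keeps the check on a verified TLS connection and stops readers from picking up `-k` as the default. In the token step the prompt is rendered as `}/ $ curl --cacert ...`, with a stray `}` carried over from the end of the previous output, and `&& echo` sits on its own line styled as output, so the command cannot be copied as shown. The "Using GDB with Nginx" paragraph in the trailing context also reads "can be used to with nginx".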
@ -11,9 +11,12 @@ spec:
|
|||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
serviceName: myservicea
|
||||
servicePort: 80
|
||||
service:
|
||||
name: myservicea
|
||||
port:
|
||||
number: 80
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
|
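Review bot: the `service:` / `name:` / `port: number: 80` backend block for `myservicea` is only valid under `networking.k8s.io/v1`, and the `apiVersion` line of this first Ingress is outside the visible lines (the one in the trailing context belongs to the next resource). Please confirm the first resource declares `networking.k8s.io/v1` as well, since a `v1beta1` object carrying this backend block would fail validation on apply.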
@ -28,9 +31,12 @@ spec:
|
|||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
serviceName: myserviceb
|
||||
servicePort: 80
|
||||
service:
|
||||
name: myserviceb
|
||||
port:
|
||||
number: 80
|
||||
</code></pre></div> <p>When you apply this yaml, 2 ingress resources will be created managed by the <strong>ingress-nginx</strong> instance. Nginx is configured to automatically discover all ingress with the <code>kubernetes.io/ingress.class: "nginx"</code> annotation. Please note that the ingress resource should be placed inside the same namespace of the backend resource.</p> <p>On many cloud providers ingress-nginx will also create the corresponding Load Balancer resource. All you have to do is get the external IP and add a DNS <code>A record</code> inside your DNS provider that point myServiceA.foo.org and myServiceB.foo.org to the nginx external IP. Get the external IP by running:</p> <div class=highlight><pre><span></span><code>kubectl get services -n ingress-nginx
|
||||
</code></pre></div> </article> </div> </div> </main> <footer class=md-footer> <div class=md-footer-nav> <nav class="md-footer-nav__inner md-grid" aria-label=Footer> <a href=../nginx-configuration/ class="md-footer-nav__link md-footer-nav__link--prev" rel=prev> <div class="md-footer-nav__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg> </div> <div class=md-footer-nav__title> <div class=md-ellipsis> <span class=md-footer-nav__direction> Previous </span> Introduction </div> </div> </a> <a href=../nginx-configuration/annotations/ class="md-footer-nav__link md-footer-nav__link--next" rel=next> <div class=md-footer-nav__title> <div class=md-ellipsis> <span class=md-footer-nav__direction> Next </span> Annotations </div> </div> <div class="md-footer-nav__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg> </div> </a> </nav> </div> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class=md-footer-copyright> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a> </div> </div> </div> </footer> </div> <script src=../../assets/javascripts/vendor.93c04032.min.js></script> <script src=../../assets/javascripts/bundle.83e5331e.min.js></script><script id=__lang type=application/json>{"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", 
"search.result.more.other": "# more on this page", "search.result.term.missing": "Missing"}</script> <script>
|
||||
app = initialize({
|
||||
|
|
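Review bot: the paragraph after the `myserviceb` backend still describes discovery only through the `kubernetes.io/ingress.class: "nginx"` annotation, while the manifest above it is now written against `networking.k8s.io/v1`, where `spec.ingressClassName` is the field for that purpose. Please say in that paragraph whether `ingressClassName` is honoured by this controller version, so readers do not have to guess which mechanism selects the controller. Minor, in the same context: "that point myServiceA.foo.org" should read "that points".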
File diff suppressed because one or more lines are too long
|
@ -34,7 +34,7 @@
|
|||
|
||||
<span class=nn>---</span>
|
||||
|
||||
<span class=nt>apiVersion</span><span class=p>:</span> <span class="l l-Scalar l-Scalar-Plain">networking.k8s.io/v1</span>
|
||||
<span class=nt>apiVersion</span><span class=p>:</span> <span class="l l-Scalar l-Scalar-Plain">networking.k8s.io/v1beta1</span>
|
||||
<span class=nt>kind</span><span class=p>:</span> <span class="l l-Scalar l-Scalar-Plain">Ingress</span>
|
||||
<span class=nt>metadata</span><span class=p>:</span>
|
||||
<span class=nt>annotations</span><span class=p>:</span>
|
||||
|
|
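Review bot: the `apiVersion` pair here reads `networking.k8s.io/v1` followed by `networking.k8s.io/v1beta1`, while the multi-Ingress example in this same commit is moved to the `service.name` / `service.port.number` backend form that belongs to `v1`. Please settle on one API version across the docs, or state next to each example which one it targets, and check that the `spec` of this manifest (not visible in the hunk) matches the version the line ends up with.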
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
@ -99,7 +99,7 @@ $ kubectl expose deployment echoheaders --port=80 --target-port=8080 --name=echo
|
|||
|
||||
# Apply the Ingress Resource
|
||||
$ echo '
|
||||
apiVersion: networking.k8s.io/v1
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: echo-ingress
|
||||
|
|
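Review bot: if the `networking.k8s.io/v1beta1` line is the one that stays in the `echo '...'` manifest for `echo-ingress`, the example needs a note on supported cluster versions, because that API version is no longer served from Kubernetes 1.22 onward and the command would be rejected there. A one-line remark before "# Apply the Ingress Resource" naming the intended Kubernetes range would be enough.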