Add a multi-tls example.

2016-04-13 10:08:48 -07:00 · 2016-04-13 10:08:48 -07:00 · 40a9eb0ba2
commit 40a9eb0ba2
parent 71845f3b89
3 changed files with 197 additions and 1 deletions
--- a/controllers/nginx/examples/multi-tls/README.md
+++ b/controllers/nginx/examples/multi-tls/README.md
@ -0,0 +1,94 @@
+# Multi TLS certificate termination
+
+This examples uses 2 different certificates to terminate SSL for 2 hostnames.
+
+1. Deploy the controller by creating the rc in the parent dir
+2. Create tls secrets for foo.bar.com and bar.baz.com as indicated in the yaml
+3. Create multi-tls.yaml
+
+This should generate a segment like:
+```console
+$ kubectl exec -it nginx-ingress-controller-6vwd1 -- cat /etc/nginx/nginx.conf | grep "foo.bar.com" -B 7 -A 35
+    server {
+        listen 80;
+        listen 443 ssl http2;
+        ssl_certificate /etc/nginx-ssl/default-foobar.pem;
+        ssl_certificate_key /etc/nginx-ssl/default-foobar.pem;
+
+
+        server_name foo.bar.com;
+
+
+        if ($scheme = http) {
+            return 301 https://$host$request_uri;
+        }
+
+
+
+        location / {
+            proxy_set_header Host                   $host;
+
+            # Pass Real IP
+            proxy_set_header X-Real-IP              $remote_addr;
+
+            # Allow websocket connections
+            proxy_set_header                        Upgrade           $http_upgrade;
+            proxy_set_header                        Connection        $connection_upgrade;
+
+            proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host       $host;
+            proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
+
+            proxy_connect_timeout                   5s;
+            proxy_send_timeout                      60s;
+            proxy_read_timeout                      60s;
+
+            proxy_redirect                          off;
+            proxy_buffering                         off;
+
+            proxy_http_version                      1.1;
+
+            proxy_pass http://default-echoheaders-80;
+        }
+```
+
+And you should be able to reach your nginx service or echoheaders service using a hostname switch:
+```console
+$  kubectl get ing
+NAME      RULE          BACKEND   ADDRESS                         AGE
+foo-tls   -                       104.154.30.67                   13m
+          foo.bar.com
+          /             echoheaders:80
+          bar.baz.com
+          /             nginx:80
+
+$ curl https://104.154.30.67 -H 'Host:foo.bar.com' -k
+CLIENT VALUES:
+client_address=10.245.0.6
+command=GET
+real path=/
+query=nil
+request_version=1.1
+request_uri=http://foo.bar.com:8080/
+
+SERVER VALUES:
+server_version=nginx: 1.9.11 - lua: 10001
+
+HEADERS RECEIVED:
+accept=*/*
+connection=close
+host=foo.bar.com
+user-agent=curl/7.35.0
+x-forwarded-for=10.245.0.1
+x-forwarded-host=foo.bar.com
+x-forwarded-proto=https
+
+$ curl https://104.154.30.67 -H 'Host:bar.baz.com' -k
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to nginx on Debian!</title>
+
+$ curl 104.154.30.67
+default backend - 404
+```
--- a/controllers/nginx/examples/multi-tls/multi-tls.yaml
+++ b/controllers/nginx/examples/multi-tls/multi-tls.yaml
@ -0,0 +1,102 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx
+  labels:
+    app: nginx
+spec:
+  ports:
+  - port: 80
+    targetPort: 80
+    protocol: TCP
+    name: http
+  selector:
+    app: nginx
+---
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: nginx
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: gcr.io/google_containers/nginx
+        ports:
+        - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: echoheaders
+  labels:
+    app: echoheaders
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: echoheaders
+---
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: echoheaders
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: echoheaders
+    spec:
+      containers:
+      - name: echoheaders
+        image: gcr.io/google_containers/echoserver:1.3
+        ports:
+        - containerPort: 8080
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: foo-tls
+  namespace: default
+spec:
+  tls:
+  - hosts:
+    - foo.bar.com
+    # This secret must exist beforehand
+    # The cert must also contain the subj-name foo.bar.com
+    # You can create it via:
+    # make keys secret SECRET=/tmp/foobar.json HOST=foo.bar.com NAME=foobar
+    # https://github.com/kubernetes/contrib/tree/master/ingress/controllers/gce/https_example
+    secretName: foobar
+  - hosts:
+    - bar.baz.com
+    # This secret must exist beforehand
+    # The cert must also contain the subj-name bar.baz.com
+    # You can create it via:
+    # make keys secret SECRET=/tmp/barbaz.json HOST=bar.baz.com NAME=barbaz
+    # https://github.com/kubernetes/contrib/tree/master/ingress/controllers/gce/https_example
+    secretName: barbaz
+  rules:
+  - host: foo.bar.com
+    http:
+      paths:
+      - backend:
+          serviceName: echoheaders
+          servicePort: 80
+        path: /
+  - host: bar.baz.com
+    http:
+      paths:
+      - backend:
+          serviceName: nginx
+          servicePort: 80
+        path: /
--- a/controllers/nginx/rc.yaml
+++ b/controllers/nginx/rc.yaml
@ -92,7 +92,7 @@ spec:
        - containerPort: 80
          hostPort: 80
        - containerPort: 443
-          hostPort: 4444
+          hostPort: 443
        args:
        - /nginx-ingress-controller
        - --default-backend-service=default/default-http-backend