From 40a9eb0ba2c7395f2bb01ecd7a3085e64181900c Mon Sep 17 00:00:00 2001
From: Prashanth Balasubramanian
Date: Wed, 13 Apr 2016 10:08:48 -0700
Subject: [PATCH] Add a multi-tls example.

---
 .../nginx/examples/multi-tls/README.md | 94 ++++++++++++++++
 .../nginx/examples/multi-tls/multi-tls.yaml | 102 ++++++++++++++++++
 controllers/nginx/rc.yaml | 2 +-
 3 files changed, 197 insertions(+), 1 deletion(-)
 create mode 100644 controllers/nginx/examples/multi-tls/README.md
 create mode 100644 controllers/nginx/examples/multi-tls/multi-tls.yaml

diff --git a/controllers/nginx/examples/multi-tls/README.md b/controllers/nginx/examples/multi-tls/README.md
new file mode 100644
index 000000000..12f4b76e9
--- /dev/null
+++ b/controllers/nginx/examples/multi-tls/README.md
@@ -0,0 +1,94 @@
+# Multi TLS certificate termination
+
+This examples uses 2 different certificates to terminate SSL for 2 hostnames.
+
+1. Deploy the controller by creating the rc in the parent dir
+2. Create tls secrets for foo.bar.com and bar.baz.com as indicated in the yaml
+3. Create multi-tls.yaml
+
+This should generate a segment like:
+```console
+$ kubectl exec -it nginx-ingress-controller-6vwd1 -- cat /etc/nginx/nginx.conf | grep "foo.bar.com" -B 7 -A 35
+ server {
+ listen 80;
+ listen 443 ssl http2;
+ ssl_certificate /etc/nginx-ssl/default-foobar.pem;
+ ssl_certificate_key /etc/nginx-ssl/default-foobar.pem;
+
+
+ server_name foo.bar.com;
+
+
+ if ($scheme = http) {
+ return 301 https://$host$request_uri;
+ }
+
+
+
+ location / {
+ proxy_set_header Host $host;
+
+ # Pass Real IP
+ proxy_set_header X-Real-IP $remote_addr;
+
+ # Allow websocket connections
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Proto $pass_access_scheme;
+
+ proxy_connect_timeout 5s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+
+ proxy_redirect off;
+ proxy_buffering off;
+
+ proxy_http_version 1.1;
+
+ proxy_pass http://default-echoheaders-80;
+ }
+```
+
+And you should be able to reach your nginx service or echoheaders service using a hostname switch:
+```console
+$ kubectl get ing
+NAME RULE BACKEND ADDRESS AGE
+foo-tls - 104.154.30.67 13m
+ foo.bar.com
+ / echoheaders:80
+ bar.baz.com
+ / nginx:80
+
+$ curl https://104.154.30.67 -H 'Host:foo.bar.com' -k
+CLIENT VALUES:
+client_address=10.245.0.6
+command=GET
+real path=/
+query=nil
+request_version=1.1
+request_uri=http://foo.bar.com:8080/
+
+SERVER VALUES:
+server_version=nginx: 1.9.11 - lua: 10001
+
+HEADERS RECEIVED:
+accept=*/*
+connection=close
+host=foo.bar.com
+user-agent=curl/7.35.0
+x-forwarded-for=10.245.0.1
+x-forwarded-host=foo.bar.com
+x-forwarded-proto=https
+
+$ curl https://104.154.30.67 -H 'Host:bar.baz.com' -k
+
+
+
+Welcome to nginx on Debian!
+
+$ curl 104.154.30.67
+default backend - 404
+```
diff --git a/controllers/nginx/examples/multi-tls/multi-tls.yaml b/controllers/nginx/examples/multi-tls/multi-tls.yaml
new file mode 100644
index 000000000..ace26fab2
--- /dev/null
+++ b/controllers/nginx/examples/multi-tls/multi-tls.yaml
@@ -0,0 +1,102 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: nginx
+ labels:
+ app: nginx
+spec:
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
+ name: http
+ selector:
+ app: nginx
+---
+apiVersion: v1
+kind: ReplicationController
+metadata:
+ name: nginx
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: gcr.io/google_containers/nginx
+ ports:
+ - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: echoheaders
+ labels:
+ app: echoheaders
+spec:
+ ports:
+ - port: 80
+ targetPort: 8080
+ protocol: TCP
+ name: http
+ selector:
+ app: echoheaders
+---
+apiVersion: v1
+kind: ReplicationController
+metadata:
+ name: echoheaders
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: echoheaders
+ spec:
+ containers:
+ - name: echoheaders
+ image: gcr.io/google_containers/echoserver:1.3
+ ports:
+ - containerPort: 8080
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: foo-tls
+ namespace: default
+spec:
+ tls:
+ - hosts:
+ - foo.bar.com
+ # This secret must exist beforehand
+ # The cert must also contain the subj-name foo.bar.com
+ # You can create it via:
+ # make keys secret SECRET=/tmp/foobar.json HOST=foo.bar.com NAME=foobar
+ # https://github.com/kubernetes/contrib/tree/master/ingress/controllers/gce/https_example
+ secretName: foobar
+ - hosts:
+ - bar.baz.com
+ # This secret must exist beforehand
+ # The cert must also contain the subj-name bar.baz.com
+ # You can create it via:
+ # make keys secret SECRET=/tmp/barbaz.json HOST=bar.baz.com NAME=barbaz
+ # https://github.com/kubernetes/contrib/tree/master/ingress/controllers/gce/https_example
+ secretName: barbaz
+ rules:
+ - host: foo.bar.com
+ http:
+ paths:
+ - backend:
+ serviceName: echoheaders
+ servicePort: 80
+ path: /
+ - host: bar.baz.com
+ http:
+ paths:
+ - backend:
+ serviceName: nginx
+ servicePort: 80
+ path: /
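Review bot: The nginx ReplicationController's `image: gcr.io/google_containers/nginx` carries no tag, so each pull resolves to whatever the registry currently serves as its default, while the sibling echoheaders container is pinned to `gcr.io/google_containers/echoserver:1.3`. Since this is an example people will copy, pin it the same way, `image: gcr.io/google_containers/nginx:<TAG>` (placeholder; use a tag that exists in that registry) or a digest, so the manifest is reproducible. The five-line comment repeated under each `tls` entry could be stated once above `tls:`, keeping only the per-host `make keys secret ...` line beside each `secretName`, which also keeps the two copies from drifting apart.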
diff --git a/controllers/nginx/rc.yaml b/controllers/nginx/rc.yaml
index 8c1beff6f..527ef42e5 100644
--- a/controllers/nginx/rc.yaml
+++ b/controllers/nginx/rc.yaml
@@ -92,7 +92,7 @@ spec:
 - containerPort: 80
 hostPort: 80
 - containerPort: 443
- hostPort: 4444
+ hostPort: 443
 args:
 - /nginx-ingress-controller
 - --default-backend-service=default/default-http-backend
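Review bot: `hostPort: 443` now binds the node's standard TLS port directly rather than 4444, but nothing in rc.yaml records that the new README's `curl https://<node-ip>` examples (no explicit port) depend on it, so a later editor has no reason not to move it again. A short comment on that line would carry the intent, e.g. `hostPort: 443  # keep at 443: clients reach the controller's TLS listener on the node's own port (see examples/multi-tls)`. Whether anything else on the node already listens on :443 cannot be seen from this hunk, so that is worth confirming before rollout. The container spec this line sits in starts and ends outside the hunk.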