This commit is contained in:
Jonathan Pulsifer 2017-06-28 21:37:53 +00:00 committed by GitHub
commit 5a6bdb10e1
9 changed files with 67 additions and 18 deletions


@ -85,20 +85,20 @@ func newNGINXController() ingress.Controller {
Default: &server{ Default: &server{
Hostname: "localhost", Hostname: "localhost",
IP: "127.0.0.1", IP: "127.0.0.1",
Port: 442, Port: 8442,
ProxyProtocol: true, ProxyProtocol: true,
}, },
}, },
} }
listener, err := net.Listen("tcp", ":443") listener, err := net.Listen("tcp", ":8443")
if err != nil { if err != nil {
glog.Fatalf("%v", err) glog.Fatalf("%v", err)
} }
proxyList := &proxyproto.Listener{Listener: listener} proxyList := &proxyproto.Listener{Listener: listener}
// start goroutine that accepts tcp connections in port 443 // start goroutine that accepts tcp connections in port 8443
go func() { go func() {
for { for {
var conn net.Conn var conn net.Conn
@ -204,7 +204,7 @@ NGINX master process died (%v): %v
cmd = exec.Command(n.binary, "-c", cfgPath) cmd = exec.Command(n.binary, "-c", cfgPath)
// we wait until the workers are killed // we wait until the workers are killed
for { for {
conn, err := net.DialTimeout("tcp", "127.0.0.1:80", 1*time.Second) conn, err := net.DialTimeout("tcp", "127.0.0.1:8080", 1*time.Second)
if err != nil { if err != nil {
break break
} }
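Review bot: The three port literals this hunk edits — `8442` in the default server, `":8443"` in net.Listen and `"127.0.0.1:8080"` in the DialTimeout — now have to stay in step with the `listen 8080;` rewrite in build.sh, the nginx template and the Dockerfile `EXPOSE`, and nothing ties them together. That matters for the restart wait loop below the DialTimeout: it `break`s on the first dial error, so if nginx ends up listening on anything other than 8080 the controller stops waiting immediately instead of waiting for the old workers to exit, and the loop degrades silently rather than failing loudly. Consider package-level constants, e.g. `const ( nginxHTTPPort = "8080"; nginxHTTPSPort = "8443"; defBackendPort = 8442 )`, and using them at all three sites so a future port change is one edit. Both `newNGINXController` and the restart routine begin and end outside this hunk.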


@ -14,6 +14,7 @@
FROM gcr.io/google_containers/nginx-slim-amd64:0.19 FROM gcr.io/google_containers/nginx-slim-amd64:0.19
USER root
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y \ RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y \
diffutils \ diffutils \
--no-install-recommends \ --no-install-recommends \
@ -26,4 +27,5 @@ ENTRYPOINT ["/sbin/tini", "--"]
COPY . / COPY . /
USER nginx
CMD ["/nginx-ingress-controller"] CMD ["/nginx-ingress-controller"]
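Review bot: `USER nginx` names the account symbolically, so a pod spec that sets `runAsNonRoot: true` without a numeric `runAsUser` is rejected by the kubelet, which cannot verify that a non-numeric image user is non-root; the manifest in this commit does set `runAsUser: 105`, but any other consumer of this image will hit that error. Once the UID is pinned in the base image, prefer the numeric form, e.g. `USER 105`, so the image is self-describing. Note also that `COPY . /` runs while still root, so everything it places is root-owned; the chown of `/etc/nginx` in the base image covers the directory but not any file this COPY drops over it, so if the controller needs to rewrite such a file at runtime it will now fail with EACCES — worth a `RUN chown -R nginx:nginx <paths the controller writes>` before the `USER` switch, or verifying nothing under `/etc/nginx` is shipped by this COPY.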


@ -1,5 +1,5 @@
# A very simple nginx configuration file that forces nginx to start. # A very simple nginx configuration file that forces nginx to start.
pid /run/nginx.pid; pid /run/nginx/nginx.pid;
events {} events {}
http {} http {}


@ -6,7 +6,7 @@
daemon off; daemon off;
worker_processes {{ $cfg.WorkerProcesses }}; worker_processes {{ $cfg.WorkerProcesses }};
pid /run/nginx.pid; pid /run/nginx/nginx.pid;
{{ if ne .MaxOpenFiles 0 }} {{ if ne .MaxOpenFiles 0 }}
worker_rlimit_nofile {{ .MaxOpenFiles }}; worker_rlimit_nofile {{ .MaxOpenFiles }};
{{ end}} {{ end}}


@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
FROM gcr.io/google_containers/nginx-slim:0.18 FROM gcr.io/google_containers/nginx-slim:0.19
ADD nginx.conf /etc/nginx/nginx.conf ADD nginx.conf /etc/nginx/nginx.conf
ADD template.lua /usr/local/share/lua/5.1/ ADD template.lua /usr/local/share/lua/5.1/


@ -1,7 +1,7 @@
all: push all: push
# TAG 0.0 shouldn't clobber any release builds # TAG 0.0 shouldn't clobber any release builds
TAG = 1.6 TAG = 1.7
PREFIX = gcr.io/google_containers/echoserver PREFIX = gcr.io/google_containers/echoserver
container: container:


@ -26,6 +26,7 @@ RUN /tmp/build.sh
RUN ln -sf /dev/stdout /var/log/nginx/access.log RUN ln -sf /dev/stdout /var/log/nginx/access.log
RUN ln -sf /dev/stderr /var/log/nginx/error.log RUN ln -sf /dev/stderr /var/log/nginx/error.log
EXPOSE 80 443 EXPOSE 8080 8443
USER nginx
CMD ["nginx", "-g", "daemon off;"] CMD ["nginx", "-g", "daemon off;"]


@ -55,6 +55,9 @@ if [[ ${ARCH} == "ppc64le" ]]; then
apt-get update && apt-get install --no-install-recommends -y lua5.1 lua5.1-dev apt-get update && apt-get install --no-install-recommends -y lua5.1 lua5.1-dev
fi fi
# add user and group
adduser --system --group nginx
# install required packages to build # install required packages to build
apt-get update && apt-get install --no-install-recommends -y \ apt-get update && apt-get install --no-install-recommends -y \
bash \ bash \
@ -161,7 +164,7 @@ fi
--http-log-path=/var/log/nginx/access.log \ --http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \ --error-log-path=/var/log/nginx/error.log \
--lock-path=/var/lock/nginx.lock \ --lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx.pid \ --pid-path=/run/nginx/nginx.pid \
--http-client-body-temp-path=/var/lib/nginx/body \ --http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \ --http-proxy-temp-path=/var/lib/nginx/proxy \
@ -240,7 +243,19 @@ apt-get remove -y --purge \
apt-get autoremove -y apt-get autoremove -y
mkdir -p /var/lib/nginx/body /usr/share/nginx/html # Download of GeoIP databases
curl -sSL -o /etc/nginx/GeoIP.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz \
&& curl -sSL -o /etc/nginx/GeoLiteCity.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz \
&& gunzip /etc/nginx/GeoIP.dat.gz \
&& gunzip /etc/nginx/GeoLiteCity.dat.gz
# create runtime directories
mkdir -p /var/lib/nginx/body /usr/share/nginx/html /run/nginx
chown -R nginx:nginx /etc/nginx /var/lib/nginx /run/nginx
# use non privileged port by default
sed -i 's/listen 80;/listen 8080;/' /etc/nginx/nginx.conf
mv /usr/share/nginx/sbin/nginx /usr/sbin mv /usr/share/nginx/sbin/nginx /usr/sbin
@ -249,9 +264,3 @@ rm -Rf /usr/share/man /usr/share/doc
rm -rf /tmp/* /var/tmp/* rm -rf /tmp/* /var/tmp/*
rm -rf /var/lib/apt/lists/* rm -rf /var/lib/apt/lists/*
rm -rf /var/cache/apt/archives/* rm -rf /var/cache/apt/archives/*
# Download of GeoIP databases
curl -sSL -o /etc/nginx/GeoIP.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz \
&& curl -sSL -o /etc/nginx/GeoLiteCity.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz \
&& gunzip /etc/nginx/GeoIP.dat.gz \
&& gunzip /etc/nginx/GeoLiteCity.dat.gz
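Review bot: `adduser --system --group nginx` lets adduser pick the first free system UID/GID, which depends on what accounts the base image already has, while the manifest in this commit hard-codes `runAsUser: 105` and `fsGroup: 106`; if the two ever diverge, the `chown -R nginx:nginx /etc/nginx /var/lib/nginx /run/nginx` done a few lines later is for a different UID than the one the pod runs as, and nginx fails at startup on the pid file and temp paths. Pin both ids explicitly, e.g. `addgroup --system --gid 106 nginx && adduser --system --uid 105 --ingroup nginx --no-create-home nginx`, and keep the manifest values in sync with them. Separately, the GeoIP databases are still fetched over plain `http://` with no checksum or signature check and baked into the image; pin an `https://` URL and verify a known digest (`sha256sum -c`) before `gunzip`, since whatever is served there ends up loaded into every nginx worker. The `sed` that rewrites `listen 80;` also only matches that exact string, so it is worth a `grep -q 'listen 8080;' /etc/nginx/nginx.conf` after it to fail the build if the pattern drifts.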


@ -31,4 +31,41 @@ spec:
- name: nginxslim - name: nginxslim
image: gcr.io/google_containers/nginx-slim:0.19 image: gcr.io/google_containers/nginx-slim:0.19
ports: ports:
- containerPort: 80 - containerPort: 8080
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 105
privileged: false
capabilities:
drop:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- NET_RAW
- SETFCAP
- SETGID
- SETUID
- SETPCAP
- SYS_CHROOT
volumeMounts:
- name: proxy
mountPath: /var/lib/nginx/proxy
- name: fastcgi
mountPath: /var/lib/nginx/fastcgi
- name: pidfile
mountPath: /run/nginx
securityContext:
fsGroup: 106
volumes:
- name: proxy
emptyDir: {}
- name: fastcgi
emptyDir: {}
- name: pidfile
emptyDir: {}
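Review bot: With `readOnlyRootFilesystem: true` the container only gets writable `emptyDir`s at `/var/lib/nginx/proxy`, `/var/lib/nginx/fastcgi` and `/run/nginx`, but the build in this same commit configures nginx with `--http-client-body-temp-path=/var/lib/nginx/body`, and that path is not mounted; any request body that does not fit the in-memory buffer will make nginx try to spill it to a read-only path and the request fails with a 500. The same configure block presumably also sets uwsgi/scgi temp paths under `/var/lib/nginx` (outside the visible hunk), which would need the same treatment. Add a `body` emptyDir alongside the others; while here, `drop: [ALL]` expresses the intent more robustly than the explicit list, which silently keeps any capability the runtime adds to its default set later.
```yaml
        volumeMounts:
        - name: body
          mountPath: /var/lib/nginx/body
        # … unchanged: proxy, fastcgi, pidfile mounts …
      volumes:
      - name: body
        emptyDir: {}
      # … unchanged: proxy, fastcgi, pidfile volumes …
```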