diff --git a/docs/dev/setup.md b/docs/dev/setup.md index b41810e1b..f61695293 100644 --- a/docs/dev/setup.md +++ b/docs/dev/setup.md @@ -81,6 +81,14 @@ You may want to consider [using the VM's docker daemon](https://github.com/kubernetes/minikube/blob/master/README.md#reusing-the-docker-daemon) when developing. +### CoreOS Kubernetes + +[CoreOS Kubernetes](https://github.com/coreos/coreos-kubernetes/) repository has `Vagrantfile` +scripts to easily create a new Kubernetes cluster on VirtualBox, VMware or AWS. + +Follow the CoreOS [doc](https://coreos.com/kubernetes/docs/latest/kubernetes-on-vagrant-single.html) +for detailed instructions. + ## Deploy the ingress controller You can deploy an ingress controller on the cluster setup in the previous step diff --git a/examples/deployment/haproxy/README.md b/examples/deployment/haproxy/README.md index 61f2660d1..f33769362 100644 --- a/examples/deployment/haproxy/README.md +++ b/examples/deployment/haproxy/README.md 
@@ -1,107 +1,151 @@ # Deploying HAProxy Ingress Controller -Don't have a Kubernetes cluster? Single-node of [CoreOS Kubernetes](https://github.com/coreos/coreos-kubernetes/) is a good starting point. +If you don't have a Kubernetes cluster, please refer to [setup](/docs/dev/setup.md) +for instructions on how to create a new one. + +## Prerequisites + +This ingress controller doesn't yet have support for +[ingress classes](/examples/PREREQUISITES.md#ingress-class). You MUST turn +down any existing ingress controllers before running HAProxy Ingress controller or +they will fight for Ingresses. This includes any cloudprovider controller. + +This document has also the following prerequisites: + +* Deploy a [web app](/examples/PREREQUISITES.md#test-http-service) for testing +* Create a [TLS secret](/examples/PREREQUISITES.md#tls-certificates) named `tls-secret` to be used as default TLS certificate + +The web app can be created as follow: + +```console +$ kubectl run http-svc \ + --image=gcr.io/google_containers/echoserver:1.3 \ + --port=8080 \ + --replicas=2 \ + --expose +``` + +Creating the TLS secret: + +```console +$ openssl req \ + -x509 -newkey rsa:2048 -nodes -days 365 \ + -keyout tls.key -out tls.crt -subj '/CN=localhost' +$ kubectl create secret tls tls-secret --cert=tls.crt --key=tls.key +$ rm -v tls.crt tls.key +``` + +## Default backend Deploy a default backend used to serve `404 Not Found` pages: - kubectl run ingress-default-backend \ - --image=gcr.io/google_containers/defaultbackend:1.0 \ - --port=8080 \ - --limits=cpu=10m,memory=20Mi \ - --expose +```console +$ kubectl run ingress-default-backend \ + --image=gcr.io/google_containers/defaultbackend:1.0 \ + --port=8080 \ + --limits=cpu=10m,memory=20Mi \ + --expose +``` Check if the default backend is up and running: - kubectl get pod - NAME READY STATUS RESTARTS AGE - ingress-default-backend-1110790216-gqr61 1/1 Running 0 10s +```console +$ kubectl get pod +NAME READY STATUS RESTARTS AGE 
+ingress-default-backend-1110790216-gqr61 1/1 Running 0 10s +``` -Deploy certificate and private key used to serve https on ingress that doesn't provide it's own certificate. For testing purposes a self signed certificate is ok: +## Controller - openssl req \ - -x509 -newkey rsa:2048 -nodes -days 365 \ - -keyout tls.key -out tls.crt -subj '/CN=localhost' - kubectl create secret tls ingress-default-ssl --cert=tls.crt --key=tls.key - rm -v tls.crt tls.key +Deploy HAProxy Ingress: -Deploy HAProxy Ingress. Note that `hostNetwork: true` could be uncommented if your cluster has IPs that doesn't use ports 80, 443 and 1936. - - kubectl create -f haproxy-ingress.yaml +```console +$ kubectl create -f haproxy-ingress.yaml +``` Check if the controller was successfully deployed: - kubectl get pod -w - NAME READY STATUS RESTARTS AGE - haproxy-ingress-2556761959-tv20k 1/1 Running 0 12s - ingress-default-backend-1110790216-gqr61 1/1 Running 0 3m - ^C +```console +$ kubectl get pod -w +NAME READY STATUS RESTARTS AGE +haproxy-ingress-2556761959-tv20k 1/1 Running 0 12s +ingress-default-backend-1110790216-gqr61 1/1 Running 0 3m +^C +``` -Problem? Check logs and events of the POD: +Deploy the ingress resource of our already deployed web app: - kubectl logs haproxy-ingress-2556761959-tv20k - kubectl describe haproxy-ingress-2556761959-tv20k +```console +$ kubectl create -f - < - - - Welcome to nginx! - ... +CLIENT VALUES: +client_address=10.2.18.5 +command=GET +real path=/ +query=nil +request_version=1.1 +request_uri=http://foo.bar:8080/ +... +``` -Not what you were looking for? Have a look at controller's logs: +## Troubleshooting - kubectl get pod - NAME READY STATUS RESTARTS AGE - haproxy-ingress-2556761959-tv20k 1/1 Running 0 9m - ... +If you have any problem, check logs and events of HAProxy Ingress POD: - kubectl logs haproxy-ingress-2556761959-tv20k | less -S +```console +$ kubectl get pod +NAME READY STATUS RESTARTS AGE +haproxy-ingress-2556761959-tv20k 1/1 Running 0 9m +... 
+ +$ kubectl logs haproxy-ingress-2556761959-tv20k +$ kubectl describe haproxy-ingress-2556761959-tv20k +``` diff --git a/examples/deployment/haproxy/haproxy-ingress.yaml b/examples/deployment/haproxy/haproxy-ingress.yaml index 5dffb9aa0..619b2d9cc 100644 --- a/examples/deployment/haproxy/haproxy-ingress.yaml +++ b/examples/deployment/haproxy/haproxy-ingress.yaml @@ -14,13 +14,12 @@ spec: labels: run: haproxy-ingress spec: - # hostNetwork: true containers: - name: haproxy-ingress image: quay.io/jcmoraisjr/haproxy-ingress args: - --default-backend-service=default/ingress-default-backend - - --default-ssl-certificate=default/ingress-default-ssl + - --default-ssl-certificate=default/tls-secret ports: - name: http containerPort: 80 diff --git a/examples/tls-termination/haproxy/README.md b/examples/tls-termination/haproxy/README.md index 26a76e9ce..2393ef2c2 100644 --- a/examples/tls-termination/haproxy/README.md +++ b/examples/tls-termination/haproxy/README.md 
@@ -1,71 +1,116 @@ # TLS termination -Before continue, follow [deploying HAProxy Ingress](/examples/deployment/haproxy) in order to have a functional ingress controller. +## Prerequisites -Update ingress resource in order to add tls termination to host `foo.bar`: +This document has the following prerequisites: - kubectl replace -f ingress-tls-default.yaml +* Deploy [HAProxy Ingress controller](/examples/deployment/haproxy), you should end up with controller, a sample web app and default TLS secret +* Create [*another* secret](/examples/PREREQUISITES.md#tls-certificates) named `foobar-ssl` and subject `'/CN=foo.bar'` + +As mentioned in the deployment instructions, you MUST turn down any existing +ingress controllers before running HAProxy Ingress. + +## Using default TLS certificate + +Update ingress resource in order to add TLS termination to host `foo.bar`: + +```console +$ kubectl replace -f ingress-tls-default.yaml +``` + +The difference from the starting ingress resource: + +```console + metadata: + name: app + spec: ++ tls: ++ - hosts: ++ - foo.bar + rules: + - host: foo.bar + http: +``` Trying default backend: - curl -iL 172.17.4.99:30876 - HTTP/1.1 404 Not Found - Date: Tue, 07 Feb 2017 00:06:07 GMT - Content-Length: 21 - Content-Type: text/plain; charset=utf-8 +```console +$ curl -iL 172.17.4.99:30876 +HTTP/1.1 404 Not Found +Date: Tue, 07 Feb 2017 00:06:07 GMT +Content-Length: 21 +Content-Type: text/plain; charset=utf-8 - default backend - 404 +default backend - 404 +``` Now telling the controller we are `foo.bar`: - curl -iL 172.17.4.99:30876 -H 'Host: foo.bar' - HTTP/1.1 302 Found - Cache-Control: no-cache - Content-length: 0 - Location: https://foo.bar/ - Connection: close - ^C +```console +$ curl -iL 172.17.4.99:30876 -H 'Host: foo.bar' +HTTP/1.1 302 Found +Cache-Control: no-cache +Content-length: 0 +Location: https://foo.bar/ +Connection: close +^C +``` Note the `Location` header - this would redirect us to the correct server. 
Checking the default certificate - change below `31692` to the TLS port: - openssl s_client -connect 172.17.4.99:31692 - ... - subject=/CN=localhost - issuer=/CN=localhost - --- +```console +$ openssl s_client -connect 172.17.4.99:31692 +... +subject=/CN=localhost +issuer=/CN=localhost +--- +``` ... and `foo.bar` certificate: - openssl s_client -connect 172.17.4.99:31692 -servername foo.bar - ... - subject=/CN=localhost - issuer=/CN=localhost - --- +```console +$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar +... +subject=/CN=localhost +issuer=/CN=localhost +--- +``` -Let's create a new certificate to our domain: +## Using a new TLS certificate - openssl req \ - -x509 -newkey rsa:2048 -nodes -days 365 \ - -keyout tls.key -out tls.crt -subj '/CN=foo.bar' - kubectl create secret tls foobar-ssl --cert=tls.crt --key=tls.key - rm -v tls.crt tls.key +Now let's reference the new certificate to our domain. Note that secret +`foobar-ssl` should be created as described in the [prerequisites](#prerequisites) -... and reference in the ingress resource: +```console +$ kubectl replace -f ingress-tls-foobar.yaml +``` - kubectl replace -f ingress-tls-foobar.yaml +Here is the difference: -Now `foo.bar` certificate should be used to terminate tls: +```console + tls: + - hosts: + - foo.bar ++ secretName: foobar-ssl + rules: + - host: foo.bar + http: +``` - openssl s_client -connect 172.17.4.99:31692 - ... - subject=/CN=localhost - issuer=/CN=localhost - --- +Now `foo.bar` certificate should be used to terminate TLS: - openssl s_client -connect 172.17.4.99:31692 -servername foo.bar - ... - subject=/CN=foo.bar - issuer=/CN=foo.bar - --- +```console +openssl s_client -connect 172.17.4.99:31692 +... +subject=/CN=localhost +issuer=/CN=localhost +--- + +openssl s_client -connect 172.17.4.99:31692 -servername foo.bar +... +subject=/CN=foo.bar +issuer=/CN=foo.bar +--- +```
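Review bot: In the docs/dev/setup.md hunk, the new CoreOS Kubernetes paragraph reads "[CoreOS Kubernetes](...) repository has `Vagrantfile` scripts" and needs an article: "The [CoreOS Kubernetes](...) repository has `Vagrantfile` scripts ...". The second sentence links the word "doc" on its own; naming what is linked (the single-node Kubernetes on Vagrant guide, as the URL indicates) tells the reader which of the repository's setups this section is pointing at.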
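Review bot: In the examples/deployment/haproxy/README.md hunk, the Troubleshooting block's `$ kubectl describe haproxy-ingress-2556761959-tv20k` is missing the resource type, so kubectl will reject the command; it should be `$ kubectl describe pod haproxy-ingress-2556761959-tv20k` (the old text had the same defect, and this rewrite is the place to fix it). The rewrite also drops the old sentence saying a self-signed certificate is acceptable only for testing; the new "Creating the TLS secret" step should keep that caveat, because `tls-secret` becomes the controller's default certificate for every host that does not supply its own. Minor wording: "This document has also the following prerequisites" should be "This document also has the following prerequisites", and "can be created as follow" should be "as follows".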
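Review bot: In the examples/deployment/haproxy/haproxy-ingress.yaml hunk, the rename to `--default-ssl-certificate=default/tls-secret` matches the `tls-secret` name introduced in the deployment README, but the tls-termination README's prerequisites only say "default TLS secret" without naming it; stating `tls-secret` there keeps the three files consistent. Removing the commented `# hostNetwork: true` line is a good call from a least-privilege standpoint, since the README sentence that explained when to uncomment it is also removed in this change and the examples reach the controller through `172.17.4.99:30876` and `:31692` without host networking.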
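Review bot: In the examples/tls-termination/haproxy/README.md hunk, the final console block (`openssl s_client -connect 172.17.4.99:31692` and its `-servername foo.bar` variant) omits the `$ ` prompt that every other console block in this file uses, so the commands are not distinguishable from their output; add the prompts. The two ingress snippets containing `+` lines are fenced as `console`; fencing them as `diff` would render the added lines as additions. In the prerequisites, "Deploy [HAProxy Ingress controller](...), you should end up with controller, a sample web app and default TLS secret" is a comma splice and should read "... controller; you should end up with a controller, a sample web app and the default TLS secret", and "named `foobar-ssl` and subject `'/CN=foo.bar'`" should be "named `foobar-ssl` with subject `'/CN=foo.bar'`". The sentence ending in "[prerequisites](#prerequisites)" lacks a period.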