Consistency editing of HAProxy Ingress docs

Joao Morais 2017-02-07 21:45:12 -02:00
parent b579cbba74
commit 8d19531b26
4 changed files with 218 additions and 122 deletions


@ -81,6 +81,14 @@ You may want to consider [using the VM's docker
daemon](https://github.com/kubernetes/minikube/blob/master/README.md#reusing-the-docker-daemon) daemon](https://github.com/kubernetes/minikube/blob/master/README.md#reusing-the-docker-daemon)
when developing. when developing.
### CoreOS Kubernetes
[CoreOS Kubernetes](https://github.com/coreos/coreos-kubernetes/) repository has `Vagrantfile`
scripts to easily create a new Kubernetes cluster on VirtualBox, VMware or AWS.
Follow the CoreOS [doc](https://coreos.com/kubernetes/docs/latest/kubernetes-on-vagrant-single.html)
for detailed instructions.
## Deploy the ingress controller ## Deploy the ingress controller
You can deploy an ingress controller on the cluster setup in the previous step You can deploy an ingress controller on the cluster setup in the previous step
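Review bot: the new CoreOS Kubernetes paragraph is missing an article: `[CoreOS Kubernetes](...) repository has `Vagrantfile` scripts` should read `The [CoreOS Kubernetes](...) repository has `Vagrantfile` scripts`. The sentence also promises VirtualBox, VMware or AWS clusters but links `kubernetes-on-vagrant-single.html`, which is the single-node Vagrant guide; say that the link is the single-node quick start so readers looking for the other providers are not surprised.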


@ -1,107 +1,151 @@
# Deploying HAProxy Ingress Controller # Deploying HAProxy Ingress Controller
Don't have a Kubernetes cluster? Single-node of [CoreOS Kubernetes](https://github.com/coreos/coreos-kubernetes/) is a good starting point. If you don't have a Kubernetes cluster, please refer to [setup](/docs/dev/setup.md)
for instructions on how to create a new one.
## Prerequisites
This ingress controller doesn't yet have support for
[ingress classes](/examples/PREREQUISITES.md#ingress-class). You MUST turn
down any existing ingress controllers before running HAProxy Ingress controller or
they will fight for Ingresses. This includes any cloudprovider controller.
This document has also the following prerequisites:
* Deploy a [web app](/examples/PREREQUISITES.md#test-http-service) for testing
* Create a [TLS secret](/examples/PREREQUISITES.md#tls-certificates) named `tls-secret` to be used as default TLS certificate
The web app can be created as follow:
```console
$ kubectl run http-svc \
--image=gcr.io/google_containers/echoserver:1.3 \
--port=8080 \
--replicas=2 \
--expose
```
Creating the TLS secret:
```console
$ openssl req \
-x509 -newkey rsa:2048 -nodes -days 365 \
-keyout tls.key -out tls.crt -subj '/CN=localhost'
$ kubectl create secret tls tls-secret --cert=tls.crt --key=tls.key
$ rm -v tls.crt tls.key
```
## Default backend
Deploy a default backend used to serve `404 Not Found` pages: Deploy a default backend used to serve `404 Not Found` pages:
kubectl run ingress-default-backend \ ```console
--image=gcr.io/google_containers/defaultbackend:1.0 \ $ kubectl run ingress-default-backend \
--port=8080 \ --image=gcr.io/google_containers/defaultbackend:1.0 \
--limits=cpu=10m,memory=20Mi \ --port=8080 \
--expose --limits=cpu=10m,memory=20Mi \
--expose
```
Check if the default backend is up and running: Check if the default backend is up and running:
kubectl get pod ```console
NAME READY STATUS RESTARTS AGE $ kubectl get pod
ingress-default-backend-1110790216-gqr61 1/1 Running 0 10s NAME READY STATUS RESTARTS AGE
ingress-default-backend-1110790216-gqr61 1/1 Running 0 10s
```
Deploy certificate and private key used to serve https on ingress that doesn't provide it's own certificate. For testing purposes a self signed certificate is ok: ## Controller
openssl req \ Deploy HAProxy Ingress:
-x509 -newkey rsa:2048 -nodes -days 365 \
-keyout tls.key -out tls.crt -subj '/CN=localhost'
kubectl create secret tls ingress-default-ssl --cert=tls.crt --key=tls.key
rm -v tls.crt tls.key
Deploy HAProxy Ingress. Note that `hostNetwork: true` could be uncommented if your cluster has IPs that doesn't use ports 80, 443 and 1936. ```console
$ kubectl create -f haproxy-ingress.yaml
kubectl create -f haproxy-ingress.yaml ```
Check if the controller was successfully deployed: Check if the controller was successfully deployed:
kubectl get pod -w ```console
NAME READY STATUS RESTARTS AGE $ kubectl get pod -w
haproxy-ingress-2556761959-tv20k 1/1 Running 0 12s NAME READY STATUS RESTARTS AGE
ingress-default-backend-1110790216-gqr61 1/1 Running 0 3m haproxy-ingress-2556761959-tv20k 1/1 Running 0 12s
^C ingress-default-backend-1110790216-gqr61 1/1 Running 0 3m
^C
```
Problem? Check logs and events of the POD: Deploy the ingress resource of our already deployed web app:
kubectl logs haproxy-ingress-2556761959-tv20k ```console
kubectl describe haproxy-ingress-2556761959-tv20k $ kubectl create -f - <<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: app
spec:
rules:
- host: foo.bar
http:
paths:
- path: /
backend:
serviceName: http-svc
servicePort: 80
EOF
```
Deploy some web application and it's ingress resource: Exposing the controller as a `type=NodePort` service:
kubectl run nginx --image=nginx:alpine --port=80 --expose ```console
kubectl create -f - <<EOF $ kubectl expose deploy/haproxy-ingress --type=NodePort
apiVersion: extensions/v1beta1 $ kubectl get svc/haproxy-ingress -oyaml
kind: Ingress ```
metadata:
name: app
spec:
rules:
- host: foo.bar
http:
paths:
- path: /
backend:
serviceName: nginx
servicePort: 80
EOF
Exposing HAProxy Ingress depend on your Kubernetes environment. If `hostNetwork` was defined just use host's public IP, otherwise expose the controller as a `type=NodePort` service:
kubectl expose deploy/haproxy-ingress --type=NodePort
kubectl get svc/haproxy-ingress -oyaml
Look for `nodePort` field next to `port: 80`. Look for `nodePort` field next to `port: 80`.
Change below `172.17.4.99` to the host's IP and `30876` to the `nodePort`, or remove `:30876` if using `hostNetwork`: Change below `172.17.4.99` to the host's IP and `30876` to the `nodePort`:
curl -i 172.17.4.99:30876 ```console
HTTP/1.1 404 Not Found $ curl -i 172.17.4.99:30876
Date: Mon, 05 Feb 2017 22:59:36 GMT HTTP/1.1 404 Not Found
Content-Length: 21 Date: Mon, 05 Feb 2017 22:59:36 GMT
Content-Type: text/plain; charset=utf-8 Content-Length: 21
Content-Type: text/plain; charset=utf-8
default backend - 404 default backend - 404
```
Using default backend because host was not found. Using default backend because host was not found.
Now try to send a header: Now try to send a header:
curl -i 172.17.4.99:30876 -H 'Host: foo.bar' ```console
HTTP/1.1 200 OK $ curl -i 172.17.4.99:30876 -H 'Host: foo.bar'
Server: nginx/1.11.9 HTTP/1.1 200 OK
Date: Mon, 05 Feb 2017 23:00:33 GMT Server: nginx/1.9.11
Content-Type: text/html Date: Mon, 05 Feb 2017 23:00:33 GMT
Content-Length: 612 Content-Type: text/plain
Last-Modified: Tue, 24 Jan 2017 18:53:46 GMT Transfer-Encoding: chunked
ETag: "5887a2ba-264"
Accept-Ranges: bytes
<!DOCTYPE html> CLIENT VALUES:
<html> client_address=10.2.18.5
<head> command=GET
<title>Welcome to nginx!</title> real path=/
... query=nil
request_version=1.1
request_uri=http://foo.bar:8080/
...
```
Not what you were looking for? Have a look at controller's logs: ## Troubleshooting
kubectl get pod If you have any problem, check logs and events of HAProxy Ingress POD:
NAME READY STATUS RESTARTS AGE
haproxy-ingress-2556761959-tv20k 1/1 Running 0 9m
...
kubectl logs haproxy-ingress-2556761959-tv20k | less -S ```console
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
haproxy-ingress-2556761959-tv20k 1/1 Running 0 9m
...
$ kubectl logs haproxy-ingress-2556761959-tv20k
$ kubectl describe haproxy-ingress-2556761959-tv20k
```
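Review bot: `servicePort: 80` in the sample Ingress does not match the test web app created earlier with `kubectl run http-svc --port=8080 --expose`, which creates a Service listening on port 8080; either change the backend to `servicePort: 8080` or create the Service with port 80 mapped to target port 8080, otherwise the `200 OK` shown for `Host: foo.bar` will not reproduce. In the Troubleshooting block, `$ kubectl describe haproxy-ingress-2556761959-tv20k` is missing the resource type and fails as written; it should be `$ kubectl describe pod haproxy-ingress-2556761959-tv20k` (the same typo was in the old text, so this is the moment to fix it). Since the new Prerequisites section drops the old "for testing purposes a self signed certificate is ok" wording, it would help to keep one sentence saying that the `/CN=localhost` `tls-secret` is a test-only default certificate to be replaced before the controller is reachable from outside the cluster.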


@ -14,13 +14,12 @@ spec:
labels: labels:
run: haproxy-ingress run: haproxy-ingress
spec: spec:
# hostNetwork: true
containers: containers:
- name: haproxy-ingress - name: haproxy-ingress
image: quay.io/jcmoraisjr/haproxy-ingress image: quay.io/jcmoraisjr/haproxy-ingress
args: args:
- --default-backend-service=default/ingress-default-backend - --default-backend-service=default/ingress-default-backend
- --default-ssl-certificate=default/ingress-default-ssl - --default-ssl-certificate=default/tls-secret
ports: ports:
- name: http - name: http
containerPort: 80 containerPort: 80
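Review bot: `image: quay.io/jcmoraisjr/haproxy-ingress` carries no tag, so every deployment pulls whatever `latest` is at that moment; the walkthrough becomes non-reproducible and the documented behaviour can change under readers, so pin a tag (or digest) in the example manifest. Changing `--default-ssl-certificate` to `default/tls-secret` and removing the commented `hostNetwork: true` line is consistent with the README changes in this commit; since the README no longer mentions `hostNetwork`, the NodePort service is now the only documented way to reach the controller, which is worth stating there.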


@ -1,71 +1,116 @@
# TLS termination # TLS termination
Before continue, follow [deploying HAProxy Ingress](/examples/deployment/haproxy) in order to have a functional ingress controller. ## Prerequisites
Update ingress resource in order to add tls termination to host `foo.bar`: This document has the following prerequisites:
kubectl replace -f ingress-tls-default.yaml * Deploy [HAProxy Ingress controller](/examples/deployment/haproxy), you should end up with controller, a sample web app and default TLS secret
* Create [*another* secret](/examples/PREREQUISITES.md#tls-certificates) named `foobar-ssl` and subject `'/CN=foo.bar'`
As mentioned in the deployment instructions, you MUST turn down any existing
ingress controllers before running HAProxy Ingress.
## Using default TLS certificate
Update ingress resource in order to add TLS termination to host `foo.bar`:
```console
$ kubectl replace -f ingress-tls-default.yaml
```
The difference from the starting ingress resource:
```console
metadata:
name: app
spec:
+ tls:
+ - hosts:
+ - foo.bar
rules:
- host: foo.bar
http:
```
Trying default backend: Trying default backend:
curl -iL 172.17.4.99:30876 ```console
HTTP/1.1 404 Not Found $ curl -iL 172.17.4.99:30876
Date: Tue, 07 Feb 2017 00:06:07 GMT HTTP/1.1 404 Not Found
Content-Length: 21 Date: Tue, 07 Feb 2017 00:06:07 GMT
Content-Type: text/plain; charset=utf-8 Content-Length: 21
Content-Type: text/plain; charset=utf-8
default backend - 404 default backend - 404
```
Now telling the controller we are `foo.bar`: Now telling the controller we are `foo.bar`:
curl -iL 172.17.4.99:30876 -H 'Host: foo.bar' ```console
HTTP/1.1 302 Found $ curl -iL 172.17.4.99:30876 -H 'Host: foo.bar'
Cache-Control: no-cache HTTP/1.1 302 Found
Content-length: 0 Cache-Control: no-cache
Location: https://foo.bar/ Content-length: 0
Connection: close Location: https://foo.bar/
^C Connection: close
^C
```
Note the `Location` header - this would redirect us to the correct server. Note the `Location` header - this would redirect us to the correct server.
Checking the default certificate - change below `31692` to the TLS port: Checking the default certificate - change below `31692` to the TLS port:
openssl s_client -connect 172.17.4.99:31692 ```console
... $ openssl s_client -connect 172.17.4.99:31692
subject=/CN=localhost ...
issuer=/CN=localhost subject=/CN=localhost
--- issuer=/CN=localhost
---
```
... and `foo.bar` certificate: ... and `foo.bar` certificate:
openssl s_client -connect 172.17.4.99:31692 -servername foo.bar ```console
... $ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
subject=/CN=localhost ...
issuer=/CN=localhost subject=/CN=localhost
--- issuer=/CN=localhost
---
```
Let's create a new certificate to our domain: ## Using a new TLS certificate
openssl req \ Now let's reference the new certificate to our domain. Note that secret
-x509 -newkey rsa:2048 -nodes -days 365 \ `foobar-ssl` should be created as described in the [prerequisites](#prerequisites)
-keyout tls.key -out tls.crt -subj '/CN=foo.bar'
kubectl create secret tls foobar-ssl --cert=tls.crt --key=tls.key
rm -v tls.crt tls.key
... and reference in the ingress resource: ```console
$ kubectl replace -f ingress-tls-foobar.yaml
```
kubectl replace -f ingress-tls-foobar.yaml Here is the difference:
Now `foo.bar` certificate should be used to terminate tls: ```console
tls:
- hosts:
- foo.bar
+ secretName: foobar-ssl
rules:
- host: foo.bar
http:
```
openssl s_client -connect 172.17.4.99:31692 Now `foo.bar` certificate should be used to terminate TLS:
...
subject=/CN=localhost
issuer=/CN=localhost
---
openssl s_client -connect 172.17.4.99:31692 -servername foo.bar ```console
... openssl s_client -connect 172.17.4.99:31692
subject=/CN=foo.bar ...
issuer=/CN=foo.bar subject=/CN=localhost
--- issuer=/CN=localhost
---
openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
...
subject=/CN=foo.bar
issuer=/CN=foo.bar
---
```
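Review bot: in the final `openssl s_client` block under "Using a new TLS certificate", both commands lack the `$ ` prompt that every other console block in this file uses, so readers cannot tell commands from output at a glance; add `$ ` before both `openssl s_client` lines. The sentence "Note that secret `foobar-ssl` should be created as described in the [prerequisites](#prerequisites)" has no terminating period. The two "difference" snippets showing `+ tls:` and `+ secretName: foobar-ssl` are fenced as `console` although they are YAML diffs; a `diff` fence would render the `+` lines as additions. The prerequisites bullet "Deploy HAProxy Ingress controller, you should end up with controller, a sample web app and default TLS secret" is a comma splice; split it into two sentences.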