DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Consistency editing of HAProxy Ingress docs

Browse source
This commit is contained in:
Joao Morais 2017-02-07 21:45:12 -02:00
parent b579cbba74
commit 8d19531b26
4 changed files with 218 additions and 122 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
docs/dev/setup.md
View file

@ -81,6 +81,14 @@ You may want to consider [using the VM's docker
daemon](https://github.com/kubernetes/minikube/blob/master/README.md#reusing-the-docker-daemon)
when developing.
### CoreOS Kubernetes
[CoreOS Kubernetes](https://github.com/coreos/coreos-kubernetes/) repository has `Vagrantfile`
scripts to easily create a new Kubernetes cluster on VirtualBox, VMware or AWS.
Follow the CoreOS [doc](https://coreos.com/kubernetes/docs/latest/kubernetes-on-vagrant-single.html)
for detailed instructions.
## Deploy the ingress controller
You can deploy an ingress controller on the cluster setup in the previous step

170
examples/deployment/haproxy/README.md
View file

@ -1,107 +1,151 @@
# Deploying HAProxy Ingress Controller
Don't have a Kubernetes cluster? Single-node of [CoreOS Kubernetes](https://github.com/coreos/coreos-kubernetes/) is a good starting point.
If you don't have a Kubernetes cluster, please refer to [setup](/docs/dev/setup.md)
for instructions on how to create a new one.
## Prerequisites
This ingress controller doesn't yet have support for
[ingress classes](/examples/PREREQUISITES.md#ingress-class). You MUST turn
down any existing ingress controllers before running HAProxy Ingress controller or
they will fight for Ingresses. This includes any cloudprovider controller.
This document has also the following prerequisites:
* Deploy a [web app](/examples/PREREQUISITES.md#test-http-service) for testing
* Create a [TLS secret](/examples/PREREQUISITES.md#tls-certificates) named `tls-secret` to be used as default TLS certificate
The web app can be created as follow:
```console
$ kubectl run http-svc \
--image=gcr.io/google_containers/echoserver:1.3 \
--port=8080 \
--replicas=2 \
--expose
```
Creating the TLS secret:
```console
$ openssl req \
-x509 -newkey rsa:2048 -nodes -days 365 \
-keyout tls.key -out tls.crt -subj '/CN=localhost'
$ kubectl create secret tls tls-secret --cert=tls.crt --key=tls.key
$ rm -v tls.crt tls.key
```
## Default backend
Deploy a default backend used to serve `404 Not Found` pages:
kubectl run ingress-default-backend \
```console
$ kubectl run ingress-default-backend \
--image=gcr.io/google_containers/defaultbackend:1.0 \
--port=8080 \
--limits=cpu=10m,memory=20Mi \
--expose
```
Check if the default backend is up and running:
kubectl get pod
NAME READY STATUS RESTARTS AGE
ingress-default-backend-1110790216-gqr61 1/1 Running 0 10s
```console
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
ingress-default-backend-1110790216-gqr61 1/1 Running 0 10s
```
Deploy certificate and private key used to serve https on ingress that doesn't provide it's own certificate. For testing purposes a self signed certificate is ok:
## Controller
openssl req \
-x509 -newkey rsa:2048 -nodes -days 365 \
-keyout tls.key -out tls.crt -subj '/CN=localhost'
kubectl create secret tls ingress-default-ssl --cert=tls.crt --key=tls.key
rm -v tls.crt tls.key
Deploy HAProxy Ingress:
Deploy HAProxy Ingress. Note that `hostNetwork: true` could be uncommented if your cluster has IPs that doesn't use ports 80, 443 and 1936.
kubectl create -f haproxy-ingress.yaml
```console
$ kubectl create -f haproxy-ingress.yaml
```
Check if the controller was successfully deployed:
kubectl get pod -w
NAME READY STATUS RESTARTS AGE
haproxy-ingress-2556761959-tv20k 1/1 Running 0 12s
ingress-default-backend-1110790216-gqr61 1/1 Running 0 3m
^C
```console
$ kubectl get pod -w
NAME READY STATUS RESTARTS AGE
haproxy-ingress-2556761959-tv20k 1/1 Running 0 12s
ingress-default-backend-1110790216-gqr61 1/1 Running 0 3m
^C
```
Problem? Check logs and events of the POD:
Deploy the ingress resource of our already deployed web app:
kubectl logs haproxy-ingress-2556761959-tv20k
kubectl describe haproxy-ingress-2556761959-tv20k
Deploy some web application and it's ingress resource:
kubectl run nginx --image=nginx:alpine --port=80 --expose
kubectl create -f - <<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
```console
$ kubectl create -f - <<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: app
spec:
spec:
rules:
- host: foo.bar
http:
paths:
- path: /
backend:
serviceName: nginx
serviceName: http-svc
servicePort: 80
EOF
EOF
```
Exposing HAProxy Ingress depend on your Kubernetes environment. If `hostNetwork` was defined just use host's public IP, otherwise expose the controller as a `type=NodePort` service:
Exposing the controller as a `type=NodePort` service:
kubectl expose deploy/haproxy-ingress --type=NodePort
kubectl get svc/haproxy-ingress -oyaml
```console
$ kubectl expose deploy/haproxy-ingress --type=NodePort
$ kubectl get svc/haproxy-ingress -oyaml
```
Look for `nodePort` field next to `port: 80`.
Change below `172.17.4.99` to the host's IP and `30876` to the `nodePort`, or remove `:30876` if using `hostNetwork`:
Change below `172.17.4.99` to the host's IP and `30876` to the `nodePort`:
curl -i 172.17.4.99:30876
HTTP/1.1 404 Not Found
Date: Mon, 05 Feb 2017 22:59:36 GMT
Content-Length: 21
Content-Type: text/plain; charset=utf-8
```console
$ curl -i 172.17.4.99:30876
HTTP/1.1 404 Not Found
Date: Mon, 05 Feb 2017 22:59:36 GMT
Content-Length: 21
Content-Type: text/plain; charset=utf-8
default backend - 404
default backend - 404
```
Using default backend because host was not found.
Now try to send a header:
curl -i 172.17.4.99:30876 -H 'Host: foo.bar'
HTTP/1.1 200 OK
Server: nginx/1.11.9
Date: Mon, 05 Feb 2017 23:00:33 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 24 Jan 2017 18:53:46 GMT
ETag: "5887a2ba-264"
Accept-Ranges: bytes
```console
$ curl -i 172.17.4.99:30876 -H 'Host: foo.bar'
HTTP/1.1 200 OK
Server: nginx/1.9.11
Date: Mon, 05 Feb 2017 23:00:33 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
...
CLIENT VALUES:
client_address=10.2.18.5
command=GET
real path=/
query=nil
request_version=1.1
request_uri=http://foo.bar:8080/
...
```
Not what you were looking for? Have a look at controller's logs:
## Troubleshooting
kubectl get pod
NAME READY STATUS RESTARTS AGE
haproxy-ingress-2556761959-tv20k 1/1 Running 0 9m
...
If you have any problem, check logs and events of HAProxy Ingress POD:
kubectl logs haproxy-ingress-2556761959-tv20k | less -S
```console
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
haproxy-ingress-2556761959-tv20k 1/1 Running 0 9m
...
$ kubectl logs haproxy-ingress-2556761959-tv20k
$ kubectl describe haproxy-ingress-2556761959-tv20k
```

3
examples/deployment/haproxy/haproxy-ingress.yaml
View file

@ -14,13 +14,12 @@ spec:
labels:
run: haproxy-ingress
spec:
# hostNetwork: true
containers:
- name: haproxy-ingress
image: quay.io/jcmoraisjr/haproxy-ingress
args:
- --default-backend-service=default/ingress-default-backend
- --default-ssl-certificate=default/ingress-default-ssl
- --default-ssl-certificate=default/tls-secret
ports:
- name: http
containerPort: 80

135
examples/tls-termination/haproxy/README.md
View file

@ -1,71 +1,116 @@
# TLS termination
Before continue, follow [deploying HAProxy Ingress](/examples/deployment/haproxy) in order to have a functional ingress controller.
## Prerequisites
Update ingress resource in order to add tls termination to host `foo.bar`:
This document has the following prerequisites:
kubectl replace -f ingress-tls-default.yaml
* Deploy [HAProxy Ingress controller](/examples/deployment/haproxy), you should end up with controller, a sample web app and default TLS secret
* Create [*another* secret](/examples/PREREQUISITES.md#tls-certificates) named `foobar-ssl` and subject `'/CN=foo.bar'`
As mentioned in the deployment instructions, you MUST turn down any existing
ingress controllers before running HAProxy Ingress.
## Using default TLS certificate
Update ingress resource in order to add TLS termination to host `foo.bar`:
```console
$ kubectl replace -f ingress-tls-default.yaml
```
The difference from the starting ingress resource:
```console
metadata:
name: app
spec:
+ tls:
+ - hosts:
+ - foo.bar
rules:
- host: foo.bar
http:
```
Trying default backend:
curl -iL 172.17.4.99:30876
HTTP/1.1 404 Not Found
Date: Tue, 07 Feb 2017 00:06:07 GMT
Content-Length: 21
Content-Type: text/plain; charset=utf-8
```console
$ curl -iL 172.17.4.99:30876
HTTP/1.1 404 Not Found
Date: Tue, 07 Feb 2017 00:06:07 GMT
Content-Length: 21
Content-Type: text/plain; charset=utf-8
default backend - 404
default backend - 404
```
Now telling the controller we are `foo.bar`:
curl -iL 172.17.4.99:30876 -H 'Host: foo.bar'
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: https://foo.bar/
Connection: close
^C
```console
$ curl -iL 172.17.4.99:30876 -H 'Host: foo.bar'
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: https://foo.bar/
Connection: close
^C
```
Note the `Location` header - this would redirect us to the correct server.
Checking the default certificate - change below `31692` to the TLS port:
openssl s_client -connect 172.17.4.99:31692
...
subject=/CN=localhost
issuer=/CN=localhost
---
```console
$ openssl s_client -connect 172.17.4.99:31692
...
subject=/CN=localhost
issuer=/CN=localhost
---
```
... and `foo.bar` certificate:
openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
...
subject=/CN=localhost
issuer=/CN=localhost
---
```console
$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
...
subject=/CN=localhost
issuer=/CN=localhost
---
```
Let's create a new certificate to our domain:
## Using a new TLS certificate
openssl req \
-x509 -newkey rsa:2048 -nodes -days 365 \
-keyout tls.key -out tls.crt -subj '/CN=foo.bar'
kubectl create secret tls foobar-ssl --cert=tls.crt --key=tls.key
rm -v tls.crt tls.key
Now let's reference the new certificate to our domain. Note that secret
`foobar-ssl` should be created as described in the [prerequisites](#prerequisites)
... and reference in the ingress resource:
```console
$ kubectl replace -f ingress-tls-foobar.yaml
```
kubectl replace -f ingress-tls-foobar.yaml
Here is the difference:
Now `foo.bar` certificate should be used to terminate tls:
```console
tls:
- hosts:
- foo.bar
+ secretName: foobar-ssl
rules:
- host: foo.bar
http:
```
openssl s_client -connect 172.17.4.99:31692
...
subject=/CN=localhost
issuer=/CN=localhost
---
Now `foo.bar` certificate should be used to terminate TLS:
openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
...
subject=/CN=foo.bar
issuer=/CN=foo.bar
---
```console
openssl s_client -connect 172.17.4.99:31692
...
subject=/CN=localhost
issuer=/CN=localhost
---
openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
...
subject=/CN=foo.bar
issuer=/CN=foo.bar
---
```