Deploy GitHub Pages

This commit is contained in:
Travis Bot 2018-09-04 23:47:40 +00:00
parent b479f09b97
commit a03213218f
58 changed files with 2308 additions and 376 deletions

View file

@ -352,6 +352,18 @@
<li class="md-nav__item">
<a href="/deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="/deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

1470
deploy/baremetal/index.html Normal file

File diff suppressed because it is too large

View file

@ -461,8 +461,8 @@
</li>
<li class="md-nav__item">
<a href="#baremetal" title="Baremetal" class="md-nav__link">
Baremetal
<a href="#bare-metal" title="Bare-metal" class="md-nav__link">
Bare-metal
</a>
</li>
@ -514,6 +514,18 @@
<li class="md-nav__item">
<a href="baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1268,8 +1280,8 @@
</li>
<li class="md-nav__item">
<a href="#baremetal" title="Baremetal" class="md-nav__link">
Baremetal
<a href="#bare-metal" title="Bare-metal" class="md-nav__link">
Bare-metal
</a>
</li>
@ -1335,7 +1347,7 @@
<li><a href="#aws">AWS</a></li>
<li><a href="#gce-gke">GCE - GKE</a></li>
<li><a href="#azure">Azure</a></li>
<li><a href="#baremetal">Baremetal</a></li>
<li><a href="#bare-metal">Bare-metal</a></li>
</ul>
</li>
<li><a href="#verify-installation">Verify installation</a></li>
@ -1348,7 +1360,6 @@
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml</span>
</pre></div>
<h3 id="provider-specific-steps">Provider Specific Steps<a class="headerlink" href="#provider-specific-steps" title="Permanent link">&para;</a></h3>
<p>There are cloud provider specific yaml files.</p>
<h4 id="docker-for-mac">Docker for Mac<a class="headerlink" href="#docker-for-mac" title="Permanent link">&para;</a></h4>
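Review bot: The `kubectl apply` line at the top of this hunk pulls `deploy/mandatory.yaml` from the `master` branch, so what a reader installs changes with every merge and cannot be matched to a controller release. Point the URL at a release tag instead, and apply the same convention to the provider-specific manifests referenced further down this page.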
@ -1357,13 +1368,11 @@
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml</span>
</pre></div>
<h4 id="minikube">minikube<a class="headerlink" href="#minikube" title="Permanent link">&para;</a></h4>
<p>For standard usage:</p>
<div class="codehilite"><pre><span></span><span class="go">minikube addons enable ingress</span>
</pre></div>
<p>For development:</p>
<ol>
<li>Disable the ingress addon:</li>
@ -1371,7 +1380,6 @@
<div class="codehilite"><pre><span></span><span class="gp">$</span> minikube addons disable ingress
</pre></div>
<ol>
<li>Execute <code class="codehilite">make dev-env</code></li>
<li>Confirm the <code class="codehilite">nginx-ingress-controller</code> deployment exists:</li>
@ -1382,7 +1390,6 @@
<span class="go">nginx-ingress-controller-fdcdcd6dd-vvpgs 1/1 Running 0 11s</span>
</pre></div>
<h4 id="aws">AWS<a class="headerlink" href="#aws" title="Permanent link">&para;</a></h4>
<p>In AWS we use an Elastic Load Balancer (ELB) to expose the NGINX Ingress controller behind a Service of <code class="codehilite">Type=LoadBalancer</code>.
Since Kubernetes v1.9.0 it is possible to use a classic load balancer (ELB) or network load balancer (NLB)
@ -1398,7 +1405,6 @@ Please check the <a href="https://aws.amazon.com/es/elasticloadbalancing/details
<span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/aws/patch-configmap-l4.yaml</span>
</pre></div>
<p>For L7:</p>
<p>Change line of the file <code class="codehilite">provider/aws/service-l7.yaml</code> replacing the dummy id with a valid one <code class="codehilite">&quot;arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX&quot;</code>
Then execute:</p>
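Review bot: "Change line of the file `provider/aws/service-l7.yaml`" does not say which line or field holds the dummy certificate ARN. Name the field that has to be edited, so readers do not have to search the manifest for the `arn:aws:acm:...` placeholder.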
@ -1406,7 +1412,6 @@ Then execute:</p>
<span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/aws/patch-configmap-l7.yaml</span>
</pre></div>
<p>This example creates an ELB with just two listeners, one in port 80 and another in port 443</p>
<p><img alt="Listeners" src="./../images/elb-l7-listener.png" /></p>
<h5 id="network-load-balancer-nlb">Network Load Balancer (NLB)<a class="headerlink" href="#network-load-balancer-nlb" title="Permanent link">&para;</a></h5>
@ -1414,30 +1419,29 @@ Then execute:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/aws/service-nlb.yaml</span>
</pre></div>
<h4 id="gce-gke">GCE - GKE<a class="headerlink" href="#gce-gke" title="Permanent link">&para;</a></h4>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml</span>
</pre></div>
<p><strong>Important Note:</strong> proxy protocol is not supported in GCE/GKE</p>
<h4 id="azure">Azure<a class="headerlink" href="#azure" title="Permanent link">&para;</a></h4>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml</span>
</pre></div>
<h4 id="baremetal">Baremetal<a class="headerlink" href="#baremetal" title="Permanent link">&para;</a></h4>
<h4 id="bare-metal">Bare-metal<a class="headerlink" href="#bare-metal" title="Permanent link">&para;</a></h4>
<p>Using <a href="https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport">NodePort</a>:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml</span>
</pre></div>
<div class="admonition tip">
<p class="admonition-title">Tip</p>
<p>For extended notes regarding deployments on bare-metal, see <a href="./baremetal/">Bare-metal considerations</a>.</p>
</div>
<h3 id="verify-installation">Verify installation<a class="headerlink" href="#verify-installation" title="Permanent link">&para;</a></h3>
<p>To check if the ingress controller pods have started, run the following command:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl get pods --all-namespaces -l app=ingress-nginx --watch</span>
</pre></div>
<p>Once the operator pods are running, you can cancel the above command by typing <code class="codehilite">Ctrl+C</code>.
Now, you are ready to create your first ingress.</p>
<h3 id="detect-installed-version">Detect installed version<a class="headerlink" href="#detect-installed-version" title="Permanent link">&para;</a></h3>
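Review bot: Renaming the heading id from `baremetal` to `bare-metal` changes the URL fragment, so existing links to `#baremetal` will no longer jump to this section. The in-page table of contents is updated in this commit, but consider keeping an anchor with the old id. Separately, "Once the operator pods are running" should say ingress controller pods, matching the sentence that introduces the command.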
@ -1447,19 +1451,16 @@ Now, you are ready to create your first ingress.</p>
<span class="go">kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version</span>
</pre></div>
<h2 id="using-helm">Using Helm<a class="headerlink" href="#using-helm" title="Permanent link">&para;</a></h2>
<p>NGINX Ingress controller can be installed via <a href="https://helm.sh/">Helm</a> using the chart <a href="https://github.com/kubernetes/charts/tree/master/stable/nginx-ingress">stable/nginx-ingress</a> from the official charts repository.
To install the chart with the release name <code class="codehilite">my-nginx</code>:</p>
<div class="codehilite"><pre><span></span><span class="go">helm install stable/nginx-ingress --name my-nginx</span>
</pre></div>
<p>If the kubernetes cluster has RBAC enabled, then run:</p>
<div class="codehilite"><pre><span></span><span class="go">helm install stable/nginx-ingress --name my-nginx --set rbac.create=true</span>
</pre></div>
<p>Detect installed version:</p>
<div class="codehilite"><pre><span></span><span class="go">POD_NAME=$(kubectl get pods -l app=nginx-ingress -o jsonpath=&#39;{.items[0].metadata.name}&#39;)</span>
<span class="go">kubectl exec -it $POD_NAME -- /nginx-ingress-controller --version</span>
@ -1499,13 +1500,13 @@ To install the chart with the release name <code class="codehilite">my-nginx</co
</a>
<a href="rbac/" title="Role Based Access Control (RBAC)" class="md-flex md-footer-nav__link md-footer-nav__link--next" rel="next">
<a href="baremetal/" title="Bare-metal considerations" class="md-flex md-footer-nav__link md-footer-nav__link--next" rel="next">
<div class="md-flex__cell md-flex__cell--stretch md-footer-nav__title">
<span class="md-flex__ellipsis">
<span class="md-footer-nav__direction">
Next
</span>
Role Based Access Control (RBAC)
Bare-metal considerations
</span>
</div>
<div class="md-flex__cell md-flex__cell--shrink">

View file

@ -360,6 +360,18 @@
<li class="md-nav__item">
<a href="../baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item md-nav__item--active">
@ -1258,7 +1270,7 @@ container arguments, and POD_NAMESPACE should be in the nginx-ingress namespace.
<div class="md-footer-nav">
<nav class="md-footer-nav__inner md-grid">
<a href="../" title="Installation Guide" class="md-flex md-footer-nav__link md-footer-nav__link--prev" rel="prev">
<a href="../baremetal/" title="Bare-metal considerations" class="md-flex md-footer-nav__link md-footer-nav__link--prev" rel="prev">
<div class="md-flex__cell md-flex__cell--shrink">
<i class="md-icon md-icon--arrow-back md-footer-nav__button"></i>
</div>
@ -1267,7 +1279,7 @@ container arguments, and POD_NAMESPACE should be in the nginx-ingress namespace.
<span class="md-footer-nav__direction">
Previous
</span>
Installation Guide
Bare-metal considerations
</span>
</div>
</a>

View file

@ -360,6 +360,18 @@
<li class="md-nav__item">
<a href="../baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1132,14 +1144,12 @@ in the controller Deployment.</p>
<span class="l l-Scalar l-Scalar-Plain">args</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">...</span>
</pre></div>
<p>simply change the <code class="codehilite">0.9.0</code> tag to the version you wish to upgrade to.
The easiest way to do this is e.g. (do note you may need to change the name parameter according to your installation):</p>
<div class="codehilite"><pre><span></span>kubectl set image deployment/nginx-ingress-controller \
nginx-ingress-controller=nginx:quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.18.0
</pre></div>
<p>For interactive editing, use <code class="codehilite">kubectl edit deployment nginx-ingress-controller</code>.</p>
<h2 id="with-helm">With Helm<a class="headerlink" href="#with-helm" title="Permanent link">&para;</a></h2>
<p>If you installed ingress-nginx using the Helm command in the deployment docs so its name is <code class="codehilite">ngx-ingress</code>,
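Review bot: In the `kubectl set image` example the value `nginx:quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.18.0` is not a valid image reference; the argument takes the form container=image, so the stray `nginx:` prefix has to go. The surrounding text also tells readers to change the `0.9.0` tag while the command uses `0.18.0`, and the Helm paragraph assumes a release named `ngx-ingress` although the deployment guide in this same commit installs with `--name my-nginx`.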

View file

@ -356,6 +356,18 @@
<li class="md-nav__item">
<a href="../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1251,7 +1263,6 @@ git clone https://github.com/$YOUR_GITHUB_USERNAME/ingress-nginx.git
cd ingress-nginx
</pre></div>
<h3 id="initial-developer-environment-build">Initial developer environment build<a class="headerlink" href="#initial-developer-environment-build" title="Permanent link">&para;</a></h3>
<blockquote>
<p><strong>Prequisites</strong>: Minikube must be installed.
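Review bot: "Prequisites" in the blockquote is misspelled; it should read "Prerequisites". Fix it in the Markdown source so the next site build picks it up.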
@ -1261,19 +1272,14 @@ See <a href="https://github.com/kubernetes/minikube/releases">releases</a> for i
<div class="codehilite"><pre><span></span>$ make dev-env
</pre></div>
<h3 id="updating-the-deployment">Updating the deployment<a class="headerlink" href="#updating-the-deployment" title="Permanent link">&para;</a></h3>
<p>The nginx controller container image can be rebuilt using:</p>
<p>The nginx controller container image can be rebuilt using:
<div class="codehilite"><pre><span></span>$ <span class="nv">ARCH</span><span class="o">=</span>amd64 <span class="nv">TAG</span><span class="o">=</span>dev <span class="nv">REGISTRY</span><span class="o">=</span><span class="nv">$USER</span>/ingress-controller make build container
</pre></div>
<p>The image will only be used by pods created after the rebuild. To delete old pods which will cause new ones to spin up:</p>
</pre></div></p>
<p>The image will only be used by pods created after the rebuild. To delete old pods which will cause new ones to spin up:
<div class="codehilite"><pre><span></span>$ kubectl get pods -n ingress-nginx
$ kubectl delete pod -n ingress-nginx nginx-ingress-controller-&lt;unique-pod-id&gt;
</pre></div>
</pre></div></p>
<h2 id="dependencies">Dependencies<a class="headerlink" href="#dependencies" title="Permanent link">&para;</a></h2>
<p>The build uses dependencies in the <code class="codehilite">vendor</code> directory, which
must be installed before building a binary/image. Occasionally, you
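Review bot: Both paragraphs in this hunk now wrap their code block, opening with `<p>The nginx controller container image can be rebuilt using:` and closing with `</pre></div></p>`. A `<div>` is not allowed inside `<p>`, so browsers end the paragraph early and the trailing `</p>` is left unmatched. The previous output closed the paragraph before the block; check whether the Markdown source lost the blank line between the sentence and the code block.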
@ -1290,12 +1296,10 @@ might need to update the dependencies.</p>
<span class="go"> platform : linux/amd64</span>
</pre></div>
<p>If you have an older version of <code class="codehilite">dep</code>, you can update it as follows:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> go get -u github.com/golang/dep
</pre></div>
<p>This will automatically save the dependencies to the <code class="codehilite">vendor/</code> directory.</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">cd</span> <span class="nv">$GOPATH</span>/src/k8s.io/ingress-nginx
<span class="gp">$</span> dep ensure
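Review bot: `go get -u github.com/golang/dep` fetches the package at the repository root; the `dep` binary lives in `github.com/golang/dep/cmd/dep`, so the update command should target that path. The sentence "This will automatically save the dependencies to the `vendor/` directory" also sits directly after that command, although it describes the `dep ensure` sequence that comes next; move it below the commands or reword it as a lead-in.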
@ -1303,7 +1307,6 @@ might need to update the dependencies.</p>
<span class="gp">$</span> dep prune
</pre></div>
<h2 id="building">Building<a class="headerlink" href="#building" title="Permanent link">&para;</a></h2>
<p>All ingress controllers are built through a Makefile. Depending on your
requirements you can build a raw server binary, a local container image,
@ -1316,25 +1319,20 @@ or push an image to a remote repository.</p>
<span class="gp">$</span> <span class="nb">export</span> <span class="nv">REGISTRY</span><span class="o">=</span>&lt;your-docker-registry&gt;
</pre></div>
<p>To find the registry simply run: <code class="codehilite">docker system info | grep Registry</code></p>
<h3 id="nginx-controller">Nginx Controller<a class="headerlink" href="#nginx-controller" title="Permanent link">&para;</a></h3>
<p>Build a raw server binary</p>
<p>Build a raw server binary
<div class="codehilite"><pre><span></span><span class="gp">$</span> make build
</pre></div>
</pre></div></p>
<p><a href="https://github.com/kubernetes/ingress-nginx/issues/387">TODO</a>: add more specific instructions needed for raw server binary.</p>
<p>Build a local container image</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nv">TAG</span><span class="o">=</span>&lt;tag&gt; <span class="nv">REGISTRY</span><span class="o">=</span><span class="nv">$USER</span>/ingress-controller make docker-build
</pre></div>
<p>Push the container image to a remote repository</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nv">TAG</span><span class="o">=</span>&lt;tag&gt; <span class="nv">REGISTRY</span><span class="o">=</span><span class="nv">$USER</span>/ingress-controller make docker-push
</pre></div>
<h2 id="deploying">Deploying<a class="headerlink" href="#deploying" title="Permanent link">&para;</a></h2>
<p>There are several ways to deploy the ingress controller onto a cluster.
Please check the <a href="../deploy">deployment guide</a></p>
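Review bot: The build instructions here use `make docker-build` and `make docker-push`, while the "Updating the deployment" section on the same page rebuilds the image with `make build container`. Use one set of targets throughout, or say why they differ.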
@ -1344,31 +1342,26 @@ Please check the <a href="../deploy">deployment guide</a></p>
<span class="gp">$</span> make <span class="nb">test</span>
</pre></div>
<p>If you have access to a Kubernetes cluster, you can also run e2e tests using ginkgo.</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">cd</span> <span class="nv">$GOPATH</span>/src/k8s.io/ingress-nginx
<span class="gp">$</span> make e2e-test
</pre></div>
<p>To run unit-tests for lua code locally, run:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">cd</span> <span class="nv">$GOPATH</span>/src/k8s.io/ingress-nginx
<span class="gp">$</span> ./rootfs/etc/nginx/lua/test/up.sh
<span class="gp">$</span> make lua-test
</pre></div>
<p>Lua tests are located in <code class="codehilite">$GOPATH/src/k8s.io/ingress-nginx/rootfs/etc/nginx/lua/test</code>. When creating a new test file it must follow the naming convention <code class="codehilite">&lt;mytest&gt;_test.lua</code> or it will be ignored. </p>
<h2 id="releasing">Releasing<a class="headerlink" href="#releasing" title="Permanent link">&para;</a></h2>
<p>All Makefiles will produce a release binary, as shown above. To publish this
to a wider Kubernetes user base, push the image to a container registry, like
<a href="https://cloud.google.com/container-registry/">gcr.io</a>. All release images are hosted under <code class="codehilite">gcr.io/google_containers</code> and
tagged according to a <a href="http://semver.org/">semver</a> scheme.</p>
<p>An example release might look like:</p>
<p>An example release might look like:
<div class="codehilite"><pre><span></span>$ make release
</pre></div>
</pre></div></p>
<p>Please follow these guidelines to cut a release:</p>
<ul>
<li>Update the <a href="https://help.github.com/articles/creating-releases/">release</a>
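Review bot: The Releasing paragraph states that all release images are hosted under `gcr.io/google_containers`, but the upgrade page in this commit pulls the controller from `quay.io/kubernetes-ingress-controller/nginx-ingress-controller`. Reconcile the two so readers know which registry to trust for release images.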

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1190,7 +1202,6 @@ key/cert pair with an arbitrarily chosen hostname, created as follows</p>
<span class="go">secret &quot;tls-secret&quot; created</span>
</pre></div>
<h2 id="ca-authentication">CA Authentication<a class="headerlink" href="#ca-authentication" title="Permanent link">&para;</a></h2>
<p>You can act as your very own CA, or use an existing one. As an exercise / learning, we're going to generate our
own CA, and also generate a client certificate.</p>
@ -1210,13 +1221,11 @@ In real production world, you may face CAs with intermediate certificates, as th
<span class="go"> i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority</span>
</pre></div>
<p>To generate our CA Certificate, we've to run the following commands:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl genrsa -out ca.key <span class="m">2048</span>
<span class="gp">$</span> openssl req -x509 -new -nodes -key ca.key -days <span class="m">10000</span> -out ca.crt -subj <span class="s2">&quot;/CN=example-ca&quot;</span>
</pre></div>
<p>This will generate two files: A private key (ca.key) and a public key (ca.crt). This CA is valid for 10000 days.
The ca.crt can be used later in the step of creation of CA authentication secret.</p>
<h3 id="generating-the-client-certificate">Generating the client certificate<a class="headerlink" href="#generating-the-client-certificate" title="Permanent link">&para;</a></h3>
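Review bot: The paragraph after the `openssl` commands calls `ca.crt` "a public key"; it is a self-signed CA certificate, and the distinction matters later when the file goes into the CA authentication secret. The example also issues the CA with `-days 10000`; say that this lifetime is for the exercise only, and that `ca.key` is never part of that secret.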
@ -1232,19 +1241,16 @@ used to authenticate in a tls-auth configured ingress.</p>
<span class="go">keyUsage = nonRepudiation, digitalSignature, keyEncipherment</span>
</pre></div>
<p>Then, a user generates his very own private key (that he needs to keep secret)
and a CSR (Certificate Signing Request) that will be sent to the CA to sign and generate a certificate.</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl genrsa -out client1.key <span class="m">2048</span>
<span class="gp">$</span> openssl req -new -key client1.key -out client1.csr -subj <span class="s2">&quot;/CN=client1&quot;</span> -config openssl.cnf
</pre></div>
<p>As the CA receives the generated 'client1.csr' file, it signs it and generates a client.crt certificate:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days <span class="m">365</span> -extensions v3_req -extfile openssl.cnf
</pre></div>
<p>Then, you'll have 3 files: the client.key (user's private key), client.crt (user's public key) and client.csr (disposable CSR).</p>
<h3 id="creating-the-ca-authentication-secret">Creating the CA Authentication secret<a class="headerlink" href="#creating-the-ca-authentication-secret" title="Permanent link">&para;</a></h3>
<p>If you're using the CA Authentication feature, you need to generate a secret containing
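Review bot: File names drift within this hunk: the commands write `client1.key`, `client1.csr` and `client1.crt`, but the prose refers to "a client.crt certificate" and then lists `client.key`, `client.crt` and `client.csr`. Use the `client1.*` names throughout. As in the CA section, `client.crt` is described as the "user's public key" where it is the user's certificate.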
@ -1254,29 +1260,23 @@ all the authorized CAs. You must download them from your CA site in PEM format (
-----END CERTIFICATE-----
</pre></div>
<p>You can have as many certificates as you want. If they're in the binary DER format,
you can convert them as the following:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
</pre></div>
<p>Then, you've to concatenate them all in only one file, named 'ca.crt' as the following:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> cat certificate1.crt certificate2.crt certificate3.crt &gt;&gt; ca.crt
</pre></div>
<p>The final step is to create a secret with the content of this file. This secret is going to be used in
the TLS Auth directive:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic caingress --namespace<span class="o">=</span>default --from-file<span class="o">=</span>ca.crt<span class="o">=</span>&lt;ca.crt&gt;
</pre></div>
<p><strong>Note:</strong> You can also generate the CA Authentication Secret along with the TLS Secret by using:</p>
<p><strong>Note:</strong> You can also generate the CA Authentication Secret along with the TLS Secret by using:
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic caingress --namespace<span class="o">=</span>default --from-file<span class="o">=</span>ca.crt<span class="o">=</span>&lt;ca.crt&gt; --from-file<span class="o">=</span>tls.crt<span class="o">=</span>&lt;tls.crt&gt; --from-file<span class="o">=</span>tls.key<span class="o">=</span>&lt;tls.key&gt;
</pre></div>
</pre></div></p>
<h2 id="test-http-service">Test HTTP Service<a class="headerlink" href="#test-http-service" title="Permanent link">&para;</a></h2>
<p>All examples that require a test HTTP Service use the standard http-svc pod,
which you can deploy as follows</p>
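Review bot: `cat certificate1.crt certificate2.crt certificate3.crt >> ca.crt` appends, and the CA section earlier on this page has the reader create a file with the same name, `ca.crt`, for the throwaway `example-ca`. Anyone following the page top to bottom ends up with the test CA in the bundle of authorized CAs. Use `>` or a different output file name.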
@ -1293,7 +1293,6 @@ which you can deploy as follows</p>
<span class="go">http-svc 10.0.122.116 &lt;pending&gt; 80:30301/TCP 1d</span>
</pre></div>
<p>You can test that the HTTP Service works by exposing it temporarily</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl patch svc http-svc -p <span class="s1">&#39;{&quot;spec&quot;:{&quot;type&quot;: &quot;LoadBalancer&quot;}}&#39;</span>
<span class="go">&quot;http-svc&quot; patched</span>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1140,10 +1152,9 @@
<div class="codehilite"><pre><span></span><span class="go">kubectl create -f ingress.yaml</span>
</pre></div>
<h2 id="validation">Validation<a class="headerlink" href="#validation" title="Permanent link">&para;</a></h2>
<p>You can confirm that the Ingress works.</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe ing nginx-test
<p><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe ing nginx-test
<span class="go">Name: nginx-test</span>
<span class="go">Namespace: default</span>
<span class="go">Address: </span>
@ -1175,9 +1186,7 @@
<span class="go">ETag: &quot;58875e6b-264&quot;</span>
<span class="go">Accept-Ranges: bytes</span>
</pre></div>
<p>In the example above, you can see a line containing the 'Set-Cookie: INGRESSCOOKIE' setting the right defined stickiness cookie.
In the example above, you can see a line containing the 'Set-Cookie: INGRESSCOOKIE' setting the right defined stickiness cookie.
This cookie is created by NGINX containing the hash of the used upstream in that request.
If the user changes this cookie, NGINX creates a new one and redirect the user to another upstream.</p>
<p>If the backend pool grows up NGINX will keep sending the requests through the same server of the first request, even if it's overloaded.</p>
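Review bot: After this change the explanatory text "In the example above, you can see a line containing ..." no longer has its own opening `<p>`; it is closed by a `</p>` whose opening tag sits before the console block (`<p><div class="codehilite">` in the previous hunk). Keep the prose in a separate paragraph from the `kubectl describe` output, as the old markup did.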

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1059,12 +1071,10 @@ It's important the file generated is named <code class="codehilite">auth</code>
<span class="go">Adding password for user foo</span>
</pre></div>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic basic-auth --from-file<span class="o">=</span>auth
<span class="go">secret &quot;basic-auth&quot; created</span>
</pre></div>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get secret basic-auth -o yaml
<span class="go">apiVersion: v1</span>
<span class="go">data:</span>
@ -1076,7 +1086,6 @@ It's important the file generated is named <code class="codehilite">auth</code>
<span class="go">type: Opaque</span>
</pre></div>
<div class="codehilite"><pre><span></span><span class="go">echo &quot;</span>
<span class="go">apiVersion: extensions/v1beta1</span>
<span class="go">kind: Ingress</span>
@ -1101,7 +1110,6 @@ It's important the file generated is named <code class="codehilite">auth</code>
<span class="go">&quot; | kubectl create -f -</span>
</pre></div>
<div class="codehilite"><pre><span></span>$ curl -v http://10.2.29.4/ -H &#39;Host: foo.bar.com&#39;
* Trying 10.2.29.4...
* Connected to 10.2.29.4 (10.2.29.4) port 80 (#0)
@ -1128,7 +1136,6 @@ It's important the file generated is named <code class="codehilite">auth</code>
* Connection #0 to host 10.2.29.4 left intact
</pre></div>
<div class="codehilite"><pre><span></span>$ curl -v http://10.2.29.4/ -H <span class="s1">&#39;Host: foo.bar.com&#39;</span> -u <span class="s1">&#39;foo:bar&#39;</span>
* Trying <span class="m">10</span>.2.29.4...
* Connected to <span class="m">10</span>.2.29.4 <span class="o">(</span><span class="m">10</span>.2.29.4<span class="o">)</span> port <span class="m">80</span> <span class="o">(</span><span class="c1">#0)</span>
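Review bot: The second `curl` example passes `-u 'foo:bar'` to an `http://` URL, so the Basic credentials cross the network base64-encoded but unencrypted. Add a sentence saying the Ingress should be served over TLS when basic auth is enabled, or switch the example to `https://`.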

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1133,7 +1145,6 @@ status:
$
</pre></div>
<p>Test 1: no username/password (expect code 401)</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span>
<span class="go">* Rebuilt URL to: http://172.17.4.99/</span>
@ -1162,8 +1173,7 @@ $
<span class="go">* Connection #0 to host 172.17.4.99 left intact</span>
</pre></div>
<p>Test 2: valid username/password (expect code 200)</p>
<p>Test 2: valid username/password (expect code 200)
<div class="codehilite"><pre><span></span>$ curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span> -u <span class="s1">&#39;user:passwd&#39;</span>
* Rebuilt URL to: http://172.17.4.99/
* Trying <span class="m">172</span>.17.4.99...
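Review bot: The test commands combine `-k` with an `http://` URL. The flag only affects TLS certificate verification, so it does nothing here and teaches readers to disable verification by habit. Drop it, or move the examples to `https://` with a trusted certificate, since `-u 'user:passwd'` is sent in this request.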
@ -1207,10 +1217,8 @@ x-real-ip<span class="o">=</span><span class="m">10</span>.2.60.1
BODY:
* Connection <span class="c1">#0 to host 172.17.4.99 left intact</span>
-no body in request-
</pre></div>
<p>Test 3: invalid username/password (expect code 401)</p>
</pre></div></p>
<p>Test 3: invalid username/password (expect code 401)
<div class="codehilite"><pre><span></span>curl -k http://172.17.4.99 -v -H &#39;Host: external-auth-01.sample.com&#39; -u &#39;user:user&#39;
* Rebuilt URL to: http://172.17.4.99/
* Trying 172.17.4.99...
@ -1239,7 +1247,7 @@ BODY:
<span class="nt">&lt;/body&gt;</span>
<span class="nt">&lt;/html&gt;</span>
* Connection #0 to host 172.17.4.99 left intact
</pre></div>
</pre></div></p>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1172,7 +1184,6 @@ same endpoint.</p>
<span class="nn">...</span>
</pre></div>
<h3 id="example-oauth2-proxy-kubernetes-dashboard">Example: OAuth2 Proxy + Kubernetes-Dashboard<a class="headerlink" href="#example-oauth2-proxy-kubernetes-dashboard" title="Permanent link">&para;</a></h3>
<p>This example will show you how to deploy <a href="https://github.com/bitly/oauth2_proxy"><code class="codehilite">oauth2_proxy</code></a>
into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using github as oAuth2 provider</p>
@ -1183,7 +1194,6 @@ into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using g
<div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.5.0.yaml</span>
</pre></div>
<ol>
<li>Create a <a href="https://github.com/settings/applications/new">custom Github OAuth application</a></li>
</ol>
@ -1215,7 +1225,6 @@ into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using g
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f oauth2-proxy.yaml,dashboard-ingress.yaml
</pre></div>
<p>Test the oauth integration accessing the configured URL, like <code class="codehilite">https://foo.bar.com</code></p>
<p><img alt="Register OAuth2 Application" src="../images/github-auth.png" /></p>
<p><img alt="Github authentication" src="../images/oauth-login.png" /></p>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1114,7 +1126,6 @@
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl apply -f ingress.yaml
</pre></div>
<h2 id="test">Test<a class="headerlink" href="#test" title="Permanent link">&para;</a></h2>
<p>Check if the contents of the annotation are present in the nginx.conf file using:
<code class="codehilite">kubectl exec nginx-ingress-controller-873061567-4n3k2 -n kube-system cat /etc/nginx/nginx.conf</code></p>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1063,12 +1075,10 @@ metadata:
name: nginx-load-balancer-conf
</pre></div>
<div class="codehilite"><pre><span></span>curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/customization/custom-configuration/configmap.yaml \
| kubectl apply -f -
</pre></div>
<p>If the Configmap it is updated, NGINX will be reloaded with the new configuration.</p>
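Review bot: the `curl ... | kubectl apply -f -` block fetches `configmap.yaml` from the `master` branch and applies it unread, so the manifest a reader ends up applying can change between visits. Consider pointing the URL at a release tag or commit and showing a download, inspect, then `kubectl apply -f configmap.yaml` form. In the sentence that follows, "If the Configmap it is updated" should read "If the ConfigMap is updated".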

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1131,7 +1143,6 @@ service <span class="s2">&quot;nginx-errors&quot;</span> created
deployment.apps <span class="s2">&quot;nginx-errors&quot;</span> created
</pre></div>
<p>This should have created a Deployment and a Service with the name <code class="codehilite">nginx-errors</code>.</p>
<div class="codehilite"><pre><span></span>$ kubectl get deploy,svc
NAME DESIRED CURRENT READY AGE
@ -1141,7 +1152,6 @@ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o"
service/nginx-errors ClusterIP <span class="m">10</span>.0.0.12 &lt;none&gt; <span class="m">80</span>/TCP 10s
</pre></div>
<h2 id="ingress-controller-configuration">Ingress controller configuration<a class="headerlink" href="#ingress-controller-configuration" title="Permanent link">&para;</a></h2>
<p>If you do not already have an instance of the the NGINX Ingress controller running, deploy it according to the
<a href="../../../../deploy/">deployment guide</a>, then follow these steps:</p>
@ -1155,7 +1165,10 @@ service/nginx-errors ClusterIP <span class="m">10</span>.0.0.12 &lt;none&g
</li>
<li>
<p>Take note of the IP address assigned to the NGINX Ingress controller Service.
<code class="codehilite">$ kubectl get svc ingress-nginxNAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGEingress-nginx ClusterIP <span class="m">10</span>.0.0.13 &lt;none&gt; <span class="m">80</span>/TCP,443/TCP 10m</code></p>
<div class="codehilite"><pre><span></span>$ kubectl get svc ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE
ingress-nginx ClusterIP <span class="m">10</span>.0.0.13 &lt;none&gt; <span class="m">80</span>/TCP,443/TCP 10m
</pre></div></p>
</li>
</ol>
<div class="admonition note">
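Review bot: in the list item "Take note of the IP address assigned to the NGINX Ingress controller Service", the `<div class="codehilite">` block is emitted inside the still-open `<p>` and closed with `</pre></div></p>`. A `<div>` cannot be nested in a `<p>`, so browsers close the paragraph early and leave a stray empty `<p>` behind. This most likely comes from the fenced block in the Markdown source lacking a blank line (or the list indentation) before it; fixing the source should produce the closed `<p>` followed by the `<div>`.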
@ -1177,7 +1190,6 @@ Connection: keep-alive
<span class="nt">&lt;span&gt;</span>The page you&#39;re looking for could not be found.<span class="nt">&lt;/span&gt;</span>
</pre></div>
<p>A request with a custom <code class="codehilite">Accept</code> header returns the corresponding document type (JSON):</p>
<div class="codehilite"><pre><span></span>$ curl -D- -H <span class="s1">&#39;Accept: application/json&#39;</span> http://10.0.0.13/
HTTP/1.1 <span class="m">404</span> Not Found
@ -1191,7 +1203,6 @@ Vary: Accept-Encoding
<span class="o">{</span> <span class="s2">&quot;message&quot;</span>: <span class="s2">&quot;The page you&#39;re looking for could not be found&quot;</span> <span class="o">}</span>
</pre></div>
<p>To go further with this example, feel free to deploy your own applications and Ingress objects, and validate that the
responses are still in the correct format when a backend returns 503 (eg. if you scale a Deployment down to 0 replica).</p>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1105,7 +1117,6 @@ server</p>
<span class="go"> | kubectl apply -f -</span>
</pre></div>
<h2 id="test">Test<a class="headerlink" href="#test" title="Permanent link">&para;</a></h2>
<p>Check the contents of the configmap is present in the nginx.conf file using:
<code class="codehilite">kubectl exec nginx-ingress-controller-873061567-4n3k2 -n kube-system cat /etc/nginx/nginx.conf</code></p>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1070,17 +1082,13 @@ spec:
&quot; | kubectl create -f -
</pre></div>
<p>Check the annotation is present in the Ingress rule:</p>
<p>Check the annotation is present in the Ingress rule:
<div class="codehilite"><pre><span></span>kubectl get ingress http-svc -o yaml
</pre></div>
</pre></div></p>
<p>Check the NGINX configuration is updated using kubectl or the status page:</p>
<div class="codehilite"><pre><span></span>$ kubectl <span class="nb">exec</span> nginx-ingress-controller-v1ppm cat /etc/nginx/nginx.conf
</pre></div>
<div class="codehilite"><pre><span></span><span class="o">....</span>
<span class="nt">upstream</span> <span class="nt">default-http-svc-x-80</span> <span class="p">{</span>
<span class="err">least_conn</span><span class="p">;</span>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1085,7 +1097,6 @@ follows:</p>
<span class="go">secure-demo-echo-service secure-demo-echo-service.kube.local 80 1m</span>
</pre></div>
<p>Test 1: public service with no auth header</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: public-demo-echo-service.kube.local&#39;</span> -v <span class="m">192</span>.168.99.100
<span class="go">* Rebuilt URL to: 192.168.99.100/</span>
@ -1107,7 +1118,6 @@ follows:</p>
<span class="go">UserID: , UserRole:</span>
</pre></div>
<p>Test 2: secure service with no auth header</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: secure-demo-echo-service.kube.local&#39;</span> -v <span class="m">192</span>.168.99.100
<span class="go">* Rebuilt URL to: 192.168.99.100/</span>
@ -1135,7 +1145,6 @@ follows:</p>
<span class="go">* Connection #0 to host 192.168.99.100 left intact</span>
</pre></div>
<p>Test 3: public service with valid auth header</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: public-demo-echo-service.kube.local&#39;</span> -H <span class="s1">&#39;User:internal&#39;</span> -v <span class="m">192</span>.168.99.100
<span class="go">* Rebuilt URL to: 192.168.99.100/</span>
@ -1158,7 +1167,6 @@ follows:</p>
<span class="go">UserID: 1443635317331776148, UserRole: admin</span>
</pre></div>
<p>Test 4: public service with valid auth header</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: secure-demo-echo-service.kube.local&#39;</span> -H <span class="s1">&#39;User:internal&#39;</span> -v <span class="m">192</span>.168.99.100
<span class="go">* Rebuilt URL to: 192.168.99.100/</span>
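Review bot: the label "Test 4: public service with valid auth header" repeats the Test 3 label, but the command beneath it sends `Host: secure-demo-echo-service.kube.local`, so it is the secure service that is being exercised. Rename it to "Test 4: secure service with valid auth header" so the two authenticated cases can be told apart.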

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1139,17 +1151,14 @@ use a ConfigMap to configure custom Diffie-Hellman parameters file to help with
<span class="go"> app: ingress-nginx</span>
</pre></div>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f configmap.yaml
</pre></div>
<h2 id="custom-dh-parameters-secret">Custom DH parameters secret<a class="headerlink" href="#custom-dh-parameters-secret" title="Permanent link">&para;</a></h2>
<div class="codehilite"><pre><span></span><span class="gp">$</span>&gt; openssl dhparam <span class="m">1024</span> <span class="m">2</span>&gt; /dev/null <span class="p">|</span> base64
<span class="go">LS0tLS1CRUdJTiBESCBQQVJBTUVURVJ...</span>
</pre></div>
<div class="codehilite"><pre><span></span><span class="gp">$</span> cat ssl-dh-param.yaml
<span class="go">apiVersion: v1</span>
<span class="go">data:</span>
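Review bot: `openssl dhparam 1024` in the "Custom DH parameters secret" section produces a 1024-bit group, which is below what is considered safe for finite-field Diffie-Hellman and undercuts the point of shipping custom parameters. The example should generate at least 2048 bits (`openssl dhparam 2048`). The prompt on that line also renders as `$>` because of the `&gt;` after the `gp` span, so the command does not copy cleanly.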
@ -1162,11 +1171,9 @@ use a ConfigMap to configure custom Diffie-Hellman parameters file to help with
<span class="go"> app: ingress-nginx</span>
</pre></div>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f ssl-dh-param.yaml
</pre></div>
<h2 id="test">Test<a class="headerlink" href="#test" title="Permanent link">&para;</a></h2>
<p>Check the contents of the configmap is present in the nginx.conf file using:
<code class="codehilite">kubectl exec nginx-ingress-controller-873061567-4n3k2 -n kube-system cat /etc/nginx/nginx.conf</code></p>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1153,7 +1165,6 @@
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/deployment.yaml</span>
</pre></div>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p><strong>DO NOT RUN THIS IN PRODUCTION</strong></p>
@ -1165,7 +1176,6 @@
<div class="codehilite"><pre><span></span><span class="go">wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/ingress-without-tls.yaml</span>
</pre></div>
<div class="admonition important">
<p class="admonition-title">Important</p>
</div>
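Review bot: the `admonition important` block that follows the `wget` of `ingress-without-tls.yaml` contains only its `admonition-title` and is closed immediately, so as rendered here the page shows an "Important" box with no text. Restore the warning text in the source, or drop the admonition if nothing is meant to be said at this step.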
@ -1176,7 +1186,6 @@
<div class="codehilite"><pre><span></span><span class="go">wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/ingress-with-tls.yaml</span>
</pre></div>
<p>Deploy <a href="https://github.com/jetstack/kube-lego">kube lego</a> use <a href="https://letsencrypt.org/">Let's Encrypt</a> certificates or edit the ingress rule to use a secret with an existing SSL certificate.</p>
<h3 id="testing">Testing<a class="headerlink" href="#testing" title="Permanent link">&para;</a></h3>
<p>To test the registry is working correctly we download a known image from <a href="https://hub.docker.com">docker hub</a>, create a tag pointing to the new registry and upload the image:</p>
@ -1185,7 +1194,6 @@
<span class="go">docker push `registry.&lt;your domain&gt;/ubuntu:16.04`</span>
</pre></div>
<p>Please replace <code class="codehilite">registry.&lt;your domain&gt;</code> with your domain.</p>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1198,7 +1210,6 @@ nginx controller.</p>
<div class="codehilite"><pre><span></span>$ kubectl create -f app.yaml
</pre></div>
<p>This is a standard kubernetes deployment object. It is running a grpc service
listening on port <code class="codehilite">50051</code>.</p>
<p>The sample application
@ -1212,7 +1223,6 @@ is a grpc server implemented in go. Here's the stripped-down implementation:</p>
<span class="p">}</span>
</pre></div>
<p>The takeaway is that we are not doing any TLS configuration on the server (as we
are terminating TLS at the ingress level, grpc traffic will travel unencrypted
inside the cluster and arrive "insecure").</p>
@ -1223,14 +1233,12 @@ itself, add the ingress annotation <code class="codehilite">nginx.ingress.kubern
<div class="codehilite"><pre><span></span>$ kubectl create -f svc.yaml
</pre></div>
<p>Here we have a typical service. Nothing special, just routing traffic to the
backend application on port <code class="codehilite">50051</code>.</p>
<h3 id="step-3-the-kubernetes-ingress">Step 3: the kubernetes <code class="codehilite">Ingress</code><a class="headerlink" href="#step-3-the-kubernetes-ingress" title="Permanent link">&para;</a></h3>
<div class="codehilite"><pre><span></span>$ kubectl create -f ingress.yaml
</pre></div>
<p>A few things to note:</p>
<ol>
<li>We've tagged the ingress with the annotation
@ -1252,7 +1260,6 @@ can actually talk to the backend. To do this, we'll use the
<span class="o">}</span>
</pre></div>
<h3 id="debugging-hints">Debugging Hints<a class="headerlink" href="#debugging-hints" title="Permanent link">&para;</a></h3>
<ol>
<li>Obviously, watch the logs on your app.</li>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1054,7 +1066,7 @@
<li>Create tls secrets for foo.bar.com and bar.baz.com as indicated in the yaml</li>
<li>Create multi-tls.yaml</li>
</ol>
<p>This should generate a segment like:</p>
<p>This should generate a segment like:
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl <span class="nb">exec</span> -it nginx-ingress-controller-6vwd1 -- cat /etc/nginx/nginx.conf <span class="p">|</span> grep <span class="s2">&quot;foo.bar.com&quot;</span> -B <span class="m">7</span> -A <span class="m">35</span>
<span class="go"> server {</span>
<span class="go"> listen 80;</span>
@ -1097,10 +1109,8 @@
<span class="go"> proxy_pass http://default-http-svc-80;</span>
<span class="go"> }</span>
</pre></div>
<p>And you should be able to reach your nginx service or http-svc service using a hostname switch:</p>
</pre></div></p>
<p>And you should be able to reach your nginx service or http-svc service using a hostname switch:
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ing
<span class="go">NAME RULE BACKEND ADDRESS AGE</span>
<span class="go">foo-tls - 104.154.30.67 13m</span>
@ -1138,7 +1148,7 @@
<span class="gp">$</span> curl <span class="m">104</span>.154.30.67
<span class="go">default backend - 404</span>
</pre></div>
</pre></div></p>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1232,7 +1244,6 @@ and that you have an ingress controller <a href="../../../deploy">running</a> in
<span class="go">&quot; | kubectl create -f -</span>
</pre></div>
<p>Check the rewrite is working</p>
<div class="codehilite"><pre><span></span>$ curl -v http://172.17.4.99/something -H <span class="s1">&#39;Host: rewrite.bar.com&#39;</span>
* Trying <span class="m">172</span>.17.4.99...
@ -1275,9 +1286,8 @@ BODY:
-no body in request-
</pre></div>
<h3 id="app-root">App Root<a class="headerlink" href="#app-root" title="Permanent link">&para;</a></h3>
<p>Create an Ingress rule with a app-root annotation:</p>
<p>Create an Ingress rule with a app-root annotation:
<div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s2">&quot;</span>
<span class="s2">apiVersion: extensions/v1beta1</span>
<span class="s2">kind: Ingress</span>
@ -1296,9 +1306,7 @@ BODY:
<span class="s2"> servicePort: 80</span>
<span class="s2"> path: /</span>
<span class="s2">&quot;</span> <span class="p">|</span> kubectl create -f -
</pre></div>
</pre></div></p>
<p>Check the rewrite is working</p>
<div class="codehilite"><pre><span></span>$ curl -I -k http://approot.bar.com/
HTTP/1.1 <span class="m">302</span> Moved Temporarily

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1171,7 +1183,6 @@ behind a Service of <code class="codehilite">Type=LoadBalancer</code>.</p>
<span class="go">nginx-ingress-lb 10.0.138.113 104.154.109.191 80:31457/TCP,443:32240/TCP 15m</span>
</pre></div>
<p>then, update the ingress controller so it adopts the static IP of the Service
by passing the <code class="codehilite">--publish-service</code> flag (the example yaml used in the next step
already has it set to "nginx-ingress-lb").</p>
@ -1179,7 +1190,6 @@ already has it set to "nginx-ingress-lb").</p>
<span class="go">deployment &quot;nginx-ingress-controller&quot; created</span>
</pre></div>
<h2 id="assigning-the-ip-to-an-ingress">Assigning the IP to an Ingress<a class="headerlink" href="#assigning-the-ip-to-an-ingress" title="Permanent link">&para;</a></h2>
<p>From here on every Ingress created with the <code class="codehilite">ingress.class</code> annotation set to
<code class="codehilite">nginx</code> will get the IP allocated in the previous step</p>
@ -1201,7 +1211,6 @@ already has it set to "nginx-ingress-lb").</p>
<span class="go">...</span>
</pre></div>
<h2 id="retaining-the-ip">Retaining the IP<a class="headerlink" href="#retaining-the-ip" title="Permanent link">&para;</a></h2>
<p>You can test retention by deleting the Ingress</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl delete ing nginx-ingress
@ -1215,7 +1224,6 @@ already has it set to "nginx-ingress-lb").</p>
<span class="go">nginx-ingress * 104.154.109.191 80, 443 13m</span>
</pre></div>
<blockquote>
<p>Note that unlike the GCE Ingress, the same loadbalancer IP is shared amongst all
Ingresses, because all requests are proxied through the same set of nginx
@ -1227,10 +1235,9 @@ controllers.</p>
<span class="go">&quot;nginx-ingress-lb&quot; patched</span>
</pre></div>
<p>and promote the IP to static (promotion works differently for cloudproviders,
provided example is for GKE/GCE)
`</p>
`
<div class="codehilite"><pre><span></span><span class="gp">$</span> gcloud compute addresses create nginx-ingress-lb --addresses <span class="m">104</span>.154.109.191 --region us-central1
<span class="go">Created [https://www.googleapis.com/compute/v1/projects/kubernetesdev/regions/us-central1/addresses/nginx-ingress-lb].</span>
<span class="go">---</span>
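Review bot: a stray backtick survives on its own line after "provided example is for GKE/GCE)" and now sits directly in front of the `gcloud compute addresses create` block, inside the same open `<p>`. It looks like a leftover from a broken code fence in the Markdown source; removing it there and leaving a blank line before the fence should clear both the literal backtick and the `<div>` nested in the paragraph.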
@ -1245,9 +1252,7 @@ provided example is for GKE/GCE)
<span class="go">status: IN_USE</span>
<span class="go">users:</span>
<span class="go">- us-central1/forwardingRules/a09f6913ae80e11e6a8c542010af0000</span>
</pre></div>
</pre></div></p>
<p>Now even if the Service is deleted, the IP will persist, so you can recreate the
Service with <code class="codehilite">spec.loadBalancerIP</code> set to <code class="codehilite">104.154.109.191</code>.</p>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1130,7 +1142,6 @@ TLS cert, and forward un-encrypted HTTP traffic to the test HTTP service.</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f ingress.yaml</span>
</pre></div>
<h2 id="validation">Validation<a class="headerlink" href="#validation" title="Permanent link">&para;</a></h2>
<p>You can confirm that the Ingress works.</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe ing nginx-test

View file

@ -356,6 +356,18 @@
<li class="md-nav__item">
<a href="../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

File diff suppressed because one or more lines are too long

Binary file not shown.


File diff suppressed because one or more lines are too long

Binary file not shown.


File diff suppressed because one or more lines are too long

Binary file not shown.


File diff suppressed because one or more lines are too long

Binary file not shown.


File diff suppressed because one or more lines are too long

Binary file not shown.


View file

@ -394,6 +394,18 @@
<li class="md-nav__item">
<a href="deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

File diff suppressed because one or more lines are too long

View file

@ -2,222 +2,227 @@
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/deploy/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/deploy/baremetal/</loc>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/deploy/rbac/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/deploy/upgrade/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/nginx-configuration/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/nginx-configuration/annotations/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/nginx-configuration/configmap/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/nginx-configuration/custom-template/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/nginx-configuration/log-format/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/cli-arguments/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/custom-errors/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/default-backend/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/exposing-tcp-udp-services/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/external-articles/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/miscellaneous/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/monitoring/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/multiple-ingress/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/tls/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/third-party-addons/modsecurity/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/user-guide/third-party-addons/opentracing/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/PREREQUISITES/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/affinity/cookie/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/auth/basic/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/auth/client-certs/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/auth/external-auth/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/auth/oauth-external-auth/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/customization/configuration-snippets/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/customization/custom-configuration/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/customization/custom-errors/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/customization/custom-headers/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/customization/custom-upstream-check/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/customization/external-auth-headers/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/customization/ssl-dh-param/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/customization/sysctl/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/docker-registry/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/grpc/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/multi-tls/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/rewrite/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/static-ip/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/examples/tls-termination/README/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/development/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/how-it-works/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/troubleshooting/</loc>
<lastmod>2018-08-30</lastmod>
<lastmod>2018-09-04</lastmod>
<changefreq>daily</changefreq>
</url>
</urlset>
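Review bot: every `<loc>` in the regenerated sitemap is a bare path (`<loc>/</loc>`, `<loc>/deploy/baremetal/</loc>`), but the sitemap protocol requires fully qualified URLs with scheme and host, so these entries may be rejected by crawlers. Set the site URL in the docs build configuration (`site_url` in `mkdocs.yml`, assuming this site is built with MkDocs) so that absolute URLs are generated.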

View file

@ -356,6 +356,18 @@
<li class="md-nav__item">
<a href="../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1208,7 +1220,6 @@ methods to obtain more information.</p>
<span class="go"> Normal UPDATE 58s nginx-ingress-controller Ingress default/cafe-ingress</span>
</pre></div>
<p>Check the Ingress Controller Logs</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get pods -n &lt;namespace-of-ingress-controller&gt;
<span class="go">NAME READY STATUS RESTARTS AGE</span>
@ -1224,7 +1235,6 @@ methods to obtain more information.</p>
<span class="go">....</span>
</pre></div>
<p>Check the Nginx Configuration</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get pods -n &lt;namespace-of-ingress-controller&gt;
<span class="go">NAME READY STATUS RESTARTS AGE</span>
@ -1245,7 +1255,6 @@ methods to obtain more information.</p>
<span class="go">....</span>
</pre></div>
<p>Check if used Services Exist</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get svc --all-namespaces
<span class="go">NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE</span>
@ -1257,7 +1266,6 @@ methods to obtain more information.</p>
<span class="go">kube-system kubernetes-dashboard NodePort 10.103.128.17 &lt;none&gt; 80:30000/TCP 30m</span>
</pre></div>
<h2 id="debug-logging">Debug Logging<a class="headerlink" href="#debug-logging" title="Permanent link">&para;</a></h2>
<p>Using the flag <code class="codehilite">--v=XX</code> it is possible to increase the level of logging. This is performed by editing
the deployment.</p>
@ -1270,7 +1278,6 @@ the deployment.</p>
<span class="gp">#</span> Add --v<span class="o">=</span>X to <span class="s2">&quot;- args&quot;</span>, where X is an integer
</pre></div>
<ul>
<li><code class="codehilite">--v=2</code> shows details using <code class="codehilite">diff</code> about the changes in the configuration in nginx</li>
<li><code class="codehilite">--v=3</code> shows details about the service, Ingress rule, endpoint changes and it dumps the nginx configuration in JSON format</li>
@ -1288,7 +1295,6 @@ with the kubeconfig file.</p>
+-------------+ +------------+
</pre></div>
<p><strong>Service authentication</strong></p>
<p>The Ingress controller needs information from apiserver. Therefore, authentication is required, which can be achieved in two different ways:</p>
<ol>
@ -1325,7 +1331,6 @@ on the lower left hand side.</p>
+---------------------------------------------------+ +------------------+
</pre></div>
<h3 id="service-account">Service Account<a class="headerlink" href="#service-account" title="Permanent link">&para;</a></h3>
<p>If using a service account to connect to the API server, Dashboard expects the file
<code class="codehilite">/var/run/secrets/kubernetes.io/serviceaccount/token</code> to be present. It provides a secret
@ -1396,7 +1401,6 @@ token that is required to authenticate with the API server.</p>
<span class="go">}</span>
</pre></div>
<p>If it is not working, there are two possible reasons:</p>
<ol>
<li>
@ -1432,7 +1436,6 @@ dump. This allows us to see which configuration is being used, as well as older
<div class="codehilite"><pre><span></span><span class="gp">$</span> ssh user@workerIP
</pre></div>
<ol>
<li>Obtain the Docker Container Running nginx</li>
</ol>
@ -1441,21 +1444,18 @@ dump. This allows us to see which configuration is being used, as well as older
<span class="go">d9e1d243156a quay.io/kubernetes-ingress-controller/nginx-ingress-controller &quot;/usr/bin/dumb-init …&quot; 19 minutes ago Up 19 minutes k8s_nginx-ingress-controller_nginx-ingress-controller-67956bf89d-mqxzt_kube-system_079f31ec-aa37-11e8-ad39-080027a227db_0</span>
</pre></div>
<ol>
<li>Exec into the container</li>
</ol>
<div class="codehilite"><pre><span></span><span class="gp">$</span> docker <span class="nb">exec</span> -it --user<span class="o">=</span><span class="m">0</span> --privileged d9e1d243156a bash
</pre></div>
<ol>
<li>Make sure nginx is running in <code class="codehilite">--with-debug</code></li>
</ol>
<div class="codehilite"><pre><span></span><span class="gp">$</span> nginx -V <span class="m">2</span>&gt;<span class="p">&amp;</span><span class="m">1</span> <span class="p">|</span> grep -- <span class="s1">&#39;--with-debug&#39;</span>
</pre></div>
<ol>
<li>Get list of processes running on container</li>
</ol>
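Review bot: The "Exec into the container" step runs docker exec with --user=0 --privileged on a worker node, but the text never says why root and a privileged session are needed or that the session should be closed once debugging ends. Add a sentence tying it to the gdb attach step that follows and stating that it is for a troubleshooting session only. Separately, every step in this procedure is its own one-item ol, so each one renders as "1."; number the steps in the source so the sequence survives rendering.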
@ -1469,7 +1469,6 @@ dump. This allows us to see which configuration is being used, as well as older
<span class="go">root 172 0 0 20:43 pts/0 00:00:00 bash</span>
</pre></div>
<ol>
<li>Attach gdb to the nginx master process</li>
</ol>
@ -1481,7 +1480,6 @@ dump. This allows us to see which configuration is being used, as well as older
<span class="go">(gdb)</span>
</pre></div>
<ol>
<li>Copy and paste the following:</li>
</ol>
@ -1496,7 +1494,6 @@ dump. This allows us to see which configuration is being used, as well as older
<span class="go">end</span>
</pre></div>
<ol>
<li>
<p>Quit GDB by pressing CTRL+D</p>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1062,7 +1074,6 @@ Adding <code class="codehilite">PROXY</code> in either or both of the two last f
<span class="l l-Scalar l-Scalar-Plain">9000</span><span class="p p-Indicator">:</span> <span class="s">&quot;default/example-go:8080&quot;</span>
</pre></div>
<p>Since 1.9.13 NGINX provides <a href="https://www.nginx.com/blog/announcing-udp-load-balancing/">UDP Load Balancing</a>.
The next example shows how to expose the service <code class="codehilite">kube-dns</code> running in the namespace <code class="codehilite">kube-system</code> in the port <code class="codehilite">53</code> using the port <code class="codehilite">53</code></p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">apiVersion</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1163,7 +1175,6 @@
<span class="go">configmap &quot;prometheus-configuration&quot; created</span>
</pre></div>
<p>Running the following command deploys prometheus in Kubernetes:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/monitoring/prometheus.yaml</span>
<span class="go">clusterrole &quot;prometheus-server&quot; created</span>
@ -1173,7 +1184,6 @@
<span class="go">service &quot;prometheus-service&quot; created</span>
</pre></div>
<h3 id="prometheus-dashboard">Prometheus Dashboard<a class="headerlink" href="#prometheus-dashboard" title="Permanent link">&para;</a></h3>
<p>Open Prometheus dashboard in a web browser:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl get svc -n ingress-nginx</span>
@ -1183,18 +1193,15 @@
<span class="go">prometheus NodePort 10.98.233.86 &lt;none&gt; 9090:32630/TCP 1m</span>
</pre></div>
<p>Obtain the IP address of the nodes in the running cluster:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl get nodes -o wide</span>
</pre></div>
<p>In some cases where the node only have internal IP adresses we need to execute:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl get nodes --selector=kubernetes.io/role!=master -o jsonpath={.items[*].status.addresses[?\(@.type==\&quot;InternalIP\&quot;\)].address}</span>
<span class="go">10.192.0.2 10.192.0.3 10.192.0.4</span>
</pre></div>
<p>Open your browser and visit the following URL: <em>http://{node IP address}:{prometheus-svc-nodeport}</em> to load the Prometheus Dashboard.</p>
<p>According to the above example, this URL will be http://10.192.0.3:32630</p>
<p><img alt="Dashboard" src="../../images/prometheus-dashboard.png" /></p>
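Review bot: The sentence introducing the jsonpath command reads "where the node only have internal IP adresses"; fix it in the Markdown source to "where the nodes only have internal IP addresses". The dashboard URL in the same hunk is plain http:// on a NodePort, so the page should also say that the Prometheus UI is then reachable by anything that can route to the node address, and that the NodePort should be restricted or removed after testing.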
@ -1202,7 +1209,6 @@
<div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/monitoring/grafana.yaml</span>
</pre></div>
<div class="codehilite"><pre><span></span><span class="go">kubectl get svc -n ingress-nginx</span>
<span class="go">NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE</span>
<span class="go">default-http-backend ClusterIP 10.103.59.201 &lt;none&gt; 80/TCP 3d</span>
@ -1211,7 +1217,6 @@
<span class="go">grafana NodePort 10.98.233.86 &lt;none&gt; 9090:31086/TCP 10m</span>
</pre></div>
<p>Open your browser and visit the following URL: <em>http://{node IP address}:{grafana-svc-nodeport}</em> to load the Grafana Dashboard.
According to the above example, this URL will be http://10.192.0.3:31086</p>
<p>The username and password is <code class="codehilite">admin</code></p>
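Review bot: The last line of this hunk documents admin as both username and password for a Grafana instance that the preceding steps publish on a NodePort over plain HTTP, with no instruction to change it. Add a sentence telling readers to change the password at first login. The grafana row in the sample output also carries the same ClusterIP (10.98.233.86) and the same 9090 port as the prometheus row in the earlier block, which looks copied; regenerate it from a real `kubectl get svc`.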

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1102,7 +1114,6 @@ you need to specify the annotation <code class="codehilite">kubernetes.io/ingres
<span class="l l-Scalar l-Scalar-Plain">kubernetes.io/ingress.class</span><span class="p p-Indicator">:</span> <span class="s">&quot;gce&quot;</span>
</pre></div>
<p>will target the GCE controller, forcing the nginx controller to ignore it, while an annotation like</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">foo</span>
@ -1110,7 +1121,6 @@ you need to specify the annotation <code class="codehilite">kubernetes.io/ingres
<span class="l l-Scalar l-Scalar-Plain">kubernetes.io/ingress.class</span><span class="p p-Indicator">:</span> <span class="s">&quot;nginx&quot;</span>
</pre></div>
<p>will target the nginx controller, forcing the GCE controller to ignore it.</p>
<p>To reiterate, setting the annotation to any value which does not match a valid ingress class will force the NGINX Ingress controller to ignore your Ingress.
If you are only running a single NGINX ingress controller, this can be achieved by setting the annotation to any value except "nginx" or an empty string.</p>
@ -1132,7 +1142,6 @@ Here is a partial example:</p>
<span class="p p-Indicator">-</span> <span class="s">&#39;--configmap=ingress/nginx-ingress-internal-controller&#39;</span>
</pre></div>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>Deploying multiple Ingress controllers, of different types (e.g., <code class="codehilite">ingress-nginx</code> &amp; <code class="codehilite">gce</code>), and not specifying a class annotation will

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -2003,22 +2015,18 @@ So, at reload, if upstream servers have changed, index values are not guaranteed
<p>In NGINX this feature is implemented by the third party module <a href="https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng">nginx-sticky-module-ng</a>. The workflow used to define which upstream server will be used is explained <a href="https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/raw/08a395c66e425540982c00482f55034e1fee67b6/docs/sticky.pdf">here</a></p>
<h3 id="authentication">Authentication<a class="headerlink" href="#authentication" title="Permanent link">&para;</a></h3>
<p>Is possible to add authentication adding additional annotations in the Ingress rule. The source of the authentication is a secret that contains usernames and passwords inside the key <code class="codehilite">auth</code>.</p>
<p>The annotations are:</p>
<p>The annotations are:
<div class="codehilite"><pre><span></span>nginx.ingress.kubernetes.io/auth-type: [basic|digest]
</pre></div>
</pre></div></p>
<p>Indicates the <a href="https://tools.ietf.org/html/rfc2617">HTTP Authentication Type: Basic or Digest Access Authentication</a>.</p>
<div class="codehilite"><pre><span></span>nginx.ingress.kubernetes.io/auth-secret: secretName
</pre></div>
<p>The name of the Secret that contains the usernames and passwords which are granted access to the <code class="codehilite">path</code>s defined in the Ingress rules.
This annotation also accepts the alternative form "namespace/secretName", in which case the Secret lookup is performed in the referenced namespace instead of the Ingress namespace.</p>
<div class="codehilite"><pre><span></span>nginx.ingress.kubernetes.io/auth-realm: &quot;realm string&quot;
</pre></div>
<div class="admonition example">
<p class="admonition-title">Example</p>
<p>Please check the <a href="../../../examples/auth/basic/README/">auth</a> example.</p>
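Review bot: In the Authentication section the regenerated markup opens a paragraph with "The annotations are:" and closes it only after the code block (</pre></div></p>), which puts a div inside a p. Browsers close the paragraph at the div and are left with a stray </p>. This usually means the Markdown source lost the blank line between the sentence and the code block; restore it so the paragraph and the block are siblings again. The auth-realm annotation at the end of the hunk also has no description, unlike auth-type and auth-secret.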
@ -2085,49 +2093,59 @@ Only one of the Ingress rules should define annotations to configure the upstrea
<span class="no">more_set_headers &quot;Request-Id: $req_id&quot;;</span>
</pre></div>
<h3 id="default-backend">Default Backend<a class="headerlink" href="#default-backend" title="Permanent link">&para;</a></h3>
<p>The ingress controller requires a <a href="../../default-backend/">default backend</a>.
This service handles the response when the service in the Ingress rule does not have endpoints.
This is a global configuration for the ingress controller. In some cases could be required to return a custom content or format. In this scenario we can use the annotation <code class="codehilite">nginx.ingress.kubernetes.io/default-backend: &lt;svc name&gt;</code> to specify a custom default backend.</p>
<h3 id="enable-cors">Enable CORS<a class="headerlink" href="#enable-cors" title="Permanent link">&para;</a></h3>
<p>To enable Cross-Origin Resource Sharing (CORS) in an Ingress rule,
add the annotation <code class="codehilite">nginx.ingress.kubernetes.io/enable-cors: &quot;true&quot;</code>.
This will add a section in the server location enabling this functionality.</p>
<p>To enable Cross-Origin Resource Sharing (CORS) in an Ingress rule, add the annotation
<code class="codehilite">nginx.ingress.kubernetes.io/enable-cors: &quot;true&quot;</code>. This will add a section in the server
location enabling this functionality.</p>
<p>CORS can be controlled with the following annotations:</p>
<ul>
<li><code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-methods</code>
controls which methods are accepted. This is a multi-valued field, separated by ',' and
accepts only letters (upper and lower case).</li>
<li>Default: <code class="codehilite">GET, PUT, POST, DELETE, PATCH, OPTIONS</code></li>
<li>
<p><code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-methods</code>
controls which methods are accepted.
This is a multi-valued field, separated by ',' and accepts only letters (upper and lower case).
Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-methods: &quot;PUT, GET, POST, OPTIONS&quot;</code></p>
<p>Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-methods: &quot;PUT, GET, POST, OPTIONS&quot;</code></p>
</li>
<li>
<p><code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-headers</code>
controls which headers are accepted.
This is a multi-valued field, separated by ',' and accepts letters, numbers, _ and -.
Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-headers: &quot;X-Forwarded-For, X-app123-XPTO&quot;</code></p>
controls which headers are accepted. This is a multi-valued field, separated by ',' and accepts letters,
numbers, _ and -.</p>
</li>
<li>Default: <code class="codehilite">DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization</code></li>
<li>
<p>Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-headers: &quot;X-Forwarded-For, X-app123-XPTO&quot;</code></p>
</li>
<li>
<p><code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-origin</code>
controls what's the accepted Origin for CORS and defaults to '*'.
This is a single field value, with the following format: <code class="codehilite">http(s)://origin-site.com</code> or <code class="codehilite">http(s)://origin-site.com:port</code>
Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-origin: &quot;https://origin-site.com:4443&quot;</code></p>
controls what's the accepted Origin for CORS.
This is a single field value, with the following format: <code class="codehilite">http(s)://origin-site.com</code> or <code class="codehilite">http(s)://origin-site.com:port</code></p>
</li>
<li>Default: <code class="codehilite">*</code></li>
<li>
<p>Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-origin: &quot;https://origin-site.com:4443&quot;</code></p>
</li>
<li>
<p><code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-credentials</code>
controls if credentials can be passed during CORS operations.
Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-credentials: &quot;true&quot;</code></p>
controls if credentials can be passed during CORS operations.</p>
</li>
<li>Default: <code class="codehilite">true</code></li>
<li>
<p>Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-allow-credentials: &quot;false&quot;</code></p>
</li>
<li>
<p><code class="codehilite">nginx.ingress.kubernetes.io/cors-max-age</code>
controls how long preflight requests can be cached.
Default: <code class="codehilite">1728000</code>
Example: <code class="codehilite">nginx.ingress.kubernetes.io/cors-max-age: 600</code></p>
</li>
</ul>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>For more information please see <a href="https://enable-cors.org/server_nginx.html">https://enable-cors.org</a></p>
<p>For more information please see <a href="https://enable-cors.org/server_nginx.html">https://enable-cors.org</a> </p>
</div>
<h3 id="server-alias">Server Alias<a class="headerlink" href="#server-alias" title="Permanent link">&para;</a></h3>
<p>To add Server Aliases to an Ingress rule add the annotation <code class="codehilite">nginx.ingress.kubernetes.io/server-alias: &quot;&lt;alias&gt;&quot;</code>.
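Review bot: The rewritten CORS list states Default: * for cors-allow-origin and Default: true for cors-allow-credentials without explaining how the two interact. Browsers refuse credentialed cross-origin responses whose allowed origin is the wildcard, so the page should tell readers to set an explicit cors-allow-origin when credentials are required, and to set cors-allow-credentials to "false" otherwise. The restructuring also turns each Default and Example into a top-level li, a sibling of the annotation it describes, while cors-max-age keeps the old inline form; nest them under their annotation so the list reads consistently.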
@ -2157,7 +2175,6 @@ the new server configuration will take place over the alias configuration.</p>
<span class="err">}</span>
</pre></div>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>This annotation can be used only once per host.</p>
@ -2187,7 +2204,6 @@ applied to each location provided in the ingress rule.</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/auth-url</span><span class="p p-Indicator">:</span> <span class="s">&quot;URL</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">authentication</span><span class="nv"> </span><span class="s">service&quot;</span>
</pre></div>
<p>Additionally it is possible to set:</p>
<ul>
<li><code class="codehilite">nginx.ingress.kubernetes.io/auth-method</code>:
@ -2299,7 +2315,6 @@ To use custom values in an Ingress rule define these annotation:</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/proxy-body-size</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">8m</span>
</pre></div>
<h3 id="proxy-cookie-domain">Proxy cookie domain<a class="headerlink" href="#proxy-cookie-domain" title="Permanent link">&para;</a></h3>
<p>Sets a text that <a href="http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_domain">should be changed in the domain attribute</a> of the "Set-Cookie" header fields of a proxied server response.</p>
<p>To configure this setting globally for all Ingress rules, the <code class="codehilite">proxy-cookie-domain</code> value may be set in the <a href="../configmap/">NGINX ConfigMap</a>.</p>
@ -2311,43 +2326,36 @@ To use custom values in an Ingress rule define these annotation:</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/proxy-buffering</span><span class="p p-Indicator">:</span> <span class="s">&quot;on&quot;</span>
</pre></div>
<h3 id="proxy-buffer-size">Proxy buffer size<a class="headerlink" href="#proxy-buffer-size" title="Permanent link">&para;</a></h3>
<p>Sets the size of the buffer <a href="http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size"><code class="codehilite">proxy_buffer_size</code></a> used for reading the first part of the response received from the proxied server.
By default proxy buffer size is set as "4k"</p>
<p>To configure this setting globally, set <code class="codehilite">proxy-buffer-size</code> in <a href="../configmap/">NGINX ConfigMap</a>. To use custom values in an Ingress rule, define this annotation:</p>
<p>To configure this setting globally, set <code class="codehilite">proxy-buffer-size</code> in <a href="../configmap/">NGINX ConfigMap</a>. To use custom values in an Ingress rule, define this annotation:
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/proxy-buffer-size</span><span class="p p-Indicator">:</span> <span class="s">&quot;8k&quot;</span>
</pre></div>
</pre></div></p>
<h3 id="ssl-ciphers">SSL ciphers<a class="headerlink" href="#ssl-ciphers" title="Permanent link">&para;</a></h3>
<p>Specifies the <a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers">enabled ciphers</a>.</p>
<p>Using this annotation will set the <code class="codehilite">ssl_ciphers</code> directive at the server level. This configuration is active for all the paths in the host.</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/ssl-ciphers</span><span class="p p-Indicator">:</span> <span class="s">&quot;ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP&quot;</span>
</pre></div>
<h3 id="connection-proxy-header">Connection proxy header<a class="headerlink" href="#connection-proxy-header" title="Permanent link">&para;</a></h3>
<p>Using this annotation will override the default connection header set by NGINX.
To use custom values in an Ingress rule, define the annotation:</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/connection-proxy-header</span><span class="p p-Indicator">:</span> <span class="s">&quot;keep-alive&quot;</span>
</pre></div>
<h3 id="enable-access-log">Enable Access Log<a class="headerlink" href="#enable-access-log" title="Permanent link">&para;</a></h3>
<p>Access logs are enabled by default, but in some scenarios access logs might be required to be disabled for a given
ingress. To do this, use the annotation:</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/enable-access-log</span><span class="p p-Indicator">:</span> <span class="s">&quot;false&quot;</span>
</pre></div>
<h3 id="enable-rewrite-log">Enable Rewrite Log<a class="headerlink" href="#enable-rewrite-log" title="Permanent link">&para;</a></h3>
<p>Rewrite logs are not enabled by default. In some scenarios it could be required to enable NGINX rewrite logs.
Note that rewrite logs are sent to the error_log file at the notice level. To enable this feature use the annotation:</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/enable-rewrite-log</span><span class="p p-Indicator">:</span> <span class="s">&quot;true&quot;</span>
</pre></div>
<h3 id="lua-resty-waf">Lua Resty WAF<a class="headerlink" href="#lua-resty-waf" title="Permanent link">&para;</a></h3>
<p>Using <code class="codehilite">lua-resty-waf-*</code> annotations we can enable and control the <a href="https://github.com/p0pr0ck5/lua-resty-waf">lua-resty-waf</a>
Web Application Firewall per location.</p>
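Review bot: The ssl-ciphers example value in this hunk, "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", enables RC4, LOW, SSLv2 and export-grade suites, and annotation examples tend to be copied verbatim. Replace it with a string limited to strong suites, or state next to it that the value only illustrates the syntax and must not be deployed.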
@ -2355,7 +2363,6 @@ Web Application Firewall per location.</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/lua-resty-waf</span><span class="p p-Indicator">:</span> <span class="s">&quot;active&quot;</span>
</pre></div>
<p>In order to run it in debugging mode you can set <code class="codehilite">nginx.ingress.kubernetes.io/lua-resty-waf-debug</code> to <code class="codehilite">&quot;true&quot;</code> in addition to the above configuration.
The other possible values for <code class="codehilite">nginx.ingress.kubernetes.io/lua-resty-waf</code> are <code class="codehilite">inactive</code> and <code class="codehilite">simulate</code>.
In <code class="codehilite">inactive</code> mode WAF won't do anything, whereas in <code class="codehilite">simulate</code> mode it will log a warning message if there's a matching WAF rule for given request. This is useful to debug a rule and eliminate possible false positives before fully deploying it.</p>
@ -2364,13 +2371,11 @@ You can use <code class="codehilite">nginx.ingress.kubernetes.io/lua-resty-waf-i
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/lua-resty-waf-ignore-rulesets</span><span class="p p-Indicator">:</span> <span class="s">&quot;41000_sqli,</span><span class="nv"> </span><span class="s">42000_xss&quot;</span>
</pre></div>
<p>will ignore the two mentioned rulesets.</p>
<p>It is also possible to configure custom WAF rules per ingress using the <code class="codehilite">nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules</code> annotation. For an example the following snippet will configure a WAF rule to deny requests with query string value that contains word <code class="codehilite">foo</code>:</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules</span><span class="p p-Indicator">:</span> <span class="s">&#39;[=[</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;access&quot;:</span><span class="nv"> </span><span class="s">[</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;actions&quot;:</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;disrupt&quot;</span><span class="nv"> </span><span class="s">:</span><span class="nv"> </span><span class="s">&quot;DENY&quot;</span><span class="nv"> </span><span class="s">},</span><span class="nv"> </span><span class="s">&quot;id&quot;:</span><span class="nv"> </span><span class="s">10001,</span><span class="nv"> </span><span class="s">&quot;msg&quot;:</span><span class="nv"> </span><span class="s">&quot;my</span><span class="nv"> </span><span class="s">custom</span><span class="nv"> </span><span class="s">rule&quot;,</span><span class="nv"> </span><span class="s">&quot;operator&quot;:</span><span class="nv"> </span><span class="s">&quot;STR_CONTAINS&quot;,</span><span class="nv"> </span><span class="s">&quot;pattern&quot;:</span><span class="nv"> </span><span class="s">&quot;foo&quot;,</span><span class="nv"> </span><span class="s">&quot;vars&quot;:</span><span class="nv"> </span><span class="s">[</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;parse&quot;:</span><span class="nv"> </span><span class="s">[</span><span class="nv"> </span><span class="s">&quot;values&quot;,</span><span class="nv"> </span><span class="s">1</span><span class="nv"> </span><span class="s">],</span><span class="nv"> </span><span class="s">&quot;type&quot;:</span><span class="nv"> </span><span class="s">&quot;REQUEST_ARGS&quot;</span><span class="nv"> 
</span><span class="s">}</span><span class="nv"> </span><span class="s">]</span><span class="nv"> </span><span class="s">}</span><span class="nv"> </span><span class="s">],</span><span class="nv"> </span><span class="s">&quot;body_filter&quot;:</span><span class="nv"> </span><span class="s">[],</span><span class="nv"> </span><span class="s">&quot;header_filter&quot;:[]</span><span class="nv"> </span><span class="s">}</span><span class="nv"> </span><span class="s">]=]&#39;</span>
</pre></div>
<p>For details on how to write WAF rules, please refer to <a href="https://github.com/p0pr0ck5/lua-resty-waf">https://github.com/p0pr0ck5/lua-resty-waf</a>.</p>
<h3 id="grpc-backend-deprecated-since-0180">gRPC backend DEPRECATED (since 0.18.0)<a class="headerlink" href="#grpc-backend-deprecated-since-0180" title="Permanent link">&para;</a></h3>
<p>Please use <code class="codehilite">nginx.ingress.kubernetes.io/backend-protocol: &quot;GRPC&quot;</code> or <code class="codehilite">nginx.ingress.kubernetes.io/backend-protocol: &quot;GRPCS&quot;</code></p>
@ -2392,7 +2397,6 @@ using the <a href="https://github.com/influxdata/nginx-influxdb-module/">nginx-i
<span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/influxdb-server-name</span><span class="p p-Indicator">:</span> <span class="s">&quot;nginx-ingress&quot;</span>
</pre></div>
<p>For the <code class="codehilite">influxdb-host</code> parameter you have two options:</p>
<ul>
<li>Use an InfluxDB server configured with the <a href="https://docs.influxdata.com/influxdb/v1.5/supported_protocols/udp/">UDP protocol</a> enabled. </li>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -632,6 +644,13 @@
http2-max-header-size
</a>
</li>
<li class="md-nav__item">
<a href="#http2-max-requests" title="http2-max-requests" class="md-nav__link">
http2-max-requests
</a>
</li>
<li class="md-nav__item">
@ -2018,6 +2037,13 @@
http2-max-header-size
</a>
</li>
<li class="md-nav__item">
<a href="#http2-max-requests" title="http2-max-requests" class="md-nav__link">
http2-max-requests
</a>
</li>
<li class="md-nav__item">
@ -2701,7 +2727,6 @@ you can add key-value pairs to the data section of the config-map. For Example:<
<span class="l l-Scalar l-Scalar-Plain">ssl-protocols</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">SSLv2</span>
</pre></div>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>The key and values in a ConfigMap can only be strings.
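Review bot: The ConfigMap example that ends just above the admonition sets ssl-protocols: SSLv2, which demonstrates the key with a protocol nobody should enable. Use a current value in the sample (for instance "TLSv1.2"), so a reader who pastes the example does not weaken the listener.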
@ -2826,6 +2851,11 @@ Same for numbers, like "100".</p>
<td align="left">"16k"</td>
</tr>
<tr>
<td align="left"><a href="#http2-max-requests">http2-max-requests</a></td>
<td align="left">int</td>
<td align="left">1000</td>
</tr>
<tr>
<td align="left"><a href="#hsts">hsts</a></td>
<td align="left">bool</td>
<td align="left">"true"</td>
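Review bot: The new http2-max-requests row gives its default as 1000 without quotes, while the neighbouring rows show "16k" and "true" and the admonition above the table says numbers must be written as strings, like "100". Quote the default, or say in the column header that it lists the effective value and not the literal to put in the ConfigMap.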
@ -3370,6 +3400,10 @@ Same for numbers, like "100".</p>
<p>Limits the maximum size of the entire request header list after HPACK decompression.</p>
<p><em>References:</em>
<a href="https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_header_size">https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_header_size</a></p>
<h2 id="http2-max-requests">http2-max-requests<a class="headerlink" href="#http2-max-requests" title="Permanent link">&para;</a></h2>
<p>Sets the maximum number of requests (including push requests) that can be served through one HTTP/2 connection, after which the next client request will lead to connection closing and the need of establishing a new connection.</p>
<p><em>References:</em>
<a href="http://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_requests">http://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_requests</a></p>
<h2 id="hsts">hsts<a class="headerlink" href="#hsts" title="Permanent link">&para;</a></h2>
<p>Enables or disables the header HSTS in servers running SSL.
HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature (HTTP header) that tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. It provides protection against protocol downgrade attacks and cookie theft.</p>
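Review bot: the reference added for `http2-max-requests` links to `http://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_requests`, while the `http2-max-header-size` reference just above it uses the `https://nginx.org` form. Suggest switching the new link to https so the docs do not send readers over plain HTTP. The description would also read better as "after which the next client request closes the connection and a new one must be established".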

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1066,7 +1078,6 @@ This includes using a <a href="https://kubernetes.io/docs/concepts/storage/volum
<span class="l l-Scalar l-Scalar-Plain">path</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">nginx.tmpl</span>
</pre></div>
<p><strong>Please note the template is tied to the Go code. Do not change names in the variable <code class="codehilite">$cfg</code>.</strong></p>
<p>For more information about the template syntax please check the <a href="https://golang.org/pkg/text/template/">Go template package</a>.
In addition to the built-in functions provided by the Go package the following functions are also available:</p>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1059,7 +1071,6 @@
<span class="x"> &#39;$upstream_response_length $upstream_response_time $upstream_status&#39;;</span>
</pre></div>
<table>
<thead>
<tr>

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1153,21 +1165,18 @@
<p>Using the third party module <a href="https://github.com/opentracing-contrib/nginx-opentracing">opentracing-contrib/nginx-opentracing</a> the NGINX ingress controller can configure NGINX to enable <a href="http://opentracing.io">OpenTracing</a> instrumentation.
By default this feature is disabled.</p>
<h2 id="usage">Usage<a class="headerlink" href="#usage" title="Permanent link">&para;</a></h2>
<p>To enable the instrumentation we must enable opentracing in the configuration configmap:</p>
<p>To enable the instrumentation we must enable opentracing in the configuration configmap:
<div class="codehilite"><pre><span></span><span class="n">data</span><span class="o">:</span>
<span class="n">enable</span><span class="o">-</span><span class="n">opentracing</span><span class="o">:</span> <span class="s2">&quot;true&quot;</span>
</pre></div>
</pre></div></p>
<p>We must also set the host to use when uploading traces:</p>
<div class="codehilite"><pre><span></span>zipkin-collector-host: zipkin.default.svc.cluster.local
jaeger-collector-host: jaeger-collector.default.svc.cluster.local
</pre></div>
<p>Next you will need to deploy a distributed tracing system which uses OpenTracing. Both <a href="https://github.com/openzipkin/zipkin">Zipkin</a> and
<a href="https://github.com/jaegertracing/jaeger">Jaeger</a> have been tested.</p>
<p>Other optional configuration options:</p>
<p>Other optional configuration options:
<div class="codehilite"><pre><span></span># specifies the port to use when uploading traces
zipkin-collector-port
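Review bot: the regenerated markup for "To enable the instrumentation we must enable opentracing in the configuration configmap:" and "Other optional configuration options:" no longer closes the `<p>` before `<div class="codehilite">` and instead ends the block with `</pre></div></p>`, which places a block-level div inside a paragraph. This usually means the Markdown source lost the blank line between the sentence and the fenced block; restoring that blank line should bring back a separate paragraph and code block.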
@ -1189,9 +1198,7 @@ jaeger-sampler-type
# specifies the argument to be passed to the sampler constructor, Default: 1
jaeger-sampler-param
</pre></div>
</pre></div></p>
<h2 id="examples">Examples<a class="headerlink" href="#examples" title="Permanent link">&para;</a></h2>
<p>The following examples show how to deploy and test different distributed tracing systems. These example can be performed
using Minikube.</p>
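Review bot: the sentence in this hunk's context reads "These example can be performed using Minikube"; it should be "These examples". The options block above it also closes with `</pre></div></p>`, the same paragraph-wrapping problem as in the Usage section, so it is worth fixing both in the Markdown source in one pass.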
@ -1202,7 +1209,6 @@ github repository is an example of a dockerized date service. To install the exa
kubectl create -f https://raw.githubusercontent.com/rnburn/zipkin-date-server/master/kubernetes/deployment.yaml
</pre></div>
<p>Also we need to configure the NGINX controller configmap with the required values:</p>
<div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s1">&#39;</span>
<span class="s1">apiVersion: v1</span>
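Review bot: the `kubectl create -f` line in this hunk's context pulls `deployment.yaml` from the `master` branch of the third-party `rnburn/zipkin-date-server` repository, so what a reader deploys into the cluster can change without this page changing. Suggest pinning the URL to a tag or commit, and telling readers to review the manifest before creating it.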
@ -1216,28 +1222,30 @@ kubectl create -f https://raw.githubusercontent.com/rnburn/zipkin-date-server/ma
<span class="s1">&#39;</span> <span class="p">|</span> kubectl replace -f -
</pre></div>
<p>In the zipkin interface we can see the details:
<img alt="zipkin screenshot" src="../../../images/zipkin-demo.png" title="zipkin collector screenshot" /></p>
<h3 id="jaeger">Jaeger<a class="headerlink" href="#jaeger" title="Permanent link">&para;</a></h3>
<ol>
<li>
<p>Enable Ingress addon in minikube:
<code class="codehilite">$ minikube addons <span class="nb">enable</span> ingress</code></p>
<div class="codehilite"><pre><span></span>$ minikube addons <span class="nb">enable</span> ingress
</pre></div></p>
</li>
<li>
<p>Add minikube IP to /etc/hosts:
<code class="codehilite">$ <span class="nb">echo</span> <span class="s2">&quot;</span><span class="k">$(</span>minikube ip<span class="k">)</span><span class="s2"> example.com&quot;</span> <span class="p">|</span> sudo tee -a /etc/hosts</code></p>
<div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s2">&quot;</span><span class="k">$(</span>minikube ip<span class="k">)</span><span class="s2"> example.com&quot;</span> <span class="p">|</span> sudo tee -a /etc/hosts
</pre></div></p>
</li>
<li>
<p>Apply a Basic Service and Ingress Resource:
```
# Create Echoheaders Deployment
$ kubectl run echoheaders --image=k8s.gcr.io/echoserver:1.4 --replicas=1 --port=8080</p>
<h1 id="expose-as-a-cluster-ip">Expose as a Cluster-IP<a class="headerlink" href="#expose-as-a-cluster-ip" title="Permanent link">&para;</a></h1>
<p>$ kubectl expose deployment echoheaders --port=80 --target-port=8080 --name=echoheaders-x</p>
<h1 id="apply-the-ingress-resource">Apply the Ingress Resource<a class="headerlink" href="#apply-the-ingress-resource" title="Permanent link">&para;</a></h1>
<p>$ echo '
<div class="codehilite"><pre><span></span># Create Echoheaders Deployment
$ kubectl run echoheaders --image=k8s.gcr.io/echoserver:1.4 --replicas=1 --port=8080
# Expose as a Cluster-IP
$ kubectl expose deployment echoheaders --port=80 --target-port=8080 --name=echoheaders-x
# Apply the Ingress Resource
$ echo &#39;
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
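Review bot: step 2 appends to /etc/hosts with `sudo tee -a` and none of the visible steps removes the entry, so rerunning the walkthrough stacks duplicate `example.com` lines and leaves the workstation resolving example.com to the minikube IP afterwards. Suggest adding a closing cleanup step, or a note to remove the line once the example is finished.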
@ -1251,54 +1259,68 @@ kubectl create -f https://raw.githubusercontent.com/rnburn/zipkin-date-server/ma
serviceName: echoheaders-x
servicePort: 80
path: /echo
' | kubectl apply -f -
```</p>
&#39; | kubectl apply -f -
</pre></div></p>
</li>
<li>
<p>Enable OpenTracing and set the zipkin-collector-host:
<code class="codehilite">$ <span class="nb">echo</span> <span class="s1">&#39;</span><span class="s1"> apiVersion: v1</span><span class="s1"> kind: ConfigMap</span><span class="s1"> data:</span><span class="s1"> enable-opentracing: &quot;true&quot;</span><span class="s1"> zipkin-collector-host: zipkin.default.svc.cluster.local</span><span class="s1"> jaeger-collector-host: jaeger-collector.default.svc.cluster.local</span><span class="s1"> metadata:</span><span class="s1"> name: nginx-load-balancer-conf</span><span class="s1"> namespace: kube-system</span><span class="s1"> &#39;</span> <span class="p">|</span> kubectl replace -f -</code></p>
<div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s1">&#39;</span>
<span class="s1"> apiVersion: v1</span>
<span class="s1"> kind: ConfigMap</span>
<span class="s1"> data:</span>
<span class="s1"> enable-opentracing: &quot;true&quot;</span>
<span class="s1"> zipkin-collector-host: zipkin.default.svc.cluster.local</span>
<span class="s1"> jaeger-collector-host: jaeger-collector.default.svc.cluster.local</span>
<span class="s1"> metadata:</span>
<span class="s1"> name: nginx-load-balancer-conf</span>
<span class="s1"> namespace: kube-system</span>
<span class="s1"> &#39;</span> <span class="p">|</span> kubectl replace -f -
</pre></div></p>
</li>
<li>
<p>Apply the Jaeger All-In-One Template:
<code class="codehilite">$ kubectl apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-kubernetes/master/all-in-one/jaeger-all-in-one-template.yml</code></p>
<div class="codehilite"><pre><span></span>$ kubectl apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-kubernetes/master/all-in-one/jaeger-all-in-one-template.yml
</pre></div></p>
</li>
<li>
<p>Make a few requests to the Service:
```
$ curl example.com/echo -d "meow"</p>
<p>CLIENT VALUES:
client_address=172.17.0.5
command=POST
real path=/echo
query=nil
request_version=1.1
request_uri=http://example.com:8080/echo</p>
<p>SERVER VALUES:
server_version=nginx: 1.10.0 - lua: 10001</p>
<p>HEADERS RECEIVED:
accept=<em>/</em>
connection=close
content-length=4
content-type=application/x-www-form-urlencoded
host=example.com
user-agent=curl/7.54.0
x-forwarded-for=192.168.99.1
x-forwarded-host=example.com
x-forwarded-port=80
x-forwarded-proto=http
x-original-uri=/echo
x-real-ip=192.168.99.1
x-scheme=http
<div class="codehilite"><pre><span></span>$ curl example.com/echo -d <span class="s2">&quot;meow&quot;</span>
CLIENT VALUES:
<span class="nv">client_address</span><span class="o">=</span><span class="m">172</span>.17.0.5
<span class="nv">command</span><span class="o">=</span>POST
real <span class="nv">path</span><span class="o">=</span>/echo
<span class="nv">query</span><span class="o">=</span>nil
<span class="nv">request_version</span><span class="o">=</span><span class="m">1</span>.1
<span class="nv">request_uri</span><span class="o">=</span>http://example.com:8080/echo
SERVER VALUES:
<span class="nv">server_version</span><span class="o">=</span>nginx: <span class="m">1</span>.10.0 - lua: <span class="m">10001</span>
HEADERS RECEIVED:
<span class="nv">accept</span><span class="o">=</span>*/*
<span class="nv">connection</span><span class="o">=</span>close
content-length<span class="o">=</span><span class="m">4</span>
content-type<span class="o">=</span>application/x-www-form-urlencoded
<span class="nv">host</span><span class="o">=</span>example.com
user-agent<span class="o">=</span>curl/7.54.0
x-forwarded-for<span class="o">=</span><span class="m">192</span>.168.99.1
x-forwarded-host<span class="o">=</span>example.com
x-forwarded-port<span class="o">=</span><span class="m">80</span>
x-forwarded-proto<span class="o">=</span>http
x-original-uri<span class="o">=</span>/echo
x-real-ip<span class="o">=</span><span class="m">192</span>.168.99.1
x-scheme<span class="o">=</span>http
BODY:
meow
```</p>
</pre></div></p>
</li>
<li>
<p>View the Jaeger UI:
```
$ minikube service jaeger-query --url</p>
<p>http://192.168.99.100:30183
```</p>
<div class="codehilite"><pre><span></span>$ minikube service jaeger-query --url
http://192.168.99.100:30183
</pre></div></p>
<p>In the jaeger interface we can see the details:
<img alt="jaeger screenshot" src="../../../images/jaeger-demo.png" title="jaeger collector screenshot" /></p>
</li>
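Review bot: step 4 of the Jaeger walkthrough is titled "Enable OpenTracing and set the zipkin-collector-host" and its ConfigMap sets both `zipkin-collector-host` and `jaeger-collector-host`, which leaves the reader unsure which collector is meant to receive the traces. Suggest naming `jaeger-collector-host` in the step title and dropping the zipkin key from this example, or stating why both are set. Step 5 also applies `jaeger-all-in-one-template.yml` from the `master` branch; pinning it to a tag or commit would keep the example reproducible.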

View file

@ -358,6 +358,18 @@
<li class="md-nav__item">
<a href="../../deploy/baremetal/" title="Bare-metal considerations" class="md-nav__link">
Bare-metal considerations
</a>
</li>
<li class="md-nav__item">
<a href="../../deploy/rbac/" title="Role Based Access Control (RBAC)" class="md-nav__link">
Role Based Access Control (RBAC)
@ -1209,12 +1221,10 @@
<div class="codehilite"><pre><span></span>$ openssl req -x509 -nodes -days <span class="m">365</span> -newkey rsa:2048 -keyout <span class="si">${</span><span class="nv">KEY_FILE</span><span class="si">}</span> -out <span class="si">${</span><span class="nv">CERT_FILE</span><span class="si">}</span> -subj <span class="s2">&quot;/CN=</span><span class="si">${</span><span class="nv">HOST</span><span class="si">}</span><span class="s2">/O=</span><span class="si">${</span><span class="nv">HOST</span><span class="si">}</span><span class="s2">&quot;</span><span class="sb">`</span>
</pre></div>
<p>Then create the secret in the cluster via:</p>
<div class="codehilite"><pre><span></span>kubectl create secret tls <span class="si">${</span><span class="nv">CERT_NAME</span><span class="si">}</span> --key <span class="si">${</span><span class="nv">KEY_FILE</span><span class="si">}</span> --cert <span class="si">${</span><span class="nv">CERT_FILE</span><span class="si">}</span>
</pre></div>
<p>The resulting secret will be of type <code class="codehilite">kubernetes.io/tls</code>.</p>
<h2 id="default-ssl-certificate">Default SSL Certificate<a class="headerlink" href="#default-ssl-certificate" title="Permanent link">&para;</a></h2>
<p>NGINX provides the option to configure a server as a catch-all with
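Review bot: the `openssl req` line at the top of this hunk ends with a stray backtick after the closing quote of the `-subj` argument, so pasting it into a shell opens an unterminated command substitution instead of running the command. Suggest removing the backtick in the Markdown source; while there, quoting `${KEY_FILE}` and `${CERT_FILE}` in both commands would keep paths containing spaces working.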
@ -1265,7 +1275,6 @@ by monitoring ingress resources and their referenced secrets.</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl annotate ing ingress-demo kubernetes.io/tls-acme=&quot;true&quot;</span>
</pre></div>
<p>To setup Kube-Lego you can take a look at this <a href="https://github.com/jetstack/kube-lego/tree/master/examples">full example</a>.
The first version to fully support Kube-Lego is Nginx Ingress controller 0.8.</p>
<h2 id="default-tls-version-and-ciphers">Default TLS Version and Ciphers<a class="headerlink" href="#default-tls-version-and-ciphers" title="Permanent link">&para;</a></h2>