diff --git a/controllers/nginx/Changelog.md b/controllers/nginx/Changelog.md index a7dc039c4..d43193036 100644 --- a/controllers/nginx/Changelog.md +++ b/controllers/nginx/Changelog.md 
@@ -1,5 +1,165 @@ Changelog +Changelog + +### 0.9-beta.12 + +**Image:** `gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12` + +*Breaking changes:* + +- SSL passthrough is disabled by default. To enable the feature use `--enable-ssl-passthrough` + +*New Features:* + +- Support for arm64 +- New flags to customize listen ports +- Per minute rate limiting +- Rate limit whitelist +- Configuration of nginx worker timeout (to avoid zombie nginx workers processes) +- Redirects from non-www to www +- Custom default backend (per Ingress) +- Graceful shutdown for NGINX + +*Changes:* + +- [X] [#977](https://github.com/kubernetes/ingress/pull/977) Add sort-backends command line option +- [X] [#981](https://github.com/kubernetes/ingress/pull/981) Add annotation to allow use of service ClusterIP for NGINX upstream. +- [X] [#991](https://github.com/kubernetes/ingress/pull/991) Remove secret sync loop +- [X] [#992](https://github.com/kubernetes/ingress/pull/992) Check errors generating pem files +- [X] [#993](https://github.com/kubernetes/ingress/pull/993) Fix the sed command to work on macOS +- [X] [#1013](https://github.com/kubernetes/ingress/pull/1013) The fields of vtsDate are unified in the form of plural +- [X] [#1025](https://github.com/kubernetes/ingress/pull/1025) Fix file watch +- [X] [#1027](https://github.com/kubernetes/ingress/pull/1027) Lint code +- [X] [#1031](https://github.com/kubernetes/ingress/pull/1031) Change missing secret name log level to V(3) +- [X] [#1032](https://github.com/kubernetes/ingress/pull/1032) Alternative syncSecret approach #1030 +- [X] [#1042](https://github.com/kubernetes/ingress/pull/1042) Add function to allow custom values in Ingress status +- [X] [#1043](https://github.com/kubernetes/ingress/pull/1043) Return reference to object providing Endpoint +- [X] [#1046](https://github.com/kubernetes/ingress/pull/1046) Add field FileSHA in BasicDigest struct +- [X] [#1058](https://github.com/kubernetes/ingress/pull/1058) add per 
minute rate limiting +- [X] [#1060](https://github.com/kubernetes/ingress/pull/1060) Update fsnotify dependency to fix arm64 issue +- [X] [#1065](https://github.com/kubernetes/ingress/pull/1065) Add more descriptive steps in Dev Documentation +- [X] [#1073](https://github.com/kubernetes/ingress/pull/1073) Release nginx-slim 0.22 +- [X] [#1074](https://github.com/kubernetes/ingress/pull/1074) Remove lua and use fastcgi to render errors +- [X] [#1075](https://github.com/kubernetes/ingress/pull/1075) (feat/ #374) support proxy timeout +- [X] [#1076](https://github.com/kubernetes/ingress/pull/1076) Add more ssl test cases +- [X] [#1078](https://github.com/kubernetes/ingress/pull/1078) fix the same udp port and tcp port, update nginx.conf error +- [X] [#1080](https://github.com/kubernetes/ingress/pull/1080) Disable platform s390x +- [X] [#1081](https://github.com/kubernetes/ingress/pull/1081) Spit Static check and Coverage in diff Stages of Travis CI +- [X] [#1082](https://github.com/kubernetes/ingress/pull/1082) Fix build tasks +- [X] [#1087](https://github.com/kubernetes/ingress/pull/1087) Release nginx-slim 0.23 +- [X] [#1088](https://github.com/kubernetes/ingress/pull/1088) Configure nginx worker timeout +- [X] [#1089](https://github.com/kubernetes/ingress/pull/1089) Update nginx to 1.13.4 +- [X] [#1098](https://github.com/kubernetes/ingress/pull/1098) Exposing the event recorder to allow other controllers to create events +- [X] [#1102](https://github.com/kubernetes/ingress/pull/1102) Fix lose SSL Passthrough +- [X] [#1104](https://github.com/kubernetes/ingress/pull/1104) Simplify verification of hostname in ssl certificates +- [X] [#1109](https://github.com/kubernetes/ingress/pull/1109) Cleanup remote address in nginx template +- [X] [#1110](https://github.com/kubernetes/ingress/pull/1110) Fix Endpoint comparison +- [X] [#1118](https://github.com/kubernetes/ingress/pull/1118) feat(#733)Support nginx bandwidth control +- [X] 
[#1124](https://github.com/kubernetes/ingress/pull/1124) check fields len in dns.go +- [X] [#1130](https://github.com/kubernetes/ingress/pull/1130) Update nginx.go +- [X] [#1134](https://github.com/kubernetes/ingress/pull/1134) replace deprecated interface with versioned ones +- [X] [#1136](https://github.com/kubernetes/ingress/pull/1136) Fix status update - changed in #1074 +- [X] [#1138](https://github.com/kubernetes/ingress/pull/1138) update nginx.go: preformance improve +- [X] [#1139](https://github.com/kubernetes/ingress/pull/1139) Fix Todo:convert sequence to table +- [X] [#1162](https://github.com/kubernetes/ingress/pull/1162) Optimize CI build time +- [X] [#1164](https://github.com/kubernetes/ingress/pull/1164) Use variable request_uri as redirect after auth +- [X] [#1179](https://github.com/kubernetes/ingress/pull/1179) Fix sticky upstream not used when enable rewrite +- [X] [#1184](https://github.com/kubernetes/ingress/pull/1184) Add support for temporal and permanent redirects +- [X] [#1185](https://github.com/kubernetes/ingress/pull/1185) Add more info about Server-Alias usage +- [X] [#1186](https://github.com/kubernetes/ingress/pull/1186) Add annotation for client-body-buffer-size per location +- [X] [#1190](https://github.com/kubernetes/ingress/pull/1190) Add flag to disable SSL passthrough +- [X] [#1193](https://github.com/kubernetes/ingress/pull/1193) fix broken link +- [X] [#1198](https://github.com/kubernetes/ingress/pull/1198) Add option for specific scheme for base url +- [X] [#1202](https://github.com/kubernetes/ingress/pull/1202) formatIP issue +- [X] [#1203](https://github.com/kubernetes/ingress/pull/1203) NGINX not reloading correctly +- [X] [#1204](https://github.com/kubernetes/ingress/pull/1204) Fix template error +- [X] [#1205](https://github.com/kubernetes/ingress/pull/1205) Add initial sync of secrets +- [X] [#1206](https://github.com/kubernetes/ingress/pull/1206) Update ssl-passthrough docs +- [X] 
[#1207](https://github.com/kubernetes/ingress/pull/1207) delete broken link +- [X] [#1208](https://github.com/kubernetes/ingress/pull/1208) fix some typo +- [X] [#1210](https://github.com/kubernetes/ingress/pull/1210) add rate limit whitelist +- [X] [#1215](https://github.com/kubernetes/ingress/pull/1215) Replace base64 encoding with random uuid +- [X] [#1218](https://github.com/kubernetes/ingress/pull/1218) Trivial fixes in core/pkg/net +- [X] [#1219](https://github.com/kubernetes/ingress/pull/1219) keep zones unique per ingress resource +- [X] [#1221](https://github.com/kubernetes/ingress/pull/1221) Move certificate authentication from location to server +- [X] [#1223](https://github.com/kubernetes/ingress/pull/1223) Add doc for non-www to www annotation +- [X] [#1224](https://github.com/kubernetes/ingress/pull/1224) refactor rate limit whitelist +- [X] [#1226](https://github.com/kubernetes/ingress/pull/1226) Remove useless variable in nginx.tmpl +- [X] [#1227](https://github.com/kubernetes/ingress/pull/1227) Update annotations doc with base-url-scheme +- [X] [#1233](https://github.com/kubernetes/ingress/pull/1233) Fix ClientBodyBufferSize annotation +- [X] [#1234](https://github.com/kubernetes/ingress/pull/1234) Lint code +- [X] [#1235](https://github.com/kubernetes/ingress/pull/1235) Fix Equal comparison +- [X] [#1236](https://github.com/kubernetes/ingress/pull/1236) Add Validation for Client Body Buffer Size +- [X] [#1238](https://github.com/kubernetes/ingress/pull/1238) Add support for 'client_body_timeout' and 'client_header_timeout' +- [X] [#1239](https://github.com/kubernetes/ingress/pull/1239) Add flags to customize listen ports and detect port collisions +- [X] [#1243](https://github.com/kubernetes/ingress/pull/1243) Add support for access-log-path and error-log-path +- [X] [#1244](https://github.com/kubernetes/ingress/pull/1244) Add custom default backend annotation +- [X] [#1246](https://github.com/kubernetes/ingress/pull/1246) Add additional headers 
when custom default backend is used +- [X] [#1247](https://github.com/kubernetes/ingress/pull/1247) Make Ingress annotations available in template +- [X] [#1248](https://github.com/kubernetes/ingress/pull/1248) Improve nginx controller performance +- [X] [#1254](https://github.com/kubernetes/ingress/pull/1254) fix Type transform panic +- [X] [#1257](https://github.com/kubernetes/ingress/pull/1257) Graceful shutdown for Nginx +- [X] [#1261](https://github.com/kubernetes/ingress/pull/1261) Add support for 'worker-shutdown-timeout' + + +*Documentation:* + +- [X] [#976](https://github.com/kubernetes/ingress/pull/976) Update annotations doc +- [X] [#979](https://github.com/kubernetes/ingress/pull/979) Missing auth example +- [X] [#980](https://github.com/kubernetes/ingress/pull/980) Add nginx basic auth example +- [X] [#1001](https://github.com/kubernetes/ingress/pull/1001) examples/nginx/rbac: Give access to own namespace +- [X] [#1005](https://github.com/kubernetes/ingress/pull/1005) Update configuration.md +- [X] [#1018](https://github.com/kubernetes/ingress/pull/1018) add docs for `proxy-set-headers` and `add-headers` +- [X] [#1038](https://github.com/kubernetes/ingress/pull/1038) typo / spelling in README.md +- [X] [#1039](https://github.com/kubernetes/ingress/pull/1039) typo in examples/tcp/nginx/README.md +- [X] [#1049](https://github.com/kubernetes/ingress/pull/1049) Fix config name in the example. 
+- [X] [#1054](https://github.com/kubernetes/ingress/pull/1054) Fix link to UDP example +- [X] [#1084](https://github.com/kubernetes/ingress/pull/1084) (issue #310)Fix some broken link +- [X] [#1103](https://github.com/kubernetes/ingress/pull/1103) Add GoDoc Widget +- [X] [#1105](https://github.com/kubernetes/ingress/pull/1105) Make Readme file more readable +- [X] [#1106](https://github.com/kubernetes/ingress/pull/1106) Update annotations.md +- [X] [#1107](https://github.com/kubernetes/ingress/pull/1107) Fix Broken Link +- [X] [#1119](https://github.com/kubernetes/ingress/pull/1119) fix typos in controllers/nginx/README.md +- [X] [#1122](https://github.com/kubernetes/ingress/pull/1122) Fix broken link +- [X] [#1131](https://github.com/kubernetes/ingress/pull/1131) Add short help doc in configuration for nginx limit rate +- [X] [#1143](https://github.com/kubernetes/ingress/pull/1143) Minor Typo Fix +- [X] [#1144](https://github.com/kubernetes/ingress/pull/1144) Minor Typo fix +- [X] [#1145](https://github.com/kubernetes/ingress/pull/1145) Minor Typo fix +- [X] [#1146](https://github.com/kubernetes/ingress/pull/1146) Fix Minor Typo in Readme +- [X] [#1147](https://github.com/kubernetes/ingress/pull/1147) Minor Typo Fix +- [X] [#1148](https://github.com/kubernetes/ingress/pull/1148) Minor Typo Fix in Getting-Started.md +- [X] [#1149](https://github.com/kubernetes/ingress/pull/1149) Fix Minor Typo in TLS authentication +- [X] [#1150](https://github.com/kubernetes/ingress/pull/1150) Fix Minor Typo in Customize the HAProxy configuration +- [X] [#1151](https://github.com/kubernetes/ingress/pull/1151) Fix Minor Typo in customization custom-template +- [X] [#1152](https://github.com/kubernetes/ingress/pull/1152) Fix minor typo in HAProxy Multi TLS certificate termination +- [X] [#1153](https://github.com/kubernetes/ingress/pull/1153) Fix minor typo in Multi TLS certificate termination +- [X] [#1154](https://github.com/kubernetes/ingress/pull/1154) Fix minor typo in Role 
Based Access Control +- [X] [#1155](https://github.com/kubernetes/ingress/pull/1155) Fix minor typo in TCP loadbalancing +- [X] [#1156](https://github.com/kubernetes/ingress/pull/1156) Fix minor typo in UDP loadbalancing +- [X] [#1157](https://github.com/kubernetes/ingress/pull/1157) Fix minor typos in Prerequisites +- [X] [#1158](https://github.com/kubernetes/ingress/pull/1158) Fix minor typo in Ingress examples +- [X] [#1159](https://github.com/kubernetes/ingress/pull/1159) Fix minor typos in Ingress admin guide +- [X] [#1160](https://github.com/kubernetes/ingress/pull/1160) Fix a broken href and typo in Ingress FAQ +- [X] [#1165](https://github.com/kubernetes/ingress/pull/1165) Update CONTRIBUTING.md +- [X] [#1168](https://github.com/kubernetes/ingress/pull/1168) finx link to running-locally.md +- [X] [#1170](https://github.com/kubernetes/ingress/pull/1170) Update dead link in nginx/HTTPS section +- [X] [#1172](https://github.com/kubernetes/ingress/pull/1172) Update README.md +- [X] [#1173](https://github.com/kubernetes/ingress/pull/1173) Update admin.md +- [X] [#1174](https://github.com/kubernetes/ingress/pull/1174) fix several titles +- [X] [#1177](https://github.com/kubernetes/ingress/pull/1177) fix typos +- [X] [#1188](https://github.com/kubernetes/ingress/pull/1188) Fix minor typo +- [X] [#1189](https://github.com/kubernetes/ingress/pull/1189) Fix sign in URL redirect parameter +- [X] [#1192](https://github.com/kubernetes/ingress/pull/1192) Update README.md +- [X] [#1195](https://github.com/kubernetes/ingress/pull/1195) Update troubleshooting.md +- [X] [#1196](https://github.com/kubernetes/ingress/pull/1196) Update README.md +- [X] [#1209](https://github.com/kubernetes/ingress/pull/1209) Update README.md +- [X] [#1085](https://github.com/kubernetes/ingress/pull/1085) Fix ConfigMap's namespace in custom configuration example for nginx +- [X] [#1142](https://github.com/kubernetes/ingress/pull/1142) Fix typo in multiple docs +- [X] 
[#1228](https://github.com/kubernetes/ingress/pull/1228) Update release doc in getting-started.md +- [X] [#1230](https://github.com/kubernetes/ingress/pull/1230) Update godep guide link + + ### 0.9-beta.11 **Image:** `gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11` @@ -111,7 +271,7 @@ Fix release 0.9-beta.9 - [X] [#829](https://github.com/kubernetes/ingress/pull/829) feat(template): wrap IPv6 addresses in [] - [X] [#786](https://github.com/kubernetes/ingress/pull/786) Update echoserver image version in examples - [X] [#825](https://github.com/kubernetes/ingress/pull/825) Create or delete ingress based on class annotation -- [X] [#790](https://github.com/kubernetes/ingress/pull/790) #789 removing duplicate X-Real-IP header +- [X] [#790](https://github.com/kubernetes/ingress/pull/790) #789 removing duplicate X-Real-IP header - [X] [#792](https://github.com/kubernetes/ingress/pull/792) Avoid checking if the controllers are synced - [X] [#798](https://github.com/kubernetes/ingress/pull/798) nginx: RBAC for leader election - [X] [#799](https://github.com/kubernetes/ingress/pull/799) could not build variables_hash @@ -134,7 +294,7 @@ Fix release 0.9-beta.9 *Changes:* -- [X] [#777](https://github.com/kubernetes/ingress/pull/777) Update sniff parser to fix index out of bound error +- [X] [#777](https://github.com/kubernetes/ingress/pull/777) Update sniff parser to fix index out of bound error ### 0.9-beta.6 
@@ -191,8 +351,8 @@ Fix release 0.9-beta.9 - [X] [#663](https://github.com/kubernetes/ingress/pull/663) Remove helper required in go < 1.8 - [X] [#662](https://github.com/kubernetes/ingress/pull/662) Add debug information about ingress class -- [X] [#661](https://github.com/kubernetes/ingress/pull/661) Avoid running nginx if the configuration file is empty -- [X] [#660](https://github.com/kubernetes/ingress/pull/660) Rollback queue refactoring +- [X] [#661](https://github.com/kubernetes/ingress/pull/661) Avoid running nginx if the configuration file is empty +- [X] [#660](https://github.com/kubernetes/ingress/pull/660) Rollback queue refactoring - [X] [#654](https://github.com/kubernetes/ingress/pull/654) Update go version to 1.8 
@@ -222,13 +382,13 @@ Fix release 0.9-beta.9 - [X] [#595](https://github.com/kubernetes/ingress/pull/595) Remove Host header from auth_request proxy configuration - [X] [#588](https://github.com/kubernetes/ingress/pull/588) Read resolv.conf file just once - [X] [#586](https://github.com/kubernetes/ingress/pull/586) Updated instructions to create an ingress controller build -- [X] [#583](https://github.com/kubernetes/ingress/pull/583) fixed lua_package_path in nginx.tmpl +- [X] [#583](https://github.com/kubernetes/ingress/pull/583) fixed lua_package_path in nginx.tmpl - [X] [#580](https://github.com/kubernetes/ingress/pull/580) Updated faq for running multiple ingress controller - [X] [#579](https://github.com/kubernetes/ingress/pull/579) Detect if the ingress controller is running with multiple replicas - [X] [#578](https://github.com/kubernetes/ingress/pull/578) Set different listeners per protocol version - [X] [#577](https://github.com/kubernetes/ingress/pull/577) Avoid zombie child processes - [X] [#576](https://github.com/kubernetes/ingress/pull/576) Replace secret workqueue -- [X] [#568](https://github.com/kubernetes/ingress/pull/568) Revert merge annotations to the implicit root context +- [X] [#568](https://github.com/kubernetes/ingress/pull/568) Revert merge annotations to the implicit root context - [X] [#563](https://github.com/kubernetes/ingress/pull/563) Add option to disable hsts preload - [X] [#560](https://github.com/kubernetes/ingress/pull/560) Fix intermittent misconfiguration of backend.secure and SessionAffinity - [X] [#556](https://github.com/kubernetes/ingress/pull/556) Update nginx version and remove dumb-init 
@@ -252,7 +412,7 @@ Fix release 0.9-beta.9 - [X] [#512](https://github.com/kubernetes/ingress/pull/512) Fix typos regarding the ssl-passthrough annotation documentation - [X] [#505](https://github.com/kubernetes/ingress/pull/505) add unit test cases for core/pkg/ingress/controller/annotations - [X] [#503](https://github.com/kubernetes/ingress/pull/503) Add example for nginx in aws -- [X] [#502](https://github.com/kubernetes/ingress/pull/502) Add information about SSL Passthrough annotation +- [X] [#502](https://github.com/kubernetes/ingress/pull/502) Add information about SSL Passthrough annotation - [X] [#500](https://github.com/kubernetes/ingress/pull/500) Improve TLS secret configuration - [X] [#498](https://github.com/kubernetes/ingress/pull/498) Proper enqueue a secret on the secret queue - [X] [#493](https://github.com/kubernetes/ingress/pull/493) Update nginx and vts module @@ -261,7 +421,7 @@ Fix release 0.9-beta.9 - [X] [#485](https://github.com/kubernetes/ingress/pull/485) Fix typo nginx configMap vts metrics customization - [X] [#481](https://github.com/kubernetes/ingress/pull/481) Remove unnecessary quote in nginx log format - [X] [#471](https://github.com/kubernetes/ingress/pull/471) prometheus scrape annotations -- [X] [#460](https://github.com/kubernetes/ingress/pull/460) add example of 'run multiple haproxy ingress controllers as a deployment' +- [X] [#460](https://github.com/kubernetes/ingress/pull/460) add example of 'run multiple haproxy ingress controllers as a deployment' - [X] [#459](https://github.com/kubernetes/ingress/pull/459) Add information about SSL certificates in the default log level - [X] [#456](https://github.com/kubernetes/ingress/pull/456) Avoid upstreams with multiple servers with the same port - [X] [#454](https://github.com/kubernetes/ingress/pull/454) Pass request port to real server 
@@ -293,55 +453,55 @@ Fix release 0.9-beta.9 *Changes:* -- [X] [#433](https://github.com/kubernetes/ingress/pull/433) close over the ingress variable or the last assignment will be used -- [X] [#424](https://github.com/kubernetes/ingress/pull/424) Manually sync secrets from certificate authentication annotations -- [X] [#423](https://github.com/kubernetes/ingress/pull/423) Scrap json metrics from nginx vts module when enabled -- [X] [#418](https://github.com/kubernetes/ingress/pull/418) Only update Ingress status for the configured class -- [X] [#415](https://github.com/kubernetes/ingress/pull/415) Improve external authentication docs -- [X] [#410](https://github.com/kubernetes/ingress/pull/410) Add support for "signin url" -- [X] [#409](https://github.com/kubernetes/ingress/pull/409) Allow custom http2 header sizes -- [X] [#408](https://github.com/kubernetes/ingress/pull/408) Review docs -- [X] [#406](https://github.com/kubernetes/ingress/pull/406) Add debug info and fix spelling -- [X] [#402](https://github.com/kubernetes/ingress/pull/402) allow specifying custom dh param +- [X] [#433](https://github.com/kubernetes/ingress/pull/433) close over the ingress variable or the last assignment will be used +- [X] [#424](https://github.com/kubernetes/ingress/pull/424) Manually sync secrets from certificate authentication annotations +- [X] [#423](https://github.com/kubernetes/ingress/pull/423) Scrap json metrics from nginx vts module when enabled +- [X] [#418](https://github.com/kubernetes/ingress/pull/418) Only update Ingress status for the configured class +- [X] [#415](https://github.com/kubernetes/ingress/pull/415) Improve external authentication docs +- [X] [#410](https://github.com/kubernetes/ingress/pull/410) Add support for "signin url" +- [X] [#409](https://github.com/kubernetes/ingress/pull/409) Allow custom http2 header sizes +- [X] [#408](https://github.com/kubernetes/ingress/pull/408) Review docs +- [X] [#406](https://github.com/kubernetes/ingress/pull/406) 
Add debug info and fix spelling +- [X] [#402](https://github.com/kubernetes/ingress/pull/402) allow specifying custom dh param - [X] [#397](https://github.com/kubernetes/ingress/pull/397) Fix external auth -- [X] [#394](https://github.com/kubernetes/ingress/pull/394) Update README.md +- [X] [#394](https://github.com/kubernetes/ingress/pull/394) Update README.md - [X] [#392](https://github.com/kubernetes/ingress/pull/392) Fix http2 header size -- [X] [#391](https://github.com/kubernetes/ingress/pull/391) remove tmp nginx-diff files -- [X] [#390](https://github.com/kubernetes/ingress/pull/390) Fix RateLimit comment -- [X] [#385](https://github.com/kubernetes/ingress/pull/385) add Copyright -- [X] [#382](https://github.com/kubernetes/ingress/pull/382) Ingress Fake Certificate generation -- [X] [#380](https://github.com/kubernetes/ingress/pull/380) Fix custom log format -- [X] [#373](https://github.com/kubernetes/ingress/pull/373) Cleanup -- [X] [#371](https://github.com/kubernetes/ingress/pull/371) add configuration to disable listening on ipv6 -- [X] [#370](https://github.com/kubernetes/ingress/pull/270) Add documentation for ingress.kubernetes.io/force-ssl-redirect -- [X] [#369](https://github.com/kubernetes/ingress/pull/369) Minor text fix for "ApiServer" +- [X] [#391](https://github.com/kubernetes/ingress/pull/391) remove tmp nginx-diff files +- [X] [#390](https://github.com/kubernetes/ingress/pull/390) Fix RateLimit comment +- [X] [#385](https://github.com/kubernetes/ingress/pull/385) add Copyright +- [X] [#382](https://github.com/kubernetes/ingress/pull/382) Ingress Fake Certificate generation +- [X] [#380](https://github.com/kubernetes/ingress/pull/380) Fix custom log format +- [X] [#373](https://github.com/kubernetes/ingress/pull/373) Cleanup +- [X] [#371](https://github.com/kubernetes/ingress/pull/371) add configuration to disable listening on ipv6 +- [X] [#370](https://github.com/kubernetes/ingress/pull/270) Add documentation for 
ingress.kubernetes.io/force-ssl-redirect +- [X] [#369](https://github.com/kubernetes/ingress/pull/369) Minor text fix for "ApiServer" - [X] [#367](https://github.com/kubernetes/ingress/pull/367) BuildLogFormatUpstream was always using the default log-format -- [X] [#366](https://github.com/kubernetes/ingress/pull/366) add_judgment -- [X] [#365](https://github.com/kubernetes/ingress/pull/365) add ForceSSLRedirect ingress annotation -- [X] [#364](https://github.com/kubernetes/ingress/pull/364) Fix error caused by increasing proxy_buffer_size (#363) -- [X] [#362](https://github.com/kubernetes/ingress/pull/362) Fix ingress class -- [X] [#360](https://github.com/kubernetes/ingress/pull/360) add example of 'run multiple nginx ingress controllers as a deployment' -- [X] [#358](https://github.com/kubernetes/ingress/pull/358) Checks if the TLS secret contains a valid keypair structure -- [X] [#356](https://github.com/kubernetes/ingress/pull/356) Disable listen only on ipv6 and fix proxy_protocol -- [X] [#354](https://github.com/kubernetes/ingress/pull/354) add judgment -- [X] [#352](https://github.com/kubernetes/ingress/pull/352) Add ability to customize upstream and stream log format -- [X] [#351](https://github.com/kubernetes/ingress/pull/351) Enable custom election id for status sync. 
-- [X] [#347](https://github.com/kubernetes/ingress/pull/347) Fix client source IP address +- [X] [#366](https://github.com/kubernetes/ingress/pull/366) add_judgment +- [X] [#365](https://github.com/kubernetes/ingress/pull/365) add ForceSSLRedirect ingress annotation +- [X] [#364](https://github.com/kubernetes/ingress/pull/364) Fix error caused by increasing proxy_buffer_size (#363) +- [X] [#362](https://github.com/kubernetes/ingress/pull/362) Fix ingress class +- [X] [#360](https://github.com/kubernetes/ingress/pull/360) add example of 'run multiple nginx ingress controllers as a deployment' +- [X] [#358](https://github.com/kubernetes/ingress/pull/358) Checks if the TLS secret contains a valid keypair structure +- [X] [#356](https://github.com/kubernetes/ingress/pull/356) Disable listen only on ipv6 and fix proxy_protocol +- [X] [#354](https://github.com/kubernetes/ingress/pull/354) add judgment +- [X] [#352](https://github.com/kubernetes/ingress/pull/352) Add ability to customize upstream and stream log format +- [X] [#351](https://github.com/kubernetes/ingress/pull/351) Enable custom election id for status sync. +- [X] [#347](https://github.com/kubernetes/ingress/pull/347) Fix client source IP address - [X] [#345](https://github.com/kubernetes/ingress/pull/345) Fix lint error -- [X] [#344](https://github.com/kubernetes/ingress/pull/344) Refactoring of TCP and UDP services -- [X] [#343](https://github.com/kubernetes/ingress/pull/343) Fix node lister when --watch-namespace is used -- [X] [#341](https://github.com/kubernetes/ingress/pull/341) Do not run coverage check in the default target. 
-- [X] [#340](https://github.com/kubernetes/ingress/pull/340) Add support for specify proxy cookie path/domain -- [X] [#337](https://github.com/kubernetes/ingress/pull/337) Fix for formatting error introduced in #304 -- [X] [#335](https://github.com/kubernetes/ingress/pull/335) Fix for vet complaints: -- [X] [#332](https://github.com/kubernetes/ingress/pull/332) Add annotation to customize nginx configuration -- [X] [#331](https://github.com/kubernetes/ingress/pull/331) Correct spelling mistake -- [X] [#328](https://github.com/kubernetes/ingress/pull/328) fix misspell "affinity" in main.go -- [X] [#326](https://github.com/kubernetes/ingress/pull/326) add nginx daemonset example -- [X] [#311](https://github.com/kubernetes/ingress/pull/311) Sort stream service ports to avoid extra reloads +- [X] [#344](https://github.com/kubernetes/ingress/pull/344) Refactoring of TCP and UDP services +- [X] [#343](https://github.com/kubernetes/ingress/pull/343) Fix node lister when --watch-namespace is used +- [X] [#341](https://github.com/kubernetes/ingress/pull/341) Do not run coverage check in the default target. 
+- [X] [#340](https://github.com/kubernetes/ingress/pull/340) Add support for specify proxy cookie path/domain +- [X] [#337](https://github.com/kubernetes/ingress/pull/337) Fix for formatting error introduced in #304 +- [X] [#335](https://github.com/kubernetes/ingress/pull/335) Fix for vet complaints: +- [X] [#332](https://github.com/kubernetes/ingress/pull/332) Add annotation to customize nginx configuration +- [X] [#331](https://github.com/kubernetes/ingress/pull/331) Correct spelling mistake +- [X] [#328](https://github.com/kubernetes/ingress/pull/328) fix misspell "affinity" in main.go +- [X] [#326](https://github.com/kubernetes/ingress/pull/326) add nginx daemonset example +- [X] [#311](https://github.com/kubernetes/ingress/pull/311) Sort stream service ports to avoid extra reloads - [X] [#307](https://github.com/kubernetes/ingress/pull/307) Add docs for body-size annotation -- [X] [#306](https://github.com/kubernetes/ingress/pull/306) modify nginx readme -- [X] [#304](https://github.com/kubernetes/ingress/pull/304) change 'buildSSPassthrouthUpstreams' to 'buildSSLPassthroughUpstreams' +- [X] [#306](https://github.com/kubernetes/ingress/pull/306) modify nginx readme +- [X] [#304](https://github.com/kubernetes/ingress/pull/304) change 'buildSSPassthrouthUpstreams' to 'buildSSLPassthroughUpstreams' ### 0.9-beta.2 
@@ -382,9 +542,9 @@ Fix release 0.9-beta.9 - [X] [#227](https://github.com/kubernetes/ingress/pull/227) proxy_protocol on ssl_passthrough listener - [X] [#223](https://github.com/kubernetes/ingress/pull/223) Fix panic if a tempfile cannot be created - [X] [#220](https://github.com/kubernetes/ingress/pull/220) Fixes for minikube usage instructions. -- [X] [#219](https://github.com/kubernetes/ingress/pull/219) Fix typo, add a couple of links. +- [X] [#219](https://github.com/kubernetes/ingress/pull/219) Fix typo, add a couple of links. - [X] [#218](https://github.com/kubernetes/ingress/pull/218) Improve links from CONTRIBUTING. -- [X] [#217](https://github.com/kubernetes/ingress/pull/217) Fix an e2e link. +- [X] [#217](https://github.com/kubernetes/ingress/pull/217) Fix an e2e link. - [X] [#212](https://github.com/kubernetes/ingress/pull/212) Simplify code to obtain TCP or UDP services - [X] [#208](https://github.com/kubernetes/ingress/pull/208) Fix nil HTTP field - [X] [#198](https://github.com/kubernetes/ingress/pull/198) Add an example for static-ip and deployment diff --git a/controllers/nginx/Makefile b/controllers/nginx/Makefile index ebd2b8472..4aebd4ac2 100644 --- a/controllers/nginx/Makefile +++ b/controllers/nginx/Makefile @@ -3,7 +3,7 @@ all: push BUILDTAGS= # Use the 0.0 tag for testing, it shouldn't clobber any release builds -TAG?=0.9.0-beta.11 +TAG?=0.9.0-beta.12 REGISTRY?=gcr.io/google_containers GOOS?=linux DOCKER?=gcloud docker -- diff --git a/controllers/nginx/README.md b/controllers/nginx/README.md index bea5b86f0..b8a8869dd 100644 --- a/controllers/nginx/README.md +++ b/controllers/nginx/README.md 
@@ -95,14 +95,14 @@ $ ./rootfs/nginx-ingress-controller --running-in-cluster=false --default-backend First create a default backend: ``` -$ kubectl create -f examples/deployment/nginx/default-backend.yaml +$ kubectl create -f examples/default-backend.yaml $ kubectl expose rc default-http-backend --port=80 --target-port=8080 --name=default-http-backend ``` Loadbalancers are created via a ReplicationController or Daemonset: ``` -$ kubectl create -f examples/default/rc-default.yaml +$ kubectl create -f examples/rc-default.yaml ``` ## HTTP diff --git a/controllers/nginx/examples/default-backend.yaml b/controllers/nginx/examples/default-backend.yaml new file mode 100644 index 000000000..3c40989a3 --- /dev/null +++ b/controllers/nginx/examples/default-backend.yaml @@ -0,0 +1,51 @@ +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: default-http-backend + labels: + k8s-app: default-http-backend + namespace: kube-system +spec: + replicas: 1 + template: + metadata: + labels: + k8s-app: default-http-backend + spec: + terminationGracePeriodSeconds: 60 + containers: + - name: default-http-backend + # Any image is permissable as long as: + # 1. It serves a 404 page at / + # 2. It serves 200 on a /healthz endpoint + image: gcr.io/google_containers/defaultbackend:1.0 + livenessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTP + initialDelaySeconds: 30 + timeoutSeconds: 5 + ports: + - containerPort: 8080 + resources: + limits: + cpu: 10m + memory: 20Mi + requests: + cpu: 10m + memory: 20Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: default-http-backend + namespace: kube-system + labels: + k8s-app: default-http-backend +spec: + ports: + - port: 80 + targetPort: 8080 + selector: + k8s-app: default-http-backend diff --git a/controllers/nginx/examples/ingress.yaml b/controllers/nginx/examples/ingress.yaml new file mode 100644 index 000000000..8a78b85b9 --- /dev/null +++ b/controllers/nginx/examples/ingress.yaml 
@@ -0,0 +1,26 @@ +# This is the Ingress resource that creates a HTTP Loadbalancer configured +# according to the Ingress rules. +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: echomap +spec: + rules: + - host: foo.bar.com + http: + paths: + - path: /foo + backend: + serviceName: echoheaders-x + servicePort: 80 + - host: bar.baz.com + http: + paths: + - path: /bar + backend: + serviceName: echoheaders-y + servicePort: 80 + - path: /foo + backend: + serviceName: echoheaders-x + servicePort: 80 \ No newline at end of file diff --git a/controllers/nginx/pkg/cmd/controller/metrics.go b/controllers/nginx/pkg/cmd/controller/metrics.go index 99614cc93..ee33c6c5e 100644 --- a/controllers/nginx/pkg/cmd/controller/metrics.go +++ b/controllers/nginx/pkg/cmd/controller/metrics.go @@ -24,7 +24,7 @@ import ( ) const ( - ngxStatusPath = "/internal_nginx_status" + ngxStatusPath = "/nginx_status" ngxVtsPath = "/nginx_status/format/json" ) @@ -46,7 +46,7 @@ type statsCollector struct { namespace string watchClass string - healthPort int + port int } func (s *statsCollector) stop(sm statusModule) { 
@@ -63,18 +63,19 @@ func (s *statsCollector) stop(sm statusModule) { func (s *statsCollector) start(sm statusModule) { switch sm { case defaultStatusModule: - s.basic = collector.NewNginxStatus(s.namespace, s.watchClass, s.healthPort, ngxStatusPath) + s.basic = collector.NewNginxStatus(s.namespace, s.watchClass, s.port, ngxStatusPath) prometheus.Register(s.basic) break case vtsStatusModule: - s.vts = collector.NewNGINXVTSCollector(s.namespace, s.watchClass, s.healthPort, ngxVtsPath) + s.vts = collector.NewNGINXVTSCollector(s.namespace, s.watchClass, s.port, ngxVtsPath) prometheus.Register(s.vts) break } } -func newStatsCollector(ns, class, binary string, hz int) *statsCollector { +func newStatsCollector(ns, class, binary string, port int) *statsCollector { glog.Infof("starting new nginx stats collector for Ingress controller running in namespace %v (class %v)", ns, class) + glog.Infof("collector extracting information from port %v", port) pc, err := collector.NewNamedProcess(true, collector.BinaryNameMatcher{ Name: "nginx", Binary: binary, @@ -91,6 +92,6 @@ func newStatsCollector(ns, class, binary string, hz int) *statsCollector { namespace: ns, watchClass: class, process: pc, - healthPort: hz, + port: port, } } diff --git a/controllers/nginx/pkg/cmd/controller/nginx.go b/controllers/nginx/pkg/cmd/controller/nginx.go index b6b23fa3d..9608869c1 100644 --- a/controllers/nginx/pkg/cmd/controller/nginx.go +++ b/controllers/nginx/pkg/cmd/controller/nginx.go @@ -372,7 +372,11 @@ func (n *NGINXController) OverrideFlags(flags *pflag.FlagSet) { } flags.Set("ingress-class", ic) - n.stats = newStatsCollector(wc, ic, n.binary, n.ports.Health) + + h, _ := flags.GetInt("healthz-port") + n.ports.Health = h + + n.stats = newStatsCollector(wc, ic, n.binary, n.ports.Status) if n.isSSLPassthroughEnabled { if !isPortAvailable(n.ports.SSLProxy) { 
diff --git a/controllers/nginx/pkg/metric/collector/status.go b/controllers/nginx/pkg/metric/collector/status.go index 361838a31..f5e24221a 100644 --- a/controllers/nginx/pkg/metric/collector/status.go +++ b/controllers/nginx/pkg/metric/collector/status.go @@ -143,8 +143,8 @@ func (bit BoolToFloat64) UnmarshalJSON(data []byte) error { return nil } -func getNginxStatus(ngxHealthPort int, ngxStatusPath string) (*basicStatus, error) { - url := fmt.Sprintf("http://localhost:%v%v", ngxHealthPort, ngxStatusPath) +func getNginxStatus(port int, path string) (*basicStatus, error) { + url := fmt.Sprintf("http://localhost:%v%v", port, path) glog.V(3).Infof("start scrapping url: %v", url) data, err := httpBody(url) @@ -174,8 +174,8 @@ func httpBody(url string) ([]byte, error) { return data, nil } -func getNginxVtsMetrics(ngxHealthPort int, ngxVtsPath string) (*vts, error) { - url := fmt.Sprintf("http://localhost:%v%v", ngxHealthPort, ngxVtsPath) +func getNginxVtsMetrics(port int, path string) (*vts, error) { + url := fmt.Sprintf("http://localhost:%v%v", port, path) glog.V(3).Infof("start scrapping url: %v", url) data, err := httpBody(url) diff --git a/controllers/nginx/pkg/metric/collector/vts.go b/controllers/nginx/pkg/metric/collector/vts.go index c06e74218..f57cc4dd1 100644 --- a/controllers/nginx/pkg/metric/collector/vts.go +++ b/controllers/nginx/pkg/metric/collector/vts.go @@ -28,8 +28,8 @@ const ns = "nginx" type ( vtsCollector struct { scrapeChan chan scrapeRequest - ngxHealthPort int - ngxVtsPath string + port int + path string data *vtsData watchNamespace string ingressClass string 
@@ -57,12 +57,12 @@ type ( ) // NewNGINXVTSCollector returns a new prometheus collector for the VTS module -func NewNGINXVTSCollector(watchNamespace, ingressClass string, ngxHealthPort int, ngxVtsPath string) Stopable { +func NewNGINXVTSCollector(watchNamespace, ingressClass string, port int, path string) Stopable { p := vtsCollector{ scrapeChan: make(chan scrapeRequest), - ngxHealthPort: ngxHealthPort, - ngxVtsPath: ngxVtsPath, + port: port, + path: path, watchNamespace: watchNamespace, ingressClass: ingressClass, } @@ -201,7 +201,7 @@ func (p vtsCollector) Stop() { // scrapeVts scrape nginx vts metrics func (p vtsCollector) scrapeVts(ch chan<- prometheus.Metric) { - nginxMetrics, err := getNginxVtsMetrics(p.ngxHealthPort, p.ngxVtsPath) + nginxMetrics, err := getNginxVtsMetrics(p.port, p.path) if err != nil { glog.Warningf("unexpected error obtaining nginx status info: %v", err) return diff --git a/controllers/nginx/pkg/template/template.go b/controllers/nginx/pkg/template/template.go index 8acb192bf..25c487c61 100644 --- a/controllers/nginx/pkg/template/template.go +++ b/controllers/nginx/pkg/template/template.go @@ -301,7 +301,7 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string { return defProxyPass } - if path != slash && !strings.HasSuffix(path, slash) { + if !strings.HasSuffix(path, slash) { path = fmt.Sprintf("%s/", path) } @@ -312,12 +312,12 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string { bPath := fmt.Sprintf("%s%s", path, "$baseuri") if len(location.Rewrite.BaseURLScheme) > 0 { abu = fmt.Sprintf(`subs_filter '' '' r; - subs_filter '' '' r; - `, location.Rewrite.BaseURLScheme, bPath, location.Rewrite.BaseURLScheme, bPath) + subs_filter '' '' r; + `, location.Rewrite.BaseURLScheme, bPath, location.Rewrite.BaseURLScheme, bPath) } else { abu = fmt.Sprintf(`subs_filter '' '' r; - subs_filter '' '' r; - `, bPath, bPath) + subs_filter '' '' r; + `, bPath, bPath) } } 
@@ -325,16 +325,16 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string { // special case redirect to / // ie /something to / return fmt.Sprintf(` - rewrite %s(.*) /$1 break; - rewrite %s / break; - proxy_pass %s://%s; - %v`, path, location.Path, proto, upstreamName, abu) + rewrite %s(.*) /$1 break; + rewrite %s / break; + proxy_pass %s://%s; + %v`, path, location.Path, proto, upstreamName, abu) } return fmt.Sprintf(` - rewrite %s(.*) %s/$1 break; - proxy_pass %s://%s; - %v`, path, location.Rewrite.Target, proto, upstreamName, abu) + rewrite %s(.*) %s/$1 break; + proxy_pass %s://%s; + %v`, path, location.Rewrite.Target, proto, upstreamName, abu) } // default proxy_pass diff --git a/controllers/nginx/pkg/template/template_test.go b/controllers/nginx/pkg/template/template_test.go index 268fd471c..87d8c0561 100644 --- a/controllers/nginx/pkg/template/template_test.go +++ b/controllers/nginx/pkg/template/template_test.go 
@@ -44,54 +44,54 @@ var ( "invalid redirect / to /": {"/", "/", "/", "proxy_pass http://upstream-name;", false, ""}, "redirect / to /jenkins": {"/", "/jenkins", "~* /", ` - rewrite /(.*) /jenkins/$1 break; - proxy_pass http://upstream-name; - `, false, ""}, + rewrite /(.*) /jenkins/$1 break; + proxy_pass http://upstream-name; + `, false, ""}, "redirect /something to /": {"/something", "/", `~* ^/something\/?(?.*)`, ` - rewrite /something/(.*) /$1 break; - rewrite /something / break; - proxy_pass http://upstream-name; - `, false, ""}, + rewrite /something/(.*) /$1 break; + rewrite /something / break; + proxy_pass http://upstream-name; + `, false, ""}, "redirect /end-with-slash/ to /not-root": {"/end-with-slash/", "/not-root", "~* ^/end-with-slash/(?.*)", ` - rewrite /end-with-slash/(.*) /not-root/$1 break; - proxy_pass http://upstream-name; - `, false, ""}, + rewrite /end-with-slash/(.*) /not-root/$1 break; + proxy_pass http://upstream-name; + `, false, ""}, "redirect /something-complex to /not-root": {"/something-complex", "/not-root", `~* ^/something-complex\/?(?.*)`, ` - rewrite /something-complex/(.*) /not-root/$1 break; - proxy_pass http://upstream-name; - `, false, ""}, + rewrite /something-complex/(.*) /not-root/$1 break; + proxy_pass http://upstream-name; + `, false, ""}, "redirect / to /jenkins and rewrite": {"/", "/jenkins", "~* /", ` - rewrite /(.*) /jenkins/$1 break; - proxy_pass http://upstream-name; - subs_filter '' '' r; - subs_filter '' '' r; - `, true, ""}, + rewrite /(.*) /jenkins/$1 break; + proxy_pass http://upstream-name; + subs_filter '' '' r; + subs_filter '' '' r; + `, true, ""}, "redirect /something to / and rewrite": {"/something", "/", `~* ^/something\/?(?.*)`, ` - rewrite /something/(.*) /$1 break; - rewrite /something / break; - proxy_pass http://upstream-name; - subs_filter '' '' r; - subs_filter '' '' r; - `, true, ""}, + rewrite /something/(.*) /$1 break; + rewrite /something / break; + proxy_pass http://upstream-name; + subs_filter 
'' '' r; + subs_filter '' '' r; + `, true, ""}, "redirect /end-with-slash/ to /not-root and rewrite": {"/end-with-slash/", "/not-root", `~* ^/end-with-slash/(?.*)`, ` - rewrite /end-with-slash/(.*) /not-root/$1 break; - proxy_pass http://upstream-name; - subs_filter '' '' r; - subs_filter '' '' r; - `, true, ""}, + rewrite /end-with-slash/(.*) /not-root/$1 break; + proxy_pass http://upstream-name; + subs_filter '' '' r; + subs_filter '' '' r; + `, true, ""}, "redirect /something-complex to /not-root and rewrite": {"/something-complex", "/not-root", `~* ^/something-complex\/?(?.*)`, ` - rewrite /something-complex/(.*) /not-root/$1 break; - proxy_pass http://upstream-name; - subs_filter '' '' r; - subs_filter '' '' r; - `, true, ""}, + rewrite /something-complex/(.*) /not-root/$1 break; + proxy_pass http://upstream-name; + subs_filter '' '' r; + subs_filter '' '' r; + `, true, ""}, "redirect /something to / and rewrite with specific scheme": {"/something", "/", `~* ^/something\/?(?.*)`, ` - rewrite /something/(.*) /$1 break; - rewrite /something / break; - proxy_pass http://upstream-name; - subs_filter '' '' r; - subs_filter '' '' r; - `, true, "http"}, + rewrite /something/(.*) /$1 break; + rewrite /something / break; + proxy_pass http://upstream-name; + subs_filter '' '' r; + subs_filter '' '' r; + `, true, "http"}, } ) diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl index 91ea7b6a6..a971f6be9 100644 --- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl +++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl 
@@ -387,7 +387,7 @@ http { # Changing this value requires a change in: # https://github.com/kubernetes/ingress/blob/master/controllers/nginx/pkg/cmd/controller/nginx.go listen 127.0.0.1:{{ $all.ListenPorts.Status }} default_server reuseport backlog={{ $all.BacklogSize }}; - {{ if $IsIPV6Enabled }}listen [::1]:{{ $all.ListenPorts.Status }} default_server reuseport backlog={{ $all.BacklogSize }};{{ end }} + {{ if $IsIPV6Enabled }}listen [::]:{{ $all.ListenPorts.Status }} default_server reuseport backlog={{ $all.BacklogSize }};{{ end }} set $proxy_upstream_name "-"; location {{ $healthzURI }} { @@ -407,21 +407,6 @@ http { {{ end }} } - # this location is used to extract nginx metrics - # using prometheus. - # TODO: enable extraction for vts module. - location /internal_nginx_status { - set $proxy_upstream_name "internal"; - - allow 127.0.0.1; - {{ if not $cfg.DisableIpv6 }}allow ::1;{{ end }} - deny all; - - access_log off; - stub_status on; - } - - fastcgi_param HTTP_X_Code 404; fastcgi_param HTTP_X_Format $http_accept; fastcgi_param HTTP_X_Original_URI $request_uri; 
@@ -631,196 +616,196 @@ stream { {{ if not (empty $location.Rewrite.AppRoot)}} if ($uri = /) { - return 302 {{ $location.Rewrite.AppRoot }}; + return 302 {{ $location.Rewrite.AppRoot }}; } {{ end }} {{ if not (empty $authPath) }} location = {{ $authPath }} { - internal; - set $proxy_upstream_name "internal"; + internal; + set $proxy_upstream_name "internal"; - {{ if not $location.ExternalAuth.SendBody }} - proxy_pass_request_body off; - proxy_set_header Content-Length ""; - {{ end }} - {{ if not (empty $location.ExternalAuth.Method) }} - proxy_method {{ $location.ExternalAuth.Method }}; - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Scheme $pass_access_scheme; - {{ end }} - proxy_pass_request_headers on; - proxy_set_header Host {{ $location.ExternalAuth.Host }}; - proxy_ssl_server_name on; + {{ if not $location.ExternalAuth.SendBody }} + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + {{ end }} + {{ if not (empty $location.ExternalAuth.Method) }} + proxy_method {{ $location.ExternalAuth.Method }}; + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Scheme $pass_access_scheme; + {{ end }} + proxy_pass_request_headers on; + proxy_set_header Host {{ $location.ExternalAuth.Host }}; + proxy_ssl_server_name on; - client_max_body_size "{{ $location.Proxy.BodySize }}"; - {{ if isValidClientBodyBufferSize $location.ClientBodyBufferSize }} - client_body_buffer_size {{ $location.ClientBodyBufferSize }}; - {{ end }} + client_max_body_size "{{ $location.Proxy.BodySize }}"; + {{ if isValidClientBodyBufferSize $location.ClientBodyBufferSize }} + client_body_buffer_size {{ $location.ClientBodyBufferSize }}; + {{ end }} - set $target {{ $location.ExternalAuth.URL }}; - proxy_pass $target; + set $target {{ $location.ExternalAuth.URL }}; + proxy_pass $target; } {{ end }} location {{ $path }} { - set $proxy_upstream_name "{{ buildUpstreamName $server.Hostname $all.Backends $location }}"; + set $proxy_upstream_name "{{ 
buildUpstreamName $server.Hostname $all.Backends $location }}"; - {{ $ing := (getIngressInformation $location.Ingress $path) }} - {{/* $ing.Metadata contains the Ingress metadata */}} - set $namespace "{{ $ing.Namespace }}"; - set $ingress_name "{{ $ing.Rule }}"; - set $service_name "{{ $ing.Service }}"; - set $base_path "{{ $location.Path }}"; + {{ $ing := (getIngressInformation $location.Ingress $path) }} + {{/* $ing.Metadata contains the Ingress metadata */}} + set $namespace "{{ $ing.Namespace }}"; + set $ingress_name "{{ $ing.Rule }}"; + set $service_name "{{ $ing.Service }}"; + set $base_path "{{ $location.Path }}"; - {{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }} - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$best_http_host$request_uri; - } - {{ end }} + {{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }} + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$best_http_host$request_uri; + } + {{ end }} - {{ if isLocationAllowed $location }} - {{ if gt (len $location.Whitelist.CIDR) 0 }} - if ({{ buildDenyVariable (print $server.Hostname "_" $path) }}) { - return 403; - } - {{ end }} + {{ if isLocationAllowed $location }} + {{ if gt (len $location.Whitelist.CIDR) 0 }} + if ({{ buildDenyVariable (print $server.Hostname "_" $path) }}) { + return 403; + } + {{ end }} - port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }}; + port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }}; - {{ if not (empty $authPath) }} - # this location requires authentication - auth_request {{ $authPath }}; - auth_request_set $auth_cookie $upstream_http_set_cookie; - add_header Set-Cookie $auth_cookie; - {{- range $idx, $line := buildAuthResponseHeaders $location }} - {{ $line }} - {{- end }} - {{ end }} + {{ if not 
(empty $authPath) }} + # this location requires authentication + auth_request {{ $authPath }}; + auth_request_set $auth_cookie $upstream_http_set_cookie; + add_header Set-Cookie $auth_cookie; + {{- range $idx, $line := buildAuthResponseHeaders $location }} + {{ $line }} + {{- end }} + {{ end }} - {{ if not (empty $location.ExternalAuth.SigninURL) }} - error_page 401 = {{ buildAuthSignURL $location.ExternalAuth.SigninURL }}; - {{ end }} + {{ if not (empty $location.ExternalAuth.SigninURL) }} + error_page 401 = {{ buildAuthSignURL $location.ExternalAuth.SigninURL }}; + {{ end }} - {{/* if the location contains a rate limit annotation, create one */}} - {{ $limits := buildRateLimit $location }} - {{ range $limit := $limits }} - {{ $limit }}{{ end }} + {{/* if the location contains a rate limit annotation, create one */}} + {{ $limits := buildRateLimit $location }} + {{ range $limit := $limits }} + {{ $limit }}{{ end }} - {{ if $location.BasicDigestAuth.Secured }} - {{ if eq $location.BasicDigestAuth.Type "basic" }} - auth_basic "{{ $location.BasicDigestAuth.Realm }}"; - auth_basic_user_file {{ $location.BasicDigestAuth.File }}; - {{ else }} - auth_digest "{{ $location.BasicDigestAuth.Realm }}"; - auth_digest_user_file {{ $location.BasicDigestAuth.File }}; - {{ end }} - proxy_set_header Authorization ""; - {{ end }} + {{ if $location.BasicDigestAuth.Secured }} + {{ if eq $location.BasicDigestAuth.Type "basic" }} + auth_basic "{{ $location.BasicDigestAuth.Realm }}"; + auth_basic_user_file {{ $location.BasicDigestAuth.File }}; + {{ else }} + auth_digest "{{ $location.BasicDigestAuth.Realm }}"; + auth_digest_user_file {{ $location.BasicDigestAuth.File }}; + {{ end }} + proxy_set_header Authorization ""; + {{ end }} - {{ if $location.EnableCORS }} - {{ template "CORS" }} - {{ end }} + {{ if $location.EnableCORS }} + {{ template "CORS" }} + {{ end }} - {{ if not (empty $location.Redirect.URL) }} - if ($uri ~* {{ $path }}) { - return {{ $location.Redirect.Code }} {{ 
$location.Redirect.URL }}; - } - {{ end }} + {{ if not (empty $location.Redirect.URL) }} + if ($uri ~* {{ $path }}) { + return {{ $location.Redirect.Code }} {{ $location.Redirect.URL }}; + } + {{ end }} - client_max_body_size "{{ $location.Proxy.BodySize }}"; - {{ if isValidClientBodyBufferSize $location.ClientBodyBufferSize }} - client_body_buffer_size {{ $location.ClientBodyBufferSize }}; - {{ end }} + client_max_body_size "{{ $location.Proxy.BodySize }}"; + {{ if isValidClientBodyBufferSize $location.ClientBodyBufferSize }} + client_body_buffer_size {{ $location.ClientBodyBufferSize }}; + {{ end }} - proxy_set_header Host $best_http_host; + proxy_set_header Host $best_http_host; - # Pass the extracted client certificate to the backend - {{ if not (empty $server.CertificateAuth.CAFileName) }} - proxy_set_header ssl-client-cert $ssl_client_cert; - {{ end }} + # Pass the extracted client certificate to the backend + {{ if not (empty $server.CertificateAuth.CAFileName) }} + proxy_set_header ssl-client-cert $ssl_client_cert; + {{ end }} - # Allow websocket connections - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; - proxy_set_header X-Real-IP $the_real_ip; - proxy_set_header X-Forwarded-For $the_real_ip; - proxy_set_header X-Forwarded-Host $best_http_host; - proxy_set_header X-Forwarded-Port $pass_port; - proxy_set_header X-Forwarded-Proto $pass_access_scheme; - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Scheme $pass_access_scheme; + proxy_set_header X-Real-IP $the_real_ip; + proxy_set_header X-Forwarded-For $the_real_ip; + proxy_set_header X-Forwarded-Host $best_http_host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Scheme $pass_access_scheme; - 
# mitigate HTTPoxy Vulnerability - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - proxy_set_header Proxy ""; + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; - # Custom headers to proxied server - {{ range $k, $v := $all.ProxySetHeaders }} - proxy_set_header {{ $k }} "{{ $v }}"; - {{ end }} + # Custom headers to proxied server + {{ range $k, $v := $all.ProxySetHeaders }} + proxy_set_header {{ $k }} "{{ $v }}"; + {{ end }} - proxy_connect_timeout {{ $location.Proxy.ConnectTimeout }}s; - proxy_send_timeout {{ $location.Proxy.SendTimeout }}s; - proxy_read_timeout {{ $location.Proxy.ReadTimeout }}s; + proxy_connect_timeout {{ $location.Proxy.ConnectTimeout }}s; + proxy_send_timeout {{ $location.Proxy.SendTimeout }}s; + proxy_read_timeout {{ $location.Proxy.ReadTimeout }}s; - proxy_redirect off; - proxy_buffering off; - proxy_buffer_size "{{ $location.Proxy.BufferSize }}"; - proxy_buffers 4 "{{ $location.Proxy.BufferSize }}"; + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "{{ $location.Proxy.BufferSize }}"; + proxy_buffers 4 "{{ $location.Proxy.BufferSize }}"; - proxy_http_version 1.1; + proxy_http_version 1.1; - proxy_cookie_domain {{ $location.Proxy.CookieDomain }}; - proxy_cookie_path {{ $location.Proxy.CookiePath }}; + proxy_cookie_domain {{ $location.Proxy.CookieDomain }}; + proxy_cookie_path {{ $location.Proxy.CookiePath }}; - # In case of errors try the next upstream server before returning an error - proxy_next_upstream {{ buildNextUpstream $location.Proxy.NextUpstream }}{{ if $all.Cfg.RetryNonIdempotent }} non_idempotent{{ end }}; + # In case of errors try the next upstream server before returning an error + proxy_next_upstream {{ buildNextUpstream $location.Proxy.NextUpstream }}{{ if $all.Cfg.RetryNonIdempotent }} non_idempotent{{ end }}; - {{/* rewrite only works if the content is not compressed */}} - {{ if 
$location.Rewrite.AddBaseURL }} - proxy_set_header Accept-Encoding ""; - {{ end }} + {{/* rewrite only works if the content is not compressed */}} + {{ if $location.Rewrite.AddBaseURL }} + proxy_set_header Accept-Encoding ""; + {{ end }} - {{/* Add any additional configuration defined */}} - {{ $location.ConfigurationSnippet }} + {{/* Add any additional configuration defined */}} + {{ $location.ConfigurationSnippet }} - {{/* if we are sending the request to a custom default backend, we add the required headers */}} - {{ if (hasPrefix $location.Backend "custom-default-backend-") }} - proxy_set_header X-Code 503; - proxy_set_header X-Format $http_accept; - proxy_set_header X-Namespace $namespace; - proxy_set_header X-Ingress-Name $ingress_name; - proxy_set_header X-Service-Name $service_name; - {{ end }} + {{/* if we are sending the request to a custom default backend, we add the required headers */}} + {{ if (hasPrefix $location.Backend "custom-default-backend-") }} + proxy_set_header X-Code 503; + proxy_set_header X-Format $http_accept; + proxy_set_header X-Namespace $namespace; + proxy_set_header X-Ingress-Name $ingress_name; + proxy_set_header X-Service-Name $service_name; + {{ end }} - {{ buildProxyPass $server.Hostname $all.Backends $location }} - {{ else }} - # Location denied. Reason: {{ $location.Denied }} - return 503; - {{ end }} + {{ buildProxyPass $server.Hostname $all.Backends $location }} + {{ else }} + # Location denied. 
Reason: {{ $location.Denied }} + return 503; + {{ end }} } {{ end }} {{ if eq $server.Hostname "_" }} # health checks in cloud providers require the use of port {{ $all.ListenPorts.HTTP }} location {{ $all.HealthzURI }} { - access_log off; - return 200; + access_log off; + return 200; } # this is required to avoid error if nginx is being monitored # with an external software (like sysdig) location /nginx_status { - allow 127.0.0.1; - {{ if $all.IsIPV6Enabled }}allow ::1;{{ end }} - deny all; + allow 127.0.0.1; + {{ if $all.IsIPV6Enabled }}allow ::1;{{ end }} + deny all; - access_log off; - stub_status on; + access_log off; + stub_status on; } {{ end }} diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index e583fe4d6..2fe3253f2 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -259,7 +259,7 @@ spec: spec: terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: ingress-nginx imagePullPolicy: Always ports: diff --git a/examples/aws/nginx/nginx-ingress-controller.yaml b/examples/aws/nginx/nginx-ingress-controller.yaml index c9e6e3cba..5cc561602 100644 --- a/examples/aws/nginx/nginx-ingress-controller.yaml +++ b/examples/aws/nginx/nginx-ingress-controller.yaml @@ -101,7 +101,7 @@ spec: spec: terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: ingress-nginx imagePullPolicy: Always ports: diff --git a/examples/customization/configuration-snippets/nginx/nginx-ingress-controller.yaml b/examples/customization/configuration-snippets/nginx/nginx-ingress-controller.yaml index 29e5f763a..277e661d1 100644 --- a/examples/customization/configuration-snippets/nginx/nginx-ingress-controller.yaml 
+++ b/examples/customization/configuration-snippets/nginx/nginx-ingress-controller.yaml @@ -19,7 +19,7 @@ spec: # hostNetwork: true terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: nginx-ingress-controller readinessProbe: httpGet: diff --git a/examples/customization/custom-configuration/nginx/nginx-custom-configuration.yaml b/examples/customization/custom-configuration/nginx/nginx-custom-configuration.yaml index 554b6f82f..dfacaf1ea 100644 --- a/examples/customization/custom-configuration/nginx/nginx-custom-configuration.yaml +++ b/examples/customization/custom-configuration/nginx/nginx-custom-configuration.yaml @@ -22,7 +22,7 @@ spec: # hostNetwork: true terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: nginx-ingress-controller readinessProbe: httpGet: diff --git a/examples/customization/custom-errors/nginx/rc-custom-errors.yaml b/examples/customization/custom-errors/nginx/rc-custom-errors.yaml index bc4b8ff7e..d26914fdf 100644 --- a/examples/customization/custom-errors/nginx/rc-custom-errors.yaml +++ b/examples/customization/custom-errors/nginx/rc-custom-errors.yaml @@ -16,7 +16,7 @@ spec: spec: terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: nginx-ingress-lb imagePullPolicy: Always readinessProbe: diff --git a/examples/customization/custom-headers/nginx/nginx-ingress-controller.yaml b/examples/customization/custom-headers/nginx/nginx-ingress-controller.yaml index 29e5f763a..277e661d1 100644 --- a/examples/customization/custom-headers/nginx/nginx-ingress-controller.yaml 
+++ b/examples/customization/custom-headers/nginx/nginx-ingress-controller.yaml @@ -19,7 +19,7 @@ spec: # hostNetwork: true terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: nginx-ingress-controller readinessProbe: httpGet: diff --git a/examples/customization/custom-template/custom-template.yaml b/examples/customization/custom-template/custom-template.yaml index 39e5267bb..abe519ae5 100644 --- a/examples/customization/custom-template/custom-template.yaml +++ b/examples/customization/custom-template/custom-template.yaml @@ -16,7 +16,7 @@ spec: spec: terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: nginx-ingress-lb imagePullPolicy: Always readinessProbe: diff --git a/examples/customization/custom-vts-metrics/nginx/nginx-ingress-controller.yaml b/examples/customization/custom-vts-metrics/nginx/nginx-ingress-controller.yaml index f95c8c51e..e8e5c609e 100644 --- a/examples/customization/custom-vts-metrics/nginx/nginx-ingress-controller.yaml +++ b/examples/customization/custom-vts-metrics/nginx/nginx-ingress-controller.yaml @@ -22,7 +22,7 @@ spec: # hostNetwork: true terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: nginx-ingress-controller readinessProbe: httpGet: diff --git a/examples/customization/ssl-dh-param/nginx/nginx-ingress-controller.yaml b/examples/customization/ssl-dh-param/nginx/nginx-ingress-controller.yaml index 29e5f763a..277e661d1 100644 --- a/examples/customization/ssl-dh-param/nginx/nginx-ingress-controller.yaml +++ b/examples/customization/ssl-dh-param/nginx/nginx-ingress-controller.yaml 
@@ -19,7 +19,7 @@ spec: # hostNetwork: true terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: nginx-ingress-controller readinessProbe: httpGet: diff --git a/examples/daemonset/haproxy/README.md b/examples/daemonset/haproxy/README.md index 605af7f70..31390913e 100644 --- a/examples/daemonset/haproxy/README.md +++ b/examples/daemonset/haproxy/README.md @@ -41,6 +41,11 @@ NAME READY STATUS RESTARTS AGE default-http-backend-q5sb6 1/1 Running 0 30m ``` +## RBAC Authorization + +Check the [RBAC sample](/examples/rbac/haproxy) if deploying on a cluster with +[RBAC authorization](https://kubernetes.io/docs/admin/authorization/rbac/). + ## Ingress DaemonSet Deploy the daemonset as follows: diff --git a/examples/daemonset/nginx/nginx-ingress-daemonset.yaml b/examples/daemonset/nginx/nginx-ingress-daemonset.yaml index e86f47111..8402f49a0 100644 --- a/examples/daemonset/nginx/nginx-ingress-daemonset.yaml +++ b/examples/daemonset/nginx/nginx-ingress-daemonset.yaml @@ -16,7 +16,7 @@ spec: spec: terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: nginx-ingress-lb readinessProbe: httpGet: diff --git a/examples/deployment/haproxy/README.md b/examples/deployment/haproxy/README.md index 23099aded..de54eae7c 100644 --- a/examples/deployment/haproxy/README.md +++ b/examples/deployment/haproxy/README.md 
@@ -70,6 +70,11 @@ configmap can be edited or replaced later in order to apply new configuration on a running ingress controller. All supported options are [here](https://github.com/jcmoraisjr/haproxy-ingress#configmap). +## RBAC Authorization + +Check the [RBAC sample](/examples/rbac/haproxy) if deploying on a cluster with +[RBAC authorization](https://kubernetes.io/docs/admin/authorization/rbac/). + ## Controller Deploy HAProxy Ingress: diff --git a/examples/deployment/nginx/kubeadm/nginx-ingress-controller.yaml b/examples/deployment/nginx/kubeadm/nginx-ingress-controller.yaml index fa7c9d4d2..d2183c94b 100644 --- a/examples/deployment/nginx/kubeadm/nginx-ingress-controller.yaml +++ b/examples/deployment/nginx/kubeadm/nginx-ingress-controller.yaml @@ -71,7 +71,7 @@ spec: hostNetwork: true terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: nginx-ingress-controller readinessProbe: httpGet: diff --git a/examples/deployment/nginx/nginx-ingress-controller.yaml b/examples/deployment/nginx/nginx-ingress-controller.yaml index 88ca0e9a3..4d8010939 100644 --- a/examples/deployment/nginx/nginx-ingress-controller.yaml +++ b/examples/deployment/nginx/nginx-ingress-controller.yaml @@ -22,7 +22,7 @@ spec: # hostNetwork: true terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: nginx-ingress-controller readinessProbe: httpGet: diff --git a/examples/rbac/haproxy/README.md b/examples/rbac/haproxy/README.md new file mode 100644 index 000000000..d21899a37 --- /dev/null +++ b/examples/rbac/haproxy/README.md 
@@ -0,0 +1,80 @@ +# Role Based Access Control + +This example demonstrates how to authorize an ingress controller on a cluster +with role based access control. + +## Overview + +This example applies to ingress controllers being deployed in an environment with +[RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) enabled. + +## Service Account created in this example + +One ServiceAccount is created in this example, `ingress-controller`. See +[Using cert based authentication](#using-cert-based-authentication) +below if using client cert authentication. + +## Permissions Granted in this example + +There are two sets of permissions defined in this example. Cluster-wide +permissions defined by a `ClusterRole` and namespace specific permissions +defined by a `Role`, both named `ingress-controller`. + +### Cluster Permissions + +These permissions are granted in order for the ingress-controller to be +able to function as an ingress across the cluster. These permissions are +granted to the ClusterRole: + +* `configmaps`, `endpoints`, `nodes`, `pods`, `secrets`: list, watch +* `nodes`: get +* `services`, `ingresses`: get, list, watch +* `events`: create, patch +* `ingresses/status`: update + +### Namespace Permissions + +These permissions are granted specific to the `ingress-controller` namespace. +The Role permissions are: + +* `configmaps`, `pods`, `secrets`: get +* `endpoints`: create, get, update + +Furthermore to support leader-election, the ingress controller needs to +have access to a `configmap` in the `ingress-controller` namespace: + +* `configmaps`: get, update, create + +## Namespace created in this example + +The `Namespace` named `ingress-controller` is defined in this example. The +namespace name can be changed arbitrarily as long as all of the references +change as well. + +## Usage + +1. 
Create the `Namespace`, `Service Account`, `ClusterRole`, `Role`, +`ClusterRoleBinding`, and `RoleBinding`: + +```console +$ kubectl create -f ingress-controller-rbac.yml +``` + +2. Deploy the ingress controller. The deployment should be configured to use +the `ingress-controller` service account name if not using kubeconfig and +client cert based authentication. Add the `serviceAccountName` to the pod +template spec: + +```yaml +spec: + template: + spec: + serviceAccountName: ingress-controller +``` + +## Using cert based authentication + +A client certificate based authentication can also be used with the following changes: + +1. No need to add the `serviceAccountName` to the pod template spec. +2. Sign a client certificate using `ingress-controller` as it's common name. diff --git a/examples/rbac/haproxy/ingress-controller-rbac.yml b/examples/rbac/haproxy/ingress-controller-rbac.yml new file mode 100644 index 000000000..57d0de7e0 --- /dev/null +++ b/examples/rbac/haproxy/ingress-controller-rbac.yml 
@@ -0,0 +1,133 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: ingress-controller +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ingress-controller + namespace: ingress-controller +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: ingress-controller +rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "extensions" + resources: + - ingresses/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: ingress-controller + namespace: ingress-controller +rules: + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - create + - update +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: ingress-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-controller +subjects: + - kind: ServiceAccount + name: ingress-controller + namespace: ingress-controller + - apiGroup: rbac.authorization.k8s.io + kind: User + name: ingress-controller +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: ingress-controller + namespace: ingress-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-controller +subjects: + - kind: ServiceAccount + name: 
ingress-controller + namespace: ingress-controller + - apiGroup: rbac.authorization.k8s.io + kind: User + name: ingress-controller diff --git a/examples/rbac/nginx/nginx-ingress-controller.yml b/examples/rbac/nginx/nginx-ingress-controller.yml index f908c4469..ad31e6271 100644 --- a/examples/rbac/nginx/nginx-ingress-controller.yml +++ b/examples/rbac/nginx/nginx-ingress-controller.yml @@ -16,7 +16,7 @@ spec: serviceAccountName: nginx-ingress-serviceaccount containers: - name: nginx-ingress-controller - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 args: - /nginx-ingress-controller - --default-backend-service=default/default-http-backend diff --git a/examples/scaling-deployment/haproxy/README.md b/examples/scaling-deployment/haproxy/README.md index 748422ada..31daaea39 100644 --- a/examples/scaling-deployment/haproxy/README.md +++ b/examples/scaling-deployment/haproxy/README.md @@ -41,6 +41,11 @@ NAME READY STATUS RESTARTS AGE default-http-backend-q5sb6 1/1 Running 0 30m ``` +## RBAC Authorization + +Check the [RBAC sample](/examples/rbac/haproxy) if deploying on a cluster with +[RBAC authorization](https://kubernetes.io/docs/admin/authorization/rbac/). + ## Ingress Deployment Deploy the Deployment of multi controllers as follows: diff --git a/examples/scaling-deployment/nginx/nginx-ingress-deployment.yaml b/examples/scaling-deployment/nginx/nginx-ingress-deployment.yaml index d812e7e2b..ce7185137 100644 --- a/examples/scaling-deployment/nginx/nginx-ingress-deployment.yaml +++ b/examples/scaling-deployment/nginx/nginx-ingress-deployment.yaml @@ -14,7 +14,7 @@ spec: spec: terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: nginx-ingress-controller readinessProbe: httpGet: 
diff --git a/examples/static-ip/nginx/nginx-ingress-controller.yaml b/examples/static-ip/nginx/nginx-ingress-controller.yaml index 183ec5a55..d9c618fc9 100644 --- a/examples/static-ip/nginx/nginx-ingress-controller.yaml +++ b/examples/static-ip/nginx/nginx-ingress-controller.yaml @@ -18,7 +18,7 @@ spec: # hostNetwork: true terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: nginx-ingress-controller readinessProbe: httpGet: diff --git a/examples/tcp/nginx/README.md b/examples/tcp/nginx/README.md index 82885c3d9..8de3c1190 100644 --- a/examples/tcp/nginx/README.md +++ b/examples/tcp/nginx/README.md @@ -47,7 +47,7 @@ nginx-ingress-controller 1 1 1 3m $ kubectl -n kube-system describe rc nginx-ingress-controller Name: nginx-ingress-controller Namespace: kube-system -Image(s): gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 +Image(s): gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 Selector: k8s-app=nginx-tcp-ingress-lb Labels: k8s-app=nginx-ingress-lb Annotations: diff --git a/examples/tcp/nginx/nginx-tcp-ingress-controller.yaml b/examples/tcp/nginx/nginx-tcp-ingress-controller.yaml index ba013313a..569176cc1 100644 --- a/examples/tcp/nginx/nginx-tcp-ingress-controller.yaml +++ b/examples/tcp/nginx/nginx-tcp-ingress-controller.yaml @@ -17,7 +17,7 @@ spec: spec: terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: nginx-tcp-ingress-lb readinessProbe: httpGet: diff --git a/examples/tls-termination/elb-nginx/nginx-ingress-controller.yaml b/examples/tls-termination/elb-nginx/nginx-ingress-controller.yaml index 8f7d20a80..dc0bb9304 100644 --- a/examples/tls-termination/elb-nginx/nginx-ingress-controller.yaml 
+++ b/examples/tls-termination/elb-nginx/nginx-ingress-controller.yaml @@ -105,7 +105,7 @@ spec: spec: terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: ingress-nginx imagePullPolicy: Always ports: diff --git a/examples/udp/nginx/README.md b/examples/udp/nginx/README.md index 64ff5bb26..96b186f06 100644 --- a/examples/udp/nginx/README.md +++ b/examples/udp/nginx/README.md @@ -53,7 +53,7 @@ nginx-udp-ingress-controller 1 1 1 13m $ kubectl -n kube-system describe rc nginx-udp-ingress-controller Name: nginx-udp-ingress-controller Namespace: kube-system -Image(s): gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 +Image(s): gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 Selector: k8s-app=nginx-udp-ingress-lb Labels: k8s-app=nginx-udp-ingress-lb Annotations: diff --git a/examples/udp/nginx/nginx-udp-ingress-controller.yaml b/examples/udp/nginx/nginx-udp-ingress-controller.yaml index 77b9710b1..5c629dbea 100644 --- a/examples/udp/nginx/nginx-udp-ingress-controller.yaml +++ b/examples/udp/nginx/nginx-udp-ingress-controller.yaml @@ -17,7 +17,7 @@ spec: spec: terminationGracePeriodSeconds: 60 containers: - - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12 name: nginx-udp-ingress-lb readinessProbe: httpGet:
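Review bot: In the new examples/rbac/haproxy/README.md, the "Namespace Permissions" list does not match the Role in the accompanying ingress-controller-rbac.yml: the manifest's first Role rule grants `get` on `namespaces` in addition to `configmaps`, `pods` and `secrets`, but the README only lists "`configmaps`, `pods`, `secrets`: get". Either add `namespaces: get` to the README (with a sentence on why the controller needs to read its own namespace) or drop it from the Role, so that the documented grant and the applied grant are the same thing. Two smaller wording points in the same file: "Create the `Namespace`, `Service Account`, ..." should use `ServiceAccount` like the rest of the README and the `kind` in the manifest, and "using `ingress-controller` as it's common name" should read "its common name".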
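Review bot: The "Cluster Permissions" section of examples/rbac/haproxy/README.md should call out that the ClusterRole's first rule (`configmaps`, `endpoints`, `nodes`, `pods`, `secrets`: list, watch) gives the `ingress-controller` identity read access to every Secret in every namespace, not only TLS secrets referenced from Ingress objects. That is the widest grant in the manifest and the one an operator reviewing the example will want to understand before binding it; a sentence such as "the controller must be able to list and watch `secrets` cluster-wide to serve TLS for Ingress resources in any namespace, so treat the `ingress-controller` ServiceAccount as a highly privileged identity" would make the blast radius explicit.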
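Review bot: In ingress-controller-rbac.yml both the ClusterRoleBinding and the RoleBinding list a second subject, `kind: User`, `name: ingress-controller`, next to the ServiceAccount. That binding is applied unconditionally, so after step 1 of the README any client certificate the API server accepts whose common name is `ingress-controller` holds the controller's cluster-wide permissions, whether or not the reader ever follows the "Using cert based authentication" section. Either document this in that section (the CN must match the `User` name exactly, and the binding exists even when the ServiceAccount path is used) or present the `User` subject as an optional addition the reader applies only when choosing cert-based authentication.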
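Review bot: The Role in ingress-controller-rbac.yml spreads the `configmaps` verbs over three rules (`get` in the first rule, `get` and `update` in the second, `create` in the third), while the README summarises them as a single "`configmaps`: get, update, create" line for leader election. Merging them into one rule, `resources: [configmaps]` with `verbs: [get, update, create]`, would make the manifest read the way the README describes it and make it easier to audit which verbs are granted on which resource.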
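Review bot: Step 2 of the README's "Usage" section ("Deploy the ingress controller ... Add the `serviceAccountName` to the pod template spec") leaves the reader to find a deployment manifest on their own, since the new examples/rbac/haproxy directory contains only the README and the RBAC manifest. The three HAProxy READMEs touched by this patch (examples/daemonset/haproxy, examples/deployment/haproxy, examples/scaling-deployment/haproxy) now link to this sample; linking back from step 2 to one of them, for example the "## Controller" section of examples/deployment/haproxy/README.md, would close the loop and show where the `serviceAccountName: ingress-controller` snippet is meant to go.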
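Review bot: The image bump to `gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12` across the example manifests is consistent, but examples/tls-termination/elb-nginx/nginx-ingress-controller.yaml combines that mutable tag with `imagePullPolicy: Always`, so every pod start re-resolves the tag and the example is only as reproducible as the registry's current mapping for it. For a published example it is worth either pinning the image by digest (`image: ...@sha256:<digest of the beta.12 image>`) or dropping `imagePullPolicy: Always` so that the manifest describes one known image; the other manifests in this patch do not set the pull policy and so already default to `IfNotPresent` for a non-`latest` tag.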