Merge branch 'master' into add-sticky-path
commit
a5df624a47
37 changed files with 756 additions and 301 deletions
|
@ -1,5 +1,165 @@
|
|||
Changelog
|
||||
|
||||
Changelog
|
||||
|
||||
### 0.9-beta.12
|
||||
|
||||
**Image:** `gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12`
|
||||
|
||||
*Breaking changes:*
|
||||
|
||||
- SSL passthrough is disabled by default. To enable the feature use `--enable-ssl-passthrough`
|
||||
|
||||
*New Features:*
|
||||
|
||||
- Support for arm64
|
||||
- New flags to customize listen ports
|
||||
- Per minute rate limiting
|
||||
- Rate limit whitelist
|
||||
- Configuration of nginx worker timeout (to avoid zombie nginx workers processes)
|
||||
- Redirects from non-www to www
|
||||
- Custom default backend (per Ingress)
|
||||
- Graceful shutdown for NGINX
|
||||
|
||||
*Changes:*
|
||||
|
||||
- [X] [#977](https://github.com/kubernetes/ingress/pull/977) Add sort-backends command line option
|
||||
- [X] [#981](https://github.com/kubernetes/ingress/pull/981) Add annotation to allow use of service ClusterIP for NGINX upstream.
|
||||
- [X] [#991](https://github.com/kubernetes/ingress/pull/991) Remove secret sync loop
|
||||
- [X] [#992](https://github.com/kubernetes/ingress/pull/992) Check errors generating pem files
|
||||
- [X] [#993](https://github.com/kubernetes/ingress/pull/993) Fix the sed command to work on macOS
|
||||
- [X] [#1013](https://github.com/kubernetes/ingress/pull/1013) The fields of vtsDate are unified in the form of plural
|
||||
- [X] [#1025](https://github.com/kubernetes/ingress/pull/1025) Fix file watch
|
||||
- [X] [#1027](https://github.com/kubernetes/ingress/pull/1027) Lint code
|
||||
- [X] [#1031](https://github.com/kubernetes/ingress/pull/1031) Change missing secret name log level to V(3)
|
||||
- [X] [#1032](https://github.com/kubernetes/ingress/pull/1032) Alternative syncSecret approach #1030
|
||||
- [X] [#1042](https://github.com/kubernetes/ingress/pull/1042) Add function to allow custom values in Ingress status
|
||||
- [X] [#1043](https://github.com/kubernetes/ingress/pull/1043) Return reference to object providing Endpoint
|
||||
- [X] [#1046](https://github.com/kubernetes/ingress/pull/1046) Add field FileSHA in BasicDigest struct
|
||||
- [X] [#1058](https://github.com/kubernetes/ingress/pull/1058) add per minute rate limiting
|
||||
- [X] [#1060](https://github.com/kubernetes/ingress/pull/1060) Update fsnotify dependency to fix arm64 issue
|
||||
- [X] [#1065](https://github.com/kubernetes/ingress/pull/1065) Add more descriptive steps in Dev Documentation
|
||||
- [X] [#1073](https://github.com/kubernetes/ingress/pull/1073) Release nginx-slim 0.22
|
||||
- [X] [#1074](https://github.com/kubernetes/ingress/pull/1074) Remove lua and use fastcgi to render errors
|
||||
- [X] [#1075](https://github.com/kubernetes/ingress/pull/1075) (feat/ #374) support proxy timeout
|
||||
- [X] [#1076](https://github.com/kubernetes/ingress/pull/1076) Add more ssl test cases
|
||||
- [X] [#1078](https://github.com/kubernetes/ingress/pull/1078) fix the same udp port and tcp port, update nginx.conf error
|
||||
- [X] [#1080](https://github.com/kubernetes/ingress/pull/1080) Disable platform s390x
|
||||
- [X] [#1081](https://github.com/kubernetes/ingress/pull/1081) Spit Static check and Coverage in diff Stages of Travis CI
|
||||
- [X] [#1082](https://github.com/kubernetes/ingress/pull/1082) Fix build tasks
|
||||
- [X] [#1087](https://github.com/kubernetes/ingress/pull/1087) Release nginx-slim 0.23
|
||||
- [X] [#1088](https://github.com/kubernetes/ingress/pull/1088) Configure nginx worker timeout
|
||||
- [X] [#1089](https://github.com/kubernetes/ingress/pull/1089) Update nginx to 1.13.4
|
||||
- [X] [#1098](https://github.com/kubernetes/ingress/pull/1098) Exposing the event recorder to allow other controllers to create events
|
||||
- [X] [#1102](https://github.com/kubernetes/ingress/pull/1102) Fix lose SSL Passthrough
|
||||
- [X] [#1104](https://github.com/kubernetes/ingress/pull/1104) Simplify verification of hostname in ssl certificates
|
||||
- [X] [#1109](https://github.com/kubernetes/ingress/pull/1109) Cleanup remote address in nginx template
|
||||
- [X] [#1110](https://github.com/kubernetes/ingress/pull/1110) Fix Endpoint comparison
|
||||
- [X] [#1118](https://github.com/kubernetes/ingress/pull/1118) feat(#733)Support nginx bandwidth control
|
||||
- [X] [#1124](https://github.com/kubernetes/ingress/pull/1124) check fields len in dns.go
|
||||
- [X] [#1130](https://github.com/kubernetes/ingress/pull/1130) Update nginx.go
|
||||
- [X] [#1134](https://github.com/kubernetes/ingress/pull/1134) replace deprecated interface with versioned ones
|
||||
- [X] [#1136](https://github.com/kubernetes/ingress/pull/1136) Fix status update - changed in #1074
|
||||
- [X] [#1138](https://github.com/kubernetes/ingress/pull/1138) update nginx.go: preformance improve
|
||||
- [X] [#1139](https://github.com/kubernetes/ingress/pull/1139) Fix Todo:convert sequence to table
|
||||
- [X] [#1162](https://github.com/kubernetes/ingress/pull/1162) Optimize CI build time
|
||||
- [X] [#1164](https://github.com/kubernetes/ingress/pull/1164) Use variable request_uri as redirect after auth
|
||||
- [X] [#1179](https://github.com/kubernetes/ingress/pull/1179) Fix sticky upstream not used when enable rewrite
|
||||
- [X] [#1184](https://github.com/kubernetes/ingress/pull/1184) Add support for temporal and permanent redirects
|
||||
- [X] [#1185](https://github.com/kubernetes/ingress/pull/1185) Add more info about Server-Alias usage
|
||||
- [X] [#1186](https://github.com/kubernetes/ingress/pull/1186) Add annotation for client-body-buffer-size per location
|
||||
- [X] [#1190](https://github.com/kubernetes/ingress/pull/1190) Add flag to disable SSL passthrough
|
||||
- [X] [#1193](https://github.com/kubernetes/ingress/pull/1193) fix broken link
|
||||
- [X] [#1198](https://github.com/kubernetes/ingress/pull/1198) Add option for specific scheme for base url
|
||||
- [X] [#1202](https://github.com/kubernetes/ingress/pull/1202) formatIP issue
|
||||
- [X] [#1203](https://github.com/kubernetes/ingress/pull/1203) NGINX not reloading correctly
|
||||
- [X] [#1204](https://github.com/kubernetes/ingress/pull/1204) Fix template error
|
||||
- [X] [#1205](https://github.com/kubernetes/ingress/pull/1205) Add initial sync of secrets
|
||||
- [X] [#1206](https://github.com/kubernetes/ingress/pull/1206) Update ssl-passthrough docs
|
||||
- [X] [#1207](https://github.com/kubernetes/ingress/pull/1207) delete broken link
|
||||
- [X] [#1208](https://github.com/kubernetes/ingress/pull/1208) fix some typo
|
||||
- [X] [#1210](https://github.com/kubernetes/ingress/pull/1210) add rate limit whitelist
|
||||
- [X] [#1215](https://github.com/kubernetes/ingress/pull/1215) Replace base64 encoding with random uuid
|
||||
- [X] [#1218](https://github.com/kubernetes/ingress/pull/1218) Trivial fixes in core/pkg/net
|
||||
- [X] [#1219](https://github.com/kubernetes/ingress/pull/1219) keep zones unique per ingress resource
|
||||
- [X] [#1221](https://github.com/kubernetes/ingress/pull/1221) Move certificate authentication from location to server
|
||||
- [X] [#1223](https://github.com/kubernetes/ingress/pull/1223) Add doc for non-www to www annotation
|
||||
- [X] [#1224](https://github.com/kubernetes/ingress/pull/1224) refactor rate limit whitelist
|
||||
- [X] [#1226](https://github.com/kubernetes/ingress/pull/1226) Remove useless variable in nginx.tmpl
|
||||
- [X] [#1227](https://github.com/kubernetes/ingress/pull/1227) Update annotations doc with base-url-scheme
|
||||
- [X] [#1233](https://github.com/kubernetes/ingress/pull/1233) Fix ClientBodyBufferSize annotation
|
||||
- [X] [#1234](https://github.com/kubernetes/ingress/pull/1234) Lint code
|
||||
- [X] [#1235](https://github.com/kubernetes/ingress/pull/1235) Fix Equal comparison
|
||||
- [X] [#1236](https://github.com/kubernetes/ingress/pull/1236) Add Validation for Client Body Buffer Size
|
||||
- [X] [#1238](https://github.com/kubernetes/ingress/pull/1238) Add support for 'client_body_timeout' and 'client_header_timeout'
|
||||
- [X] [#1239](https://github.com/kubernetes/ingress/pull/1239) Add flags to customize listen ports and detect port collisions
|
||||
- [X] [#1243](https://github.com/kubernetes/ingress/pull/1243) Add support for access-log-path and error-log-path
|
||||
- [X] [#1244](https://github.com/kubernetes/ingress/pull/1244) Add custom default backend annotation
|
||||
- [X] [#1246](https://github.com/kubernetes/ingress/pull/1246) Add additional headers when custom default backend is used
|
||||
- [X] [#1247](https://github.com/kubernetes/ingress/pull/1247) Make Ingress annotations available in template
|
||||
- [X] [#1248](https://github.com/kubernetes/ingress/pull/1248) Improve nginx controller performance
|
||||
- [X] [#1254](https://github.com/kubernetes/ingress/pull/1254) fix Type transform panic
|
||||
- [X] [#1257](https://github.com/kubernetes/ingress/pull/1257) Graceful shutdown for Nginx
|
||||
- [X] [#1261](https://github.com/kubernetes/ingress/pull/1261) Add support for 'worker-shutdown-timeout'
|
||||
|
||||
|
||||
*Documentation:*
|
||||
|
||||
- [X] [#976](https://github.com/kubernetes/ingress/pull/976) Update annotations doc
|
||||
- [X] [#979](https://github.com/kubernetes/ingress/pull/979) Missing auth example
|
||||
- [X] [#980](https://github.com/kubernetes/ingress/pull/980) Add nginx basic auth example
|
||||
- [X] [#1001](https://github.com/kubernetes/ingress/pull/1001) examples/nginx/rbac: Give access to own namespace
|
||||
- [X] [#1005](https://github.com/kubernetes/ingress/pull/1005) Update configuration.md
|
||||
- [X] [#1018](https://github.com/kubernetes/ingress/pull/1018) add docs for `proxy-set-headers` and `add-headers`
|
||||
- [X] [#1038](https://github.com/kubernetes/ingress/pull/1038) typo / spelling in README.md
|
||||
- [X] [#1039](https://github.com/kubernetes/ingress/pull/1039) typo in examples/tcp/nginx/README.md
|
||||
- [X] [#1049](https://github.com/kubernetes/ingress/pull/1049) Fix config name in the example.
|
||||
- [X] [#1054](https://github.com/kubernetes/ingress/pull/1054) Fix link to UDP example
|
||||
- [X] [#1084](https://github.com/kubernetes/ingress/pull/1084) (issue #310)Fix some broken link
|
||||
- [X] [#1103](https://github.com/kubernetes/ingress/pull/1103) Add GoDoc Widget
|
||||
- [X] [#1105](https://github.com/kubernetes/ingress/pull/1105) Make Readme file more readable
|
||||
- [X] [#1106](https://github.com/kubernetes/ingress/pull/1106) Update annotations.md
|
||||
- [X] [#1107](https://github.com/kubernetes/ingress/pull/1107) Fix Broken Link
|
||||
- [X] [#1119](https://github.com/kubernetes/ingress/pull/1119) fix typos in controllers/nginx/README.md
|
||||
- [X] [#1122](https://github.com/kubernetes/ingress/pull/1122) Fix broken link
|
||||
- [X] [#1131](https://github.com/kubernetes/ingress/pull/1131) Add short help doc in configuration for nginx limit rate
|
||||
- [X] [#1143](https://github.com/kubernetes/ingress/pull/1143) Minor Typo Fix
|
||||
- [X] [#1144](https://github.com/kubernetes/ingress/pull/1144) Minor Typo fix
|
||||
- [X] [#1145](https://github.com/kubernetes/ingress/pull/1145) Minor Typo fix
|
||||
- [X] [#1146](https://github.com/kubernetes/ingress/pull/1146) Fix Minor Typo in Readme
|
||||
- [X] [#1147](https://github.com/kubernetes/ingress/pull/1147) Minor Typo Fix
|
||||
- [X] [#1148](https://github.com/kubernetes/ingress/pull/1148) Minor Typo Fix in Getting-Started.md
|
||||
- [X] [#1149](https://github.com/kubernetes/ingress/pull/1149) Fix Minor Typo in TLS authentication
|
||||
- [X] [#1150](https://github.com/kubernetes/ingress/pull/1150) Fix Minor Typo in Customize the HAProxy configuration
|
||||
- [X] [#1151](https://github.com/kubernetes/ingress/pull/1151) Fix Minor Typo in customization custom-template
|
||||
- [X] [#1152](https://github.com/kubernetes/ingress/pull/1152) Fix minor typo in HAProxy Multi TLS certificate termination
|
||||
- [X] [#1153](https://github.com/kubernetes/ingress/pull/1153) Fix minor typo in Multi TLS certificate termination
|
||||
- [X] [#1154](https://github.com/kubernetes/ingress/pull/1154) Fix minor typo in Role Based Access Control
|
||||
- [X] [#1155](https://github.com/kubernetes/ingress/pull/1155) Fix minor typo in TCP loadbalancing
|
||||
- [X] [#1156](https://github.com/kubernetes/ingress/pull/1156) Fix minor typo in UDP loadbalancing
|
||||
- [X] [#1157](https://github.com/kubernetes/ingress/pull/1157) Fix minor typos in Prerequisites
|
||||
- [X] [#1158](https://github.com/kubernetes/ingress/pull/1158) Fix minor typo in Ingress examples
|
||||
- [X] [#1159](https://github.com/kubernetes/ingress/pull/1159) Fix minor typos in Ingress admin guide
|
||||
- [X] [#1160](https://github.com/kubernetes/ingress/pull/1160) Fix a broken href and typo in Ingress FAQ
|
||||
- [X] [#1165](https://github.com/kubernetes/ingress/pull/1165) Update CONTRIBUTING.md
|
||||
- [X] [#1168](https://github.com/kubernetes/ingress/pull/1168) finx link to running-locally.md
|
||||
- [X] [#1170](https://github.com/kubernetes/ingress/pull/1170) Update dead link in nginx/HTTPS section
|
||||
- [X] [#1172](https://github.com/kubernetes/ingress/pull/1172) Update README.md
|
||||
- [X] [#1173](https://github.com/kubernetes/ingress/pull/1173) Update admin.md
|
||||
- [X] [#1174](https://github.com/kubernetes/ingress/pull/1174) fix several titles
|
||||
- [X] [#1177](https://github.com/kubernetes/ingress/pull/1177) fix typos
|
||||
- [X] [#1188](https://github.com/kubernetes/ingress/pull/1188) Fix minor typo
|
||||
- [X] [#1189](https://github.com/kubernetes/ingress/pull/1189) Fix sign in URL redirect parameter
|
||||
- [X] [#1192](https://github.com/kubernetes/ingress/pull/1192) Update README.md
|
||||
- [X] [#1195](https://github.com/kubernetes/ingress/pull/1195) Update troubleshooting.md
|
||||
- [X] [#1196](https://github.com/kubernetes/ingress/pull/1196) Update README.md
|
||||
- [X] [#1209](https://github.com/kubernetes/ingress/pull/1209) Update README.md
|
||||
- [X] [#1085](https://github.com/kubernetes/ingress/pull/1085) Fix ConfigMap's namespace in custom configuration example for nginx
|
||||
- [X] [#1142](https://github.com/kubernetes/ingress/pull/1142) Fix typo in multiple docs
|
||||
- [X] [#1228](https://github.com/kubernetes/ingress/pull/1228) Update release doc in getting-started.md
|
||||
- [X] [#1230](https://github.com/kubernetes/ingress/pull/1230) Update godep guide link
|
||||
|
||||
|
||||
### 0.9-beta.11
|
||||
|
||||
**Image:** `gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11`
|
||||
|
|
|
@ -3,7 +3,7 @@ all: push
|
|||
BUILDTAGS=
|
||||
|
||||
# Use the 0.0 tag for testing, it shouldn't clobber any release builds
|
||||
TAG?=0.9.0-beta.11
|
||||
TAG?=0.9.0-beta.12
|
||||
REGISTRY?=gcr.io/google_containers
|
||||
GOOS?=linux
|
||||
DOCKER?=gcloud docker --
|
||||
|
|
|
@ -95,14 +95,14 @@ $ ./rootfs/nginx-ingress-controller --running-in-cluster=false --default-backend
|
|||
|
||||
First create a default backend:
|
||||
```
|
||||
$ kubectl create -f examples/deployment/nginx/default-backend.yaml
|
||||
$ kubectl create -f examples/default-backend.yaml
|
||||
$ kubectl expose rc default-http-backend --port=80 --target-port=8080 --name=default-http-backend
|
||||
```
|
||||
|
||||
Loadbalancers are created via a ReplicationController or Daemonset:
|
||||
|
||||
```
|
||||
$ kubectl create -f examples/default/rc-default.yaml
|
||||
$ kubectl create -f examples/rc-default.yaml
|
||||
```
|
||||
|
||||
## HTTP
|
||||
|
|
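Review bot: the unchanged `kubectl expose rc default-http-backend ...` line that follows the updated `kubectl create -f examples/default-backend.yaml` looks stale. The `default-backend.yaml` added in this commit defines a Deployment and a Service, both named `default-http-backend`. If that is the file this path refers to, there is no ReplicationController to expose and the Service already exists. Drop the `expose` step or state which manifest it applies to.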
51
controllers/nginx/examples/default-backend.yaml
Normal file
|
@ -0,0 +1,51 @@
|
|||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: default-http-backend
|
||||
labels:
|
||||
k8s-app: default-http-backend
|
||||
namespace: kube-system
|
||||
spec:
|
||||
replicas: 1
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: default-http-backend
|
||||
spec:
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- name: default-http-backend
|
||||
# Any image is permissable as long as:
|
||||
# 1. It serves a 404 page at /
|
||||
# 2. It serves 200 on a /healthz endpoint
|
||||
image: gcr.io/google_containers/defaultbackend:1.0
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: 8080
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 30
|
||||
timeoutSeconds: 5
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
resources:
|
||||
limits:
|
||||
cpu: 10m
|
||||
memory: 20Mi
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 20Mi
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: default-http-backend
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: default-http-backend
|
||||
spec:
|
||||
ports:
|
||||
- port: 80
|
||||
targetPort: 8080
|
||||
selector:
|
||||
k8s-app: default-http-backend
|
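Review bot: the `default-http-backend` container spec sets a `livenessProbe` and resource limits but no `securityContext`, and the comment above `image:` says any image is acceptable. For an example manifest deployed into `kube-system`, consider adding a restrictive `securityContext` (for instance `runAsNonRoot: true` and `readOnlyRootFilesystem: true`, where the image supports them) so that copies of this file start from a hardened baseline. The image is also referenced by the mutable tag `defaultbackend:1.0` rather than a digest. Minor: "permissable" in the comment should be "permissible".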
26
controllers/nginx/examples/ingress.yaml
Normal file
|
@ -0,0 +1,26 @@
|
|||
# This is the Ingress resource that creates a HTTP Loadbalancer configured
|
||||
# according to the Ingress rules.
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: echomap
|
||||
spec:
|
||||
rules:
|
||||
- host: foo.bar.com
|
||||
http:
|
||||
paths:
|
||||
- path: /foo
|
||||
backend:
|
||||
serviceName: echoheaders-x
|
||||
servicePort: 80
|
||||
- host: bar.baz.com
|
||||
http:
|
||||
paths:
|
||||
- path: /bar
|
||||
backend:
|
||||
serviceName: echoheaders-y
|
||||
servicePort: 80
|
||||
- path: /foo
|
||||
backend:
|
||||
serviceName: echoheaders-x
|
||||
servicePort: 80
|
|
@ -24,7 +24,7 @@ import (
|
|||
)
|
||||
|
||||
const (
|
||||
ngxStatusPath = "/internal_nginx_status"
|
||||
ngxStatusPath = "/nginx_status"
|
||||
ngxVtsPath = "/nginx_status/format/json"
|
||||
)
|
||||
|
||||
|
@ -46,7 +46,7 @@ type statsCollector struct {
|
|||
namespace string
|
||||
watchClass string
|
||||
|
||||
healthPort int
|
||||
port int
|
||||
}
|
||||
|
||||
func (s *statsCollector) stop(sm statusModule) {
|
||||
|
@ -63,18 +63,19 @@ func (s *statsCollector) stop(sm statusModule) {
|
|||
func (s *statsCollector) start(sm statusModule) {
|
||||
switch sm {
|
||||
case defaultStatusModule:
|
||||
s.basic = collector.NewNginxStatus(s.namespace, s.watchClass, s.healthPort, ngxStatusPath)
|
||||
s.basic = collector.NewNginxStatus(s.namespace, s.watchClass, s.port, ngxStatusPath)
|
||||
prometheus.Register(s.basic)
|
||||
break
|
||||
case vtsStatusModule:
|
||||
s.vts = collector.NewNGINXVTSCollector(s.namespace, s.watchClass, s.healthPort, ngxVtsPath)
|
||||
s.vts = collector.NewNGINXVTSCollector(s.namespace, s.watchClass, s.port, ngxVtsPath)
|
||||
prometheus.Register(s.vts)
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
func newStatsCollector(ns, class, binary string, hz int) *statsCollector {
|
||||
func newStatsCollector(ns, class, binary string, port int) *statsCollector {
|
||||
glog.Infof("starting new nginx stats collector for Ingress controller running in namespace %v (class %v)", ns, class)
|
||||
glog.Infof("collector extracting information from port %v", port)
|
||||
pc, err := collector.NewNamedProcess(true, collector.BinaryNameMatcher{
|
||||
Name: "nginx",
|
||||
Binary: binary,
|
||||
|
@ -91,6 +92,6 @@ func newStatsCollector(ns, class, binary string, hz int) *statsCollector {
|
|||
namespace: ns,
|
||||
watchClass: class,
|
||||
process: pc,
|
||||
healthPort: hz,
|
||||
port: port,
|
||||
}
|
||||
}
|
||||
|
|
|
@ -372,7 +372,11 @@ func (n *NGINXController) OverrideFlags(flags *pflag.FlagSet) {
|
|||
}
|
||||
|
||||
flags.Set("ingress-class", ic)
|
||||
n.stats = newStatsCollector(wc, ic, n.binary, n.ports.Health)
|
||||
|
||||
h, _ := flags.GetInt("healthz-port")
|
||||
n.ports.Health = h
|
||||
|
||||
n.stats = newStatsCollector(wc, ic, n.binary, n.ports.Status)
|
||||
|
||||
if n.isSSLPassthroughEnabled {
|
||||
if !isPortAvailable(n.ports.SSLProxy) {
|
||||
|
|
|
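Review bot: `h, _ := flags.GetInt("healthz-port")` discards the error, and the next line assigns `h` to `n.ports.Health` unconditionally. If the lookup fails, `h` is 0 and the health port is silently overwritten with 0. Check the error and either keep the existing `n.ports.Health` value or log and abort, for example `if err != nil { glog.Fatalf(...) }` before the assignment.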
@ -143,8 +143,8 @@ func (bit BoolToFloat64) UnmarshalJSON(data []byte) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func getNginxStatus(ngxHealthPort int, ngxStatusPath string) (*basicStatus, error) {
|
||||
url := fmt.Sprintf("http://localhost:%v%v", ngxHealthPort, ngxStatusPath)
|
||||
func getNginxStatus(port int, path string) (*basicStatus, error) {
|
||||
url := fmt.Sprintf("http://localhost:%v%v", port, path)
|
||||
glog.V(3).Infof("start scrapping url: %v", url)
|
||||
|
||||
data, err := httpBody(url)
|
||||
|
@ -174,8 +174,8 @@ func httpBody(url string) ([]byte, error) {
|
|||
return data, nil
|
||||
}
|
||||
|
||||
func getNginxVtsMetrics(ngxHealthPort int, ngxVtsPath string) (*vts, error) {
|
||||
url := fmt.Sprintf("http://localhost:%v%v", ngxHealthPort, ngxVtsPath)
|
||||
func getNginxVtsMetrics(port int, path string) (*vts, error) {
|
||||
url := fmt.Sprintf("http://localhost:%v%v", port, path)
|
||||
glog.V(3).Infof("start scrapping url: %v", url)
|
||||
|
||||
data, err := httpBody(url)
|
||||
|
|
|
@ -28,8 +28,8 @@ const ns = "nginx"
|
|||
type (
|
||||
vtsCollector struct {
|
||||
scrapeChan chan scrapeRequest
|
||||
ngxHealthPort int
|
||||
ngxVtsPath string
|
||||
port int
|
||||
path string
|
||||
data *vtsData
|
||||
watchNamespace string
|
||||
ingressClass string
|
||||
|
@ -57,12 +57,12 @@ type (
|
|||
)
|
||||
|
||||
// NewNGINXVTSCollector returns a new prometheus collector for the VTS module
|
||||
func NewNGINXVTSCollector(watchNamespace, ingressClass string, ngxHealthPort int, ngxVtsPath string) Stopable {
|
||||
func NewNGINXVTSCollector(watchNamespace, ingressClass string, port int, path string) Stopable {
|
||||
|
||||
p := vtsCollector{
|
||||
scrapeChan: make(chan scrapeRequest),
|
||||
ngxHealthPort: ngxHealthPort,
|
||||
ngxVtsPath: ngxVtsPath,
|
||||
port: port,
|
||||
path: path,
|
||||
watchNamespace: watchNamespace,
|
||||
ingressClass: ingressClass,
|
||||
}
|
||||
|
@ -201,7 +201,7 @@ func (p vtsCollector) Stop() {
|
|||
|
||||
// scrapeVts scrape nginx vts metrics
|
||||
func (p vtsCollector) scrapeVts(ch chan<- prometheus.Metric) {
|
||||
nginxMetrics, err := getNginxVtsMetrics(p.ngxHealthPort, p.ngxVtsPath)
|
||||
nginxMetrics, err := getNginxVtsMetrics(p.port, p.path)
|
||||
if err != nil {
|
||||
glog.Warningf("unexpected error obtaining nginx status info: %v", err)
|
||||
return
|
||||
|
|
|
@ -301,7 +301,7 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string {
|
|||
return defProxyPass
|
||||
}
|
||||
|
||||
if path != slash && !strings.HasSuffix(path, slash) {
|
||||
if !strings.HasSuffix(path, slash) {
|
||||
path = fmt.Sprintf("%s/", path)
|
||||
}
|
||||
|
||||
|
|
|
@ -387,7 +387,7 @@ http {
|
|||
# Changing this value requires a change in:
|
||||
# https://github.com/kubernetes/ingress/blob/master/controllers/nginx/pkg/cmd/controller/nginx.go
|
||||
listen 127.0.0.1:{{ $all.ListenPorts.Status }} default_server reuseport backlog={{ $all.BacklogSize }};
|
||||
{{ if $IsIPV6Enabled }}listen [::1]:{{ $all.ListenPorts.Status }} default_server reuseport backlog={{ $all.BacklogSize }};{{ end }}
|
||||
{{ if $IsIPV6Enabled }}listen [::]:{{ $all.ListenPorts.Status }} default_server reuseport backlog={{ $all.BacklogSize }};{{ end }}
|
||||
set $proxy_upstream_name "-";
|
||||
|
||||
location {{ $healthzURI }} {
|
||||
|
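Review bot: the IPv6 `listen` line in this server block changes from `[::1]` to `[::]` while the IPv4 `listen` line above it stays on `127.0.0.1`, so with IPv6 enabled the status port is reachable on every interface over IPv6 but only on loopback over IPv4. If loopback-only is the intent (the collector in this commit scrapes `http://localhost:<port>`), keep `[::1]`. If the wider bind is deliberate, say so in the comment above the `listen` lines and make the two address families consistent.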
@ -407,21 +407,6 @@ http {
|
|||
{{ end }}
|
||||
}
|
||||
|
||||
# this location is used to extract nginx metrics
|
||||
# using prometheus.
|
||||
# TODO: enable extraction for vts module.
|
||||
location /internal_nginx_status {
|
||||
set $proxy_upstream_name "internal";
|
||||
|
||||
allow 127.0.0.1;
|
||||
{{ if not $cfg.DisableIpv6 }}allow ::1;{{ end }}
|
||||
deny all;
|
||||
|
||||
access_log off;
|
||||
stub_status on;
|
||||
}
|
||||
|
||||
|
||||
fastcgi_param HTTP_X_Code 404;
|
||||
fastcgi_param HTTP_X_Format $http_accept;
|
||||
fastcgi_param HTTP_X_Original_URI $request_uri;
|
||||
|
|
|
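Review bot: the removed `location /internal_nginx_status` block carried its own `allow 127.0.0.1;` / `deny all;` ACL together with `access_log off`, and the collector constant in this commit now points at `/nginx_status` instead. The `/nginx_status` location is not visible in this hunk, so please confirm it has an equivalent allow/deny restriction, particularly because the IPv6 listener of this server block is widened to `[::]` in the same template change.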
@ -259,7 +259,7 @@ spec:
|
|||
spec:
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: ingress-nginx
|
||||
imagePullPolicy: Always
|
||||
ports:
|
||||
|
|
|
@ -101,7 +101,7 @@ spec:
|
|||
spec:
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: ingress-nginx
|
||||
imagePullPolicy: Always
|
||||
ports:
|
||||
|
|
|
@ -19,7 +19,7 @@ spec:
|
|||
# hostNetwork: true
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: nginx-ingress-controller
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
|
|
|
@ -22,7 +22,7 @@ spec:
|
|||
# hostNetwork: true
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: nginx-ingress-controller
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
|
|
|
@ -16,7 +16,7 @@ spec:
|
|||
spec:
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: nginx-ingress-lb
|
||||
imagePullPolicy: Always
|
||||
readinessProbe:
|
||||
|
|
|
@ -19,7 +19,7 @@ spec:
|
|||
# hostNetwork: true
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: nginx-ingress-controller
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
|
|
|
@ -16,7 +16,7 @@ spec:
|
|||
spec:
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: nginx-ingress-lb
|
||||
imagePullPolicy: Always
|
||||
readinessProbe:
|
||||
|
|
|
@ -22,7 +22,7 @@ spec:
|
|||
# hostNetwork: true
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: nginx-ingress-controller
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
|
|
|
@ -19,7 +19,7 @@ spec:
|
|||
# hostNetwork: true
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: nginx-ingress-controller
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
|
|
|
@ -41,6 +41,11 @@ NAME READY STATUS RESTARTS AGE
|
|||
default-http-backend-q5sb6 1/1 Running 0 30m
|
||||
```
|
||||
|
||||
## RBAC Authorization
|
||||
|
||||
Check the [RBAC sample](/examples/rbac/haproxy) if deploying on a cluster with
|
||||
[RBAC authorization](https://kubernetes.io/docs/admin/authorization/rbac/).
|
||||
|
||||
## Ingress DaemonSet
|
||||
|
||||
Deploy the daemonset as follows:
|
||||
|
|
|
@ -16,7 +16,7 @@ spec:
|
|||
spec:
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: nginx-ingress-lb
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
|
|
|
@ -70,6 +70,11 @@ configmap can be edited or replaced later in order to apply new
|
|||
configuration on a running ingress controller. All supported options
|
||||
are [here](https://github.com/jcmoraisjr/haproxy-ingress#configmap).
|
||||
|
||||
## RBAC Authorization
|
||||
|
||||
Check the [RBAC sample](/examples/rbac/haproxy) if deploying on a cluster with
|
||||
[RBAC authorization](https://kubernetes.io/docs/admin/authorization/rbac/).
|
||||
|
||||
## Controller
|
||||
|
||||
Deploy HAProxy Ingress:
|
||||
|
|
|
@ -71,7 +71,7 @@ spec:
|
|||
hostNetwork: true
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: nginx-ingress-controller
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
|
|
|
@ -22,7 +22,7 @@ spec:
|
|||
# hostNetwork: true
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: nginx-ingress-controller
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
|
|
80
examples/rbac/haproxy/README.md
Normal file
|
@ -0,0 +1,80 @@
|
|||
# Role Based Access Control
|
||||
|
||||
This example demonstrates how to authorize an ingress controller on a cluster
|
||||
with role based access control.
|
||||
|
||||
## Overview
|
||||
|
||||
This example applies to ingress controllers being deployed in an environment with
|
||||
[RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) enabled.
|
||||
|
||||
## Service Account created in this example
|
||||
|
||||
One ServiceAccount is created in this example, `ingress-controller`. See
|
||||
[Using cert based authentication](#using-cert-based-authentication)
|
||||
below if using client cert authentication.
|
||||
|
||||
## Permissions Granted in this example
|
||||
|
||||
There are two sets of permissions defined in this example. Cluster-wide
|
||||
permissions defined by a `ClusterRole` and namespace specific permissions
|
||||
defined by a `Role`, both named `ingress-controller`.
|
||||
|
||||
### Cluster Permissions
|
||||
|
||||
These permissions are granted in order for the ingress-controller to be
|
||||
able to function as an ingress across the cluster. These permissions are
|
||||
granted to the ClusterRole:
|
||||
|
||||
* `configmaps`, `endpoints`, `nodes`, `pods`, `secrets`: list, watch
|
||||
* `nodes`: get
|
||||
* `services`, `ingresses`: get, list, watch
|
||||
* `events`: create, patch
|
||||
* `ingresses/status`: update
|
||||
|
||||
### Namespace Permissions
|
||||
|
||||
These permissions are granted specific to the `ingress-controller` namespace.
|
||||
The Role permissions are:
|
||||
|
||||
* `configmaps`, `pods`, `secrets`: get
|
||||
* `endpoints`: create, get, update
|
||||
|
||||
Furthermore to support leader-election, the ingress controller needs to
|
||||
have access to a `configmap` in the `ingress-controller` namespace:
|
||||
|
||||
* `configmaps`: get, update, create
|
||||
|
||||
## Namespace created in this example
|
||||
|
||||
The `Namespace` named `ingress-controller` is defined in this example. The
|
||||
namespace name can be changed arbitrarily as long as all of the references
|
||||
change as well.
|
||||
|
||||
## Usage
|
||||
|
||||
1. Create the `Namespace`, `Service Account`, `ClusterRole`, `Role`,
|
||||
`ClusterRoleBinding`, and `RoleBinding`:
|
||||
|
||||
```console
|
||||
$ kubectl create -f ingress-controller-rbac.yml
|
||||
```
|
||||
|
||||
2. Deploy the ingress controller. The deployment should be configured to use
|
||||
the `ingress-controller` service account name if not using kubeconfig and
|
||||
client cert based authentication. Add the `serviceAccountName` to the pod
|
||||
template spec:
|
||||
|
||||
```yaml
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
serviceAccountName: ingress-controller
|
||||
```
|
||||
|
||||
## Using cert based authentication
|
||||
|
||||
A client certificate based authentication can also be used with the following changes:
|
||||
|
||||
1. No need to add the `serviceAccountName` to the pod template spec.
|
||||
2. Sign a client certificate using `ingress-controller` as it's common name.
|
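Review bot: The Namespace Permissions list (`configmaps`, `pods`, `secrets`: get) does not match the Role in ingress-controller-rbac.yml, which also grants get on `namespaces`; add it to the list or drop it from the Role so the README describes exactly what is granted. The Cluster Permissions list should also say that list/watch on `secrets` applies to every namespace and that list responses carry the secret data, since that is the grant an operator most needs to weigh before applying the file. Minor: in step 2 of the cert section, "it's common name" should be "its common name".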
133
examples/rbac/haproxy/ingress-controller-rbac.yml
Normal file
|
@ -0,0 +1,133 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: ingress-controller
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: ingress-controller
|
||||
namespace: ingress-controller
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: ingress-controller
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
- endpoints
|
||||
- nodes
|
||||
- pods
|
||||
- secrets
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- nodes
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- services
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- "extensions"
|
||||
resources:
|
||||
- ingresses
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- patch
|
||||
- apiGroups:
|
||||
- "extensions"
|
||||
resources:
|
||||
- ingresses/status
|
||||
verbs:
|
||||
- update
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: ingress-controller
|
||||
namespace: ingress-controller
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
- pods
|
||||
- secrets
|
||||
- namespaces
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- get
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- create
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- endpoints
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- update
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: ingress-controller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: ingress-controller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: ingress-controller
|
||||
namespace: ingress-controller
|
||||
- apiGroup: rbac.authorization.k8s.io
|
||||
kind: User
|
||||
name: ingress-controller
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: ingress-controller
|
||||
namespace: ingress-controller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: ingress-controller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: ingress-controller
|
||||
namespace: ingress-controller
|
||||
- apiGroup: rbac.authorization.k8s.io
|
||||
kind: User
|
||||
name: ingress-controller
|
|
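Review bot: Both the ClusterRoleBinding and the RoleBinding list `kind: User`, `name: ingress-controller` next to the ServiceAccount, so any client certificate with that common name receives the full grant, including cluster-wide list/watch on `secrets`, even in clusters that only use the service account. Consider moving the User subject into a separate, optional binding for the client-cert setup the README describes. In the Role, the `configmaps` get/update rule has no `resourceNames`, so it covers every ConfigMap in the namespace rather than the single leader-election ConfigMap the README mentions; restricting it to that ConfigMap's name would tighten it (`create` cannot be limited by name, which is presumably why it sits in its own rule).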
@ -16,7 +16,7 @@ spec:
|
|||
serviceAccountName: nginx-ingress-serviceaccount
|
||||
containers:
|
||||
- name: nginx-ingress-controller
|
||||
image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
args:
|
||||
- /nginx-ingress-controller
|
||||
- --default-backend-service=default/default-http-backend
|
||||
|
|
|
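Review bot: The bump to `0.9.0-beta.12` on the `image:` line picks up the breaking change listed in the changelog in this same commit: SSL passthrough is now off unless `--enable-ssl-passthrough` is passed. The `args` visible here do not pass it, so confirm that none of the example manifests updated in this commit depend on passthrough, and add the flag where they do.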
@ -41,6 +41,11 @@ NAME READY STATUS RESTARTS AGE
|
|||
default-http-backend-q5sb6 1/1 Running 0 30m
|
||||
```
|
||||
|
||||
## RBAC Authorization
|
||||
|
||||
Check the [RBAC sample](/examples/rbac/haproxy) if deploying on a cluster with
|
||||
[RBAC authorization](https://kubernetes.io/docs/admin/authorization/rbac/).
|
||||
|
||||
## Ingress Deployment
|
||||
|
||||
Deploy the Deployment of multi controllers as follows:
|
||||
|
|
|
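Review bot: The new RBAC Authorization section only links to the sample, while the Ingress Deployment step right after it is where the reader needs the detail. State here that on an RBAC cluster the controller pod must run with `serviceAccountName: ingress-controller` (or authenticate with the client certificate), otherwise it runs as the namespace's default service account and the sample's bindings do not apply to it.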
@ -14,7 +14,7 @@ spec:
|
|||
spec:
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: nginx-ingress-controller
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
|
|
|
@ -18,7 +18,7 @@ spec:
|
|||
# hostNetwork: true
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: nginx-ingress-controller
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
|
|
|
@ -47,7 +47,7 @@ nginx-ingress-controller 1 1 1 3m
|
|||
$ kubectl -n kube-system describe rc nginx-ingress-controller
|
||||
Name: nginx-ingress-controller
|
||||
Namespace: kube-system
|
||||
Image(s): gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
Image(s): gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
Selector: k8s-app=nginx-tcp-ingress-lb
|
||||
Labels: k8s-app=nginx-ingress-lb
|
||||
Annotations: <none>
|
||||
|
|
|
@ -17,7 +17,7 @@ spec:
|
|||
spec:
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: nginx-tcp-ingress-lb
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
|
|
|
@ -105,7 +105,7 @@ spec:
|
|||
spec:
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: ingress-nginx
|
||||
imagePullPolicy: Always
|
||||
ports:
|
||||
|
|
|
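Review bot: With `imagePullPolicy: Always` in the context just below the changed `image:` line, this pod re-resolves the tag on every start, so what runs is whatever `0.9.0-beta.12` points to at pull time. Pinning the image by digest in addition to the tag would make the example reproducible; the digest is not shown in this commit and would have to be taken from the registry.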
@ -53,7 +53,7 @@ nginx-udp-ingress-controller 1 1 1 13m
|
|||
$ kubectl -n kube-system describe rc nginx-udp-ingress-controller
|
||||
Name: nginx-udp-ingress-controller
|
||||
Namespace: kube-system
|
||||
Image(s): gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
Image(s): gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
Selector: k8s-app=nginx-udp-ingress-lb
|
||||
Labels: k8s-app=nginx-udp-ingress-lb
|
||||
Annotations: <none>
|
||||
|
|
|
@ -17,7 +17,7 @@ spec:
|
|||
spec:
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
|
||||
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
|
||||
name: nginx-udp-ingress-lb
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
|
|