Deploy GitHub Pages

Travis Bot 2018-10-12 01:21:45 +00:00
parent 8125e59d3f
commit c09357b854
51 changed files with 612 additions and 5095 deletions

View file

@ -590,8 +590,8 @@
<li class="md-nav__item">
<a href="/user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="/user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -908,18 +908,6 @@
<li class="md-nav__item">
<a href="/examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="/examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication

View file

@ -664,8 +664,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -982,18 +982,6 @@
<li class="md-nav__item">
<a href="../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1216,32 +1204,16 @@ by a DHCP server.</p>
<p class="admonition-title">Example</p>
<p>Given the following 3-node Kubernetes cluster (the external IP is added as an example, in most bare-metal
environments this value is &lt;None>)</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe node
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe node
<span class="go">NAME STATUS ROLES EXTERNAL-IP</span>
<span class="go">host-1 Ready master 203.0.113.1</span>
<span class="go">host-2 Ready node 203.0.113.2</span>
<span class="go">host-3 Ready node 203.0.113.3</span>
</pre></div>
</td></tr></table>
<p>After creating the following ConfigMap, MetalLB takes ownership of one of the IP addresses in the pool and updates
the <em>loadBalancer</em> IP field of the <code class="codehilite">ingress-nginx</code> Service accordingly.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">apiVersion</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">apiVersion</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="l l-Scalar l-Scalar-Plain">kind</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">ConfigMap</span>
<span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">namespace</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">metallb-system</span>
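Review bot: The prompt line `$ kubectl describe node` in the first example block does not match the output printed under it. `describe` prints a multi-section report per node, while a NAME / STATUS / ROLES / EXTERNAL-IP table of this shape comes from `kubectl get nodes -o wide`. Fix the command in the documentation source rather than in this generated HTML; the same prompt line is repeated in the later node-listing examples in this file. In the paragraph above it, `&lt;None>` escapes only the opening bracket; write `&lt;None&gt;` to match the `&lt;none&gt;` used in the Service listing.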
@ -1254,29 +1226,21 @@ the <em>loadBalancer</em> IP field of the <code class="codehilite">ingress-nginx
<span class="no">addresses:</span>
<span class="no">- 203.0.113.2-203.0.113.3</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get svc
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get svc
<span class="go">NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)</span>
<span class="go">default-http-backend ClusterIP 10.0.64.249 &lt;none&gt; 80/TCP</span>
<span class="go">ingress-nginx LoadBalancer 10.0.220.217 203.0.113.3 80:30100/TCP,443:30101/TCP</span>
</pre></div>
</td></tr></table>
</div>
<p>As soon as MetalLB sets the external IP address of the <code class="codehilite">ingress-nginx</code> LoadBalancer Service, the corresponding entries
are created in the iptables NAT table and the node with the selected IP address starts responding to HTTP requests on
the ports configured in the LoadBalancer Service:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> curl -D- http://203.0.113.3 -H <span class="s1">&#39;Host: myapp.example.com&#39;</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -D- http://203.0.113.3 -H <span class="s1">&#39;Host: myapp.example.com&#39;</span>
<span class="go">HTTP/1.1 200 OK</span>
<span class="go">Server: nginx/1.15.2</span>
</pre></div>
</td></tr></table>
<div class="admonition tip">
<p class="admonition-title">Tip</p>
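Review bot: The MetalLB pool in `addresses:` is `203.0.113.2-203.0.113.3`, which are the same two addresses listed as EXTERNAL-IP for host-2 and host-3 in the node listing of this example, and the Service listing then shows `ingress-nginx` taking `203.0.113.3`. If the pool is meant to be a range set aside for MetalLB, the example should use addresses that are not already assigned to the nodes.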
@ -1301,29 +1265,20 @@ requests.</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<p>Given the NodePort <code class="codehilite">30100</code> allocated to the <code class="codehilite">ingress-nginx</code> Service</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get svc
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get svc
<span class="go">NAME TYPE CLUSTER-IP PORT(S)</span>
<span class="go">default-http-backend ClusterIP 10.0.64.249 80/TCP</span>
<span class="go">ingress-nginx NodePort 10.0.220.217 80:30100/TCP,443:30101/TCP</span>
</pre></div>
</td></tr></table>
<p>and a Kubernetes node with the public IP address <code class="codehilite">203.0.113.2</code> (the external IP is added as an example, in most
bare-metal environments this value is &lt;None>)</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe node
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe node
<span class="go">NAME STATUS ROLES EXTERNAL-IP</span>
<span class="go">host-1 Ready master 203.0.113.1</span>
<span class="go">host-2 Ready node 203.0.113.2</span>
<span class="go">host-3 Ready node 203.0.113.3</span>
</pre></div>
</td></tr></table>
<p>a client would reach an Ingress with <code class="codehilite"><span class="n">host</span><span class="o">:</span> <span class="n">myapp</span><span class="o">.</span><span class="na">example</span><span class="o">.</span><span class="na">com</span></code> at <code class="codehilite">http://myapp.example.com:30100</code>, where the
myapp.example.com subdomain resolves to the 203.0.113.2 IP address.</p>
@ -1355,30 +1310,20 @@ the NGINX Ingress controller should be scheduled or not scheduled.</p>
<p class="admonition-title">Example</p>
<p>In a Kubernetes cluster composed of 3 nodes (the external IP is added as an example, in most bare-metal environments
this value is &lt;None>)</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe node
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe node
<span class="go">NAME STATUS ROLES EXTERNAL-IP</span>
<span class="go">host-1 Ready master 203.0.113.1</span>
<span class="go">host-2 Ready node 203.0.113.2</span>
<span class="go">host-3 Ready node 203.0.113.3</span>
</pre></div>
</td></tr></table>
<p>with a <code class="codehilite">nginx-ingress-controller</code> Deployment composed of 2 replicas</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get pod -o wide
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get pod -o wide
<span class="go">NAME READY STATUS IP NODE</span>
<span class="go">default-http-backend-7c5bc89cc9-p86md 1/1 Running 172.17.1.1 host-2</span>
<span class="go">nginx-ingress-controller-cf9ff8c96-8vvf8 1/1 Running 172.17.0.3 host-3</span>
<span class="go">nginx-ingress-controller-cf9ff8c96-pxsds 1/1 Running 172.17.1.4 host-2</span>
</pre></div>
</td></tr></table>
<p>Requests sent to <code class="codehilite">host-2</code> and <code class="codehilite">host-3</code> would be forwarded to NGINX and original client's IP would be preserved,
while requests to <code class="codehilite">host-1</code> would get dropped because there is no NGINX replica running on that node.</p>
@ -1388,13 +1333,10 @@ while requests to <code class="codehilite">host-1</code> would get dropped becau
</ul>
<p>Because NodePort Services do not get a LoadBalancerIP assigned by definition, the NGINX Ingress controller <strong>does not
update the status of Ingress objects it manages</strong>.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ingress
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ingress
<span class="go">NAME HOSTS ADDRESS PORTS</span>
<span class="go">test-ingress myapp.example.com 80</span>
</pre></div>
</td></tr></table>
<p>Despite the fact there is no load balancer providing a public IP address to the NGINX Ingress controller, it is possible
to force the status update of all managed Ingress objects by setting the <code class="codehilite">externalIPs</code> field of the <code class="codehilite">ingress-nginx</code>
@ -1409,39 +1351,26 @@ documentation as well as the section about <a href="#external-ips">External IPs<
<p class="admonition-title">Example</p>
<p>Given the following 3-node Kubernetes cluster (the external IP is added as an example, in most bare-metal
environments this value is &lt;None>)</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe node
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe node
<span class="go">NAME STATUS ROLES EXTERNAL-IP</span>
<span class="go">host-1 Ready master 203.0.113.1</span>
<span class="go">host-2 Ready node 203.0.113.2</span>
<span class="go">host-3 Ready node 203.0.113.3</span>
</pre></div>
</td></tr></table>
<p>one could edit the <code class="codehilite">ingress-nginx</code> Service and add the following field to the object spec</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">externalIPs</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">203.0.113.1</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">203.0.113.2</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">203.0.113.3</span>
</pre></div>
</td></tr></table>
<p>which would in turn be reflected on Ingress objects as follows:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ingress -o wide
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ingress -o wide
<span class="go">NAME HOSTS ADDRESS PORTS</span>
<span class="go">test-ingress myapp.example.com 203.0.113.1,203.0.113.2,203.0.113.3 80</span>
</pre></div>
</td></tr></table>
</div>
<ul>
@ -1453,15 +1382,11 @@ for generating redirect URLs that take into account the URL used by external cli
<p class="admonition-title">Example</p>
<p>Redirects generated by NGINX, for instance HTTP to HTTPS or <code class="codehilite">domain</code> to <code class="codehilite">www.domain</code>, are generated without
NodePort:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> curl -D- http://myapp.example.com:30100<span class="sb">`</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -D- http://myapp.example.com:30100<span class="sb">`</span>
<span class="go">HTTP/1.1 308 Permanent Redirect</span>
<span class="go">Server: nginx/1.15.2</span>
<span class="go">Location: https://myapp.example.com/ #-&gt; missing NodePort in HTTPS redirect</span>
</pre></div>
</td></tr></table>
</div>
<h2 id="via-the-host-network">Via the host network<a class="headerlink" href="#via-the-host-network" title="Permanent link">&para;</a></h2>
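Review bot: The command line in this redirect example ends with a stray backtick right after `curl -D- http://myapp.example.com:30100`, and it was carried over unchanged into the regenerated block. Pasted into a shell it opens an unterminated command substitution; remove the backtick in the documentation source.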
@ -1475,13 +1400,10 @@ interfaces, without the extra network translation imposed by NodePort Services.<
Service exists in the target cluster, it is <strong>recommended to delete it</strong>.</p>
</div>
<p>This can be achieved by enabling the <code class="codehilite">hostNetwork</code> option in the Pods' spec.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">template</span><span class="p p-Indicator">:</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">template</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">hostNetwork</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">true</span>
</pre></div>
</td></tr></table>
<div class="admonition danger">
<p class="admonition-title">Security considerations</p>
@ -1492,35 +1414,24 @@ including the host's loopback. Please evaluate the impact this may have on the s
<p class="admonition-title">Example</p>
<p>Consider this <code class="codehilite">nginx-ingress-controller</code> Deployment composed of 2 replicas, NGINX Pods inherit from the IP address
of their host instead of an internal Pod IP.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get pod -o wide
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get pod -o wide
<span class="go">NAME READY STATUS IP NODE</span>
<span class="go">default-http-backend-7c5bc89cc9-p86md 1/1 Running 172.17.1.1 host-2</span>
<span class="go">nginx-ingress-controller-5b4cf5fc6-7lg6c 1/1 Running 203.0.113.3 host-3</span>
<span class="go">nginx-ingress-controller-5b4cf5fc6-lzrls 1/1 Running 203.0.113.2 host-2</span>
</pre></div>
</td></tr></table>
</div>
<p>One major limitation of this deployment approach is that only <strong>a single NGINX Ingress controller Pod</strong> may be scheduled
on each cluster node, because binding the same port multiple times on the same network interface is technically
impossible. Pods that are unschedulable due to such situation fail with the following event:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx describe pod &lt;unschedulable-nginx-ingress-controller-pod&gt;
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx describe pod &lt;unschedulable-nginx-ingress-controller-pod&gt;
<span class="go">...</span>
<span class="go">Events:</span>
<span class="go"> Type Reason From Message</span>
<span class="go"> ---- ------ ---- -------</span>
<span class="go"> Warning FailedScheduling default-scheduler 0/3 nodes are available: 3 node(s) didn&#39;t have free ports for the requested pod ports.</span>
</pre></div>
</td></tr></table>
<p>One way to ensure only schedulable Pods are created is to deploy the NGINX Ingress controller as a <em>DaemonSet</em> instead
of a traditional Deployment.</p>
@ -1545,13 +1456,10 @@ expected to resolve internal names for any reason.</p>
<p>Because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default
<code class="codehilite">--publish-service</code> flag used in standard cloud setups <strong>does not apply</strong> and the status of all Ingress objects remains
blank.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ingress
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ingress
<span class="go">NAME HOSTS ADDRESS PORTS</span>
<span class="go">test-ingress myapp.example.com 80</span>
</pre></div>
</td></tr></table>
<p>Instead, and because bare-metal nodes usually don't have an ExternalIP, one has to enable the
<a href="../../user-guide/cli-arguments/"><code class="codehilite">--report-node-internal-ip-address</code></a> flag, which sets the status of all Ingress objects to the internal IP
@ -1559,26 +1467,18 @@ address of all nodes running the NGINX Ingress controller.</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<p>Given a <code class="codehilite">nginx-ingress-controller</code> DaemonSet composed of 2 replicas</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get pod -o wide
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get pod -o wide
<span class="go">NAME READY STATUS IP NODE</span>
<span class="go">default-http-backend-7c5bc89cc9-p86md 1/1 Running 172.17.1.1 host-2</span>
<span class="go">nginx-ingress-controller-5b4cf5fc6-7lg6c 1/1 Running 203.0.113.3 host-3</span>
<span class="go">nginx-ingress-controller-5b4cf5fc6-lzrls 1/1 Running 203.0.113.2 host-2</span>
</pre></div>
</td></tr></table>
<p>the controller sets the status of all Ingress objects it manages to the following value:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ingress -o wide
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ingress -o wide
<span class="go">NAME HOSTS ADDRESS PORTS</span>
<span class="go">test-ingress myapp.example.com 203.0.113.2,203.0.113.3 80</span>
</pre></div>
</td></tr></table>
</div>
<div class="admonition note">
@ -1611,46 +1511,28 @@ Service. These IP addresses <strong>must belong to the target node</strong>.</p>
<p class="admonition-title">Example</p>
<p>Given the following 3-node Kubernetes cluster (the external IP is added as an example, in most bare-metal
environments this value is &lt;None>)</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe node
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe node
<span class="go">NAME STATUS ROLES EXTERNAL-IP</span>
<span class="go">host-1 Ready master 203.0.113.1</span>
<span class="go">host-2 Ready node 203.0.113.2</span>
<span class="go">host-3 Ready node 203.0.113.3</span>
</pre></div>
</td></tr></table>
<p>and the following <code class="codehilite">ingress-nginx</code> NodePort Service</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get svc
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get svc
<span class="go">NAME TYPE CLUSTER-IP PORT(S)</span>
<span class="go">ingress-nginx NodePort 10.0.220.217 80:30100/TCP,443:30101/TCP</span>
</pre></div>
</td></tr></table>
<p>One could set the following external IPs in the Service spec, and NGINX would become available on both the NodePort
and the Service port:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">externalIPs</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">203.0.113.2</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">203.0.113.3</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> curl -D- http://myapp.example.com:30100
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -D- http://myapp.example.com:30100
<span class="go">HTTP/1.1 200 OK</span>
<span class="go">Server: nginx/1.15.2</span>
@ -1658,7 +1540,6 @@ and the Service port:</p>
<span class="go">HTTP/1.1 200 OK</span>
<span class="go">Server: nginx/1.15.2</span>
</pre></div>
</td></tr></table>
<p>We assume the myapp.example.com subdomain above resolves to both 203.0.113.2 and 203.0.113.3 IP addresses.</p>
</div>

View file

@ -759,8 +759,8 @@
<li class="md-nav__item">
<a href="../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -1077,18 +1077,6 @@
<li class="md-nav__item">
<a href="../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1392,9 +1380,8 @@
<h2 id="generic-deployment">Generic Deployment<a class="headerlink" href="#generic-deployment" title="Permanent link">&para;</a></h2>
<p>The following resources are required for a generic deployment.</p>
<h3 id="mandatory-command">Mandatory command<a class="headerlink" href="#mandatory-command" title="Permanent link">&para;</a></h3>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml</span>
</pre></div>
</td></tr></table>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
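Review bot: The install command under "Mandatory command" fetches `deploy/mandatory.yaml` from the `master` branch, so what gets applied to the cluster changes whenever that branch changes and may not match the version of the docs being read. Point the URL at a release tag or commit instead of `master`; the same applies to the other `raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/...` commands further down this file.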
@ -1410,37 +1397,30 @@ To change this behavior use the flag <code class="codehilite">--watch-namespace<
<h4 id="docker-for-mac">Docker for Mac<a class="headerlink" href="#docker-for-mac" title="Permanent link">&para;</a></h4>
<p>Kubernetes is available in Docker for Mac (from <a href="https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018">version 18.06.0-ce</a>)</p>
<p>Create a service</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml</span>
</pre></div>
</td></tr></table>
<h4 id="minikube">minikube<a class="headerlink" href="#minikube" title="Permanent link">&para;</a></h4>
<p>For standard usage:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">minikube addons enable ingress</span>
<div class="codehilite"><pre><span></span><span class="go">minikube addons enable ingress</span>
</pre></div>
</td></tr></table>
<p>For development:</p>
<ol>
<li>Disable the ingress addon:</li>
</ol>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> minikube addons disable ingress
<div class="codehilite"><pre><span></span><span class="gp">$</span> minikube addons disable ingress
</pre></div>
</td></tr></table>
<ol>
<li>Execute <code class="codehilite">make dev-env</code></li>
<li>Confirm the <code class="codehilite">nginx-ingress-controller</code> deployment exists:</li>
</ol>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get pods -n ingress-nginx
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get pods -n ingress-nginx
<span class="go">NAME READY STATUS RESTARTS AGE</span>
<span class="go">default-http-backend-66b447d9cf-rrlf9 1/1 Running 0 12s</span>
<span class="go">nginx-ingress-controller-fdcdcd6dd-vvpgs 1/1 Running 0 11s</span>
</pre></div>
</td></tr></table>
<h4 id="aws">AWS<a class="headerlink" href="#aws" title="Permanent link">&para;</a></h4>
<p>In AWS we use an Elastic Load Balancer (ELB) to expose the NGINX Ingress controller behind a Service of <code class="codehilite">Type=LoadBalancer</code>.
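Review bot: In the minikube "For development" steps, each code block closes the `<ol>`, so "Execute `make dev-env`" starts a new list and renders as step 1 again instead of step 2. Indent the code blocks under their list items in the documentation source so the three steps stay in one ordered list.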
@ -1455,21 +1435,17 @@ Please check the <a href="https://aws.amazon.com/elasticloadbalancing/details/">
<p>For L4:</p>
<p>Check that no change is necessary with regards to the ELB idle timeout. In some scenarios, users may want to modify the ELB idle timeout, so please check the <a href="#elb-idle-timeouts">ELB Idle Timeouts section</a> for additional information. If a change is required, users will need to update the value of <code class="codehilite">service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout</code> in <code class="codehilite">provider/aws/service-l4.yaml</code></p>
<p>Then execute:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/aws/service-l4.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/aws/service-l4.yaml</span>
<span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/aws/patch-configmap-l4.yaml</span>
</pre></div>
</td></tr></table>
<p>For L7:</p>
<p>Change line of the file <code class="codehilite">provider/aws/service-l7.yaml</code> replacing the dummy id with a valid one <code class="codehilite">&quot;arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX&quot;</code></p>
<p>Check that no change is necessary with regards to the ELB idle timeout. In some scenarios, users may want to modify the ELB idle timeout, so please check the <a href="#elb-idle-timeouts">ELB Idle Timeouts section</a> for additional information. If a change is required, users will need to update the value of <code class="codehilite">service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout</code> in <code class="codehilite">provider/aws/service-l7.yaml</code></p>
<p>Then execute:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/aws/service-l7.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/aws/service-l7.yaml</span>
<span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/aws/patch-configmap-l7.yaml</span>
</pre></div>
</td></tr></table>
<p>This example creates an ELB with just two listeners, one in port 80 and another in port 443</p>
<p><img alt="Listeners" src="../images/elb-l7-listener.png" /></p>
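Review bot: In the L7 steps the reader is told to edit `provider/aws/service-l7.yaml` (replace the dummy certificate ARN, adjust the idle-timeout annotation), but the "Then execute" block applies that file straight from the `raw.githubusercontent.com` URL, which would apply the upstream copy with the dummy `arn:aws:acm:us-west-2:XXXXXXXX:...` value rather than the edited one. Show a download step followed by `kubectl apply -f` on the local file, and do the same for `service-l4.yaml` in the L4 steps. "Change line of the file" also does not say which line; name the field to edit instead.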
@ -1480,26 +1456,22 @@ Please check the <a href="https://aws.amazon.com/elasticloadbalancing/details/">
<p>More information with regards to idle timeouts for your Load Balancer can be found in the <a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html">official AWS documentation</a>.</p>
<h5 id="network-load-balancer-nlb">Network Load Balancer (NLB)<a class="headerlink" href="#network-load-balancer-nlb" title="Permanent link">&para;</a></h5>
<p>This type of load balancer is supported since v1.10.0 as an ALPHA feature.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/aws/service-nlb.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/aws/service-nlb.yaml</span>
</pre></div>
</td></tr></table>
<h4 id="gce-gke">GCE - GKE<a class="headerlink" href="#gce-gke" title="Permanent link">&para;</a></h4>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml</span>
</pre></div>
</td></tr></table>
<p><strong>Important Note:</strong> proxy protocol is not supported in GCE/GKE</p>
<h4 id="azure">Azure<a class="headerlink" href="#azure" title="Permanent link">&para;</a></h4>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml</span>
</pre></div>
</td></tr></table>
<h4 id="bare-metal">Bare-metal<a class="headerlink" href="#bare-metal" title="Permanent link">&para;</a></h4>
<p>Using <a href="https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport">NodePort</a>:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml</span>
</pre></div>
</td></tr></table>
<div class="admonition tip">
<p class="admonition-title">Tip</p>
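Review bot: every `kubectl apply -f` in this hunk (service-nlb.yaml, cloud-generic.yaml, service-nodeport.yaml) fetches its manifest from the `master` branch on raw.githubusercontent.com, so the objects applied to a cluster change whenever that branch does and cannot be matched to the controller version being installed. Point these URLs at a release tag or commit instead of `master`, so the install is reproducible and the manifest can be reviewed before it is applied.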
@ -1507,40 +1479,32 @@ Please check the <a href="https://aws.amazon.com/elasticloadbalancing/details/">
</div>
<h3 id="verify-installation">Verify installation<a class="headerlink" href="#verify-installation" title="Permanent link">&para;</a></h3>
<p>To check if the ingress controller pods have started, run the following command:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch</span>
</pre></div>
</td></tr></table>
<p>Once the operator pods are running, you can cancel the above command by typing <code class="codehilite">Ctrl+C</code>.
Now, you are ready to create your first ingress.</p>
<h3 id="detect-installed-version">Detect installed version<a class="headerlink" href="#detect-installed-version" title="Permanent link">&para;</a></h3>
<p>To detect which version of the ingress controller is running, exec into the pod and run <code class="codehilite">nginx-ingress-controller version</code> command.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">POD_NAMESPACE=ingress-nginx</span>
<div class="codehilite"><pre><span></span><span class="go">POD_NAMESPACE=ingress-nginx</span>
<span class="go">POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx -o jsonpath=&#39;{.items[0].metadata.name}&#39;)</span>
<span class="go">kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version</span>
</pre></div>
</td></tr></table>
<h2 id="using-helm">Using Helm<a class="headerlink" href="#using-helm" title="Permanent link">&para;</a></h2>
<p>NGINX Ingress controller can be installed via <a href="https://helm.sh/">Helm</a> using the chart <a href="https://github.com/kubernetes/charts/tree/master/stable/nginx-ingress">stable/nginx-ingress</a> from the official charts repository.
To install the chart with the release name <code class="codehilite">my-nginx</code>:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">helm install stable/nginx-ingress --name my-nginx</span>
<div class="codehilite"><pre><span></span><span class="go">helm install stable/nginx-ingress --name my-nginx</span>
</pre></div>
</td></tr></table>
<p>If the kubernetes cluster has RBAC enabled, then run:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">helm install stable/nginx-ingress --name my-nginx --set rbac.create=true</span>
<div class="codehilite"><pre><span></span><span class="go">helm install stable/nginx-ingress --name my-nginx --set rbac.create=true</span>
</pre></div>
</td></tr></table>
<p>Detect installed version:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=ingress-nginx -o jsonpath=&#39;{.items[0].metadata.name}&#39;)</span>
<div class="codehilite"><pre><span></span><span class="go">POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=ingress-nginx -o jsonpath=&#39;{.items[0].metadata.name}&#39;)</span>
<span class="go">kubectl exec -it $POD_NAME -- /nginx-ingress-controller --version</span>
</pre></div>
</td></tr></table>
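Review bot: in the "Detect installed version" paragraph the prose tells the reader to run `nginx-ingress-controller version`, but the command in the block below it is `/nginx-ingress-controller --version`; the text should use the same `--version` form. The Helm variant at the end of the hunk also drops the `-n` namespace that the first variant passes, so it only works when the release lives in the current namespace; state that or add the flag.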

View file

@ -677,8 +677,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -995,18 +995,6 @@
<li class="md-nav__item">
<a href="../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication

View file

@ -643,8 +643,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -961,18 +961,6 @@
<li class="md-nav__item">
<a href="../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1149,20 +1137,7 @@ make sure your templates are compatible with the new version of ingress-nginx</e
<p>To upgrade your ingress-nginx installation, it should be enough to change the version of the image
in the controller Deployment.</p>
<p>I.e. if your deployment resource looks like (partial example):</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">kind</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">Deployment</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">kind</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">Deployment</span>
<span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">nginx-ingress-controller</span>
<span class="l l-Scalar l-Scalar-Plain">namespace</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">ingress-nginx</span>
@ -1177,23 +1152,19 @@ in the controller Deployment.</p>
<span class="l l-Scalar l-Scalar-Plain">image</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0</span>
<span class="l l-Scalar l-Scalar-Plain">args</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">...</span>
</pre></div>
</td></tr></table>
<p>simply change the <code class="codehilite">0.9.0</code> tag to the version you wish to upgrade to.
The easiest way to do this is e.g. (do note you may need to change the name parameter according to your installation):</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>kubectl set image deployment/nginx-ingress-controller \
<div class="codehilite"><pre><span></span>kubectl set image deployment/nginx-ingress-controller \
nginx-ingress-controller=nginx:quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.18.0
</pre></div>
</td></tr></table>
<p>For interactive editing, use <code class="codehilite">kubectl edit deployment nginx-ingress-controller</code>.</p>
<h2 id="with-helm">With Helm<a class="headerlink" href="#with-helm" title="Permanent link">&para;</a></h2>
<p>If you installed ingress-nginx using the Helm command in the deployment docs so its name is <code class="codehilite">ngx-ingress</code>,
you should be able to upgrade using</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>helm upgrade --reuse-values ngx-ingress stable/nginx-ingress
<div class="codehilite"><pre><span></span>helm upgrade --reuse-values ngx-ingress stable/nginx-ingress
</pre></div>
</td></tr></table>
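Review bot: the image reference in the `kubectl set image` example, `nginx:quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.18.0`, has a stray `nginx:` prefix and is not a valid image name; it should read `nginx-ingress-controller=quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.18.0`. The command also omits `-n ingress-nginx` although the Deployment shown above is in that namespace, and the Helm paragraph assumes a release named `ngx-ingress` while the deployment guide installs the chart with `--name my-nginx`.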

View file

@ -711,8 +711,8 @@
<li class="md-nav__item">
<a href="../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -1029,18 +1029,6 @@
<li class="md-nav__item">
<a href="../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1281,17 +1269,12 @@ It includes how to build, test, and release ingress controllers.</p>
<h2 id="quick-start">Quick Start<a class="headerlink" href="#quick-start" title="Permanent link">&para;</a></h2>
<h3 id="getting-the-code">Getting the code<a class="headerlink" href="#getting-the-code" title="Permanent link">&para;</a></h3>
<p>The code must be checked out as a subdirectory of k8s.io, and not github.com.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>mkdir -p $GOPATH/src/k8s.io
<div class="codehilite"><pre><span></span>mkdir -p $GOPATH/src/k8s.io
cd $GOPATH/src/k8s.io
# Replace &quot;$YOUR_GITHUB_USERNAME&quot; below with your github username
git clone https://github.com/$YOUR_GITHUB_USERNAME/ingress-nginx.git
cd ingress-nginx
</pre></div>
</td></tr></table>
<h3 id="initial-developer-environment-build">Initial developer environment build<a class="headerlink" href="#initial-developer-environment-build" title="Permanent link">&para;</a></h3>
<blockquote>
@ -1299,35 +1282,24 @@ cd ingress-nginx
See <a href="https://github.com/kubernetes/minikube/releases">releases</a> for installation instructions. </p>
</blockquote>
<p>If you are using <strong>MacOS</strong> and deploying to <strong>minikube</strong>, the following command will build the local nginx controller container image and deploy the ingress controller onto a minikube cluster with RBAC enabled in the namespace <code class="codehilite">ingress-nginx</code>:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ make dev-env
<div class="codehilite"><pre><span></span>$ make dev-env
</pre></div>
</td></tr></table>
<h3 id="updating-the-deployment">Updating the deployment<a class="headerlink" href="#updating-the-deployment" title="Permanent link">&para;</a></h3>
<p>The nginx controller container image can be rebuilt using:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ <span class="nv">ARCH</span><span class="o">=</span>amd64 <span class="nv">TAG</span><span class="o">=</span>dev <span class="nv">REGISTRY</span><span class="o">=</span><span class="nv">$USER</span>/ingress-controller make build container
</pre></div>
</td></tr></table></p>
<div class="codehilite"><pre><span></span>$ <span class="nv">ARCH</span><span class="o">=</span>amd64 <span class="nv">TAG</span><span class="o">=</span>dev <span class="nv">REGISTRY</span><span class="o">=</span><span class="nv">$USER</span>/ingress-controller make build container
</pre></div></p>
<p>The image will only be used by pods created after the rebuild. To delete old pods which will cause new ones to spin up:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl get pods -n ingress-nginx
<div class="codehilite"><pre><span></span>$ kubectl get pods -n ingress-nginx
$ kubectl delete pod -n ingress-nginx nginx-ingress-controller-&lt;unique-pod-id&gt;
</pre></div>
</td></tr></table></p>
</pre></div></p>
<h2 id="dependencies">Dependencies<a class="headerlink" href="#dependencies" title="Permanent link">&para;</a></h2>
<p>The build uses dependencies in the <code class="codehilite">vendor</code> directory, which
must be installed before building a binary/image. Occasionally, you
might need to update the dependencies.</p>
<p>This guide requires you to install the <a href="https://github.com/golang/dep">dep</a> dependency tool.</p>
<p>Check the version of <code class="codehilite">dep</code> you are using and make sure it is up to date.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> dep version
<div class="codehilite"><pre><span></span><span class="gp">$</span> dep version
<span class="go">dep:</span>
<span class="go"> version : devel</span>
<span class="go"> build date : </span>
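Review bot: under "Updating the deployment" both code blocks are emitted inside their paragraph (`<p>The nginx controller container image can be rebuilt using:` followed by `<div class="codehilite">` and closed with `</pre></div></p>`), which nests a block element in a `<p>`. The Markdown source most likely lacks a blank line between the sentence and the fence; add one so the block renders as a sibling of the paragraph, as the `make dev-env` block in this hunk does.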
@ -1336,84 +1308,63 @@ might need to update the dependencies.</p>
<span class="go"> go compiler : gc</span>
<span class="go"> platform : linux/amd64</span>
</pre></div>
</td></tr></table>
<p>If you have an older version of <code class="codehilite">dep</code>, you can update it as follows:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> go get -u github.com/golang/dep
<div class="codehilite"><pre><span></span><span class="gp">$</span> go get -u github.com/golang/dep
</pre></div>
</td></tr></table>
<p>This will automatically save the dependencies to the <code class="codehilite">vendor/</code> directory.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">cd</span> <span class="nv">$GOPATH</span>/src/k8s.io/ingress-nginx
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">cd</span> <span class="nv">$GOPATH</span>/src/k8s.io/ingress-nginx
<span class="gp">$</span> dep ensure
<span class="gp">$</span> dep ensure -update
<span class="gp">$</span> dep prune
</pre></div>
</td></tr></table>
<h2 id="building">Building<a class="headerlink" href="#building" title="Permanent link">&para;</a></h2>
<p>All ingress controllers are built through a Makefile. Depending on your
requirements you can build a raw server binary, a local container image,
or push an image to a remote repository.</p>
<p>In order to use your local Docker, you may need to set the following environment variables:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">#</span> <span class="s2">&quot;gcloud docker&quot;</span> <span class="o">(</span>default<span class="o">)</span> or <span class="s2">&quot;docker&quot;</span>
<div class="codehilite"><pre><span></span><span class="gp">#</span> <span class="s2">&quot;gcloud docker&quot;</span> <span class="o">(</span>default<span class="o">)</span> or <span class="s2">&quot;docker&quot;</span>
<span class="gp">$</span> <span class="nb">export</span> <span class="nv">DOCKER</span><span class="o">=</span>&lt;docker&gt;
<span class="gp">#</span> <span class="s2">&quot;quay.io/kubernetes-ingress-controller&quot;</span> <span class="o">(</span>default<span class="o">)</span>, <span class="s2">&quot;index.docker.io&quot;</span>, or your own registry
<span class="gp">$</span> <span class="nb">export</span> <span class="nv">REGISTRY</span><span class="o">=</span>&lt;your-docker-registry&gt;
</pre></div>
</td></tr></table>
<p>To find the registry simply run: <code class="codehilite">docker system info | grep Registry</code></p>
<h3 id="nginx-controller">Nginx Controller<a class="headerlink" href="#nginx-controller" title="Permanent link">&para;</a></h3>
<p>Build a raw server binary
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> make build
</pre></div>
</td></tr></table></p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> make build
</pre></div></p>
<p><a href="https://github.com/kubernetes/ingress-nginx/issues/387">TODO</a>: add more specific instructions needed for raw server binary.</p>
<p>Build a local container image</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nv">TAG</span><span class="o">=</span>&lt;tag&gt; <span class="nv">REGISTRY</span><span class="o">=</span><span class="nv">$USER</span>/ingress-controller make docker-build
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nv">TAG</span><span class="o">=</span>&lt;tag&gt; <span class="nv">REGISTRY</span><span class="o">=</span><span class="nv">$USER</span>/ingress-controller make docker-build
</pre></div>
</td></tr></table>
<p>Push the container image to a remote repository</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nv">TAG</span><span class="o">=</span>&lt;tag&gt; <span class="nv">REGISTRY</span><span class="o">=</span><span class="nv">$USER</span>/ingress-controller make docker-push
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nv">TAG</span><span class="o">=</span>&lt;tag&gt; <span class="nv">REGISTRY</span><span class="o">=</span><span class="nv">$USER</span>/ingress-controller make docker-push
</pre></div>
</td></tr></table>
<h2 id="deploying">Deploying<a class="headerlink" href="#deploying" title="Permanent link">&para;</a></h2>
<p>There are several ways to deploy the ingress controller onto a cluster.
Please check the <a href="./deploy">deployment guide</a></p>
<h2 id="testing">Testing<a class="headerlink" href="#testing" title="Permanent link">&para;</a></h2>
<p>To run unit-tests, just run</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">cd</span> <span class="nv">$GOPATH</span>/src/k8s.io/ingress-nginx
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">cd</span> <span class="nv">$GOPATH</span>/src/k8s.io/ingress-nginx
<span class="gp">$</span> make <span class="nb">test</span>
</pre></div>
</td></tr></table>
<p>If you have access to a Kubernetes cluster, you can also run e2e tests using ginkgo.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">cd</span> <span class="nv">$GOPATH</span>/src/k8s.io/ingress-nginx
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">cd</span> <span class="nv">$GOPATH</span>/src/k8s.io/ingress-nginx
<span class="gp">$</span> make e2e-test
</pre></div>
</td></tr></table>
<p>To run unit-tests for lua code locally, run:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">cd</span> <span class="nv">$GOPATH</span>/src/k8s.io/ingress-nginx
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">cd</span> <span class="nv">$GOPATH</span>/src/k8s.io/ingress-nginx
<span class="gp">$</span> ./rootfs/etc/nginx/lua/test/up.sh
<span class="gp">$</span> make lua-test
</pre></div>
</td></tr></table>
<p>Lua tests are located in <code class="codehilite">$GOPATH/src/k8s.io/ingress-nginx/rootfs/etc/nginx/lua/test</code>. When creating a new test file it must follow the naming convention <code class="codehilite">&lt;mytest&gt;_test.lua</code> or it will be ignored. </p>
<h2 id="releasing">Releasing<a class="headerlink" href="#releasing" title="Permanent link">&para;</a></h2>
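Review bot: `go get -u github.com/golang/dep` in the update step fetches the repository but does not install the `dep` binary, which lives in the `cmd/dep` package; the command should be `go get -u github.com/golang/dep/cmd/dep`. The sentence "This will automatically save the dependencies to the `vendor/` directory" also sits directly after that command and before the `dep ensure` block it describes, so it reads as if `go get` populated `vendor/`; move it below the `dep ensure` block or reword it.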
@ -1422,9 +1373,8 @@ to a wider Kubernetes user base, push the image to a container registry, like
<a href="https://cloud.google.com/container-registry/">gcr.io</a>. All release images are hosted under <code class="codehilite">gcr.io/google_containers</code> and
tagged according to a <a href="http://semver.org/">semver</a> scheme.</p>
<p>An example release might look like:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ make release
</pre></div>
</td></tr></table></p>
<div class="codehilite"><pre><span></span>$ make release
</pre></div></p>
<p>Please follow these guidelines to cut a release:</p>
<ul>
<li>Update the <a href="https://help.github.com/articles/creating-releases/">release</a>
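Review bot: the "Releasing" text says all release images are hosted under `gcr.io/google_containers`, while the rest of these docs use `quay.io/kubernetes-ingress-controller` (the default `REGISTRY` in the build section and the image in the upgrade example). State which registry releases are actually pushed to, so readers pull the controller image from the right place.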

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -995,18 +995,6 @@
<li class="md-nav__item">
<a href="../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1212,15 +1200,7 @@
<h2 id="tls-certificates">TLS certificates<a class="headerlink" href="#tls-certificates" title="Permanent link">&para;</a></h2>
<p>Unless otherwise mentioned, the TLS secret used in examples is a 2048 bit RSA
key/cert pair with an arbitrarily chosen hostname, created as follows</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8
9</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> openssl req -x509 -nodes -days <span class="m">365</span> -newkey rsa:2048 -keyout tls.key -out tls.crt -subj <span class="s2">&quot;/CN=nginxsvc/O=nginxsvc&quot;</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl req -x509 -nodes -days <span class="m">365</span> -newkey rsa:2048 -keyout tls.key -out tls.crt -subj <span class="s2">&quot;/CN=nginxsvc/O=nginxsvc&quot;</span>
<span class="go">Generating a 2048 bit RSA private key</span>
<span class="go">................+++</span>
<span class="go">................+++</span>
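Review bot: the `openssl req` example sets only `-subj "/CN=nginxsvc/O=nginxsvc"`, so the generated certificate has no subjectAltName, and clients that ignore the Common Name for hostname verification will reject it. Consider adding a SAN (with OpenSSL 1.1.1 or later, `-addext "subjectAltName=DNS:nginxsvc"`) and noting that `-nodes` leaves `tls.key` unencrypted on disk.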
@ -1230,7 +1210,6 @@ key/cert pair with an arbitrarily chosen hostname, created as follows</p>
<span class="gp">$</span> kubectl create secret tls tls-secret --key tls.key --cert tls.crt
<span class="go">secret &quot;tls-secret&quot; created</span>
</pre></div>
</td></tr></table>
<h2 id="ca-authentication">CA Authentication<a class="headerlink" href="#ca-authentication" title="Permanent link">&para;</a></h2>
<p>You can act as your very own CA, or use an existing one. As an exercise / learning, we're going to generate our
@ -1239,16 +1218,7 @@ own CA, and also generate a client certificate.</p>
<h3 id="generating-a-ca">Generating a CA<a class="headerlink" href="#generating-a-ca" title="Permanent link">&para;</a></h3>
<p>First of all, you've to generate a CA. This is going to be the one who will sign your client certificates.
In real production world, you may face CAs with intermediate certificates, as the following:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> openssl s_client -connect www.google.com:443
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl s_client -connect www.google.com:443
<span class="go">[...]</span>
<span class="go">---</span>
<span class="go">Certificate chain</span>
@ -1259,14 +1229,11 @@ In real production world, you may face CAs with intermediate certificates, as th
<span class="go"> 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA</span>
<span class="go"> i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority</span>
</pre></div>
</td></tr></table>
<p>To generate our CA Certificate, we've to run the following commands:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> openssl genrsa -out ca.key <span class="m">2048</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl genrsa -out ca.key <span class="m">2048</span>
<span class="gp">$</span> openssl req -x509 -new -nodes -key ca.key -days <span class="m">10000</span> -out ca.crt -subj <span class="s2">&quot;/CN=example-ca&quot;</span>
</pre></div>
</td></tr></table>
<p>This will generate two files: A private key (ca.key) and a public key (ca.crt). This CA is valid for 10000 days.
The ca.crt can be used later in the step of creation of CA authentication secret.</p>
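Review bot: the sentence after the CA commands calls `ca.crt` "a public key"; `openssl req -x509` writes a self-signed certificate, and the text should say so, since that file is what later goes into the CA authentication secret. It is also worth a line that `openssl genrsa -out ca.key 2048` writes `ca.key` unencrypted and that `-days 10000` is an exercise value, because anyone holding that key can issue client certificates the ingress will accept.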
@ -1274,13 +1241,7 @@ The ca.crt can be used later in the step of creation of CA authentication secret
<p>The following steps generate a client certificate signed by the CA generated above. This client can be
used to authenticate in a tls-auth configured ingress.</p>
<p>First, we need to generate an 'openssl.cnf' file that will be used while signing the keys:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">[req]</span>
<div class="codehilite"><pre><span></span><span class="go">[req]</span>
<span class="go">req_extensions = v3_req</span>
<span class="go">distinguished_name = req_distinguished_name</span>
<span class="go">[req_distinguished_name]</span>
@ -1288,68 +1249,47 @@ used to authenticate in a tls-auth configured ingress.</p>
<span class="go">basicConstraints = CA:FALSE</span>
<span class="go">keyUsage = nonRepudiation, digitalSignature, keyEncipherment</span>
</pre></div>
</td></tr></table>
<p>Then, a user generates his very own private key (that he needs to keep secret)
and a CSR (Certificate Signing Request) that will be sent to the CA to sign and generate a certificate.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> openssl genrsa -out client1.key <span class="m">2048</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl genrsa -out client1.key <span class="m">2048</span>
<span class="gp">$</span> openssl req -new -key client1.key -out client1.csr -subj <span class="s2">&quot;/CN=client1&quot;</span> -config openssl.cnf
</pre></div>
</td></tr></table>
<p>As the CA receives the generated 'client1.csr' file, it signs it and generates a client.crt certificate:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days <span class="m">365</span> -extensions v3_req -extfile openssl.cnf
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days <span class="m">365</span> -extensions v3_req -extfile openssl.cnf
</pre></div>
</td></tr></table>
<p>Then, you'll have 3 files: the client.key (user's private key), client.crt (user's public key) and client.csr (disposable CSR).</p>
<h3 id="creating-the-ca-authentication-secret">Creating the CA Authentication secret<a class="headerlink" href="#creating-the-ca-authentication-secret" title="Permanent link">&para;</a></h3>
<p>If you're using the CA Authentication feature, you need to generate a secret containing
all the authorized CAs. You must download them from your CA site in PEM format (like the following):</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>-----BEGIN CERTIFICATE-----
<div class="codehilite"><pre><span></span>-----BEGIN CERTIFICATE-----
[....]
-----END CERTIFICATE-----
</pre></div>
</td></tr></table>
<p>You can have as many certificates as you want. If they're in the binary DER format,
you can convert them as the following:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
</pre></div>
</td></tr></table>
<p>Then, you've to concatenate them all in only one file, named 'ca.crt' as the following:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> cat certificate1.crt certificate2.crt certificate3.crt &gt;&gt; ca.crt
<div class="codehilite"><pre><span></span><span class="gp">$</span> cat certificate1.crt certificate2.crt certificate3.crt &gt;&gt; ca.crt
</pre></div>
</td></tr></table>
<p>The final step is to create a secret with the content of this file. This secret is going to be used in
the TLS Auth directive:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic caingress --namespace<span class="o">=</span>default --from-file<span class="o">=</span>ca.crt<span class="o">=</span>&lt;ca.crt&gt;
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic caingress --namespace<span class="o">=</span>default --from-file<span class="o">=</span>ca.crt<span class="o">=</span>&lt;ca.crt&gt;
</pre></div>
</td></tr></table>
<p><strong>Note:</strong> You can also generate the CA Authentication Secret along with the TLS Secret by using:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic caingress --namespace<span class="o">=</span>default --from-file<span class="o">=</span>ca.crt<span class="o">=</span>&lt;ca.crt&gt; --from-file<span class="o">=</span>tls.crt<span class="o">=</span>&lt;tls.crt&gt; --from-file<span class="o">=</span>tls.key<span class="o">=</span>&lt;tls.key&gt;
</pre></div>
</td></tr></table></p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic caingress --namespace<span class="o">=</span>default --from-file<span class="o">=</span>ca.crt<span class="o">=</span>&lt;ca.crt&gt; --from-file<span class="o">=</span>tls.crt<span class="o">=</span>&lt;tls.crt&gt; --from-file<span class="o">=</span>tls.key<span class="o">=</span>&lt;tls.key&gt;
</pre></div></p>
<h2 id="test-http-service">Test HTTP Service<a class="headerlink" href="#test-http-service" title="Permanent link">&para;</a></h2>
<p>All examples that require a test HTTP Service use the standard http-svc pod,
which you can deploy as follows</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f http-svc.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f http-svc.yaml
<span class="go">service &quot;http-svc&quot; created</span>
<span class="go">replicationcontroller &quot;http-svc&quot; created</span>
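Review bot: In the CA secret steps, `cat certificate1.crt certificate2.crt certificate3.crt >> ca.crt` appends to `ca.crt`, the same file name the signing command above passes as `-CA ca.crt`. Run in the same directory, this silently adds the signing CA to the trust bundle, and re-running it duplicates entries. Suggest writing to a separate bundle with `>` and mapping it in with `--from-file=ca.crt=<bundle>`, which the `kubectl create secret` line already supports. Separately, the "you'll have 3 files" sentence names `client.key`, `client.crt` and `client.csr` while the command writes `client1.crt` from `client1.csr`, and it calls the certificate the "user's public key"; it is the signed certificate. The Note paragraph also wraps its code block inside the `<p>`, which a blank line before the fence in the Markdown source would fix.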
@ -1361,56 +1301,9 @@ which you can deploy as follows</p>
<span class="go">NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE</span>
<span class="go">http-svc 10.0.122.116 &lt;pending&gt; 80:30301/TCP 1d</span>
</pre></div>
</td></tr></table>
<p>You can test that the HTTP Service works by exposing it temporarily</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl patch svc http-svc -p <span class="s1">&#39;{&quot;spec&quot;:{&quot;type&quot;: &quot;LoadBalancer&quot;}}&#39;</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl patch svc http-svc -p <span class="s1">&#39;{&quot;spec&quot;:{&quot;type&quot;: &quot;LoadBalancer&quot;}}&#39;</span>
<span class="go">&quot;http-svc&quot; patched</span>
<span class="gp">$</span> kubectl get svc http-svc
@ -1458,7 +1351,6 @@ which you can deploy as follows</p>
<span class="gp">$</span> kubectl patch svc http-svc -p <span class="s1">&#39;{&quot;spec&quot;:{&quot;type&quot;: &quot;NodePort&quot;}}&#39;</span>
<span class="go">&quot;http-svc&quot; patched</span>
</pre></div>
</td></tr></table>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
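Review bot: The nav entry for `user-guide/exposing-tcp-udp-services/` is swapped for `user-guide/ingress-path-matching/` in this position on every page of the deploy. Please confirm the TCP/UDP page is still linked from somewhere in the nav (or redirected), otherwise existing inbound links to it lose their entry point. The same question applies to the `custom-upstream-check` entry dropped in the next hunk.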
@ -961,18 +961,6 @@
<li class="md-nav__item">
<a href="../../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1170,43 +1158,12 @@
</tbody>
</table>
<p>You can create the ingress to test this</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl create -f ingress.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl create -f ingress.yaml</span>
</pre></div>
</td></tr></table>
<h2 id="validation">Validation<a class="headerlink" href="#validation" title="Permanent link">&para;</a></h2>
<p>You can confirm that the Ingress works.</p>
<p><table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe ing nginx-test
<p><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe ing nginx-test
<span class="go">Name: nginx-test</span>
<span class="go">Namespace: default</span>
<span class="go">Address: </span>
@ -1238,7 +1195,6 @@
<span class="go">ETag: &quot;58875e6b-264&quot;</span>
<span class="go">Accept-Ranges: bytes</span>
</pre></div>
</td></tr></table>
In the example above, you can see a line containing the 'Set-Cookie: INGRESSCOOKIE' setting the right defined stickiness cookie.
This cookie is created by NGINX containing the hash of the used upstream in that request.
If the user changes this cookie, NGINX creates a new one and redirect the user to another upstream.</p>
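Review bot: The explanation paragraph after the `curl` output is emitted inside the same `<p>` that was opened before the code block, so the block-level `<div class="codehilite">` sits inside a paragraph. Adding blank lines around the fenced block in the Markdown source keeps the generated HTML valid. In the same paragraph, "creates a new one and redirect the user" should read "redirects", and since the text says the cookie carries a hash of the upstream and can be changed by the user, it is worth stating that the cookie is a routing hint only and not something to rely on for authorization.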

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -927,18 +927,6 @@
<li class="md-nav__item">
<a href="../../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1085,33 +1073,18 @@
<h1 id="basic-authentication">Basic Authentication<a class="headerlink" href="#basic-authentication" title="Permanent link">&para;</a></h1>
<p>This example shows how to add authentication in a Ingress rule using a secret that contains a file generated with <code class="codehilite">htpasswd</code>.
It's important the file generated is named <code class="codehilite">auth</code> (actually - that the secret has a key <code class="codehilite">data.auth</code>), otherwise the ingress-controller returns a 503.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> htpasswd -c auth foo
<div class="codehilite"><pre><span></span><span class="gp">$</span> htpasswd -c auth foo
<span class="go">New password: &lt;bar&gt;</span>
<span class="go">New password:</span>
<span class="go">Re-type new password:</span>
<span class="go">Adding password for user foo</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic basic-auth --from-file<span class="o">=</span>auth
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic basic-auth --from-file<span class="o">=</span>auth
<span class="go">secret &quot;basic-auth&quot; created</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8
9</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get secret basic-auth -o yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get secret basic-auth -o yaml
<span class="go">apiVersion: v1</span>
<span class="go">data:</span>
<span class="go"> auth: Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK</span>
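Review bot: The intro sentence hides the real requirement in a parenthetical: what the controller needs is a secret key named `auth`, and the file name only matters because `--from-file=auth` derives the key from it. Suggest stating the key requirement first and the 503 consequence second. In the `htpasswd -c auth foo` transcript the `New password:` prompt appears twice, once with `<bar>` typed inline; keep a single prompt and give the sample password in prose. The `kubectl get secret basic-auth -o yaml` output is a good place to add one line that the `auth` value is base64 of the htpasswd entry, so read access to the secret exposes the password hash. Also "a Ingress rule" should be "an Ingress rule".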
@ -1121,30 +1094,8 @@ It's important the file generated is named <code class="codehilite">auth</code>
<span class="go"> namespace: default</span>
<span class="go">type: Opaque</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">echo &quot;</span>
<div class="codehilite"><pre><span></span><span class="go">echo &quot;</span>
<span class="go">apiVersion: extensions/v1beta1</span>
<span class="go">kind: Ingress</span>
<span class="go">metadata:</span>
@ -1167,32 +1118,8 @@ It's important the file generated is named <code class="codehilite">auth</code>
<span class="go"> servicePort: 80</span>
<span class="go">&quot; | kubectl create -f -</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -v http://10.2.29.4/ -H &#39;Host: foo.bar.com&#39;
<div class="codehilite"><pre><span></span>$ curl -v http://10.2.29.4/ -H &#39;Host: foo.bar.com&#39;
* Trying 10.2.29.4...
* Connected to 10.2.29.4 (10.2.29.4) port 80 (#0)
&gt; GET / HTTP/1.1
@ -1217,51 +1144,8 @@ It's important the file generated is named <code class="codehilite">auth</code>
<span class="nt">&lt;/html&gt;</span>
* Connection #0 to host 10.2.29.4 left intact
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -v http://10.2.29.4/ -H <span class="s1">&#39;Host: foo.bar.com&#39;</span> -u <span class="s1">&#39;foo:bar&#39;</span>
<div class="codehilite"><pre><span></span>$ curl -v http://10.2.29.4/ -H <span class="s1">&#39;Host: foo.bar.com&#39;</span> -u <span class="s1">&#39;foo:bar&#39;</span>
* Trying <span class="m">10</span>.2.29.4...
* Connected to <span class="m">10</span>.2.29.4 <span class="o">(</span><span class="m">10</span>.2.29.4<span class="o">)</span> port <span class="m">80</span> <span class="o">(</span><span class="c1">#0)</span>
* Server auth using Basic with user <span class="s1">&#39;foo&#39;</span>
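Review bot: The authenticated test uses `curl -v http://10.2.29.4/ ... -u 'foo:bar'`, so the Basic credentials cross the wire over plain HTTP in the only worked example readers will copy. Suggest either showing the request against an HTTPS host or adding a sentence next to this block that Basic authentication should be paired with a TLS-enabled Ingress.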
@ -1305,7 +1189,6 @@ BODY:
* Connection <span class="c1">#0 to host 10.2.29.4 left intact</span>
-no body in request-
</pre></div>
</td></tr></table>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -838,8 +838,8 @@
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#setup-instructions" title="Setup instructions" class="md-nav__link">
Setup instructions
<a href="#setup-instructions" title="Setup Instructions" class="md-nav__link">
Setup Instructions
</a>
</li>
@ -956,18 +956,6 @@
<li class="md-nav__item">
<a href="../../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1102,8 +1090,8 @@
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#setup-instructions" title="Setup instructions" class="md-nav__link">
Setup instructions
<a href="#setup-instructions" title="Setup Instructions" class="md-nav__link">
Setup Instructions
</a>
</li>
@ -1128,18 +1116,19 @@
<h1 id="client-certificate-authentication">Client Certificate Authentication<a class="headerlink" href="#client-certificate-authentication" title="Permanent link">&para;</a></h1>
<p>It is possible to enable Client Certificate Authentication using additional annotations in the Ingress.</p>
<h2 id="setup-instructions">Setup instructions<a class="headerlink" href="#setup-instructions" title="Permanent link">&para;</a></h2>
<p>It is possible to enable Client Certificate Authentication using additional annotations in Ingress resources, created by you.</p>
<h2 id="setup-instructions">Setup Instructions<a class="headerlink" href="#setup-instructions" title="Permanent link">&para;</a></h2>
<ol>
<li>
<p>Create a file named <code class="codehilite">ca.crt</code> containing the trusted certificate authority chain (all ca certificates in PEM format) to verify client certificates. </p>
<p>Create a file named <code class="codehilite">ca.crt</code> containing the trusted certificate authority chain to verify client certificates. All of the certificates must be in PEM format.<br />
<em>NB:</em> The file containing the trusted certificates must be named <code class="codehilite">ca.crt</code> exactly - this is expected to be found in the secret.</p>
</li>
<li>
<p>Create a secret from this file:
<p>Create a secret from this file:<br />
<code class="codehilite">kubectl create secret generic auth-tls-chain --from-file=ca.crt --namespace=default</code></p>
</li>
<li>
<p>Add the annotations as provided in the <a href="ingress.yaml">ingress.yaml</a> example to your ingress object.</p>
<p>Add the annotations as provided in the <a href="ingress.yaml">ingress.yaml</a> example to your own ingress resources as required.</p>
</li>
</ol>
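Review bot: The new NB in step 1 says the file must be named `ca.crt` exactly, but the constraint is on the key inside the secret; the file name only matters because `--from-file=ca.crt` uses it as the key. Another page in this same deploy uses the `--from-file=ca.crt=<ca.crt>` form, which lets the local file have any name. Suggest wording the NB as "the secret must contain a key named `ca.crt`" and showing the `key=path` form in step 2. The rewritten intro sentence "in Ingress resources, created by you" also reads awkwardly; "in your Ingress resources" says the same thing.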

View file

@ -5,6 +5,7 @@ metadata:
# Enable client certificate authentication
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
# Create the secret containing the trusted ca certificates with `kubectl create secret generic auth-tls-chain --from-file=ca.crt --namespace=default`
# NB: The file _must_ be named "ca.crt" and nothing else. This filename is expected to be found in the secret.
nginx.ingress.kubernetes.io/auth-tls-secret: "default/auth-tls-chain"
# Specify the verification depth in the client certificates chain
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
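Review bot: The example sets `auth-tls-verify-depth: "1"` while the secret is named `auth-tls-chain` and the README step describes a "trusted certificate authority chain". The comment above the annotation only says "Specify the verification depth"; a short note on how to choose the value when client certificates are issued by an intermediate CA would help readers whose chain is longer than this sample assumes.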

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -956,18 +956,6 @@
<li class="md-nav__item">
<a href="../../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1130,40 +1118,7 @@
<h1 id="external-basic-authentication">External Basic Authentication<a class="headerlink" href="#external-basic-authentication" title="Permanent link">&para;</a></h1>
<h3 id="example-1">Example 1:<a class="headerlink" href="#example-1" title="Permanent link">&para;</a></h3>
<p>Use an external service (Basic Auth) located in <code class="codehilite">https://httpbin.org</code> </p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl create -f ingress.yaml
<div class="codehilite"><pre><span></span>$ kubectl create -f ingress.yaml
ingress <span class="s2">&quot;external-auth&quot;</span> created
$ kubectl get ing external-auth
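Review bot: Example 1 points the external auth at `https://httpbin.org`, a public third-party service, without saying that every client's Basic credentials are relayed to it. Suggest a sentence under the "Use an external service" line stating that httpbin.org is for demonstration only and that the auth endpoint should be a service the operator controls.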
@ -1198,34 +1153,9 @@ status:
- ip: <span class="m">172</span>.17.4.99
$
</pre></div>
</td></tr></table>
<p>Test 1: no username/password (expect code 401)</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span>
<span class="go">* Rebuilt URL to: http://172.17.4.99/</span>
<span class="go">* Trying 172.17.4.99...</span>
<span class="go">* Connected to 172.17.4.99 (172.17.4.99) port 80 (#0)</span>
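Review bot: The test command is `curl -k http://172.17.4.99 ...`; `-k` has no effect on an `http://` URL and only teaches readers to disable certificate verification by habit. Drop the flag here and in Test 2 and Test 3, which use the same command line. Test 3 also omits the `$` prompt that Tests 1 and 2 show.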
@ -1251,52 +1181,9 @@ $
<span class="go">&lt;/html&gt;</span>
<span class="go">* Connection #0 to host 172.17.4.99 left intact</span>
</pre></div>
</td></tr></table>
<p>Test 2: valid username/password (expect code 200)
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span> -u <span class="s1">&#39;user:passwd&#39;</span>
<div class="codehilite"><pre><span></span>$ curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span> -u <span class="s1">&#39;user:passwd&#39;</span>
* Rebuilt URL to: http://172.17.4.99/
* Trying <span class="m">172</span>.17.4.99...
* Connected to <span class="m">172</span>.17.4.99 <span class="o">(</span><span class="m">172</span>.17.4.99<span class="o">)</span> port <span class="m">80</span> <span class="o">(</span><span class="c1">#0)</span>
@ -1339,37 +1226,9 @@ x-real-ip<span class="o">=</span><span class="m">10</span>.2.60.1
BODY:
* Connection <span class="c1">#0 to host 172.17.4.99 left intact</span>
-no body in request-
</pre></div>
</td></tr></table></p>
</pre></div></p>
<p>Test 3: invalid username/password (expect code 401)
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>curl -k http://172.17.4.99 -v -H &#39;Host: external-auth-01.sample.com&#39; -u &#39;user:user&#39;
<div class="codehilite"><pre><span></span>curl -k http://172.17.4.99 -v -H &#39;Host: external-auth-01.sample.com&#39; -u &#39;user:user&#39;
* Rebuilt URL to: http://172.17.4.99/
* Trying 172.17.4.99...
* Connected to 172.17.4.99 (172.17.4.99) port 80 (#0)
@ -1397,8 +1256,7 @@ BODY:
<span class="nt">&lt;/body&gt;</span>
<span class="nt">&lt;/html&gt;</span>
* Connection #0 to host 172.17.4.99 left intact
</pre></div>
</td></tr></table></p>
</pre></div></p>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -983,18 +983,6 @@
<li class="md-nav__item">
<a href="../../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1196,13 +1184,7 @@ One Ingress object has no special annotations and handles authentication.</p>
authenticate against the first Ingress's endpoint, and can redirect <code class="codehilite">401</code>s to the
same endpoint.</p>
<p>Sample:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="nn">...</span>
<div class="codehilite"><pre><span></span><span class="nn">...</span>
<span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">application</span>
<span class="l l-Scalar l-Scalar-Plain">annotations</span><span class="p p-Indicator">:</span>
@ -1210,7 +1192,6 @@ same endpoint.</p>
<span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/auth-signin</span><span class="p p-Indicator">:</span> <span class="s">&quot;https://$host/oauth2/start?rd=$escaped_request_uri&quot;</span>
<span class="nn">...</span>
</pre></div>
</td></tr></table>
<h3 id="example-oauth2-proxy-kubernetes-dashboard">Example: OAuth2 Proxy + Kubernetes-Dashboard<a class="headerlink" href="#example-oauth2-proxy-kubernetes-dashboard" title="Permanent link">&para;</a></h3>
<p>This example will show you how to deploy <a href="https://github.com/bitly/oauth2_proxy"><code class="codehilite">oauth2_proxy</code></a>
@ -1219,9 +1200,8 @@ into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using g
<ol>
<li>Install the kubernetes dashboard</li>
</ol>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.5.0.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.5.0.yaml</span>
</pre></div>
</td></tr></table>
<ol>
<li>Create a <a href="https://github.com/settings/applications/new">custom Github OAuth application</a></li>
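Review bot: Step 1 installs the dashboard with `kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.5.0.yaml`, which applies whatever the `master` branch serves at that moment straight into the cluster. Suggest pinning the URL to a tag or commit and telling readers to download and review the manifest before applying it. Also, each step is rendered as its own `<ol>`, so the list numbering restarts at 1 after every code block; indenting the code blocks under their list items in the Markdown source keeps a single ordered list.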
@ -1251,9 +1231,8 @@ into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using g
<ol>
<li>Deploy the oauth2 proxy and the ingress rules running:</li>
</ol>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f oauth2-proxy.yaml,dashboard-ingress.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f oauth2-proxy.yaml,dashboard-ingress.yaml
</pre></div>
</td></tr></table>
<p>Test the oauth integration accessing the configured URL, like <code class="codehilite">https://foo.bar.com</code></p>
<p><img alt="Register OAuth2 Application" src="images/github-auth.png" /></p>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -963,18 +963,6 @@
<li class="md-nav__item">
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1144,9 +1132,8 @@
<h1 id="configuration-snippets">Configuration Snippets<a class="headerlink" href="#configuration-snippets" title="Permanent link">&para;</a></h1>
<h2 id="ingress">Ingress<a class="headerlink" href="#ingress" title="Permanent link">&para;</a></h2>
<p>The Ingress in this example adds a custom header to Nginx configuration that only applies to that specific Ingress. If you want to add headers that apply globally to all Ingresses, please have a look at <a href="/examples/customization/custom-headers/README">this example</a>.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl apply -f ingress.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl apply -f ingress.yaml
</pre></div>
</td></tr></table>
<h2 id="test">Test<a class="headerlink" href="#test" title="Permanent link">&para;</a></h2>
<p>Check if the contents of the annotation are present in the nginx.conf file using:
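Review bot: The "this example" link in the Ingress paragraph points at `/examples/customization/custom-headers/README`, an absolute path ending in `README`, while every other link on the page uses the relative directory form such as `../custom-upstream-check/`. On the generated site this is likely to resolve to a missing page; suggest `../custom-headers/`. Since the snippet annotation injects raw NGINX configuration, this page would also benefit from a sentence on who should be allowed to create Ingresses that use it.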

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -927,18 +927,6 @@
<li class="md-nav__item">
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1085,15 +1073,7 @@
<h1 id="custom-configuration">Custom Configuration<a class="headerlink" href="#custom-configuration" title="Permanent link">&para;</a></h1>
<p>Using a <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/">ConfigMap</a> is possible to customize the NGINX configuration</p>
<p>For example, if we want to change the timeouts we need to create a ConfigMap:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8
9</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ cat configmap.yaml
<div class="codehilite"><pre><span></span>$ cat configmap.yaml
apiVersion: v1
data:
proxy-connect-timeout: <span class="s2">&quot;10&quot;</span>
@ -1103,13 +1083,10 @@ kind: ConfigMap
metadata:
name: nginx-configuration
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/customization/custom-configuration/configmap.yaml \
<div class="codehilite"><pre><span></span>curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/customization/custom-configuration/configmap.yaml \
| kubectl apply -f -
</pre></div>
</td></tr></table>
<p>If the Configmap it is updated, NGINX will be reloaded with the new configuration.</p>
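Review bot: The apply step pipes `curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/...configmap.yaml` into `kubectl apply -f -` without `--fail`, so an HTTP error body is handed to kubectl, and the content comes from the moving `master` branch. `kubectl apply -f <url>` with a pinned ref does the same job in one step. Wording in this hunk also needs a pass: "Using a ConfigMap is possible to customize" should be "Using a ConfigMap, it is possible to customize", and "If the Configmap it is updated" should be "If the ConfigMap is updated".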

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -970,18 +970,6 @@
<li class="md-nav__item">
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1159,28 +1147,19 @@
<p>This example demonstrates how to use a custom backend to render custom error pages.</p>
<h2 id="customized-default-backend">Customized default backend<a class="headerlink" href="#customized-default-backend" title="Permanent link">&para;</a></h2>
<p>First, create the custom <code class="codehilite">default-backend</code>. It will be used by the Ingress controller later on.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl create -f custom-default-backend.yaml
<div class="codehilite"><pre><span></span>$ kubectl create -f custom-default-backend.yaml
service <span class="s2">&quot;nginx-errors&quot;</span> created
deployment.apps <span class="s2">&quot;nginx-errors&quot;</span> created
</pre></div>
</td></tr></table>
<p>This should have created a Deployment and a Service with the name <code class="codehilite">nginx-errors</code>.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl get deploy,svc
<div class="codehilite"><pre><span></span>$ kubectl get deploy,svc
NAME DESIRED CURRENT READY AGE
deployment.apps/nginx-errors <span class="m">1</span> <span class="m">1</span> <span class="m">1</span> 10s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE
service/nginx-errors ClusterIP <span class="m">10</span>.0.0.12 &lt;none&gt; <span class="m">80</span>/TCP 10s
</pre></div>
</td></tr></table>
<h2 id="ingress-controller-configuration">Ingress controller configuration<a class="headerlink" href="#ingress-controller-configuration" title="Permanent link">&para;</a></h2>
<p>If you do not already have an instance of the NGINX Ingress controller running, deploy it according to the
@ -1195,13 +1174,10 @@ service/nginx-errors ClusterIP <span class="m">10</span>.0.0.12 &lt;none&g
</li>
<li>
<p>Take note of the IP address assigned to the NGINX Ingress controller Service.
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl get svc ingress-nginx
<div class="codehilite"><pre><span></span>$ kubectl get svc ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE
ingress-nginx ClusterIP <span class="m">10</span>.0.0.13 &lt;none&gt; <span class="m">80</span>/TCP,443/TCP 10m
</pre></div>
</td></tr></table></p>
</pre></div></p>
</li>
</ol>
<div class="admonition note">
@ -1212,15 +1188,7 @@ Make sure you can use the Service to reach NGINX before proceeding with the rest
<h2 id="testing-error-pages">Testing error pages<a class="headerlink" href="#testing-error-pages" title="Permanent link">&para;</a></h2>
<p>Let us send a couple of HTTP requests using cURL and validate everything is working as expected.</p>
<p>A request to the default backend returns a 404 error with a custom message:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8
9</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -D- http://10.0.0.13/
<div class="codehilite"><pre><span></span>$ curl -D- http://10.0.0.13/
HTTP/1.1 404 Not Found
Server: nginx/1.13.12
Date: Tue, 12 Jun 2018 19:11:24 GMT
@ -1230,19 +1198,9 @@ Connection: keep-alive
<span class="nt">&lt;span&gt;</span>The page you&#39;re looking for could not be found.<span class="nt">&lt;/span&gt;</span>
</pre></div>
</td></tr></table>
<p>A request with a custom <code class="codehilite">Accept</code> header returns the corresponding document type (JSON):</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -D- -H <span class="s1">&#39;Accept: application/json&#39;</span> http://10.0.0.13/
<div class="codehilite"><pre><span></span>$ curl -D- -H <span class="s1">&#39;Accept: application/json&#39;</span> http://10.0.0.13/
HTTP/1.1 <span class="m">404</span> Not Found
Server: nginx/1.13.12
Date: Tue, <span class="m">12</span> Jun <span class="m">2018</span> <span class="m">19</span>:12:36 GMT
@ -1253,7 +1211,6 @@ Vary: Accept-Encoding
<span class="o">{</span> <span class="s2">&quot;message&quot;</span>: <span class="s2">&quot;The page you&#39;re looking for could not be found&quot;</span> <span class="o">}</span>
</pre></div>
</td></tr></table>
<p>To go further with this example, feel free to deploy your own applications and Ingress objects, and validate that the
responses are still in the correct format when a backend returns 503 (eg. if you scale a Deployment down to 0 replica).</p>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -956,18 +956,6 @@
<li class="md-nav__item">
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1131,17 +1119,12 @@
<p>This example aims to demonstrate the deployment of an nginx ingress controller and
use a ConfigMap to configure a custom list of headers to be passed to the upstream
server</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/customization/custom-headers/configmap.yaml \</span>
<div class="codehilite"><pre><span></span><span class="go">curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/customization/custom-headers/configmap.yaml \</span>
<span class="go"> | kubectl apply -f -</span>
<span class="go">curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/customization/custom-headers/custom-headers.yaml \</span>
<span class="go"> | kubectl apply -f -</span>
</pre></div>
</td></tr></table>
<h2 id="test">Test<a class="headerlink" href="#test" title="Permanent link">&para;</a></h2>
<p>Check the contents of the configmap is present in the nginx.conf file using:
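Review bot: both curl commands in this hunk fetch manifests from the `master` branch and pipe them straight into `kubectl apply -f -`, so a reader applies whatever is on master at that moment without ever seeing it. Suggest pointing the two URLs at a release tag or commit and documenting a download, review, then apply sequence instead of the pipe.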
@ -1181,13 +1164,13 @@ server</p>
</a>
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-flex md-footer-nav__link md-footer-nav__link--next" rel="next">
<a href="../external-auth-headers/" title="External authentication" class="md-flex md-footer-nav__link md-footer-nav__link--next" rel="next">
<div class="md-flex__cell md-flex__cell--stretch md-footer-nav__title">
<span class="md-flex__ellipsis">
<span class="md-footer-nav__direction">
Next
</span>
Custom Upstream server checks
External authentication
</span>
</div>
<div class="md-flex__cell md-flex__cell--shrink">

File diff suppressed because it is too large Load diff

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -917,18 +917,6 @@
<li class="md-nav__item">
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
@ -1097,25 +1085,7 @@ to backend service.</p>
</ul>
<p>You can deploy the controller as
follows:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f deploy/
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f deploy/
<span class="go">deployment &quot;demo-auth-service&quot; created</span>
<span class="go">service &quot;demo-auth-service&quot; created</span>
<span class="go">ingress &quot;demo-auth-service&quot; created</span>
@ -1135,27 +1105,9 @@ follows:</p>
<span class="go">public-demo-echo-service public-demo-echo-service.kube.local 80 1m</span>
<span class="go">secure-demo-echo-service secure-demo-echo-service.kube.local 80 1m</span>
</pre></div>
</td></tr></table>
<p>Test 1: public service with no auth header</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: public-demo-echo-service.kube.local&#39;</span> -v <span class="m">192</span>.168.99.100
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: public-demo-echo-service.kube.local&#39;</span> -v <span class="m">192</span>.168.99.100
<span class="go">* Rebuilt URL to: 192.168.99.100/</span>
<span class="go">* Trying 192.168.99.100...</span>
<span class="go">* Connected to 192.168.99.100 (192.168.99.100) port 80 (#0)</span>
@ -1174,33 +1126,9 @@ follows:</p>
<span class="go">* Connection #0 to host 192.168.99.100 left intact</span>
<span class="go">UserID: , UserRole:</span>
</pre></div>
</td></tr></table>
<p>Test 2: secure service with no auth header</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: secure-demo-echo-service.kube.local&#39;</span> -v <span class="m">192</span>.168.99.100
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: secure-demo-echo-service.kube.local&#39;</span> -v <span class="m">192</span>.168.99.100
<span class="go">* Rebuilt URL to: 192.168.99.100/</span>
<span class="go">* Trying 192.168.99.100...</span>
<span class="go">* Connected to 192.168.99.100 (192.168.99.100) port 80 (#0)</span>
@ -1225,28 +1153,9 @@ follows:</p>
<span class="go">&lt;/html&gt;</span>
<span class="go">* Connection #0 to host 192.168.99.100 left intact</span>
</pre></div>
</td></tr></table>
<p>Test 3: public service with valid auth header</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: public-demo-echo-service.kube.local&#39;</span> -H <span class="s1">&#39;User:internal&#39;</span> -v <span class="m">192</span>.168.99.100
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: public-demo-echo-service.kube.local&#39;</span> -H <span class="s1">&#39;User:internal&#39;</span> -v <span class="m">192</span>.168.99.100
<span class="go">* Rebuilt URL to: 192.168.99.100/</span>
<span class="go">* Trying 192.168.99.100...</span>
<span class="go">* Connected to 192.168.99.100 (192.168.99.100) port 80 (#0)</span>
@ -1266,28 +1175,9 @@ follows:</p>
<span class="go">* Connection #0 to host 192.168.99.100 left intact</span>
<span class="go">UserID: 1443635317331776148, UserRole: admin</span>
</pre></div>
</td></tr></table>
<p>Test 4: public service with valid auth header</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: secure-demo-echo-service.kube.local&#39;</span> -H <span class="s1">&#39;User:internal&#39;</span> -v <span class="m">192</span>.168.99.100
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: secure-demo-echo-service.kube.local&#39;</span> -H <span class="s1">&#39;User:internal&#39;</span> -v <span class="m">192</span>.168.99.100
<span class="go">* Rebuilt URL to: 192.168.99.100/</span>
<span class="go">* Trying 192.168.99.100...</span>
<span class="go">* Connected to 192.168.99.100 (192.168.99.100) port 80 (#0)</span>
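Review bot: the heading "Test 4: public service with valid auth header" repeats the Test 3 heading word for word, but the curl under it sends `Host: secure-demo-echo-service.kube.local`. It should read "Test 4: secure service with valid auth header" so the four cases (public or secure, with or without the `User` header) can be told apart.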
@ -1307,7 +1197,6 @@ follows:</p>
<span class="go">* Connection #0 to host 192.168.99.100 left intact</span>
<span class="go">UserID: 605394647632969758, UserRole: admin</span>
</pre></div>
</td></tr></table>
@ -1328,7 +1217,7 @@ follows:</p>
<div class="md-footer-nav">
<nav class="md-footer-nav__inner md-grid">
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-flex md-footer-nav__link md-footer-nav__link--prev" rel="prev">
<a href="../custom-headers/" title="Custom Headers" class="md-flex md-footer-nav__link md-footer-nav__link--prev" rel="prev">
<div class="md-flex__cell md-flex__cell--shrink">
<i class="md-icon md-icon--arrow-back md-footer-nav__button"></i>
</div>
@ -1337,7 +1226,7 @@ follows:</p>
<span class="md-footer-nav__direction">
Previous
</span>
Custom Upstream server checks
Custom Headers
</span>
</div>
</a>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -918,18 +918,6 @@
<li class="md-nav__item">
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1160,17 +1148,7 @@
use a ConfigMap to configure custom Diffie-Hellman parameters file to help with
"Perfect Forward Secrecy".</p>
<h2 id="custom-configuration">Custom configuration<a class="headerlink" href="#custom-configuration" title="Permanent link">&para;</a></h2>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> cat configmap.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> cat configmap.yaml
<span class="go">apiVersion: v1</span>
<span class="go">data:</span>
<span class="go"> ssl-dh-param: &quot;ingress-nginx/lb-dhparam&quot;</span>
@ -1182,30 +1160,16 @@ use a ConfigMap to configure custom Diffie-Hellman parameters file to help with
<span class="go"> app.kubernetes.io/name: ingress-nginx</span>
<span class="go"> app.kubernetes.io/part-of: ingress-nginx</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f configmap.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f configmap.yaml
</pre></div>
</td></tr></table>
<h2 id="custom-dh-parameters-secret">Custom DH parameters secret<a class="headerlink" href="#custom-dh-parameters-secret" title="Permanent link">&para;</a></h2>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span>&gt; openssl dhparam <span class="m">1024</span> <span class="m">2</span>&gt; /dev/null <span class="p">|</span> base64
<div class="codehilite"><pre><span></span><span class="gp">$</span>&gt; openssl dhparam <span class="m">1024</span> <span class="m">2</span>&gt; /dev/null <span class="p">|</span> base64
<span class="go">LS0tLS1CRUdJTiBESCBQQVJBTUVURVJ...</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> cat ssl-dh-param.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> cat ssl-dh-param.yaml
<span class="go">apiVersion: v1</span>
<span class="go">data:</span>
<span class="go"> dhparam.pem: &quot;LS0tLS1CRUdJTiBESCBQQVJBTUVURVJ...&quot;</span>
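Review bot: the regenerated example still reads `openssl dhparam 1024`, and a 1024-bit Diffie-Hellman group is too small for the forward secrecy this page says it is helping with. Suggest changing the documented size to 2048 or larger in the source Markdown. The `2> /dev/null` in the same command also hides any openssl error, so a failed generation would silently base64-encode empty output into the Secret.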
@ -1217,11 +1181,9 @@ use a ConfigMap to configure custom Diffie-Hellman parameters file to help with
<span class="go"> app.kubernetes.io/name: ingress-nginx</span>
<span class="go"> app.kubernetes.io/part-of: ingress-nginx</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f ssl-dh-param.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f ssl-dh-param.yaml
</pre></div>
</td></tr></table>
<h2 id="test">Test<a class="headerlink" href="#test" title="Permanent link">&para;</a></h2>
<p>Check the contents of the configmap is present in the nginx.conf file using:

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -918,18 +918,6 @@
<li class="md-nav__item">
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1085,9 +1073,8 @@
<h1 id="sysctl-tuning">Sysctl tuning<a class="headerlink" href="#sysctl-tuning" title="Permanent link">&para;</a></h1>
<p>This example aims to demonstrate the use of an Init Container to adjust sysctl default values
using <code class="codehilite">kubectl patch</code></p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl patch deployment -n ingress-nginx nginx-ingress-controller --patch=&quot;$(cat patch.json)&quot;</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl patch deployment -n ingress-nginx nginx-ingress-controller --patch=&quot;$(cat patch.json)&quot;</span>
</pre></div>
</td></tr></table>
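Review bot: the `kubectl patch` command applies `patch.json`, but this hunk neither shows nor links that file, so the reader cannot see which sysctl values the Init Container sets or what privileges it needs on the node. Link the file or inline its contents next to the command.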

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -916,18 +916,6 @@
<li class="md-nav__item">
<a href="../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1183,9 +1171,8 @@
<p>This example demonstrates how to deploy a <a href="https://github.com/docker/distribution">docker registry</a> in the cluster and configure Ingress enable access from Internet</p>
<h2 id="deployment">Deployment<a class="headerlink" href="#deployment" title="Permanent link">&para;</a></h2>
<p>First we deploy the docker registry in the cluster:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/deployment.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/deployment.yaml</span>
</pre></div>
</td></tr></table>
<div class="admonition important">
<p class="admonition-title">Important</p>
@ -1195,9 +1182,8 @@
<p>The next required step is creation of the ingress rules. To do this we have two options: with and without TLS</p>
<h3 id="without-tls">Without TLS<a class="headerlink" href="#without-tls" title="Permanent link">&para;</a></h3>
<p>Download and edit the yaml deployment replacing <code class="codehilite">registry.&lt;your domain&gt;</code> with a valid DNS name pointing to the ingress controller:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/ingress-without-tls.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/ingress-without-tls.yaml</span>
</pre></div>
</td></tr></table>
<div class="admonition important">
<p class="admonition-title">Important</p>
@ -1206,20 +1192,16 @@
<p>Please check <a href="https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry">deploy a plain http registry</a></p>
<h3 id="with-tls">With TLS<a class="headerlink" href="#with-tls" title="Permanent link">&para;</a></h3>
<p>Download and edit the yaml deployment replacing <code class="codehilite">registry.&lt;your domain&gt;</code> with a valid DNS name pointing to the ingress controller:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/ingress-with-tls.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/ingress-with-tls.yaml</span>
</pre></div>
</td></tr></table>
<p>Deploy <a href="https://github.com/jetstack/kube-lego">kube lego</a> use <a href="https://letsencrypt.org/">Let's Encrypt</a> certificates or edit the ingress rule to use a secret with an existing SSL certificate.</p>
<h3 id="testing">Testing<a class="headerlink" href="#testing" title="Permanent link">&para;</a></h3>
<p>To test the registry is working correctly we download a known image from <a href="https://hub.docker.com">docker hub</a>, create a tag pointing to the new registry and upload the image:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">docker pull ubuntu:16.04</span>
<div class="codehilite"><pre><span></span><span class="go">docker pull ubuntu:16.04</span>
<span class="go">docker tag ubuntu:16.04 `registry.&lt;your domain&gt;/ubuntu:16.04`</span>
<span class="go">docker push `registry.&lt;your domain&gt;/ubuntu:16.04`</span>
</pre></div>
</td></tr></table>
<p>Please replace <code class="codehilite">registry.&lt;your domain&gt;</code> with your domain.</p>
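Review bot: in the `docker tag` and `docker push` lines the target image reference is wrapped in backticks inside the code block, which a shell treats as command substitution, so the commands fail when copied as written. Drop the backticks in the source Markdown and keep only the placeholder that the following sentence tells the reader to replace.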

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -916,18 +916,6 @@
<li class="md-nav__item">
<a href="../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1228,51 +1216,42 @@ nginx controller.</p>
application provided here as an example. </li>
</ol>
<h3 id="step-1-kubernetes-deployment">Step 1: kubernetes <code class="codehilite">Deployment</code><a class="headerlink" href="#step-1-kubernetes-deployment" title="Permanent link">&para;</a></h3>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl create -f app.yaml
<div class="codehilite"><pre><span></span>$ kubectl create -f app.yaml
</pre></div>
</td></tr></table>
<p>This is a standard kubernetes deployment object. It is running a grpc service
listening on port <code class="codehilite">50051</code>.</p>
<p>The sample application
<a href="https://github.com/kubernetes/ingress-nginx/images/grpc-fortune-teller">fortune-teller-app</a>
is a grpc server implemented in go. Here's the stripped-down implementation:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="kd">func</span> <span class="nx">main</span><span class="p">()</span> <span class="p">{</span>
<div class="codehilite"><pre><span></span><span class="kd">func</span> <span class="nx">main</span><span class="p">()</span> <span class="p">{</span>
<span class="nx">grpcServer</span> <span class="o">:=</span> <span class="nx">grpc</span><span class="p">.</span><span class="nx">NewServer</span><span class="p">()</span>
<span class="nx">fortune</span><span class="p">.</span><span class="nx">RegisterFortuneTellerServer</span><span class="p">(</span><span class="nx">grpcServer</span><span class="p">,</span> <span class="o">&amp;</span><span class="nx">FortuneTeller</span><span class="p">{})</span>
<span class="nx">lis</span><span class="p">,</span> <span class="nx">_</span> <span class="o">:=</span> <span class="nx">net</span><span class="p">.</span><span class="nx">Listen</span><span class="p">(</span><span class="s">&quot;tcp&quot;</span><span class="p">,</span> <span class="s">&quot;:50051&quot;</span><span class="p">)</span>
<span class="nx">grpcServer</span><span class="p">.</span><span class="nx">Serve</span><span class="p">(</span><span class="nx">lis</span><span class="p">)</span>
<span class="p">}</span>
</pre></div>
</td></tr></table>
<p>The takeaway is that we are not doing any TLS configuration on the server (as we
are terminating TLS at the ingress level, grpc traffic will travel unencrypted
inside the cluster and arrive "insecure").</p>
<p>For your own application you may or may not want to do this. If you prefer to
forward encrypted traffic to your POD and terminate TLS at the gRPC server
itself, add the ingress annotation <code class="codehilite">nginx.ingress.kubernetes.io/secure-backends:&quot;true&quot;</code>.</p>
itself, add the ingress annotation <code class="codehilite">nginx.ingress.kubernetes.io/backend-protocol: &quot;GRPCS&quot;</code>.</p>
<h3 id="step-2-the-kubernetes-service">Step 2: the kubernetes <code class="codehilite">Service</code><a class="headerlink" href="#step-2-the-kubernetes-service" title="Permanent link">&para;</a></h3>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl create -f svc.yaml
<div class="codehilite"><pre><span></span>$ kubectl create -f svc.yaml
</pre></div>
</td></tr></table>
<p>Here we have a typical service. Nothing special, just routing traffic to the
backend application on port <code class="codehilite">50051</code>.</p>
<h3 id="step-3-the-kubernetes-ingress">Step 3: the kubernetes <code class="codehilite">Ingress</code><a class="headerlink" href="#step-3-the-kubernetes-ingress" title="Permanent link">&para;</a></h3>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl create -f ingress.yaml
<div class="codehilite"><pre><span></span>$ kubectl create -f ingress.yaml
</pre></div>
</td></tr></table>
<p>A few things to note:</p>
<ol>
<li>We've tagged the ingress with the annotation
<code class="codehilite">nginx.ingress.kubernetes.io/grpc-backend: &quot;true&quot;</code>. This is the magic
<code class="codehilite">nginx.ingress.kubernetes.io/backend-protocol: &quot;GRPC&quot;</code>. This is the magic
ingredient that sets up the appropriate nginx configuration to route http/2
traffic to our service.</li>
<li>We're terminating TLS at the ingress and have configured an SSL certificate
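Review bot: the annotation names change in this hunk (`secure-backends:"true"` becomes `backend-protocol: "GRPCS"` in step 1, and `grpc-backend: "true"` becomes `backend-protocol: "GRPC"` in step 3) with no statement of which controller version the new name applies to, so a reader on an older deployment cannot tell which form to use. Add a version note beside the annotation. Separately, the sample `main()` discards the error from `net.Listen` with `lis, _ :=`, which is worth handling even in a stripped-down listing.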
@ -1284,15 +1263,11 @@ backend application on port <code class="codehilite">50051</code>.</p>
<p>Once we've applied our configuration to kubernetes, it's time to test that we
can actually talk to the backend. To do this, we'll use the
<a href="https://github.com/fullstorydev/grpcurl">grpcurl</a> utility:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ grpcurl fortune-teller.stack.build:443 build.stack.fortune.FortuneTeller/Predict
<div class="codehilite"><pre><span></span>$ grpcurl fortune-teller.stack.build:443 build.stack.fortune.FortuneTeller/Predict
<span class="o">{</span>
<span class="s2">&quot;message&quot;</span>: <span class="s2">&quot;Let us endeavor so to live that when we come to die even the undertaker will be sorry.\n\t\t-- Mark Twain, \&quot;Pudd&#39;nhead Wilson&#39;s Calendar\&quot;&quot;</span>
<span class="o">}</span>
</pre></div>
</td></tr></table>
<h3 id="debugging-hints">Debugging Hints<a class="headerlink" href="#debugging-hints" title="Permanent link">&para;</a></h3>
<ol>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -925,18 +925,6 @@
<li class="md-nav__item">
<a href="customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1155,12 +1143,6 @@ Please review the <a href="PREREQUISITES/">prerequisites</a> before trying them.
</tr>
<tr>
<td>Customization</td>
<td><a href="customization/custom-upstream-check/">Custom upstream check</a></td>
<td>TODO</td>
<td>TODO</td>
</tr>
<tr>
<td>Customization</td>
<td><a href="customization/external-auth-headers/">External authentication with response header propagation</a></td>
<td>TODO</td>
<td>TODO</td>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -916,18 +916,6 @@
<li class="md-nav__item">
<a href="../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1088,48 +1076,7 @@
<li>Create <a href="multi-tls.yaml">multi-tls.yaml</a></li>
</ol>
<p>This should generate a segment like:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl <span class="nb">exec</span> -it nginx-ingress-controller-6vwd1 -- cat /etc/nginx/nginx.conf <span class="p">|</span> grep <span class="s2">&quot;foo.bar.com&quot;</span> -B <span class="m">7</span> -A <span class="m">35</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl <span class="nb">exec</span> -it nginx-ingress-controller-6vwd1 -- cat /etc/nginx/nginx.conf <span class="p">|</span> grep <span class="s2">&quot;foo.bar.com&quot;</span> -B <span class="m">7</span> -A <span class="m">35</span>
<span class="go"> server {</span>
<span class="go"> listen 80;</span>
<span class="go"> listen 443 ssl http2;</span>
@ -1171,46 +1118,9 @@
<span class="go"> proxy_pass http://default-http-svc-80;</span>
<span class="go"> }</span>
</pre></div>
</td></tr></table></p>
</pre></div></p>
<p>And you should be able to reach your nginx service or http-svc service using a hostname switch:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ing
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ing
<span class="go">NAME RULE BACKEND ADDRESS AGE</span>
<span class="go">foo-tls - 104.154.30.67 13m</span>
<span class="go"> foo.bar.com</span>
@ -1247,8 +1157,7 @@
<span class="gp">$</span> curl <span class="m">104</span>.154.30.67
<span class="go">default backend - 404</span>
</pre></div>
</td></tr></table></p>
</pre></div></p>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -916,18 +916,6 @@
<li class="md-nav__item">
<a href="../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
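Review bot: the nav entry for `customization/custom-upstream-check/` is dropped here and nothing in the hunk replaces it. If the page itself was deleted, existing links to it will start returning 404, so add a redirect or confirm the removal is intended. The same removal repeats in every generated page of this commit, so the check belongs on the docs nav configuration, not on these output files.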
@ -1250,24 +1238,7 @@ and that you have an ingress controller <a href="../../deploy">running</a> in yo
<h2 id="validation">Validation<a class="headerlink" href="#validation" title="Permanent link">&para;</a></h2>
<h3 id="rewrite-target">Rewrite Target<a class="headerlink" href="#rewrite-target" title="Permanent link">&para;</a></h3>
<p>Create an Ingress rule with a rewrite annotation:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">echo</span> <span class="s2">&quot;</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">echo</span> <span class="s2">&quot;</span>
<span class="go">apiVersion: extensions/v1beta1</span>
<span class="go">kind: Ingress</span>
<span class="go">metadata:</span>
@ -1286,48 +1257,9 @@ and that you have an ingress controller <a href="../../deploy">running</a> in yo
<span class="go"> path: /something</span>
<span class="go">&quot; | kubectl create -f -</span>
</pre></div>
</td></tr></table>
<p>Check the rewrite is working</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -v http://172.17.4.99/something -H <span class="s1">&#39;Host: rewrite.bar.com&#39;</span>
<div class="codehilite"><pre><span></span>$ curl -v http://172.17.4.99/something -H <span class="s1">&#39;Host: rewrite.bar.com&#39;</span>
* Trying <span class="m">172</span>.17.4.99...
* Connected to <span class="m">172</span>.17.4.99 <span class="o">(</span><span class="m">172</span>.17.4.99<span class="o">)</span> port <span class="m">80</span> <span class="o">(</span><span class="c1">#0)</span>
&gt; GET /something HTTP/1.1
@ -1367,28 +1299,10 @@ BODY:
* Connection <span class="c1">#0 to host 172.17.4.99 left intact</span>
-no body in request-
</pre></div>
</td></tr></table>
<h3 id="app-root">App Root<a class="headerlink" href="#app-root" title="Permanent link">&para;</a></h3>
<p>Create an Ingress rule with a app-root annotation:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s2">&quot;</span>
<div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s2">&quot;</span>
<span class="s2">apiVersion: extensions/v1beta1</span>
<span class="s2">kind: Ingress</span>
<span class="s2">metadata:</span>
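Review bot: the paragraph under the App Root heading reads "Create an Ingress rule with a app-root annotation:"; it should be "an app-root". That `<p>` is also never closed before the code block starts, so the `<div class="codehilite">` is emitted inside it. Fix both in the Markdown source by correcting the article and leaving a blank line before the fenced block.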
@ -1406,17 +1320,9 @@ BODY:
<span class="s2"> servicePort: 80</span>
<span class="s2"> path: /</span>
<span class="s2">&quot;</span> <span class="p">|</span> kubectl create -f -
</pre></div>
</td></tr></table></p>
</pre></div></p>
<p>Check the rewrite is working</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -I -k http://approot.bar.com/
<div class="codehilite"><pre><span></span>$ curl -I -k http://approot.bar.com/
HTTP/1.1 <span class="m">302</span> Moved Temporarily
Server: nginx/1.11.10
Date: Mon, <span class="m">13</span> Mar <span class="m">2017</span> <span class="m">14</span>:57:15 GMT
@ -1425,7 +1331,6 @@ Content-Length: <span class="m">162</span>
Location: http://stickyingress.example.com/app1
Connection: keep-alive
</pre></div>
</td></tr></table>
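Review bot: the sample response kept here redirects to `Location: http://stickyingress.example.com/app1`, while the request shown just above it is `curl -I -k http://approot.bar.com/`. A reader validating the app-root annotation will expect the redirect to stay on the host they queried, so this output looks copied from a different example. Re-capture it against the approot Ingress. The `-k` flag can go as well, since it has no effect on a plain `http://` URL.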

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -916,18 +916,6 @@
<li class="md-nav__item">
<a href="../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1196,48 +1184,25 @@ nodes get static IPs, the IPs are not retained across upgrade.</p>
<p>To acquire a static IP for the nginx ingress controller, simply put it
behind a Service of <code class="codehilite">Type=LoadBalancer</code>.</p>
<p>First, create a loadbalancer Service and wait for it to acquire an IP</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f static-ip-svc.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f static-ip-svc.yaml
<span class="go">service &quot;nginx-ingress-lb&quot; created</span>
<span class="gp">$</span> kubectl get svc nginx-ingress-lb
<span class="go">NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE</span>
<span class="go">nginx-ingress-lb 10.0.138.113 104.154.109.191 80:31457/TCP,443:32240/TCP 15m</span>
</pre></div>
</td></tr></table>
<p>then, update the ingress controller so it adopts the static IP of the Service
by passing the <code class="codehilite">--publish-service</code> flag (the example yaml used in the next step
already has it set to "nginx-ingress-lb").</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f nginx-ingress-controller.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f nginx-ingress-controller.yaml
<span class="go">deployment &quot;nginx-ingress-controller&quot; created</span>
</pre></div>
</td></tr></table>
<h2 id="assigning-the-ip-to-an-ingress">Assigning the IP to an Ingress<a class="headerlink" href="#assigning-the-ip-to-an-ingress" title="Permanent link">&para;</a></h2>
<p>From here on every Ingress created with the <code class="codehilite">ingress.class</code> annotation set to
<code class="codehilite">nginx</code> will get the IP allocated in the previous step</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f nginx-ingress.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f nginx-ingress.yaml
<span class="go">ingress &quot;nginx-ingress&quot; created</span>
<span class="gp">$</span> kubectl get ing nginx-ingress
@ -1254,19 +1219,10 @@ already has it set to "nginx-ingress-lb").</p>
<span class="go">request_uri=http://104.154.109.191:8080/</span>
<span class="go">...</span>
</pre></div>
</td></tr></table>
<h2 id="retaining-the-ip">Retaining the IP<a class="headerlink" href="#retaining-the-ip" title="Permanent link">&para;</a></h2>
<p>You can test retention by deleting the Ingress</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8
9</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl delete ing nginx-ingress
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl delete ing nginx-ingress
<span class="go">ingress &quot;nginx-ingress&quot; deleted</span>
<span class="gp">$</span> kubectl create -f nginx-ingress.yaml
@ -1276,7 +1232,6 @@ already has it set to "nginx-ingress-lb").</p>
<span class="go">NAME HOSTS ADDRESS PORTS AGE</span>
<span class="go">nginx-ingress * 104.154.109.191 80, 443 13m</span>
</pre></div>
</td></tr></table>
<blockquote>
<p>Note that unlike the GCE Ingress, the same loadbalancer IP is shared amongst all
@ -1285,29 +1240,14 @@ controllers.</p>
</blockquote>
<h2 id="promote-ephemeral-to-static-ip">Promote ephemeral to static IP<a class="headerlink" href="#promote-ephemeral-to-static-ip" title="Permanent link">&para;</a></h2>
<p>To promote the allocated IP to static, you can update the Service manifest</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl patch svc nginx-ingress-lb -p <span class="s1">&#39;{&quot;spec&quot;: {&quot;loadBalancerIP&quot;: &quot;104.154.109.191&quot;}}&#39;</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl patch svc nginx-ingress-lb -p <span class="s1">&#39;{&quot;spec&quot;: {&quot;loadBalancerIP&quot;: &quot;104.154.109.191&quot;}}&#39;</span>
<span class="go">&quot;nginx-ingress-lb&quot; patched</span>
</pre></div>
</td></tr></table>
<p>and promote the IP to static (promotion works differently for cloudproviders,
provided example is for GKE/GCE)
`
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> gcloud compute addresses create nginx-ingress-lb --addresses <span class="m">104</span>.154.109.191 --region us-central1
<div class="codehilite"><pre><span></span><span class="gp">$</span> gcloud compute addresses create nginx-ingress-lb --addresses <span class="m">104</span>.154.109.191 --region us-central1
<span class="go">Created [https://www.googleapis.com/compute/v1/projects/kubernetesdev/regions/us-central1/addresses/nginx-ingress-lb].</span>
<span class="go">---</span>
<span class="go">address: 104.154.109.191</span>
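Review bot: a lone backtick is rendered as literal text between "provided example is for GKE/GCE)" and the `gcloud compute addresses create` block, and the block is still nested inside that `<p>`. The fence in the Markdown source is probably malformed, with a stray backtick on the line before the opener. Remove it and put the fence on its own line after a blank line so the paragraph closes first.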
@ -1321,8 +1261,7 @@ provided example is for GKE/GCE)
<span class="go">status: IN_USE</span>
<span class="go">users:</span>
<span class="go">- us-central1/forwardingRules/a09f6913ae80e11e6a8c542010af0000</span>
</pre></div>
</td></tr></table></p>
</pre></div></p>
<p>Now even if the Service is deleted, the IP will persist, so you can recreate the
Service with <code class="codehilite">spec.loadBalancerIP</code> set to <code class="codehilite">104.154.109.191</code>.</p>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -916,18 +916,6 @@
<li class="md-nav__item">
<a href="../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1158,61 +1146,37 @@
<h2 id="prerequisites">Prerequisites<a class="headerlink" href="#prerequisites" title="Permanent link">&para;</a></h2>
<p>You need a <a href="../PREREQUISITES/#tls-certificates">TLS cert</a> and a <a href="../PREREQUISITES/#test-http-service">test HTTP service</a> for this example.</p>
<h2 id="deployment">Deployment<a class="headerlink" href="#deployment" title="Permanent link">&para;</a></h2>
<p>Create a <code class="codehilite">values.yaml</code> file.</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">apiVersion</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">extensions/v1beta1</span>
<span class="l l-Scalar l-Scalar-Plain">kind</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">Ingress</span>
<span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">nginx-test</span>
<span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">tls</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">hosts</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">foo.bar.com</span>
<span class="c1"># This assumes tls-secret exists and the SSL </span>
<span class="c1"># certificate contains a CN for foo.bar.com</span>
<span class="l l-Scalar l-Scalar-Plain">secretName</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">tls-secret</span>
<span class="l l-Scalar l-Scalar-Plain">rules</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">host</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">foo.bar.com</span>
<span class="l l-Scalar l-Scalar-Plain">http</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">paths</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">path</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">/</span>
<span class="l l-Scalar l-Scalar-Plain">backend</span><span class="p p-Indicator">:</span>
<span class="c1"># This assumes http-svc exists and routes to healthy endpoints</span>
<span class="l l-Scalar l-Scalar-Plain">serviceName</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">http-svc</span>
<span class="l l-Scalar l-Scalar-Plain">servicePort</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">80</span>
</pre></div>
<p>The following command instructs the controller to terminate traffic using the provided
TLS cert, and forward un-encrypted HTTP traffic to the test HTTP service.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl apply -f ingress.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f ingress.yaml</span>
</pre></div>
</td></tr></table>
<h2 id="validation">Validation<a class="headerlink" href="#validation" title="Permanent link">&para;</a></h2>
<p>You can confirm that the Ingress works.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe ing nginx-test
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe ing nginx-test
<span class="go">Name: nginx-test</span>
<span class="go">Namespace: default</span>
<span class="go">Address: 104.198.183.6</span>
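Review bot: the new text says "Create a `values.yaml` file" but the command that follows is `kubectl apply -f ingress.yaml`, so a reader following the steps applies a file they never created. Use one filename in both places; `ingress.yaml` fits the manifest shown. The YAML comment also asks for a certificate that "contains a CN for foo.bar.com", but current TLS clients match the hostname against subjectAltName, so the comment should ask for a SAN entry for `foo.bar.com`.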
@ -1260,7 +1224,6 @@ TLS cert, and forward un-encrypted HTTP traffic to the test HTTP service.</p>
<span class="go">x-forwarded-proto=https</span>
<span class="go">BODY:</span>
</pre></div>
</td></tr></table>

View file

@ -677,8 +677,8 @@
<li class="md-nav__item">
<a href="../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -995,18 +995,6 @@
<li class="md-nav__item">
<a href="../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication

View file

@ -636,8 +636,8 @@
<li class="md-nav__item">
<a href="user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -954,18 +954,6 @@
<li class="md-nav__item">
<a href="examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication

File diff suppressed because one or more lines are too long

View file

@ -2,227 +2,222 @@
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2018-10-07</lastmod>
<lastmod>2018-10-12</lastmod>
<changefreq>daily</changefreq>
</url>
</urlset>
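Review bot: every `<loc>` in the regenerated sitemap is the literal `None`, so the file lists no usable URLs and only the `<lastmod>` dates change (2018-10-07 to 2018-10-12). Set the site URL in the docs build configuration so real locations are emitted, or stop publishing the sitemap. The hunk header also shrinks the file from 227 to 222 lines, one `<url>` entry fewer, and with all locations `None` the diff cannot show which page dropped out.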

Binary file not shown.

View file

@ -677,8 +677,8 @@
<li class="md-nav__item">
<a href="../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -995,18 +995,6 @@
<li class="md-nav__item">
<a href="../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1220,29 +1208,7 @@ Do not move it without providing redirects.
<p>There are many ways to troubleshoot the ingress-controller. The following are basic troubleshooting
methods to obtain more information.</p>
<p>Check the Ingress Resource Events</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ing -n &lt;namespace-of-ingress-resource&gt;
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ing -n &lt;namespace-of-ingress-resource&gt;
<span class="go">NAME HOSTS ADDRESS PORTS AGE</span>
<span class="go">cafe-ingress cafe.com 10.0.2.15 80 25s</span>
@ -1266,21 +1232,9 @@ methods to obtain more information.</p>
<span class="go"> Normal CREATE 1m nginx-ingress-controller Ingress default/cafe-ingress</span>
<span class="go"> Normal UPDATE 58s nginx-ingress-controller Ingress default/cafe-ingress</span>
</pre></div>
</td></tr></table>
<p>Check the Ingress Controller Logs</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get pods -n &lt;namespace-of-ingress-controller&gt;
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get pods -n &lt;namespace-of-ingress-controller&gt;
<span class="go">NAME READY STATUS RESTARTS AGE</span>
<span class="go">nginx-ingress-controller-67956bf89d-fv58j 1/1 Running 0 1m</span>
@ -1293,26 +1247,9 @@ methods to obtain more information.</p>
<span class="go">-------------------------------------------------------------------------------</span>
<span class="go">....</span>
</pre></div>
</td></tr></table>
<p>Check the Nginx Configuration</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get pods -n &lt;namespace-of-ingress-controller&gt;
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get pods -n &lt;namespace-of-ingress-controller&gt;
<span class="go">NAME READY STATUS RESTARTS AGE</span>
<span class="go">nginx-ingress-controller-67956bf89d-fv58j 1/1 Running 0 1m</span>
@ -1330,17 +1267,9 @@ methods to obtain more information.</p>
<span class="go">http {</span>
<span class="go">....</span>
</pre></div>
</td></tr></table>
<p>Check if used Services Exist</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get svc --all-namespaces
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get svc --all-namespaces
<span class="go">NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE</span>
<span class="go">default coffee-svc ClusterIP 10.106.154.35 &lt;none&gt; 80/TCP 18m</span>
<span class="go">default kubernetes ClusterIP 10.96.0.1 &lt;none&gt; 443/TCP 30m</span>
@ -1349,18 +1278,11 @@ methods to obtain more information.</p>
<span class="go">kube-system kube-dns ClusterIP 10.96.0.10 &lt;none&gt; 53/UDP,53/TCP 30m</span>
<span class="go">kube-system kubernetes-dashboard NodePort 10.103.128.17 &lt;none&gt; 80:30000/TCP 30m</span>
</pre></div>
</td></tr></table>
<h2 id="debug-logging">Debug Logging<a class="headerlink" href="#debug-logging" title="Permanent link">&para;</a></h2>
<p>Using the flag <code class="codehilite">--v=XX</code> it is possible to increase the level of logging. This is performed by editing
the deployment.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get deploy -n &lt;namespace-of-ingress-controller&gt;
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get deploy -n &lt;namespace-of-ingress-controller&gt;
<span class="go">NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE</span>
<span class="go">default-http-backend 1 1 1 1 35m</span>
<span class="go">nginx-ingress-controller 1 1 1 1 35m</span>
@ -1368,7 +1290,6 @@ the deployment.</p>
<span class="gp">$</span> kubectl edit deploy -n &lt;namespace-of-ingress-controller&gt; nginx-ingress-controller
<span class="gp">#</span> Add --v<span class="o">=</span>X to <span class="s2">&quot;- args&quot;</span>, where X is an integer
</pre></div>
</td></tr></table>
<ul>
<li><code class="codehilite">--v=2</code> shows details using <code class="codehilite">diff</code> about the changes in the configuration in nginx</li>
@ -1380,17 +1301,12 @@ the deployment.</p>
down the source of the problem, namely whether it is a problem with service authentication or
with the kubeconfig file.</p>
<p>Both authentications must work:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>+-------------+ service +------------+
<div class="codehilite"><pre><span></span>+-------------+ service +------------+
| | authentication | |
+ apiserver +&lt;-------------------+ ingress |
| | | controller |
+-------------+ +------------+
</pre></div>
</td></tr></table>
<p><strong>Service authentication</strong></p>
<p>The Ingress controller needs information from apiserver. Therefore, authentication is required, which can be achieved in two different ways:</p>
@ -1409,23 +1325,7 @@ with the kubeconfig file.</p>
</ol>
<p>In the diagram below you can see the full authentication flow with all options, starting with the browser
on the lower left hand side.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>Kubernetes Workstation
<div class="codehilite"><pre><span></span>Kubernetes Workstation
+---------------------------------------------------+ +------------------+
| | | |
| +-----------+ apiserver +------------+ | | +------------+ |
@ -1443,76 +1343,13 @@ on the lower left hand side.</p>
| | | |
+---------------------------------------------------+ +------------------+
</pre></div>
</td></tr></table>
<h3 id="service-account">Service Account<a class="headerlink" href="#service-account" title="Permanent link">&para;</a></h3>
<p>If using a service account to connect to the API server, Dashboard expects the file
<code class="codehilite">/var/run/secrets/kubernetes.io/serviceaccount/token</code> to be present. It provides a secret
token that is required to authenticate with the API server.</p>
<p>Verify with the following commands:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">#</span> start a container that contains curl
<div class="codehilite"><pre><span></span><span class="gp">#</span> start a container that contains curl
<span class="gp">$</span> kubectl run <span class="nb">test</span> --image<span class="o">=</span>tutum/curl -- sleep <span class="m">10000</span>
<span class="gp">#</span> check that container is running
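Review bot: the Service Account paragraph kept as context says "Dashboard expects the file `/var/run/secrets/kubernetes.io/serviceaccount/token`", but this is the ingress controller troubleshooting page, so the subject should be the ingress controller. The verification step also runs `kubectl run test --image=tutum/curl` with no tag or digest, in a check that is about service account credentials. Pin the image to a digest or use an image the project controls.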
@ -1576,7 +1413,6 @@ token that is required to authenticate with the API server.</p>
<span class="go"> ]</span>
<span class="go">}</span>
</pre></div>
</td></tr></table>
<p>If it is not working, there are two possible reasons:</p>
<ol>
@ -1610,46 +1446,33 @@ dump. This allows us to see which configuration is being used, as well as older
<ol>
<li>SSH into the worker</li>
</ol>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> ssh user@workerIP
<div class="codehilite"><pre><span></span><span class="gp">$</span> ssh user@workerIP
</pre></div>
</td></tr></table>
<ol>
<li>Obtain the Docker Container Running nginx</li>
</ol>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> docker ps <span class="p">|</span> grep nginx-ingress-controller
<div class="codehilite"><pre><span></span><span class="gp">$</span> docker ps <span class="p">|</span> grep nginx-ingress-controller
<span class="go">CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES</span>
<span class="go">d9e1d243156a quay.io/kubernetes-ingress-controller/nginx-ingress-controller &quot;/usr/bin/dumb-init …&quot; 19 minutes ago Up 19 minutes k8s_nginx-ingress-controller_nginx-ingress-controller-67956bf89d-mqxzt_kube-system_079f31ec-aa37-11e8-ad39-080027a227db_0</span>
</pre></div>
</td></tr></table>
<ol>
<li>Exec into the container</li>
</ol>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> docker <span class="nb">exec</span> -it --user<span class="o">=</span><span class="m">0</span> --privileged d9e1d243156a bash
<div class="codehilite"><pre><span></span><span class="gp">$</span> docker <span class="nb">exec</span> -it --user<span class="o">=</span><span class="m">0</span> --privileged d9e1d243156a bash
</pre></div>
</td></tr></table>
<ol>
<li>Make sure nginx is running in <code class="codehilite">--with-debug</code></li>
</ol>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> nginx -V <span class="m">2</span>&gt;<span class="p">&amp;</span><span class="m">1</span> <span class="p">|</span> grep -- <span class="s1">&#39;--with-debug&#39;</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> nginx -V <span class="m">2</span>&gt;<span class="p">&amp;</span><span class="m">1</span> <span class="p">|</span> grep -- <span class="s1">&#39;--with-debug&#39;</span>
</pre></div>
</td></tr></table>
<ol>
<li>Get list of processes running on container</li>
</ol>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> ps -ef
<div class="codehilite"><pre><span></span><span class="gp">$</span> ps -ef
<span class="go">UID PID PPID C STIME TTY TIME CMD</span>
<span class="go">root 1 0 0 20:23 ? 00:00:00 /usr/bin/dumb-init /nginx-ingres</span>
<span class="go">root 5 1 0 20:23 ? 00:00:05 /nginx-ingress-controller --defa</span>
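Review bot: Every step in this hunk is emitted as its own one-item list (`<ol>`, `<li>SSH into the worker</li>`, `</ol>`, then a new `<ol>` for "Obtain the Docker Container Running nginx"), so the rendered procedure numbers each step "1.". Indenting the code blocks under their list items in the source Markdown would keep one continuous `<ol>`. Separately, the `docker exec -it --user=0 --privileged d9e1d243156a bash` step opens a privileged root shell in the controller container without saying why. A sentence stating what needs it (presumably the gdb attach in the later step) and that `d9e1d243156a` is the ID from the sample `docker ps` output would help readers who copy the line.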
@ -1658,37 +1481,22 @@ dump. This allows us to see which configuration is being used, as well as older
<span class="go">nobody 107 21 0 20:23 ? 00:00:00 nginx: worker process</span>
<span class="go">root 172 0 0 20:43 pts/0 00:00:00 bash</span>
</pre></div>
</td></tr></table>
<ol>
<li>Attach gdb to the nginx master process</li>
</ol>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> gdb -p <span class="m">21</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> gdb -p <span class="m">21</span>
<span class="go">....</span>
<span class="go">Attaching to process 21</span>
<span class="go">Reading symbols from /usr/sbin/nginx...done.</span>
<span class="go">....</span>
<span class="go">(gdb)</span>
</pre></div>
</td></tr></table>
<ol>
<li>Copy and paste the following:</li>
</ol>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8
9</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">set $cd = ngx_cycle-&gt;config_dump</span>
<div class="codehilite"><pre><span></span><span class="go">set $cd = ngx_cycle-&gt;config_dump</span>
<span class="go">set $nelts = $cd.nelts</span>
<span class="go">set $elts = (ngx_conf_dump_t*)($cd.elts)</span>
<span class="go">while ($nelts-- &gt; 0)</span>
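Review bot: The "Attach gdb to the nginx master process" step gives `gdb -p 21` with no note that 21 is the master PID from the sample `ps -ef` output (the visible worker row has PPID 21) and will differ on the reader's node. It is also worth stating at this step that the master process is stopped for as long as gdb stays attached, so the dump should be taken and gdb detached promptly on a controller that is serving traffic.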
@ -1698,7 +1506,6 @@ dump. This allows us to see which configuration is being used, as well as older
<span class="gp"> $</span>elts<span class="o">[</span><span class="nv">$nelts</span><span class="o">]</span>-&gt;buffer.start <span class="nv">$elts</span><span class="o">[</span><span class="nv">$nelts</span><span class="o">]</span>-&gt;buffer.end
<span class="go">end</span>
</pre></div>
</td></tr></table>
<ol>
<li>
@ -1708,9 +1515,8 @@ dump. This allows us to see which configuration is being used, as well as older
<p>Open nginx_conf.txt</p>
</li>
</ol>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">cat nginx_conf.txt</span>
<div class="codehilite"><pre><span></span><span class="go">cat nginx_conf.txt</span>
</pre></div>
</td></tr></table>

View file

@ -607,8 +607,8 @@
<li class="md-nav__item">
<a href="../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -925,18 +925,6 @@
<li class="md-nav__item">
<a href="../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication

View file

@ -607,8 +607,8 @@
<li class="md-nav__item">
<a href="../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -925,18 +925,6 @@
<li class="md-nav__item">
<a href="../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication

View file

@ -607,8 +607,8 @@
<li class="md-nav__item">
<a href="../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -925,18 +925,6 @@
<li class="md-nav__item">
<a href="../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1133,13 +1121,13 @@ provides an additional service for the purpose of customizing the error pages se
</a>
<a href="../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-flex md-footer-nav__link md-footer-nav__link--next" rel="next">
<a href="../ingress-path-matching/" title="Regular expressions in paths" class="md-flex md-footer-nav__link md-footer-nav__link--next" rel="next">
<div class="md-flex__cell md-flex__cell--stretch md-footer-nav__title">
<span class="md-flex__ellipsis">
<span class="md-footer-nav__direction">
Next
</span>
Exposing TCP and UDP services
Regular expressions in paths
</span>
</div>
<div class="md-flex__cell md-flex__cell--shrink">

File diff suppressed because it is too large Load diff

View file

@ -598,8 +598,8 @@
<li class="md-nav__item">
<a href="../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -925,18 +925,6 @@
<li class="md-nav__item">
<a href="../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1107,7 +1095,7 @@
<div class="md-footer-nav">
<nav class="md-footer-nav__inner md-grid">
<a href="../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-flex md-footer-nav__link md-footer-nav__link--prev" rel="prev">
<a href="../ingress-path-matching/" title="Regular expressions in paths" class="md-flex md-footer-nav__link md-footer-nav__link--prev" rel="prev">
<div class="md-flex__cell md-flex__cell--shrink">
<i class="md-icon md-icon--arrow-back md-footer-nav__button"></i>
</div>
@ -1116,7 +1104,7 @@
<span class="md-footer-nav__direction">
Previous
</span>
Exposing TCP and UDP services
Regular expressions in paths
</span>
</div>
</a>

View file

@ -36,7 +36,7 @@
<title>Ingress Path Matching - NGINX Ingress Controller</title>
<title>Regular expressions in paths - NGINX Ingress Controller</title>
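Review bot: The `<title>` here becomes "Regular expressions in paths", and the header topic and nav entries follow, but the page body in the later hunk still has `<h1 id="ingress-path-matching">Ingress Path Matching`. Suggest renaming the heading in the source Markdown as well, or keeping the old nav title, so the tab title, sidebar and page heading agree.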
@ -126,7 +126,7 @@
NGINX Ingress Controller
</span>
<span class="md-header-nav__topic">
Ingress Path Matching
Regular expressions in paths
</span>
@ -198,7 +198,9 @@
<nav class="md-tabs" data-md-component="tabs">
<nav class="md-tabs md-tabs--active" data-md-component="tabs">
<div class="md-tabs__inner md-grid">
<ul class="md-tabs__list">
@ -453,10 +455,12 @@
<li class="md-nav__item md-nav__item--nested">
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-3" type="checkbox" id="nav-3">
<input class="md-toggle md-nav__toggle" data-md-toggle="nav-3" type="checkbox" id="nav-3" checked>
<label class="md-nav__link" for="nav-3">
User guide
@ -592,11 +596,89 @@
<li class="md-nav__item">
<a href="../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<li class="md-nav__item md-nav__item--active">
<input class="md-toggle md-nav__toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Regular expressions in paths
</label>
<a href="./" title="Regular expressions in paths" class="md-nav__link md-nav__link--active">
Regular expressions in paths
</a>
<nav class="md-nav md-nav--secondary">
<label class="md-nav__title" for="__toc">Table of contents</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#regular-expression-support" title="Regular Expression Support" class="md-nav__link">
Regular Expression Support
</a>
</li>
<li class="md-nav__item">
<a href="#path-priority" title="Path Priority" class="md-nav__link">
Path Priority
</a>
<nav class="md-nav">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#example" title="Example" class="md-nav__link">
Example
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#warning" title="Warning" class="md-nav__link">
Warning
</a>
<nav class="md-nav">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#example_1" title="Example" class="md-nav__link">
Example
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
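Review bot: The generated table of contents in this hunk has two entries both titled "Example", which get the anchors `#example` and `#example_1`. The `_1` suffix depends on heading order, so a deep link to the Warning example breaks if another "Example" heading is added above it. Suggest giving the two headings distinct titles in the source, for instance one naming path priority and one naming the first-match warning.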
@ -912,18 +994,6 @@
<li class="md-nav__item">
<a href="../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1126,133 +1196,73 @@
<h1 id="ingress-path-matching">Ingress Path Matching<a class="headerlink" href="#ingress-path-matching" title="Permanent link">&para;</a></h1>
<h2 id="regular-expression-support">Regular Expression Support<a class="headerlink" href="#regular-expression-support" title="Permanent link">&para;</a></h2>
<p>The ingress controller supports <strong>case insensitive</strong> regular expressions in the <code class="codehilite">spec.rules.http.paths.path</code> field.</p>
<p>See the <a href="../nginx-configuration/annotations/#use-regex">description</a> of the <code class="codehilite">use-regex</code> annotation for more details. </p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="n">apiVersion</span><span class="o">:</span> <span class="n">extensions</span><span class="o">/</span><span class="n">v1beta1</span>
<span class="n">kind</span><span class="o">:</span> <span class="n">Ingress</span>
<span class="n">metadata</span><span class="o">:</span>
<span class="n">name</span><span class="o">:</span> <span class="n">test</span><span class="o">-</span><span class="n">ingress</span>
<span class="n">annotations</span><span class="o">:</span>
<span class="n">nginx</span><span class="o">.</span><span class="na">ingress</span><span class="o">.</span><span class="na">kubernetes</span><span class="o">.</span><span class="na">io</span><span class="o">/</span><span class="n">use</span><span class="o">-</span><span class="n">regex</span><span class="o">:</span> <span class="kc">true</span>
<span class="n">spec</span><span class="o">:</span>
<span class="n">host</span><span class="o">:</span> <span class="n">test</span><span class="o">.</span><span class="na">com</span>
<span class="n">rules</span><span class="o">:</span>
<span class="o">-</span> <span class="n">http</span><span class="o">:</span>
<span class="n">paths</span><span class="o">:</span>
<span class="o">-</span> <span class="n">path</span><span class="o">:</span> <span class="sr">/foo/</span><span class="o">.*</span>
<span class="n">backend</span><span class="o">:</span>
<span class="n">serviceName</span><span class="o">:</span> <span class="n">test</span>
<span class="n">servicePort</span><span class="o">:</span> <span class="mi">80</span>
<p>See the <a href="../nginx-configuration/annotations/#use-regex">description</a> of the <code class="codehilite">use-regex</code> annotation for more details.</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">apiVersion</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">extensions/v1beta1</span>
<span class="l l-Scalar l-Scalar-Plain">kind</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">Ingress</span>
<span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">test-ingress</span>
<span class="l l-Scalar l-Scalar-Plain">annotations</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/use-regex</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">host</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">test.com</span>
<span class="l l-Scalar l-Scalar-Plain">rules</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">http</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">paths</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">path</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">/foo/.*</span>
<span class="l l-Scalar l-Scalar-Plain">backend</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">serviceName</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">test</span>
<span class="l l-Scalar l-Scalar-Plain">servicePort</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">80</span>
</pre></div>
</td></tr></table>
<p>The preceding ingress definition would translate to the following location block within the NGINX configuration for the <code class="codehilite">test.com</code> server:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>location ~* ^/foo/.* {
<div class="codehilite"><pre><span></span>location ~* ^/foo/.* {
...
}
</pre></div>
</td></tr></table>
<h2 id="path-priority">Path Priority<a class="headerlink" href="#path-priority" title="Permanent link">&para;</a></h2>
<p>In NGINX, regular expressions follow a <strong>first match</strong> policy. In order to enable more acurate path matching, ingress-nginx first orders the paths by descending length before writing them to the NGINX template as location blocks. </p>
<p>In NGINX, regular expressions follow a <strong>first match</strong> policy. In order to enable more acurate path matching, ingress-nginx first orders the paths by descending length before writing them to the NGINX template as location blocks.</p>
<p><strong>Please read the <a href="#warning">warning</a> before using regular expressions in your ingress definitions.</strong></p>
<h3 id="example">Example<a class="headerlink" href="#example" title="Permanent link">&para;</a></h3>
<p>Let the following two ingress definitions be created:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="n">apiVersion</span><span class="o">:</span> <span class="n">extensions</span><span class="o">/</span><span class="n">v1beta1</span>
<span class="n">kind</span><span class="o">:</span> <span class="n">Ingress</span>
<span class="n">metadata</span><span class="o">:</span>
<span class="n">name</span><span class="o">:</span> <span class="n">test</span><span class="o">-</span><span class="n">ingress</span><span class="o">-</span><span class="mi">1</span>
<span class="n">spec</span><span class="o">:</span>
<span class="n">host</span><span class="o">:</span> <span class="n">test</span><span class="o">.</span><span class="na">com</span>
<span class="n">rules</span><span class="o">:</span>
<span class="o">-</span> <span class="n">http</span><span class="o">:</span>
<span class="n">paths</span><span class="o">:</span>
<span class="o">-</span> <span class="n">path</span><span class="o">:</span> <span class="sr">/foo/</span><span class="n">bar</span>
<span class="n">backend</span><span class="o">:</span>
<span class="n">serviceName</span><span class="o">:</span> <span class="n">test</span>
<span class="n">servicePort</span><span class="o">:</span> <span class="mi">80</span>
<span class="o">-</span> <span class="n">path</span><span class="o">:</span> <span class="sr">/foo/bar/</span>
<span class="n">backend</span><span class="o">:</span>
<span class="n">serviceName</span><span class="o">:</span> <span class="n">test</span>
<span class="n">servicePort</span><span class="o">:</span> <span class="mi">80</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">apiVersion</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">extensions/v1beta1</span>
<span class="l l-Scalar l-Scalar-Plain">kind</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">Ingress</span>
<span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">test-ingress-1</span>
<span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">host</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">test.com</span>
<span class="l l-Scalar l-Scalar-Plain">rules</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">http</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">paths</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">path</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">/foo/bar</span>
<span class="l l-Scalar l-Scalar-Plain">backend</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">serviceName</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">test</span>
<span class="l l-Scalar l-Scalar-Plain">servicePort</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">80</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">path</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">/foo/bar/</span>
<span class="l l-Scalar l-Scalar-Plain">backend</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">serviceName</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">test</span>
<span class="l l-Scalar l-Scalar-Plain">servicePort</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">80</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="n">apiVersion</span><span class="o">:</span> <span class="n">extensions</span><span class="o">/</span><span class="n">v1beta1</span>
<span class="n">kind</span><span class="o">:</span> <span class="n">Ingress</span>
<span class="n">metadata</span><span class="o">:</span>
<span class="n">name</span><span class="o">:</span> <span class="n">test</span><span class="o">-</span><span class="n">ingress</span><span class="o">-</span><span class="mi">2</span>
<span class="n">annotations</span><span class="o">:</span>
<span class="n">nginx</span><span class="o">.</span><span class="na">ingress</span><span class="o">.</span><span class="na">kubernetes</span><span class="o">.</span><span class="na">io</span><span class="sr">/rewrite-target: /</span>
<span class="n">spec</span><span class="o">:</span>
<span class="n">host</span><span class="o">:</span> <span class="n">test</span><span class="o">.</span><span class="na">com</span>
<span class="n">rules</span><span class="o">:</span>
<span class="o">-</span> <span class="n">http</span><span class="o">:</span>
<span class="n">paths</span><span class="o">:</span>
<span class="o">-</span> <span class="n">path</span><span class="o">:</span> <span class="sr">/foo/bar/</span><span class="o">.+</span>
<span class="n">backend</span><span class="o">:</span>
<span class="n">serviceName</span><span class="o">:</span> <span class="n">test</span>
<span class="n">servicePort</span><span class="o">:</span> <span class="mi">80</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">apiVersion</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">extensions/v1beta1</span>
<span class="l l-Scalar l-Scalar-Plain">kind</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">Ingress</span>
<span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">test-ingress-2</span>
<span class="l l-Scalar l-Scalar-Plain">annotations</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/rewrite-target</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">/</span>
<span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">host</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">test.com</span>
<span class="l l-Scalar l-Scalar-Plain">rules</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">http</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">paths</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">path</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">/foo/bar/.+</span>
<span class="l l-Scalar l-Scalar-Plain">backend</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">serviceName</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">test</span>
<span class="l l-Scalar l-Scalar-Plain">servicePort</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">80</span>
</pre></div>
</td></tr></table>
<p>The ingress controller would define the following location blocks, in order of descending length, within the NGINX template for the <code class="codehilite">test.com</code> server: </p>
<p><table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>location ~* ^/foo/bar/.+\/?(?&lt;baseuri&gt;.*) {
<p>The ingress controller would define the following location blocks, in order of descending length, within the NGINX template for the <code class="codehilite">test.com</code> server:</p>
<div class="codehilite"><pre><span></span>location ~* ^/foo/bar/.+\/?(?&lt;baseuri&gt;.*) {
...
}
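Review bot: The sample manifests in this hunk would not apply as written. `nginx.ingress.kubernetes.io/use-regex: true` is an unquoted YAML boolean, and annotation values must be strings, so it needs to be `"true"`. `host: test.com` also sits directly under `spec:` ahead of `rules:`, but the Ingress spec has no `host` field; it belongs on the rule entry next to `http:`. Both carry over unchanged from the old highlighted block to the new one, so the fix belongs in the source Markdown. While there, "acurate" in the Path Priority paragraph should read "accurate".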
@ -1264,67 +1274,46 @@ location ~* ^/foo/bar {
...
}
</pre></div>
</td></tr></table>
The following request URI's would match the corresponding location blocks:
- <code class="codehilite">test.com/foo/bar/1</code> matches <code class="codehilite">~* ^/foo/bar/.+\/?(?&lt;baseuri&gt;.*)</code>
- <code class="codehilite">test.com/foo/bar/</code> matches <code class="codehilite">~* ^/foo/bar/</code>
- <code class="codehilite">test.com/foo/bar</code> matches <code class="codehilite">~* ^/foo/bar</code></p>
<p><strong>IMPORTANT NOTES</strong>:
- paths created under the <code class="codehilite">rewrite-ingress</code> are sorted before <code class="codehilite">\/?(?&lt;baseuri&gt;.*)</code> is appended. For example if the path defined within <code class="codehilite">test-ingress-2</code> was <code class="codehilite">/foo/.+</code> then the location block for <code class="codehilite">^/foo/.+\/?(?&lt;baseuri&gt;.*)</code> would be the LAST block listed.
- If the <code class="codehilite">use-regex</code> OR <code class="codehilite">rewrite-target</code> annotation is used on any Ingress for a given host, then the case insensitive regular expression <a href="https://nginx.org/en/docs/http/ngx_http_core_module.html#location">location modifier</a> will be enforced on ALL paths for a given host regardless of what Ingress they are defined on. </p>
<p>The following request URI's would match the corresponding location blocks:</p>
<ul>
<li><code class="codehilite">test.com/foo/bar/1</code> matches <code class="codehilite">~* ^/foo/bar/.+\/?(?&lt;baseuri&gt;.*)</code></li>
<li><code class="codehilite">test.com/foo/bar/</code> matches <code class="codehilite">~* ^/foo/bar/</code></li>
<li><code class="codehilite">test.com/foo/bar</code> matches <code class="codehilite">~* ^/foo/bar</code></li>
</ul>
<p><strong>IMPORTANT NOTES</strong>:</p>
<ul>
<li>paths created under the <code class="codehilite">rewrite-ingress</code> are sorted before <code class="codehilite">\/?(?&lt;baseuri&gt;.*)</code> is appended. For example if the path defined within <code class="codehilite">test-ingress-2</code> was <code class="codehilite">/foo/.+</code> then the location block for <code class="codehilite">^/foo/.+\/?(?&lt;baseuri&gt;.*)</code> would be the LAST block listed.</li>
<li>If the <code class="codehilite">use-regex</code> OR <code class="codehilite">rewrite-target</code> annotation is used on any Ingress for a given host, then the case insensitive regular expression <a href="https://nginx.org/en/docs/http/ngx_http_core_module.html#location">location modifier</a> will be enforced on ALL paths for a given host regardless of what Ingress they are defined on.</li>
</ul>
<h2 id="warning">Warning<a class="headerlink" href="#warning" title="Permanent link">&para;</a></h2>
<p>The following example describes a case that may inflict unwanted path matching behaviour. </p>
<p>This case is expected and a result of NGINX's a first match policy for paths that use the regular expression <a href="https://nginx.org/en/docs/http/ngx_http_core_module.html#location">location modifier</a>. For more information about how a path is chosen, please read the following article: <a href="https://www.digitalocean.com/community/tutorials/understanding-nginx-server-and-location-block-selection-algorithms">"Understanding Nginx Server and Location Block Selection Algorithms"</a>. </p>
<p>The following example describes a case that may inflict unwanted path matching behaviour.</p>
<p>This case is expected and a result of NGINX's a first match policy for paths that use the regular expression <a href="https://nginx.org/en/docs/http/ngx_http_core_module.html#location">location modifier</a>. For more information about how a path is chosen, please read the following article: <a href="https://www.digitalocean.com/community/tutorials/understanding-nginx-server-and-location-block-selection-algorithms">"Understanding Nginx Server and Location Block Selection Algorithms"</a>.</p>
<h3 id="example_1">Example<a class="headerlink" href="#example_1" title="Permanent link">&para;</a></h3>
<p>Let the following ingress be defined:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="n">apiVersion</span><span class="o">:</span> <span class="n">extensions</span><span class="o">/</span><span class="n">v1beta1</span>
<span class="n">kind</span><span class="o">:</span> <span class="n">Ingress</span>
<span class="n">metadata</span><span class="o">:</span>
<span class="n">name</span><span class="o">:</span> <span class="n">test</span><span class="o">-</span><span class="n">ingress</span><span class="o">-</span><span class="mi">1</span>
<span class="n">annotations</span><span class="o">:</span>
<span class="n">nginx</span><span class="o">.</span><span class="na">ingress</span><span class="o">.</span><span class="na">kubernetes</span><span class="o">.</span><span class="na">io</span><span class="o">/</span><span class="n">use</span><span class="o">-</span><span class="n">regex</span><span class="o">:</span> <span class="kc">true</span>
<span class="n">spec</span><span class="o">:</span>
<span class="n">host</span><span class="o">:</span> <span class="n">test</span><span class="o">.</span><span class="na">com</span>
<span class="n">rules</span><span class="o">:</span>
<span class="o">-</span> <span class="n">http</span><span class="o">:</span>
<span class="n">paths</span><span class="o">:</span>
<span class="o">-</span> <span class="n">path</span><span class="o">:</span> <span class="sr">/foo/bar/</span><span class="n">bar</span>
<span class="n">backend</span><span class="o">:</span>
<span class="n">serviceName</span><span class="o">:</span> <span class="n">test</span>
<span class="n">servicePort</span><span class="o">:</span> <span class="mi">80</span>
<span class="o">-</span> <span class="n">path</span><span class="o">:</span> <span class="sr">/foo/bar/</span><span class="o">[</span><span class="n">A</span><span class="o">-</span><span class="n">Z0</span><span class="o">-</span><span class="mi">9</span><span class="o">]{</span><span class="mi">3</span><span class="o">}</span>
<span class="n">backend</span><span class="o">:</span>
<span class="n">serviceName</span><span class="o">:</span> <span class="n">test</span>
<span class="n">servicePort</span><span class="o">:</span> <span class="mi">80</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">apiVersion</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">extensions/v1beta1</span>
<span class="l l-Scalar l-Scalar-Plain">kind</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">Ingress</span>
<span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">test-ingress-1</span>
<span class="l l-Scalar l-Scalar-Plain">annotations</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/use-regex</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">host</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">test.com</span>
<span class="l l-Scalar l-Scalar-Plain">rules</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">http</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">paths</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">path</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">/foo/bar/bar</span>
<span class="l l-Scalar l-Scalar-Plain">backend</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">serviceName</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">test</span>
<span class="l l-Scalar l-Scalar-Plain">servicePort</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">80</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">path</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">/foo/bar/[A-Z0-9]{3}</span>
<span class="l l-Scalar l-Scalar-Plain">backend</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">serviceName</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">test</span>
<span class="l l-Scalar l-Scalar-Plain">servicePort</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">80</span>
</pre></div>
</td></tr></table>
<p>The ingress controller would define the following location blocks (in this order) within the NGINX template for the <code class="codehilite">test.com</code> server: </p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>location ~* ^/foo/bar/[A-Z0-9]{3} {
<p>The ingress controller would define the following location blocks (in this order) within the NGINX template for the <code class="codehilite">test.com</code> server:</p>
<div class="codehilite"><pre><span></span>location ~* ^/foo/bar/[A-Z0-9]{3} {
...
}
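Review bot: the example Ingress in this hunk is not a valid manifest as written. `host: test.com` appears before `rules:`, directly under `spec`, but `host` is a field of each entry in `rules`; and `nginx.ingress.kubernetes.io/use-regex: true` is an unquoted YAML boolean, where annotation values must be strings. Move the host into the rule (`- host: test.com` with `http:` beneath it) and quote the value as `"true"`, so that readers who copy the example get an object the API server accepts. In the paragraph above the example, "NGINX's a first match policy" should read "NGINX's first match policy".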
@ -1332,7 +1321,6 @@ location ~* ^/foo/bar/bar {
...
}
</pre></div>
</td></tr></table>
<p>A request to <code class="codehilite">test.com/foo/bar/bar</code> would match the <code class="codehilite">^/foo/[A-Z0-9]{3}</code> location block instead of the longest EXACT matching path.</p>
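Review bot: the closing sentence names the matching location block as `^/foo/[A-Z0-9]{3}`, but the block generated above is `^/foo/bar/[A-Z0-9]{3}`; the `bar/` segment is missing. The sentence should also say why `bar` satisfies `[A-Z0-9]{3}` at all: the `~*` modifier makes the match case-insensitive, and that is what lets the broader regex shadow the more specific `/foo/bar/bar` path under first-match ordering.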
@ -1352,6 +1340,41 @@ location ~* ^/foo/bar/bar {
<footer class="md-footer">
<div class="md-footer-nav">
<nav class="md-footer-nav__inner md-grid">
<a href="../default-backend/" title="Default backend" class="md-flex md-footer-nav__link md-footer-nav__link--prev" rel="prev">
<div class="md-flex__cell md-flex__cell--shrink">
<i class="md-icon md-icon--arrow-back md-footer-nav__button"></i>
</div>
<div class="md-flex__cell md-flex__cell--stretch md-footer-nav__title">
<span class="md-flex__ellipsis">
<span class="md-footer-nav__direction">
Previous
</span>
Default backend
</span>
</div>
</a>
<a href="../external-articles/" title="External Articles" class="md-flex md-footer-nav__link md-footer-nav__link--next" rel="next">
<div class="md-flex__cell md-flex__cell--stretch md-footer-nav__title">
<span class="md-flex__ellipsis">
<span class="md-footer-nav__direction">
Next
</span>
External Articles
</span>
</div>
<div class="md-flex__cell md-flex__cell--shrink">
<i class="md-icon md-icon--arrow-forward md-footer-nav__button"></i>
</div>
</a>
</nav>
</div>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-footer-copyright">

View file

@ -598,8 +598,8 @@
<li class="md-nav__item">
<a href="../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -996,18 +996,6 @@
<li class="md-nav__item">
<a href="../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication

View file

@ -598,8 +598,8 @@
<li class="md-nav__item">
<a href="../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -981,18 +981,6 @@
<li class="md-nav__item">
<a href="../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1192,74 +1180,51 @@
<p>The Prometheus server must be configured so that it can discover endpoints of services. If a Prometheus server is already running in the cluster and if it is configured in a way that it can find the ingress controller pods, no extra configuration is needed.</p>
<p>If there is no existing Prometheus server running, the rest of this tutorial will guide you through the steps needed to deploy a properly configured Prometheus server.</p>
<p>Running the following command deploys the prometheus configuration in Kubernetes:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/monitoring/configuration.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/monitoring/configuration.yaml</span>
<span class="go">configmap &quot;prometheus-configuration&quot; created</span>
</pre></div>
</td></tr></table>
<p>Running the following command deploys prometheus in Kubernetes:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/monitoring/prometheus.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/monitoring/prometheus.yaml</span>
<span class="go">clusterrole &quot;prometheus-server&quot; created</span>
<span class="go">serviceaccount &quot;prometheus-server&quot; created</span>
<span class="go">clusterrolebinding &quot;prometheus-server&quot; created</span>
<span class="go">deployment &quot;prometheus-server&quot; created</span>
<span class="go">service &quot;prometheus-server&quot; created</span>
</pre></div>
</td></tr></table>
<h3 id="prometheus-dashboard">Prometheus Dashboard<a class="headerlink" href="#prometheus-dashboard" title="Permanent link">&para;</a></h3>
<p>Open Prometheus dashboard in a web browser:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl get svc -n ingress-nginx</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl get svc -n ingress-nginx</span>
<span class="go">NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE</span>
<span class="go">default-http-backend ClusterIP 10.103.59.201 &lt;none&gt; 80/TCP 3d</span>
<span class="go">ingress-nginx NodePort 10.97.44.72 &lt;none&gt; 80:30100/TCP,443:30154/TCP,10254:32049/TCP 5h</span>
<span class="go">prometheus-server NodePort 10.98.233.86 &lt;none&gt; 9090:32630/TCP 1m</span>
</pre></div>
</td></tr></table>
<p>Obtain the IP address of the nodes in the running cluster:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl get nodes -o wide</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl get nodes -o wide</span>
</pre></div>
</td></tr></table>
<p>In some cases where the node only have internal IP addresses we need to execute:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl get nodes --selector=kubernetes.io/role!=master -o jsonpath={.items[*].status.addresses[?\(@.type==\&quot;InternalIP\&quot;\)].address}</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl get nodes --selector=kubernetes.io/role!=master -o jsonpath={.items[*].status.addresses[?\(@.type==\&quot;InternalIP\&quot;\)].address}</span>
<span class="go">10.192.0.2 10.192.0.3 10.192.0.4</span>
</pre></div>
</td></tr></table>
<p>Open your browser and visit the following URL: <em>http://{node IP address}:{prometheus-svc-nodeport}</em> to load the Prometheus Dashboard.</p>
<p>According to the above example, this URL will be http://10.192.0.3:32630</p>
<p><img alt="Dashboard" src="../../images/prometheus-dashboard.png" /></p>
<h3 id="grafana">Grafana<a class="headerlink" href="#grafana" title="Permanent link">&para;</a></h3>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/monitoring/grafana.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/monitoring/grafana.yaml</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl get svc -n ingress-nginx</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl get svc -n ingress-nginx</span>
<span class="go">NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE</span>
<span class="go">default-http-backend ClusterIP 10.103.59.201 &lt;none&gt; 80/TCP 3d</span>
<span class="go">ingress-nginx NodePort 10.97.44.72 &lt;none&gt; 80:30100/TCP,443:30154/TCP,10254:32049/TCP 5h</span>
<span class="go">prometheus-server NodePort 10.98.233.86 &lt;none&gt; 9090:32630/TCP 10m</span>
<span class="go">grafana NodePort 10.98.233.87 &lt;none&gt; 3000:31086/TCP 10m</span>
</pre></div>
</td></tr></table>
<p>Open your browser and visit the following URL: <em>http://{node IP address}:{grafana-svc-nodeport}</em> to load the Grafana Dashboard.
According to the above example, this URL will be http://10.192.0.3:31086</p>
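Review bot: all three `kubectl create -f` commands in this hunk fetch manifests from the `master` branch on raw.githubusercontent.com, so what a reader applies (including the `prometheus-server` clusterrole and clusterrolebinding listed in the output) can change from one day to the next; point the URLs at a release tag or commit instead. The tutorial also publishes `prometheus-server` and `grafana` as NodePort services and tells the reader to open them over plain `http://{node IP address}:{nodeport}`, with no sentence saying those ports should be reachable only from trusted networks. Smaller points: "the node only have internal IP addresses" should read "the nodes only have internal IP addresses", and the Grafana heading is followed by two command blocks with no text saying what each one does.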

View file

@ -598,8 +598,8 @@
<li class="md-nav__item">
<a href="../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -954,18 +954,6 @@
<li class="md-nav__item">
<a href="../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1129,26 +1117,18 @@
<p>If you're running multiple ingress controllers, or running on a cloud provider that natively handles ingress such as GKE,
you need to specify the annotation <code class="codehilite">kubernetes.io/ingress.class: &quot;nginx&quot;</code> in all ingresses that you would like the ingress-nginx controller to claim.</p>
<p>For instance,</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">foo</span>
<span class="l l-Scalar l-Scalar-Plain">annotations</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">kubernetes.io/ingress.class</span><span class="p p-Indicator">:</span> <span class="s">&quot;gce&quot;</span>
</pre></div>
</td></tr></table>
<p>will target the GCE controller, forcing the nginx controller to ignore it, while an annotation like</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">foo</span>
<span class="l l-Scalar l-Scalar-Plain">annotations</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">kubernetes.io/ingress.class</span><span class="p p-Indicator">:</span> <span class="s">&quot;nginx&quot;</span>
</pre></div>
</td></tr></table>
<p>will target the nginx controller, forcing the GCE controller to ignore it.</p>
<p>To reiterate, setting the annotation to any value which does not match a valid ingress class will force the NGINX Ingress controller to ignore your Ingress.
@ -1158,16 +1138,7 @@ If you are only running a single NGINX ingress controller, this can be achieved
<p>This mechanism also provides users the ability to run <em>multiple</em> NGINX ingress controllers (e.g. one which serves public traffic, one which serves "internal" traffic).
To do this, the option <code class="codehilite">--ingress-class</code> must be changed to a value unique for the cluster within the definition of the replication controller.
Here is a partial example:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">template</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">containers</span><span class="p p-Indicator">:</span>
@ -1178,7 +1149,6 @@ Here is a partial example:</p>
<span class="p p-Indicator">-</span> <span class="s">&#39;--ingress-class=nginx-internal&#39;</span>
<span class="p p-Indicator">-</span> <span class="s">&#39;--configmap=ingress/nginx-ingress-internal-controller&#39;</span>
</pre></div>
</td></tr></table>
<div class="admonition important">
<p class="admonition-title">Important</p>

View file

@ -569,13 +569,6 @@
Authentication
</a>
</li>
<li class="md-nav__item">
<a href="#custom-nginx-upstream-checks" title="Custom NGINX upstream checks" class="md-nav__link">
Custom NGINX upstream checks
</a>
</li>
<li class="md-nav__item">
@ -681,13 +674,6 @@
SSL Passthrough
</a>
</li>
<li class="md-nav__item">
<a href="#secure-backends-deprecated-since-0180" title="Secure backends DEPRECATED (since 0.18.0)" class="md-nav__link">
Secure backends DEPRECATED (since 0.18.0)
</a>
</li>
<li class="md-nav__item">
@ -813,13 +799,6 @@
Lua Resty WAF
</a>
</li>
<li class="md-nav__item">
<a href="#grpc-backend-deprecated-since-0180" title="gRPC backend DEPRECATED (since 0.18.0)" class="md-nav__link">
gRPC backend DEPRECATED (since 0.18.0)
</a>
</li>
<li class="md-nav__item">
@ -937,8 +916,8 @@
<li class="md-nav__item">
<a href="../../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -1255,18 +1234,6 @@
<li class="md-nav__item">
<a href="../../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1432,13 +1399,6 @@
Authentication
</a>
</li>
<li class="md-nav__item">
<a href="#custom-nginx-upstream-checks" title="Custom NGINX upstream checks" class="md-nav__link">
Custom NGINX upstream checks
</a>
</li>
<li class="md-nav__item">
@ -1544,13 +1504,6 @@
SSL Passthrough
</a>
</li>
<li class="md-nav__item">
<a href="#secure-backends-deprecated-since-0180" title="Secure backends DEPRECATED (since 0.18.0)" class="md-nav__link">
Secure backends DEPRECATED (since 0.18.0)
</a>
</li>
<li class="md-nav__item">
@ -1676,13 +1629,6 @@
Lua Resty WAF
</a>
</li>
<li class="md-nav__item">
<a href="#grpc-backend-deprecated-since-0180" title="gRPC backend DEPRECATED (since 0.18.0)" class="md-nav__link">
gRPC backend DEPRECATED (since 0.18.0)
</a>
</li>
<li class="md-nav__item">
@ -1849,10 +1795,6 @@ table below.</p>
<td>"true" or "false"</td>
</tr>
<tr>
<td><a href="#grpc-backend">nginx.ingress.kubernetes.io/grpc-backend</a></td>
<td>"true" or "false"</td>
</tr>
<tr>
<td><a href="#rate-limiting">nginx.ingress.kubernetes.io/limit-connections</a></td>
<td>number</td>
</tr>
@ -1921,10 +1863,6 @@ table below.</p>
<td>URI</td>
</tr>
<tr>
<td><a href="#secure-backends">nginx.ingress.kubernetes.io/secure-backends</a></td>
<td>"true" or "false"</td>
</tr>
<tr>
<td><a href="#secure-backends">nginx.ingress.kubernetes.io/secure-verify-ca-secret</a></td>
<td>string</td>
</tr>
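Review bot: the `nginx.ingress.kubernetes.io/secure-verify-ca-secret` row that stays in the table still links to `#secure-backends`, while this same commit deletes the "Secure backends" section (id `secure-backends-deprecated-since-0180`) in the later hunk at -2328,16. That leaves the link without a target and the annotation without any description, including the warning that an invalid or non-existent secret is ignored. Either remove this row as well, or move the CA-secret text under the section that documents `backend-protocol: "HTTPS"` and point the link there.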
@ -1957,14 +1895,6 @@ table below.</p>
<td>"true" or "false"</td>
</tr>
<tr>
<td><a href="#custom-nginx-upstream-checks">nginx.ingress.kubernetes.io/upstream-max-fails</a></td>
<td>number</td>
</tr>
<tr>
<td><a href="#custom-nginx-upstream-checks">nginx.ingress.kubernetes.io/upstream-fail-timeout</a></td>
<td>number</td>
</tr>
<tr>
<td><a href="#custom-nginx-upstream-hashing">nginx.ingress.kubernetes.io/upstream-hash-by</a></td>
<td>string</td>
</tr>
@ -2073,43 +2003,21 @@ So, at reload, if upstream servers have changed, index values are not guaranteed
<h3 id="authentication">Authentication<a class="headerlink" href="#authentication" title="Permanent link">&para;</a></h3>
<p>Is possible to add authentication adding additional annotations in the Ingress rule. The source of the authentication is a secret that contains usernames and passwords inside the key <code class="codehilite">auth</code>.</p>
<p>The annotations are:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>nginx.ingress.kubernetes.io/auth-type: [basic|digest]
</pre></div>
</td></tr></table></p>
<div class="codehilite"><pre><span></span>nginx.ingress.kubernetes.io/auth-type: [basic|digest]
</pre></div></p>
<p>Indicates the <a href="https://tools.ietf.org/html/rfc2617">HTTP Authentication Type: Basic or Digest Access Authentication</a>.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>nginx.ingress.kubernetes.io/auth-secret: secretName
<div class="codehilite"><pre><span></span>nginx.ingress.kubernetes.io/auth-secret: secretName
</pre></div>
</td></tr></table>
<p>The name of the Secret that contains the usernames and passwords which are granted access to the <code class="codehilite">path</code>s defined in the Ingress rules.
This annotation also accepts the alternative form "namespace/secretName", in which case the Secret lookup is performed in the referenced namespace instead of the Ingress namespace.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>nginx.ingress.kubernetes.io/auth-realm: &quot;realm string&quot;
<div class="codehilite"><pre><span></span>nginx.ingress.kubernetes.io/auth-realm: &quot;realm string&quot;
</pre></div>
</td></tr></table>
<div class="admonition example">
<p class="admonition-title">Example</p>
<p>Please check the <a href="../../../examples/auth/basic/">auth</a> example.</p>
</div>
<h3 id="custom-nginx-upstream-checks">Custom NGINX upstream checks<a class="headerlink" href="#custom-nginx-upstream-checks" title="Permanent link">&para;</a></h3>
<p>NGINX exposes some flags in the <a href="http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream">upstream configuration</a> that enable the configuration of each server in the upstream. The Ingress controller allows custom <code class="codehilite">max_fails</code> and <code class="codehilite">fail_timeout</code> parameters in a global context using <code class="codehilite">upstream-max-fails</code> and <code class="codehilite">upstream-fail-timeout</code> in the NGINX ConfigMap or in a particular Ingress rule. <code class="codehilite">upstream-max-fails</code> defaults to 0. This means NGINX will respect the container's <code class="codehilite">readinessProbe</code> if it is defined. If there is no probe and no values for <code class="codehilite">upstream-max-fails</code> NGINX will continue to send traffic to the container.</p>
<div class="admonition tip">
<p class="admonition-title">Tip</p>
<p>With the default configuration NGINX will not health check your backends. Whenever the endpoints controller notices a readiness probe failure, that pod's IP will be removed from the list of endpoints. This will trigger the NGINX controller to also remove it from the upstreams.**</p>
</div>
<p>To use custom values in an Ingress rule define these annotations:</p>
<p><code class="codehilite">nginx.ingress.kubernetes.io/upstream-max-fails</code>: number of unsuccessful attempts to communicate with the server that should occur in the duration set by the <code class="codehilite">upstream-fail-timeout</code> parameter to consider the server unavailable.</p>
<p><code class="codehilite">nginx.ingress.kubernetes.io/upstream-fail-timeout</code>: time in seconds during which the specified number of unsuccessful attempts to communicate with the server should occur to consider the server unavailable. This is also the period of time the server will be considered unavailable.</p>
<p>In NGINX, backend server pools are called "<a href="http://nginx.org/en/docs/http/ngx_http_upstream_module.html">upstreams</a>". Each upstream contains the endpoints for a service. An upstream is created for each service that has Ingress rules defined.</p>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>All Ingress rules using the same service will use the same upstream.<br />
Only one of the Ingress rules should define annotations to configure the upstream servers.</p>
</div>
<div class="admonition example">
<p class="admonition-title">Example</p>
<p>Please check the <a href="../../../examples/customization/custom-upstream-check/">custom upstream check</a> example.</p>
</div>
<h3 id="custom-nginx-upstream-hashing">Custom NGINX upstream hashing<a class="headerlink" href="#custom-nginx-upstream-hashing" title="Permanent link">&para;</a></h3>
<p>NGINX supports load balancing by client-server mapping based on <a href="http://nginx.org/en/docs/http/ngx_http_upstream_module.html#hash">consistent hashing</a> for a given key. The key can contain text, variables or any combination thereof. This feature allows for request stickiness other than client IP or cookies. The <a href="http://www.last.fm/user/RJ/journal/2007/04/10/392555/">ketama</a> consistent hashing method will be used which ensures only a few keys would be remapped to different servers on upstream group changes.</p>
<p>To enable consistent hashing for a backend:</p>
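Review bot: the first annotation block in the Authentication section is emitted inside the paragraph, as `<p>The annotations are:` followed by `<div class="codehilite">` and closed with `</pre></div></p>`, so a block-level `<div>` ends up nested in a `<p>`; the `auth-secret` and `auth-realm` blocks are not wrapped this way. A blank line after "The annotations are:" in the Markdown source should produce consistent markup. In the same section, "Is possible to add authentication adding additional annotations" should read "It is possible to add authentication by adding annotations", and the `auth-realm` block has no descriptive sentence while the other two annotations do.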
@ -2149,11 +2057,9 @@ Only one of the Ingress rules should define annotations to configure the upstrea
</div>
<h3 id="configuration-snippet">Configuration snippet<a class="headerlink" href="#configuration-snippet" title="Permanent link">&para;</a></h3>
<p>Using this annotation you can add additional configuration to the NGINX location. For example:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/configuration-snippet</span><span class="p p-Indicator">:</span> <span class="p p-Indicator">|</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/configuration-snippet</span><span class="p p-Indicator">:</span> <span class="p p-Indicator">|</span>
<span class="no">more_set_headers &quot;Request-Id: $req_id&quot;;</span>
</pre></div>
</td></tr></table>
<h3 id="default-backend">Default Backend<a class="headerlink" href="#default-backend" title="Permanent link">&para;</a></h3>
<p>The ingress controller requires a <a href="../../default-backend/">default backend</a>.
@ -2221,20 +2127,7 @@ the new server configuration will take place over the alias configuration.</p>
<p>For more information please see <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#server_name">the <code class="codehilite">server_name</code> documentation</a>.</p>
<h3 id="server-snippet">Server snippet<a class="headerlink" href="#server-snippet" title="Permanent link">&para;</a></h3>
<p>Using the annotation <code class="codehilite">nginx.ingress.kubernetes.io/server-snippet</code> it is possible to add custom configuration in the server configuration block.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">apiVersion</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">extensions/v1beta1</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">apiVersion</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">extensions/v1beta1</span>
<span class="l l-Scalar l-Scalar-Plain">kind</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">Ingress</span>
<span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">annotations</span><span class="p p-Indicator">:</span>
@ -2249,7 +2142,6 @@ the new server configuration will take place over the alias configuration.</p>
<span class="no">return 301 https://m.example.com;</span>
<span class="no">}</span>
</pre></div>
</td></tr></table>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
@ -2277,9 +2169,8 @@ applied to each location provided in the ingress rule.</p>
<p>For more information please see <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size">http://nginx.org</a></p>
<h3 id="external-authentication">External Authentication<a class="headerlink" href="#external-authentication" title="Permanent link">&para;</a></h3>
<p>To use an existing service that provides authentication the Ingress rule can be annotated with <code class="codehilite">nginx.ingress.kubernetes.io/auth-url</code> to indicate the URL where the HTTP request should be sent.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/auth-url</span><span class="p p-Indicator">:</span> <span class="s">&quot;URL</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">authentication</span><span class="nv"> </span><span class="s">service&quot;</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/auth-url</span><span class="p p-Indicator">:</span> <span class="s">&quot;URL</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">authentication</span><span class="nv"> </span><span class="s">service&quot;</span>
</pre></div>
</td></tr></table>
<p>Additionally it is possible to set:</p>
<ul>
@ -2328,16 +2219,6 @@ the User guide.</p>
<p>Because SSL Passthrough works on layer 4 of the OSI model (TCP) and not on the layer 7 (HTTP), using SSL Passthrough
invalidates all the other annotations set on an Ingress object.</p>
</div>
<h3 id="secure-backends-deprecated-since-0180">Secure backends DEPRECATED (since 0.18.0)<a class="headerlink" href="#secure-backends-deprecated-since-0180" title="Permanent link">&para;</a></h3>
<p>Please use <code class="codehilite">nginx.ingress.kubernetes.io/backend-protocol: &quot;HTTPS&quot;</code></p>
<p>By default NGINX uses plain HTTP to reach the services.
Adding the annotation <code class="codehilite">nginx.ingress.kubernetes.io/secure-backends: &quot;true&quot;</code> in the Ingress rule changes the protocol to HTTPS.
If you want to validate the upstream against a specific certificate, you can create a secret with it and reference the secret with the annotation <code class="codehilite">nginx.ingress.kubernetes.io/secure-verify-ca-secret</code>.</p>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>Note that if an invalid or non-existent secret is given,
the ingress controller will ignore the <code class="codehilite">secure-backends</code> annotation.</p>
</div>
<h3 id="service-upstream">Service Upstream<a class="headerlink" href="#service-upstream" title="Permanent link">&para;</a></h3>
<p>By default the NGINX ingress controller uses a list of all endpoints (Pod IP/port) in the NGINX upstream configuration.</p>
<p>The <code class="codehilite">nginx.ingress.kubernetes.io/service-upstream</code> annotation disables that behavior and instead uses a single upstream in NGINX, the service's Cluster IP and port.</p>
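Review bot: removing the whole "Secure backends DEPRECATED (since 0.18.0)" section also drops the only visible pointer to the replacement, nginx.ingress.kubernetes.io/backend-protocol: "HTTPS", and the only description of secure-verify-ca-secret for validating the upstream against a specific certificate. Anyone still carrying secure-backends: "true" gets no hint from this page that the default is plain HTTP to the service. Suggest keeping a short removal note next to the backend-protocol documentation that names the old annotations and says how upstream certificate verification is configured now.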
@ -2392,9 +2273,8 @@ otherwise, both annotations must be used in unison. Note that each annotation mu
<p>For NGINX, an 413 error will be returned to the client when the size in a request exceeds the maximum allowed size of the client request body. This size can be configured by the parameter <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size"><code class="codehilite">client_max_body_size</code></a>.</p>
<p>To configure this setting globally for all Ingress rules, the <code class="codehilite">proxy-body-size</code> value may be set in the <a href="../configmap/">NGINX ConfigMap</a>.
To use custom values in an Ingress rule define these annotation:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/proxy-body-size</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">8m</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/proxy-body-size</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">8m</span>
</pre></div>
</td></tr></table>
<h3 id="proxy-cookie-domain">Proxy cookie domain<a class="headerlink" href="#proxy-cookie-domain" title="Permanent link">&para;</a></h3>
<p>Sets a text that <a href="http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_domain">should be changed in the domain attribute</a> of the "Set-Cookie" header fields of a proxied server response.</p>
@ -2407,93 +2287,69 @@ To use custom values in an Ingress rule define these annotation:</p>
By default proxy buffering is disabled in the NGINX config.</p>
<p>To configure this setting globally for all Ingress rules, the <code class="codehilite">proxy-buffering</code> value may be set in the <a href="../configmap/">NGINX ConfigMap</a>.
To use custom values in an Ingress rule define these annotation:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/proxy-buffering</span><span class="p p-Indicator">:</span> <span class="s">&quot;on&quot;</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/proxy-buffering</span><span class="p p-Indicator">:</span> <span class="s">&quot;on&quot;</span>
</pre></div>
</td></tr></table>
<h3 id="proxy-buffer-size">Proxy buffer size<a class="headerlink" href="#proxy-buffer-size" title="Permanent link">&para;</a></h3>
<p>Sets the size of the buffer <a href="http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size"><code class="codehilite">proxy_buffer_size</code></a> used for reading the first part of the response received from the proxied server.
By default proxy buffer size is set as "4k"</p>
<p>To configure this setting globally, set <code class="codehilite">proxy-buffer-size</code> in <a href="../configmap/">NGINX ConfigMap</a>. To use custom values in an Ingress rule, define this annotation:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/proxy-buffer-size</span><span class="p p-Indicator">:</span> <span class="s">&quot;8k&quot;</span>
</pre></div>
</td></tr></table></p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/proxy-buffer-size</span><span class="p p-Indicator">:</span> <span class="s">&quot;8k&quot;</span>
</pre></div></p>
<h3 id="ssl-ciphers">SSL ciphers<a class="headerlink" href="#ssl-ciphers" title="Permanent link">&para;</a></h3>
<p>Specifies the <a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers">enabled ciphers</a>.</p>
<p>Using this annotation will set the <code class="codehilite">ssl_ciphers</code> directive at the server level. This configuration is active for all the paths in the host.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/ssl-ciphers</span><span class="p p-Indicator">:</span> <span class="s">&quot;ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP&quot;</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/ssl-ciphers</span><span class="p p-Indicator">:</span> <span class="s">&quot;ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP&quot;</span>
</pre></div>
</td></tr></table>
<h3 id="connection-proxy-header">Connection proxy header<a class="headerlink" href="#connection-proxy-header" title="Permanent link">&para;</a></h3>
<p>Using this annotation will override the default connection header set by NGINX.
To use custom values in an Ingress rule, define the annotation:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/connection-proxy-header</span><span class="p p-Indicator">:</span> <span class="s">&quot;keep-alive&quot;</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/connection-proxy-header</span><span class="p p-Indicator">:</span> <span class="s">&quot;keep-alive&quot;</span>
</pre></div>
</td></tr></table>
<h3 id="enable-access-log">Enable Access Log<a class="headerlink" href="#enable-access-log" title="Permanent link">&para;</a></h3>
<p>Access logs are enabled by default, but in some scenarios access logs might be required to be disabled for a given
ingress. To do this, use the annotation:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/enable-access-log</span><span class="p p-Indicator">:</span> <span class="s">&quot;false&quot;</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/enable-access-log</span><span class="p p-Indicator">:</span> <span class="s">&quot;false&quot;</span>
</pre></div>
</td></tr></table>
<h3 id="enable-rewrite-log">Enable Rewrite Log<a class="headerlink" href="#enable-rewrite-log" title="Permanent link">&para;</a></h3>
<p>Rewrite logs are not enabled by default. In some scenarios it could be required to enable NGINX rewrite logs.
Note that rewrite logs are sent to the error_log file at the notice level. To enable this feature use the annotation:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/enable-rewrite-log</span><span class="p p-Indicator">:</span> <span class="s">&quot;true&quot;</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/enable-rewrite-log</span><span class="p p-Indicator">:</span> <span class="s">&quot;true&quot;</span>
</pre></div>
</td></tr></table>
<h3 id="lua-resty-waf">Lua Resty WAF<a class="headerlink" href="#lua-resty-waf" title="Permanent link">&para;</a></h3>
<p>Using <code class="codehilite">lua-resty-waf-*</code> annotations we can enable and control the <a href="https://github.com/p0pr0ck5/lua-resty-waf">lua-resty-waf</a>
Web Application Firewall per location.</p>
<p>Following configuration will enable the WAF for the paths defined in the corresponding ingress:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/lua-resty-waf</span><span class="p p-Indicator">:</span> <span class="s">&quot;active&quot;</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/lua-resty-waf</span><span class="p p-Indicator">:</span> <span class="s">&quot;active&quot;</span>
</pre></div>
</td></tr></table>
<p>In order to run it in debugging mode you can set <code class="codehilite">nginx.ingress.kubernetes.io/lua-resty-waf-debug</code> to <code class="codehilite">&quot;true&quot;</code> in addition to the above configuration.
The other possible values for <code class="codehilite">nginx.ingress.kubernetes.io/lua-resty-waf</code> are <code class="codehilite">inactive</code> and <code class="codehilite">simulate</code>.
In <code class="codehilite">inactive</code> mode WAF won't do anything, whereas in <code class="codehilite">simulate</code> mode it will log a warning message if there's a matching WAF rule for given request. This is useful to debug a rule and eliminate possible false positives before fully deploying it.</p>
<p><code class="codehilite">lua-resty-waf</code> comes with predefined set of rules <a href="https://github.com/p0pr0ck5/lua-resty-waf/tree/84b4f40362500dd0cb98b9e71b5875cb1a40f1ad/rules">https://github.com/p0pr0ck5/lua-resty-waf/tree/84b4f40362500dd0cb98b9e71b5875cb1a40f1ad/rules</a> that covers ModSecurity CRS.
You can use <code class="codehilite">nginx.ingress.kubernetes.io/lua-resty-waf-ignore-rulesets</code> to ignore a subset of those rulesets. For an example:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/lua-resty-waf-ignore-rulesets</span><span class="p p-Indicator">:</span> <span class="s">&quot;41000_sqli,</span><span class="nv"> </span><span class="s">42000_xss&quot;</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/lua-resty-waf-ignore-rulesets</span><span class="p p-Indicator">:</span> <span class="s">&quot;41000_sqli,</span><span class="nv"> </span><span class="s">42000_xss&quot;</span>
</pre></div>
</td></tr></table>
<p>will ignore the two mentioned rulesets.</p>
<p>It is also possible to configure custom WAF rules per ingress using the <code class="codehilite">nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules</code> annotation. For an example the following snippet will configure a WAF rule to deny requests with query string value that contains word <code class="codehilite">foo</code>:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules</span><span class="p p-Indicator">:</span> <span class="s">&#39;[=[</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;access&quot;:</span><span class="nv"> </span><span class="s">[</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;actions&quot;:</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;disrupt&quot;</span><span class="nv"> </span><span class="s">:</span><span class="nv"> </span><span class="s">&quot;DENY&quot;</span><span class="nv"> </span><span class="s">},</span><span class="nv"> </span><span class="s">&quot;id&quot;:</span><span class="nv"> </span><span class="s">10001,</span><span class="nv"> </span><span class="s">&quot;msg&quot;:</span><span class="nv"> </span><span class="s">&quot;my</span><span class="nv"> </span><span class="s">custom</span><span class="nv"> </span><span class="s">rule&quot;,</span><span class="nv"> </span><span class="s">&quot;operator&quot;:</span><span class="nv"> </span><span class="s">&quot;STR_CONTAINS&quot;,</span><span class="nv"> </span><span class="s">&quot;pattern&quot;:</span><span class="nv"> </span><span class="s">&quot;foo&quot;,</span><span class="nv"> </span><span class="s">&quot;vars&quot;:</span><span class="nv"> </span><span class="s">[</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;parse&quot;:</span><span class="nv"> </span><span class="s">[</span><span class="nv"> </span><span class="s">&quot;values&quot;,</span><span class="nv"> </span><span class="s">1</span><span class="nv"> </span><span class="s">],</span><span class="nv"> 
</span><span class="s">&quot;type&quot;:</span><span class="nv"> </span><span class="s">&quot;REQUEST_ARGS&quot;</span><span class="nv"> </span><span class="s">}</span><span class="nv"> </span><span class="s">]</span><span class="nv"> </span><span class="s">}</span><span class="nv"> </span><span class="s">],</span><span class="nv"> </span><span class="s">&quot;body_filter&quot;:</span><span class="nv"> </span><span class="s">[],</span><span class="nv"> </span><span class="s">&quot;header_filter&quot;:[]</span><span class="nv"> </span><span class="s">}</span><span class="nv"> </span><span class="s">]=]&#39;</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules</span><span class="p p-Indicator">:</span> <span class="s">&#39;[=[</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;access&quot;:</span><span class="nv"> </span><span class="s">[</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;actions&quot;:</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;disrupt&quot;</span><span class="nv"> </span><span class="s">:</span><span class="nv"> </span><span class="s">&quot;DENY&quot;</span><span class="nv"> </span><span class="s">},</span><span class="nv"> </span><span class="s">&quot;id&quot;:</span><span class="nv"> </span><span class="s">10001,</span><span class="nv"> </span><span class="s">&quot;msg&quot;:</span><span class="nv"> </span><span class="s">&quot;my</span><span class="nv"> </span><span class="s">custom</span><span class="nv"> </span><span class="s">rule&quot;,</span><span class="nv"> </span><span class="s">&quot;operator&quot;:</span><span class="nv"> </span><span class="s">&quot;STR_CONTAINS&quot;,</span><span class="nv"> </span><span class="s">&quot;pattern&quot;:</span><span class="nv"> </span><span class="s">&quot;foo&quot;,</span><span class="nv"> </span><span class="s">&quot;vars&quot;:</span><span class="nv"> </span><span class="s">[</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;parse&quot;:</span><span class="nv"> </span><span class="s">[</span><span class="nv"> </span><span class="s">&quot;values&quot;,</span><span class="nv"> </span><span class="s">1</span><span class="nv"> </span><span class="s">],</span><span class="nv"> </span><span class="s">&quot;type&quot;:</span><span class="nv"> </span><span class="s">&quot;REQUEST_ARGS&quot;</span><span class="nv"> 
</span><span class="s">}</span><span class="nv"> </span><span class="s">]</span><span class="nv"> </span><span class="s">}</span><span class="nv"> </span><span class="s">],</span><span class="nv"> </span><span class="s">&quot;body_filter&quot;:</span><span class="nv"> </span><span class="s">[],</span><span class="nv"> </span><span class="s">&quot;header_filter&quot;:[]</span><span class="nv"> </span><span class="s">}</span><span class="nv"> </span><span class="s">]=]&#39;</span>
</pre></div>
</td></tr></table>
<p>For details on how to write WAF rules, please refer to <a href="https://github.com/p0pr0ck5/lua-resty-waf">https://github.com/p0pr0ck5/lua-resty-waf</a>.</p>
<h3 id="grpc-backend-deprecated-since-0180">gRPC backend DEPRECATED (since 0.18.0)<a class="headerlink" href="#grpc-backend-deprecated-since-0180" title="Permanent link">&para;</a></h3>
<p>Please use <code class="codehilite">nginx.ingress.kubernetes.io/backend-protocol: &quot;GRPC&quot;</code> or <code class="codehilite">nginx.ingress.kubernetes.io/backend-protocol: &quot;GRPCS&quot;</code></p>
<p>Since NGINX 1.13.10 it is possible to expose <a href="http://nginx.org/en/docs/http/ngx_http_grpc_module.html">gRPC services natively</a></p>
<p>You only need to add the annotation <code class="codehilite">nginx.ingress.kubernetes.io/grpc-backend: &quot;true&quot;</code> to enable this feature.
Additionally, if the gRPC service requires TLS, add <code class="codehilite">nginx.ingress.kubernetes.io/secure-backends: &quot;true&quot;</code>.</p>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>This feature requires HTTP2 to work which means we need to expose this service using HTTPS.
Exposing a gRPC service using HTTP is not supported.</p>
</div>
<h3 id="influxdb">InfluxDB<a class="headerlink" href="#influxdb" title="Permanent link">&para;</a></h3>
<p>Using <code class="codehilite">influxdb-*</code> annotations we can monitor requests passing through a Location by sending them to an InfluxDB backend exposing the UDP socket
using the <a href="https://github.com/influxdata/nginx-influxdb-module/">nginx-influxdb-module</a>.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/enable-influxdb</span><span class="p p-Indicator">:</span> <span class="s">&quot;true&quot;</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/enable-influxdb</span><span class="p p-Indicator">:</span> <span class="s">&quot;true&quot;</span>
<span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/influxdb-measurement</span><span class="p p-Indicator">:</span> <span class="s">&quot;nginx-reqs&quot;</span>
<span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/influxdb-port</span><span class="p p-Indicator">:</span> <span class="s">&quot;8089&quot;</span>
<span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/influxdb-host</span><span class="p p-Indicator">:</span> <span class="s">&quot;127.0.0.1&quot;</span>
<span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/influxdb-server-name</span><span class="p p-Indicator">:</span> <span class="s">&quot;nginx-ingress&quot;</span>
</pre></div>
</td></tr></table>
<p>For the <code class="codehilite">influxdb-host</code> parameter you have two options:</p>
<ul>
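Review bot: the ssl-ciphers example regenerated in the SSL ciphers block, "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", starts from ALL and names the RC4, LOW, SSLv2 and EXP keywords, so it permits weak suites wherever the linked TLS library still ships them, and documentation examples get copied into real annotations. Since the block is being touched anyway, suggest changing the source example to a string restricted to current AEAD suites, or dropping the literal value and relying on the ssl_ciphers link already given above it.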
@ -2509,20 +2365,17 @@ an ip address to <code class="codehilite">nginx.ingress.kubernetes.io/influxdb-h
Valid Values: HTTP, HTTPS, GRPC, GRPCS and AJP</p>
<p>By default NGINX uses <code class="codehilite">HTTP</code>.</p>
<p>Example:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/backend-protocol</span><span class="p p-Indicator">:</span> <span class="s">&quot;HTTPS&quot;</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/backend-protocol</span><span class="p p-Indicator">:</span> <span class="s">&quot;HTTPS&quot;</span>
</pre></div>
</td></tr></table>
<h3 id="use-regex">Use Regex<a class="headerlink" href="#use-regex" title="Permanent link">&para;</a></h3>
<p>Using the <code class="codehilite">nginx.ingress.kubernetes.io/use-regex</code> annotation will indicate whether or not the paths defined on an Ingress use regular expressions. The default value is <code class="codehilite">false</code>.</p>
<p>The following will indicate that regular expression paths are being used:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/use-regex</span><span class="p p-Indicator">:</span> <span class="s">&quot;true&quot;</span>
</pre></div>
</td></tr></table></p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/use-regex</span><span class="p p-Indicator">:</span> <span class="s">&quot;true&quot;</span>
</pre></div></p>
<p>The following will indicate that regular expression paths are <strong>not</strong> being used:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/use-regex</span><span class="p p-Indicator">:</span> <span class="s">&quot;false&quot;</span>
</pre></div>
</td></tr></table></p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/use-regex</span><span class="p p-Indicator">:</span> <span class="s">&quot;false&quot;</span>
</pre></div></p>
<p>When this annotation is set to <code class="codehilite">true</code>, the case insensitive regular expression <a href="https://nginx.org/en/docs/http/ngx_http_core_module.html#location">location modifier</a> will be enforced on ALL paths for a given host regardless of what Ingress they are defined on.</p>
<p>Additionally, if the <a href="#rewrite"><code class="codehilite">rewrite-target</code> annotation</a> is used on any Ingress for a given host, then the case insensitive regular expression <a href="https://nginx.org/en/docs/http/ngx_http_core_module.html#location">location modifier</a> will be enforced on ALL paths for a given host regardless of what Ingress they are defined on. </p>
<p>Please read about <a href="../../ingress-path-matching/">ingress path matching</a> before using this modifier. </p>
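Review bot: in both use-regex examples the new div class="codehilite" block still sits inside the paragraph that opens at "The following will indicate ..." and closes after the /pre and /div tags, which is invalid nesting; a browser ends the paragraph at the div and is left with a stray closing p tag. The Proxy buffer size block in the previous hunk has the same shape. This is generated output, so the fix belongs in the source document: separate the sentence from the code block so the block is emitted outside the paragraph.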

View file

@ -1464,8 +1464,8 @@
<li class="md-nav__item">
<a href="../../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -1782,18 +1782,6 @@
<li class="md-nav__item">
<a href="../../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -2785,13 +2773,10 @@
components for the nginx-controller.</p>
<p>In order to overwrite nginx-controller configuration values as seen in <a href="https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/config/config.go">config.go</a>,
you can add key-value pairs to the data section of the config-map. For Example:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">data</span><span class="p p-Indicator">:</span>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">data</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">map-hash-bucket-size</span><span class="p p-Indicator">:</span> <span class="s">&quot;128&quot;</span>
<span class="l l-Scalar l-Scalar-Plain">ssl-protocols</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">SSLv2</span>
</pre></div>
</td></tr></table>
<div class="admonition important">
<p class="admonition-title">Important</p>
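Review bot: the ConfigMap example kept in this hunk sets ssl-protocols: SSLv2, so the page's sample for overriding controller settings models enabling an obsolete, insecure protocol. Suggest changing the example value in the source to TLSv1.2, or using a non-TLS key for the second entry, so a copied sample does not weaken the listener.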

View file

@ -609,8 +609,8 @@
<li class="md-nav__item">
<a href="../../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -927,18 +927,6 @@
<li class="md-nav__item">
<a href="../../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1086,17 +1074,7 @@
<p>The NGINX template is located in the file <code class="codehilite">/etc/nginx/template/nginx.tmpl</code>.</p>
<p>Using a <a href="https://kubernetes.io/docs/concepts/storage/volumes/">Volume</a> it is possible to use a custom template.
This includes using a <a href="https://kubernetes.io/docs/concepts/storage/volumes/#example-pod-with-a-secret-a-downward-api-and-a-configmap">Configmap</a> as source of the template</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11</pre></div></td><td class="code"><div class="codehilite"><pre><span></span> <span class="l l-Scalar l-Scalar-Plain">volumeMounts</span><span class="p p-Indicator">:</span>
<div class="codehilite"><pre><span></span> <span class="l l-Scalar l-Scalar-Plain">volumeMounts</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">mountPath</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">/etc/nginx/template</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">nginx-template-volume</span>
<span class="l l-Scalar l-Scalar-Plain">readOnly</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">true</span>
@ -1108,7 +1086,6 @@ This includes using a <a href="https://kubernetes.io/docs/concepts/storage/volum
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">key</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">nginx.tmpl</span>
<span class="l l-Scalar l-Scalar-Plain">path</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">nginx.tmpl</span>
</pre></div>
</td></tr></table>
<p><strong>Please note the template is tied to the Go code. Do not change names in the variable <code class="codehilite">$cfg</code>.</strong></p>
<p>For more information about the template syntax please check the <a href="https://golang.org/pkg/text/template/">Go template package</a>.

View file

@ -609,8 +609,8 @@
<li class="md-nav__item">
<a href="../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -927,18 +927,6 @@
<li class="md-nav__item">
<a href="../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication

View file

@ -609,8 +609,8 @@
<li class="md-nav__item">
<a href="../../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -927,18 +927,6 @@
<li class="md-nav__item">
<a href="../../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1084,19 +1072,13 @@
<h1 id="log-format">Log format<a class="headerlink" href="#log-format" title="Permanent link">&para;</a></h1>
<p>The default configuration uses a custom logging format to add additional information about upstreams, response time and status.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="x">log_format upstreaminfo</span>
<div class="codehilite"><pre><span></span><span class="x">log_format upstreaminfo</span>
<span class="x"> &#39;</span><span class="cp">{{</span> <span class="k">if</span> <span class="err">$</span><span class="nv">cfg.useProxyProtocol</span> <span class="cp">}}</span><span class="x">$proxy_protocol_addr</span><span class="cp">{{</span> <span class="k">else</span> <span class="cp">}}</span><span class="x">$remote_addr</span><span class="cp">{{</span> <span class="nv">end</span> <span class="cp">}}</span><span class="x"> - &#39;</span>
<span class="x"> &#39;[$the_real_ip] - $remote_user [$time_local] &quot;$request&quot; &#39;</span>
<span class="x"> &#39;$status $body_bytes_sent &quot;$http_referer&quot; &quot;$http_user_agent&quot; &#39;</span>
<span class="x"> &#39;$request_length $request_time [$proxy_upstream_name] $upstream_addr &#39;</span>
<span class="x"> &#39;$upstream_response_length $upstream_response_time $upstream_status&#39;;</span>
</pre></div>
</td></tr></table>
<table>
<thead>

View file

@ -598,8 +598,8 @@
<li class="md-nav__item">
<a href="../../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -927,18 +927,6 @@
<li class="md-nav__item">
<a href="../../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication

View file

@ -598,8 +598,8 @@
<li class="md-nav__item">
<a href="../../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -983,18 +983,6 @@
<li class="md-nav__item">
<a href="../../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1187,51 +1175,27 @@
By default this feature is disabled.</p>
<h2 id="usage">Usage<a class="headerlink" href="#usage" title="Permanent link">&para;</a></h2>
<p>To enable the instrumentation we must enable opentracing in the configuration configmap:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="n">data</span><span class="o">:</span>
<div class="codehilite"><pre><span></span><span class="n">data</span><span class="o">:</span>
<span class="n">enable</span><span class="o">-</span><span class="n">opentracing</span><span class="o">:</span> <span class="s2">&quot;true&quot;</span>
</pre></div>
</td></tr></table></p>
</pre></div></p>
<p>We must also set the host to use when uploading traces:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>zipkin-collector-host: zipkin.default.svc.cluster.local
<div class="codehilite"><pre><span></span>zipkin-collector-host: zipkin.default.svc.cluster.local
jaeger-collector-host: jaeger-collector.default.svc.cluster.local
</pre></div>
</td></tr></table>
<p>Next you will need to deploy a distributed tracing system which uses OpenTracing. Both <a href="https://github.com/openzipkin/zipkin">Zipkin</a> and
<a href="https://github.com/jaegertracing/jaeger">Jaeger</a> have been tested.</p>
<p>Other optional configuration options:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21</pre></div></td><td class="code"><div class="codehilite"><pre><span></span># specifies the port to use when uploading traces
<div class="codehilite"><pre><span></span># specifies the port to use when uploading traces, Default: 9411
zipkin-collector-port
# specifies the service name to use for any traces created, Default: nginx
zipkin-service-name
# specifies sample rate for any traces created. Default: 1.0
# specifies sample rate for any traces created, Default: 1.0
zipkin-sample-rate
# specifies the port to use when uploading traces
# specifies the port to use when uploading traces, Default: 6831
jaeger-collector-port
# specifies the service name to use for any traces created, Default: nginx
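Review bot: the host block in this hunk lists `zipkin-collector-host` and `jaeger-collector-host` one under the other, introduced by "We must also set the host to use when uploading traces", which reads as if both keys are required. The Zipkin and Jaeger walkthroughs further down the page each set only one of them. Suggest stating in the markdown source that the two keys are alternatives, one per tracing backend, and showing them as two separate snippets.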
@ -1243,42 +1207,29 @@ jaeger-sampler-type
# specifies the argument to be passed to the sampler constructor, Default: 1
jaeger-sampler-param
</pre></div>
</td></tr></table></p>
</pre></div></p>
<h2 id="examples">Examples<a class="headerlink" href="#examples" title="Permanent link">&para;</a></h2>
<p>The following examples show how to deploy and test different distributed tracing systems. These example can be performed
using Minikube.</p>
<h3 id="zipkin">Zipkin<a class="headerlink" href="#zipkin" title="Permanent link">&para;</a></h3>
<p>In the <a href="https://github.com/rnburn/zipkin-date-server">rnburn/zipkin-date-server</a>
github repository is an example of a dockerized date service. To install the example and zipkin collector run:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>kubectl create -f https://raw.githubusercontent.com/rnburn/zipkin-date-server/master/kubernetes/zipkin.yaml
<div class="codehilite"><pre><span></span>kubectl create -f https://raw.githubusercontent.com/rnburn/zipkin-date-server/master/kubernetes/zipkin.yaml
kubectl create -f https://raw.githubusercontent.com/rnburn/zipkin-date-server/master/kubernetes/deployment.yaml
</pre></div>
</td></tr></table>
<p>Also we need to configure the NGINX controller configmap with the required values:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s1">&#39;</span>
<div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s1">&#39;</span>
<span class="s1">apiVersion: v1</span>
<span class="s1">kind: ConfigMap</span>
<span class="s1">data:</span>
<span class="s1"> enable-opentracing: &quot;true&quot;</span>
<span class="s1"> zipkin-collector-host: zipkin.default.svc.cluster.local</span>
<span class="s1">metadata:</span>
<span class="s1"> name: nginx-load-balancer-conf</span>
<span class="s1"> name: nginx-configuration</span>
<span class="s1"> namespace: kube-system</span>
<span class="s1">&#39;</span> <span class="p">|</span> kubectl replace -f -
</pre></div>
</td></tr></table>
<p>In the zipkin interface we can see the details:
<img alt="zipkin screenshot" src="../../../images/zipkin-demo.png" title="zipkin collector screenshot" /></p>
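Review bot: renaming the ConfigMap in the `kubectl replace -f -` example from `nginx-load-balancer-conf` to `nginx-configuration` while keeping `namespace: kube-system` leaves the command fragile in two ways. `kubectl replace` fails when no ConfigMap with that name exists in that namespace, and when one does exist the two `data` keys shown here replace its entire contents, so any other controller settings stored in it are dropped. Suggest naming the ConfigMap the reader's controller actually reads, and documenting a merge instead (for example `kubectl patch configmap nginx-configuration -n kube-system --type merge -p ...`) so that only `enable-opentracing` and `zipkin-collector-host` change.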
@ -1286,40 +1237,17 @@ kubectl create -f https://raw.githubusercontent.com/rnburn/zipkin-date-server/ma
<ol>
<li>
<p>Enable Ingress addon in minikube:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ minikube addons <span class="nb">enable</span> ingress
</pre></div>
</td></tr></table></p>
<div class="codehilite"><pre><span></span>$ minikube addons <span class="nb">enable</span> ingress
</pre></div></p>
</li>
<li>
<p>Add minikube IP to /etc/hosts:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s2">&quot;</span><span class="k">$(</span>minikube ip<span class="k">)</span><span class="s2"> example.com&quot;</span> <span class="p">|</span> sudo tee -a /etc/hosts
</pre></div>
</td></tr></table></p>
<div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s2">&quot;</span><span class="k">$(</span>minikube ip<span class="k">)</span><span class="s2"> example.com&quot;</span> <span class="p">|</span> sudo tee -a /etc/hosts
</pre></div></p>
</li>
<li>
<p>Apply a Basic Service and Ingress Resource:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22</pre></div></td><td class="code"><div class="codehilite"><pre><span></span># Create Echoheaders Deployment
<div class="codehilite"><pre><span></span># Create Echoheaders Deployment
$ kubectl run echoheaders --image=k8s.gcr.io/echoserver:1.4 --replicas=1 --port=8080
# Expose as a Cluster-IP
@ -1341,72 +1269,30 @@ $ echo &#39;
servicePort: 80
path: /echo
&#39; | kubectl apply -f -
</pre></div>
</td></tr></table></p>
</pre></div></p>
</li>
<li>
<p>Enable OpenTracing and set the zipkin-collector-host:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s1">&#39;</span>
<p>Enable OpenTracing and set the jaeger-collector-host:
<div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s1">&#39;</span>
<span class="s1"> apiVersion: v1</span>
<span class="s1"> kind: ConfigMap</span>
<span class="s1"> data:</span>
<span class="s1"> enable-opentracing: &quot;true&quot;</span>
<span class="s1"> zipkin-collector-host: zipkin.default.svc.cluster.local</span>
<span class="s1"> jaeger-collector-host: jaeger-collector.default.svc.cluster.local</span>
<span class="s1"> metadata:</span>
<span class="s1"> name: nginx-load-balancer-conf</span>
<span class="s1"> name: nginx-configuration</span>
<span class="s1"> namespace: kube-system</span>
<span class="s1"> &#39;</span> <span class="p">|</span> kubectl replace -f -
</pre></div>
</td></tr></table></p>
</pre></div></p>
</li>
<li>
<p>Apply the Jaeger All-In-One Template:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-kubernetes/master/all-in-one/jaeger-all-in-one-template.yml
</pre></div>
</td></tr></table></p>
<div class="codehilite"><pre><span></span>$ kubectl apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-kubernetes/master/all-in-one/jaeger-all-in-one-template.yml
</pre></div></p>
</li>
<li>
<p>Make a few requests to the Service:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl example.com/echo -d <span class="s2">&quot;meow&quot;</span>
<div class="codehilite"><pre><span></span>$ curl example.com/echo -d <span class="s2">&quot;meow&quot;</span>
CLIENT VALUES:
<span class="nv">client_address</span><span class="o">=</span><span class="m">172</span>.17.0.5
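Review bot: the "Apply the Jaeger All-In-One Template" step runs `kubectl apply -f` against a raw.githubusercontent.com URL on the `master` branch, so the reader applies whatever that branch contains on the day they follow the guide, and nobody reviewing these docs can know what that is. Suggest pinning the URL to a tag or commit SHA and telling the reader to download and read the manifest before applying it; the same applies to the two `zipkin-date-server` URLs earlier on the page. Also worth checking the step order: the ConfigMap pointing at `jaeger-collector.default.svc.cluster.local` is applied one step before the template that creates Jaeger.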
@ -1435,18 +1321,14 @@ x-real-ip<span class="o">=</span><span class="m">192</span>.168.99.1
x-scheme<span class="o">=</span>http
BODY:
meow
</pre></div>
</td></tr></table></p>
</pre></div></p>
</li>
<li>
<p>View the Jaeger UI:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ minikube service jaeger-query --url
<div class="codehilite"><pre><span></span>$ minikube service jaeger-query --url
http://192.168.99.100:30183
</pre></div>
</td></tr></table></p>
</pre></div></p>
<p>In the jaeger interface we can see the details:
<img alt="jaeger screenshot" src="../../../images/jaeger-demo.png" title="jaeger collector screenshot" /></p>
</li>

View file

@ -598,8 +598,8 @@
<li class="md-nav__item">
<a href="../exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -1009,18 +1009,6 @@
<li class="md-nav__item">
<a href="../../examples/customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../examples/customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1239,14 +1227,12 @@
<h2 id="tls-secrets">TLS Secrets<a class="headerlink" href="#tls-secrets" title="Permanent link">&para;</a></h2>
<p>Anytime we reference a TLS secret, we mean a PEM-encoded X.509, RSA (2048) secret.</p>
<p>You can generate a self-signed certificate and private key with with:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ openssl req -x509 -nodes -days <span class="m">365</span> -newkey rsa:2048 -keyout <span class="si">${</span><span class="nv">KEY_FILE</span><span class="si">}</span> -out <span class="si">${</span><span class="nv">CERT_FILE</span><span class="si">}</span> -subj <span class="s2">&quot;/CN=</span><span class="si">${</span><span class="nv">HOST</span><span class="si">}</span><span class="s2">/O=</span><span class="si">${</span><span class="nv">HOST</span><span class="si">}</span><span class="s2">&quot;</span><span class="sb">`</span>
<div class="codehilite"><pre><span></span>$ openssl req -x509 -nodes -days <span class="m">365</span> -newkey rsa:2048 -keyout <span class="si">${</span><span class="nv">KEY_FILE</span><span class="si">}</span> -out <span class="si">${</span><span class="nv">CERT_FILE</span><span class="si">}</span> -subj <span class="s2">&quot;/CN=</span><span class="si">${</span><span class="nv">HOST</span><span class="si">}</span><span class="s2">/O=</span><span class="si">${</span><span class="nv">HOST</span><span class="si">}</span><span class="s2">&quot;</span><span class="sb">`</span>
</pre></div>
</td></tr></table>
<p>Then create the secret in the cluster via:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>kubectl create secret tls <span class="si">${</span><span class="nv">CERT_NAME</span><span class="si">}</span> --key <span class="si">${</span><span class="nv">KEY_FILE</span><span class="si">}</span> --cert <span class="si">${</span><span class="nv">CERT_FILE</span><span class="si">}</span>
<div class="codehilite"><pre><span></span>kubectl create secret tls <span class="si">${</span><span class="nv">CERT_NAME</span><span class="si">}</span> --key <span class="si">${</span><span class="nv">KEY_FILE</span><span class="si">}</span> --cert <span class="si">${</span><span class="nv">CERT_FILE</span><span class="si">}</span>
</pre></div>
</td></tr></table>
<p>The resulting secret will be of type <code class="codehilite">kubernetes.io/tls</code>.</p>
<h2 id="default-ssl-certificate">Default SSL Certificate<a class="headerlink" href="#default-ssl-certificate" title="Permanent link">&para;</a></h2>
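Review bot: the `openssl req` line still ends with a stray backtick after the closing quote of `-subj` (rendered as `<span class="sb">` followed by a backtick), and it is carried over unchanged into the new markup. Pasted into a shell, it opens a command substitution and the shell waits for a closing backtick instead of running the command. Remove it in the markdown source, and fix "with with" in the sentence above while there. Since `-nodes` writes the private key unencrypted to `${KEY_FILE}`, a sentence on restricting that file's permissions and deleting it once the secret is created would also help.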
@ -1308,9 +1294,8 @@ replaced by <a href="https://github.com/jetstack/cert-manager/">cert-manager</a>
<p><a href="https://github.com/jetstack/kube-lego">Kube-Lego</a> automatically requests missing or expired certificates from <a href="https://letsencrypt.org">Let's Encrypt</a>
by monitoring ingress resources and their referenced secrets.</p>
<p>To enable this for an ingress resource you have to add an annotation:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl annotate ing ingress-demo kubernetes.io/tls-acme=&quot;true&quot;</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl annotate ing ingress-demo kubernetes.io/tls-acme=&quot;true&quot;</span>
</pre></div>
</td></tr></table>
<p>To setup Kube-Lego you can take a look at this <a href="https://github.com/jetstack/kube-lego/tree/master/examples">full example</a>.
The first version to fully support Kube-Lego is Nginx Ingress controller 0.8.</p>
@ -1324,13 +1309,7 @@ May 2018, <a href="https://developer.android.com/about/dashboards/#Platform">app
are not compatible with nginx-ingress's default configuration.</p>
<p>To change this default behavior, use a <a href="../nginx-configuration/configmap/">ConfigMap</a>.</p>
<p>A sample ConfigMap fragment to allow these older clients to connect could look something like the following:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="n">kind</span><span class="o">:</span> <span class="n">ConfigMap</span>
<div class="codehilite"><pre><span></span><span class="n">kind</span><span class="o">:</span> <span class="n">ConfigMap</span>
<span class="n">apiVersion</span><span class="o">:</span> <span class="n">v1</span>
<span class="n">metadata</span><span class="o">:</span>
<span class="n">name</span><span class="o">:</span> <span class="n">nginx</span><span class="o">-</span><span class="n">config</span>
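Review bot: the sentence introducing this sample ("to allow these older clients to connect") needs a caveat about what the sample costs. The rest of the sample, in the next hunk, sets `ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"` and an `ssl-ciphers` list that includes `DES-CBC3-SHA` and non-forward-secret suites such as `AES128-SHA`, and because it lives in the controller ConfigMap it applies to everything the controller serves, not only the hosts that need legacy clients. Suggest saying so in the text, recommending that readers enable only the protocol versions and ciphers their oldest required client needs, and noting that the setting should be revisited once those clients are retired.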
@ -1338,7 +1317,6 @@ are not compatible with nginx-ingress's default configuration.</p>
<span class="n">ssl</span><span class="o">-</span><span class="n">ciphers</span><span class="o">:</span> <span class="s2">&quot;ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA&quot;</span>
<span class="n">ssl</span><span class="o">-</span><span class="n">protocols</span><span class="o">:</span> <span class="s2">&quot;TLSv1 TLSv1.1 TLSv1.2&quot;</span>
</pre></div>
</td></tr></table>