GarbageYard

nginx-ingress-controller

Oct 24th, 2017
  1. apiVersion: extensions/v1beta1
  2. kind: Deployment
  3. metadata:
  4.   name: nginx-ingress-controller
  5.   labels:
  6.     k8s-app: nginx-ingress-controller
  7.   namespace: kube-system
  8. spec:
  9.   replicas: 3
  10.   template:
  11.     metadata:
  12.       labels:
  13.         k8s-app: nginx-ingress-controller
  14.       annotations:
  15.         prometheus.io/port: '10254'
  16.         prometheus.io/scrape: 'true'
  17.     spec:
  18.      # hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration
  19.       # however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host
  20.       # that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used
  21.       # like with kubeadm
  22.       # hostNetwork: true
  23.       terminationGracePeriodSeconds: 60
  24.       containers:
  25.       - image: quay.io/aledbf/nginx-ingress-controller:0.217
  26.       #- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.15
  27.         name: nginx-ingress-controller
  28.         readinessProbe:
  29.           httpGet:
  30.             path: /healthz
  31.             port: 10254
  32.             scheme: HTTP
  33.         livenessProbe:
  34.           httpGet:
  35.             path: /healthz
  36.             port: 10254
  37.             scheme: HTTP
  38.           initialDelaySeconds: 10
  39.           timeoutSeconds: 1
  40.         ports:
  41.         - containerPort: 80
  42.           hostPort: 80
  43.         - containerPort: 443
  44.           hostPort: 443
  45.         env:
  46.           - name: POD_NAME
  47.             valueFrom:
  48.               fieldRef:
  49.                 fieldPath: metadata.name
  50.           - name: POD_NAMESPACE
  51.             valueFrom:
  52.               fieldRef:
  53.                 fieldPath: metadata.namespace
  54.         args:
  55.        - /nginx-ingress-controller
  56.         - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
  57.  
  58. =============================================================================================
  59.  
  60. $ kubectl -n kube-system get pods
  61. NAME                                        READY     STATUS    RESTARTS   AGE
  62. default-http-backend-726995137-wjc3s        1/1       Running   0          1h
  63. heapster-4285517626-nwl7m                   1/1       Running   0          71d
  64. kube-dns-646531078-th5m8                    3/3       Running   0          71d
  65. kubernetes-dashboard-716739405-2mmdh        1/1       Running   0          71d
  66. monitoring-grafana-3552275057-l4hvn         1/1       Running   0          71d
  67. monitoring-influxdb-4110454889-j9d96        1/1       Running   0          71d
  68. nginx-ingress-controller-2476946843-jkl20   1/1       Running   0          52m
  69. nginx-ingress-controller-2476946843-tmxbz   1/1       Running   0          52m
  70. nginx-ingress-controller-2476946843-zm91q   1/1       Running   0          52m
  71. tiller-deploy-737598192-ntc5j               1/1       Running   0          71d
  72.  
  73. =============================================================================================
  74.  
  75. $ cat nginx-ingress.yaml
  76. apiVersion: extensions/v1beta1
  77. kind: Ingress
  78. metadata:
  79.   name: gitlab-ingress
  80. spec:
  81.   tls:
  82.   - secretName: gitlab-key
  83.   rules:
  84.   - host: testgitlab.anyaccess.net
  85.     http:
  86.       paths:
  87.       - path: /
  88.         backend:
  89.           serviceName: gitlab
  90.           servicePort: 80
  91.  
  92. =============================================================================================
  93.  
  94. $ kubectl create secret tls gitlab-key --namespace default --cert /config/ingress/testgitlab.anyaccess.net.crt --key /config/ingress/testgitlab.anyaccess.net.key
  95.  
  96. =============================================================================================
  97.  
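# Create a self-signed certificate and a 2048-bit RSA key for
# testgitlab.anyaccess.net, feeding the request config through bash process
# substitution (so this needs bash, not plain sh).
#
# -nodes writes the private key without a passphrase. A Kubernetes TLS secret needs
#   it that way, but the .key file should then be readable by its owner only
#   (chmod 600).
# No -days is given, so openssl's default validity applies; the certificate in the
#   curl trace on this page runs for 30 days.
#
# Two fixes compared with the pasted config:
#   * with -x509 the extensions are taken from x509_extensions, not req_extensions,
#     so the subjectAltName section was never copied into the certificate;
#   * the only SAN was the wildcard *.testgitlab.anyaccess.net, which does not match
#     the host itself, so the bare name is now listed first. Clients that check SANs
#     ignore the CN.
openssl req -new -x509 -sha256 -nodes -out testgitlab.anyaccess.net.crt -newkey rsa:2048 -keyout testgitlab.anyaccess.net.key -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = dn

[ dn ]
C=GD
ST=Zug
L=IN
O=Docker International
OU=IT
emailAddress=tom@abc.com
CN = testgitlab.anyaccess.net

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = testgitlab.anyaccess.net
DNS.2 = *.testgitlab.anyaccess.net
EOF
)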
  123.  
  124. =============================================================================================
  125.  
  126. λ curl -v --resolve testgitlab.anyaccess.net:443:10.224.60.12 https://testgitlab.anyaccess.net -k
  127. * Added testgitlab.anyaccess.net:443:10.224.60.12 to DNS cache
  128. * STATE: INIT => CONNECT handle 0x20081fd0; line 1407 (connection #-5000)
  129. * Rebuilt URL to: https://testgitlab.anyaccess.net/
  130. * Added connection 0. The cache now contains 1 members
  131. * Hostname testgitlab.anyaccess.net was found in DNS cache
  132. *   Trying 10.224.60.12...
  133. * TCP_NODELAY set
  134. * STATE: CONNECT => WAITCONNECT handle 0x20081fd0; line 1460 (connection #0)
  135. * Connected to testgitlab.anyaccess.net (10.224.60.12) port 443 (#0)
  136. * STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x20081fd0; line 1567 (connection #0)
  137. * Marked for [keep alive]: HTTP default
  138. * ALPN, offering http/1.1
  139. * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
  140. * successfully set certificate verify locations:
  141. *   CAfile: /usr/ssl/certs/ca-bundle.crt
  142.   CApath: none
  143. * TLSv1.2 (OUT), TLS header, Certificate Status (22):
  144. * TLSv1.2 (OUT), TLS handshake, Client hello (1):
  145. * STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x20081fd0; line 1581 (connection #0)
  146. * TLSv1.2 (IN), TLS handshake, Server hello (2):
  147. * TLSv1.2 (IN), TLS handshake, Certificate (11):
  148. * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  149. * TLSv1.2 (IN), TLS handshake, Server finished (14):
  150. * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  151. * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
  152. * TLSv1.2 (OUT), TLS handshake, Finished (20):
  153. * TLSv1.2 (IN), TLS change cipher, Client hello (1):
  154. * TLSv1.2 (IN), TLS handshake, Finished (20):
  155. * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
  156. * ALPN, server accepted to use http/1.1
  157. * Server certificate:
  158. *  subject: C=GD; ST=Zug; L=IN; O=Docker International; OU=IT; emailAddress=tom@abc.com; CN=testgitlab.anyaccess.net
  159. *  start date: Oct 27 07:12:54 2017 GMT
  160. *  expire date: Nov 26 07:12:54 2017 GMT
  161. *  issuer: C=GD; ST=Zug; L=IN; O=Docker International; OU=IT; emailAddress=tom@abc.com; CN=testgitlab.anyaccess.net
  162. *  SSL certificate verify result: self signed certificate (18), continuing anyway.
  163. * STATE: PROTOCONNECT => DO handle 0x20081fd0; line 1602 (connection #0)
  164. > GET / HTTP/1.1
  165. > Host: testgitlab.anyaccess.net
  166. > User-Agent: curl/7.51.0
  167. > Accept: */*
  168. >
  169. * STATE: DO => DO_DONE handle 0x20081fd0; line 1664 (connection #0)
  170. * STATE: DO_DONE => WAITPERFORM handle 0x20081fd0; line 1791 (connection #0)
  171. * STATE: WAITPERFORM => PERFORM handle 0x20081fd0; line 1801 (connection #0)
  172. * HTTP 1.1 or later with persistent connection, pipelining supported
  173. < HTTP/1.1 302 Found
  174. * Server nginx/1.13.5 is not blacklisted
  175. < Server: nginx/1.13.5
  176. < Date: Fri, 27 Oct 2017 18:37:07 GMT
  177. < Content-Type: text/html; charset=utf-8
  178. < Content-Length: 111
  179. < Connection: keep-alive
  180. < Cache-Control: no-cache
  181. < Location: http://testgitlab.anyaccess.net/users/sign_in
  182. < X-Content-Type-Options: nosniff
  183. < X-Frame-Options: DENY
  184. < X-Request-Id: 659419f2-68a8-486c-bf61-2df11c325f4e
  185. < X-Runtime: 0.469020
  186. < X-Ua-Compatible: IE=edge
  187. < X-Xss-Protection: 1; mode=block
  188. < Strict-Transport-Security: max-age=15724800; includeSubDomains;
  189. <
  190. * STATE: PERFORM => DONE handle 0x20081fd0; line 1965 (connection #0)
  191. * multi_done
  192. * Curl_http_done: called premature == 0
  193. * Connection #0 to host testgitlab.anyaccess.net left intact
  194. <html><body>You are being <a href="http://testgitlab.anyaccess.net/users/sign_in">redirected</a>.</body></html>