apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  labels:
    k8s-app: nginx-ingress-controller
  namespace: kube-system
spec:
  replicas: 3
  template:
    metadata:
      labels:
        k8s-app: nginx-ingress-controller
      annotations:
        prometheus.io/port: '10254'
        prometheus.io/scrape: 'true'
    spec:
      # hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration
      # however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host
      # that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used
      # like with kubeadm
      # hostNetwork: true
      terminationGracePeriodSeconds: 60
      containers:
      - image: quay.io/aledbf/nginx-ingress-controller:0.217
        #- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.15
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          timeoutSeconds: 1
        ports:
        - containerPort: 80
          hostPort: 80
        - containerPort: 443
          hostPort: 443
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
        args:
        - /nginx-ingress-controller
        - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
=============================================================================================
$ kubectl -n kube-system get pods
NAME                                        READY     STATUS    RESTARTS   AGE
default-http-backend-726995137-wjc3s        1/1       Running   0          1h
heapster-4285517626-nwl7m                   1/1       Running   0          71d
kube-dns-646531078-th5m8                    3/3       Running   0          71d
kubernetes-dashboard-716739405-2mmdh        1/1       Running   0          71d
monitoring-grafana-3552275057-l4hvn         1/1       Running   0          71d
monitoring-influxdb-4110454889-j9d96        1/1       Running   0          71d
nginx-ingress-controller-2476946843-jkl20   1/1       Running   0          52m
nginx-ingress-controller-2476946843-tmxbz   1/1       Running   0          52m
nginx-ingress-controller-2476946843-zm91q   1/1       Running   0          52m
tiller-deploy-737598192-ntc5j               1/1       Running   0          71d
=============================================================================================
$ cat nginx-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: gitlab-ingress
spec:
  tls:
  - secretName: gitlab-key
  rules:
  - host: testgitlab.anyaccess.net
    http:
      paths:
      - path: /
        backend:
          serviceName: gitlab
          servicePort: 80
=============================================================================================
$ kubectl create secret tls gitlab-key --namespace default --cert /config/ingress/testgitlab.anyaccess.net.crt --key /config/ingress/testgitlab.anyaccess.net.key
=============================================================================================
openssl req -new -x509 -sha256 -nodes -out testgitlab.anyaccess.net.crt -newkey rsa:2048 -keyout testgitlab.anyaccess.net.key -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
# with -x509, openssl req reads x509_extensions, not req_extensions, so without
# this line the self-signed certificate is written with no subjectAltName at all
x509_extensions = req_ext
distinguished_name = dn
[ dn ]
C=GD
ST=Zug
L=IN
O=Docker International
OU=IT
emailAddress=tom@abc.com
CN = testgitlab.anyaccess.net
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.testgitlab.anyaccess.net
EOF
)
=============================================================================================
λ curl -v --resolve testgitlab.anyaccess.net:443:10.224.60.12 https://testgitlab.anyaccess.net -k
* Added testgitlab.anyaccess.net:443:10.224.60.12 to DNS cache
* STATE: INIT => CONNECT handle 0x20081fd0; line 1407 (connection #-5000)
* Rebuilt URL to: https://testgitlab.anyaccess.net/
* Added connection 0. The cache now contains 1 members
* Hostname testgitlab.anyaccess.net was found in DNS cache
*   Trying 10.224.60.12...
* TCP_NODELAY set
* STATE: CONNECT => WAITCONNECT handle 0x20081fd0; line 1460 (connection #0)
* Connected to testgitlab.anyaccess.net (10.224.60.12) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x20081fd0; line 1567 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/ssl/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x20081fd0; line 1581 (connection #0)
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=GD; ST=Zug; L=IN; O=Docker International; OU=IT; emailAddress=tom@abc.com; CN=testgitlab.anyaccess.net
*  start date: Oct 27 07:12:54 2017 GMT
*  expire date: Nov 26 07:12:54 2017 GMT
*  issuer: C=GD; ST=Zug; L=IN; O=Docker International; OU=IT; emailAddress=tom@abc.com; CN=testgitlab.anyaccess.net
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* STATE: PROTOCONNECT => DO handle 0x20081fd0; line 1602 (connection #0)
> GET / HTTP/1.1
> Host: testgitlab.anyaccess.net
> User-Agent: curl/7.51.0
> Accept: */*
>
* STATE: DO => DO_DONE handle 0x20081fd0; line 1664 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x20081fd0; line 1791 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x20081fd0; line 1801 (connection #0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 302 Found
* Server nginx/1.13.5 is not blacklisted
< Server: nginx/1.13.5
< Date: Fri, 27 Oct 2017 18:37:07 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 111
< Connection: keep-alive
< Cache-Control: no-cache
< Location: http://testgitlab.anyaccess.net/users/sign_in
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-Request-Id: 659419f2-68a8-486c-bf61-2df11c325f4e
< X-Runtime: 0.469020
< X-Ua-Compatible: IE=edge
< X-Xss-Protection: 1; mode=block
< Strict-Transport-Security: max-age=15724800; includeSubDomains;
<
* STATE: PERFORM => DONE handle 0x20081fd0; line 1965 (connection #0)
* multi_done
* Curl_http_done: called premature == 0
* Connection #0 to host testgitlab.anyaccess.net left intact
<html><body>You are being <a href="http://testgitlab.anyaccess.net/users/sign_in">redirected</a>.</body></html>
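As an added check that is not part of the paste above: a Python script that reads an excerpt of the curl -v trace and flags the two things worth noticing in it, the self-signed certificate and the redirect from an https:// request to an http:// Location on the same host (the backend answering as if TLS had not been terminated at the ingress); the san_matches helper also shows why the wildcard SAN in the openssl config (*.testgitlab.anyaccess.net) does not cover testgitlab.anyaccess.net itself under the usual one-label wildcard rule. The trace excerpt is constructed from the lines shown on this page.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt of the curl -v trace shown on this page.
CURL_TRACE = """\
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: testgitlab.anyaccess.net
< HTTP/1.1 302 Found
< Location: http://testgitlab.anyaccess.net/users/sign_in
< Strict-Transport-Security: max-age=15724800; includeSubDomains;
"""


def san_matches(hostname: str, san: str) -> bool:
    """dNSName match as clients apply it: '*' stands for exactly one leftmost
    label, so '*.example.net' covers 'a.example.net' but not 'example.net'."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat) or not all(host):
        return False
    return all(p == "*" or p == h for p, h in zip(pat, host))


def audit_trace(trace: str) -> list:
    """Return the findings a defender should notice in a curl -v HTTPS trace."""
    findings = []
    m = re.search(r"^> Host: (\S+)", trace, re.M)
    host = m.group(1).lower() if m else None
    if "self signed certificate" in trace:
        findings.append("server certificate is self-signed and not trusted by the client")
    m = re.search(r"^< Location: (\S+)", trace, re.M)
    if m:
        url = urlsplit(m.group(1))
        # A Location back to plain http on the same host means the backend does
        # not see the request as TLS (no X-Forwarded-Proto handling on its side).
        if url.scheme == "http" and url.hostname == host:
            findings.append("HTTPS request redirected to http:// on the same host")
    return findings


if __name__ == "__main__":
    for finding in audit_trace(CURL_TRACE):
        print("-", finding)
    print(san_matches("testgitlab.anyaccess.net", "*.testgitlab.anyaccess.net"))
```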