Deploy GitHub Pages

This commit is contained in:
Travis Bot 2020-02-09 23:53:05 +00:00
parent ec2af1dbc3
commit 006cda8fee
62 changed files with 1885 additions and 1843 deletions


@ -34,7 +34,7 @@
<meta name="lang:search.tokenizer" content="[\s\-]+">
<link rel="shortcut icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.4.3">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.6.2">
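Review bot: The theme upgrade is not recorded in the commit message: the generator meta in this hunk goes from mkdocs-material-4.4.3 to mkdocs-material-4.6.2, while the message says only "Deploy GitHub Pages". Pin the theme version in the docs build and make the bump in its own change, so that the regenerated markup across the 62 changed files (new asset hashes, added aria-label and rel attributes, changed code markup) can be reviewed against a known cause.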
@ -42,7 +42,7 @@
<link rel="stylesheet" href="../../assets/stylesheets/application.30686662.css">
<link rel="stylesheet" href="../../assets/stylesheets/application.adb8469c.css">
<link rel="stylesheet" href="../../assets/stylesheets/application-palette.a8b3c06d.css">
@ -53,12 +53,12 @@
<script src="../../assets/javascripts/modernizr.74668098.js"></script>
<script src="../../assets/javascripts/modernizr.86422ebf.js"></script>
<link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700|Roboto+Mono&display=fallback">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>body,input{font-family:"Roboto","Helvetica Neue",Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono","Courier New",Courier,monospace}</style>
@ -114,7 +114,7 @@
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
<a href="#tlshttps" tabindex="1" class="md-skip">
<a href="#tlshttps" tabindex="0" class="md-skip">
Skip to content
</a>
@ -123,7 +123,7 @@
<nav class="md-header-nav md-grid">
<div class="md-flex">
<div class="md-flex__cell md-flex__cell--shrink">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" aria-label="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<i class="md-icon">public</i>
@ -154,7 +154,7 @@
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<input type="text" class="md-search__input" aria-label="search" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<label class="md-icon md-search__icon" for="__search"></label>
<button type="reset" class="md-icon md-search__icon" data-md-component="reset" tabindex="-1">
&#xE5CD;
@ -1307,30 +1307,30 @@
<h2 id="tls-secrets">TLS Secrets<a class="headerlink" href="#tls-secrets" title="Permanent link"></a></h2>
<p>Anytime we reference a TLS secret, we mean a PEM-encoded X.509, RSA (2048) secret.</p>
<p>You can generate a self-signed certificate and private key with:</p>
<div class="codehilite"><pre><span></span>$ openssl req -x509 -nodes -days <span class="m">365</span> -newkey rsa:2048 -keyout <span class="si">${</span><span class="nv">KEY_FILE</span><span class="si">}</span> -out <span class="si">${</span><span class="nv">CERT_FILE</span><span class="si">}</span> -subj <span class="s2">&quot;/CN=</span><span class="si">${</span><span class="nv">HOST</span><span class="si">}</span><span class="s2">/O=</span><span class="si">${</span><span class="nv">HOST</span><span class="si">}</span><span class="s2">&quot;</span>
</pre></div>
<div class="codehilite"><pre><span></span><code>$ openssl req -x509 -nodes -days <span class="m">365</span> -newkey rsa:2048 -keyout <span class="si">${</span><span class="nv">KEY_FILE</span><span class="si">}</span> -out <span class="si">${</span><span class="nv">CERT_FILE</span><span class="si">}</span> -subj <span class="s2">&quot;/CN=</span><span class="si">${</span><span class="nv">HOST</span><span class="si">}</span><span class="s2">/O=</span><span class="si">${</span><span class="nv">HOST</span><span class="si">}</span><span class="s2">&quot;</span>
</code></pre></div>
<p>Then create the secret in the cluster via:</p>
<div class="codehilite"><pre><span></span>kubectl create secret tls <span class="si">${</span><span class="nv">CERT_NAME</span><span class="si">}</span> --key <span class="si">${</span><span class="nv">KEY_FILE</span><span class="si">}</span> --cert <span class="si">${</span><span class="nv">CERT_FILE</span><span class="si">}</span>
</pre></div>
<div class="codehilite"><pre><span></span><code>kubectl create secret tls <span class="si">${</span><span class="nv">CERT_NAME</span><span class="si">}</span> --key <span class="si">${</span><span class="nv">KEY_FILE</span><span class="si">}</span> --cert <span class="si">${</span><span class="nv">CERT_FILE</span><span class="si">}</span>
</code></pre></div>
<p>The resulting secret will be of type <code class="codehilite">kubernetes.io/tls</code>.</p>
<p>The resulting secret will be of type <code class="codehilite"><span class="err">kubernetes.io/tls</span></code>.</p>
<h2 id="default-ssl-certificate">Default SSL Certificate<a class="headerlink" href="#default-ssl-certificate" title="Permanent link"></a></h2>
<p>NGINX provides the option to configure a server as a catch-all with
<a href="http://nginx.org/en/docs/http/server_names.html">server_name</a>
for requests that do not match any of the configured server names.
This configuration works without out-of-the-box for HTTP traffic.
For HTTPS, a certificate is naturally required.</p>
<p>For this reason the Ingress controller provides the flag <code class="codehilite">--default-ssl-certificate</code>.
<p>For this reason the Ingress controller provides the flag <code class="codehilite"><span class="err">--default-ssl-certificate</span></code>.
The secret referred to by this flag contains the default certificate to be used when
accessing the catch-all server.
If this flag is not provided NGINX will use a self-signed certificate.</p>
<p>For instance, if you have a TLS secret <code class="codehilite">foo-tls</code> in the <code class="codehilite">default</code> namespace,
add <code class="codehilite">--default-ssl-certificate=default/foo-tls</code> in the <code class="codehilite">nginx-controller</code> deployment.</p>
<p>The default certificate will also be used for ingress <code class="codehilite">tls:</code> sections that do not
have a <code class="codehilite">secretName</code> option.</p>
<p>For instance, if you have a TLS secret <code class="codehilite"><span class="err">foo-tls</span></code> in the <code class="codehilite"><span class="err">default</span></code> namespace,
add <code class="codehilite"><span class="err">--default-ssl-certificate=default/foo-tls</span></code> in the <code class="codehilite"><span class="err">nginx-controller</span></code> deployment.</p>
<p>The default certificate will also be used for ingress <code class="codehilite"><span class="c">tls:</span></code> sections that do not
have a <code class="codehilite"><span class="err">secretName</span></code> option.</p>
<h2 id="ssl-passthrough">SSL Passthrough<a class="headerlink" href="#ssl-passthrough" title="Permanent link"></a></h2>
<p>The <a href="../cli-arguments/"><code class="codehilite">--enable-ssl-passthrough</code></a> flag enables the SSL Passthrough feature, which is disabled by
<p>The <a href="../cli-arguments/"><code class="codehilite"><span class="err">--enable-ssl-passthrough</span></code></a> flag enables the SSL Passthrough feature, which is disabled by
default. This is required to enable passthrough backends in Ingress objects.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
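Review bot: Inline code in the regenerated TLS sections is now being run through the syntax highlighter and flagged: kubernetes.io/tls, --default-ssl-certificate, foo-tls, secretName and --enable-ssl-passthrough are each wrapped in a span with class="err", and tls: gets class="c" (comment). Flag names and secret names in security documentation should render as plain code, so turn off highlighting or language guessing for inline code spans in the MkDocs configuration and regenerate. Separately, the unchanged sentence "This configuration works without out-of-the-box for HTTP traffic." has a stray "without"; that needs fixing in the source Markdown rather than in this generated file.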
@ -1353,18 +1353,18 @@ through the use of a special response header. Once a supported browser receives
this header that browser will prevent any communications from being sent over
HTTP to the specified domain and will instead send all communications over HTTPS.</p>
<p>HSTS is enabled by default.</p>
<p>To disable this behavior use <code class="codehilite">hsts: &quot;false&quot;</code> in the configuration <a href="../nginx-configuration/configmap/">ConfigMap</a>.</p>
<p>To disable this behavior use <code class="codehilite"><span class="c">hsts: &quot;false&quot;</span></code> in the configuration <a href="../nginx-configuration/configmap/">ConfigMap</a>.</p>
<h2 id="server-side-https-enforcement-through-redirect">Server-side HTTPS enforcement through redirect<a class="headerlink" href="#server-side-https-enforcement-through-redirect" title="Permanent link"></a></h2>
<p>By default the controller redirects HTTP clients to the HTTPS port
443 using a 308 Permanent Redirect response if TLS is enabled for that Ingress.</p>
<p>This can be disabled globally using <code class="codehilite">ssl-redirect: &quot;false&quot;</code> in the NGINX <a href="../nginx-configuration/configmap/">config map</a>,
or per-Ingress with the <code class="codehilite">nginx.ingress.kubernetes.io/ssl-redirect: &quot;false&quot;</code>
<p>This can be disabled globally using <code class="codehilite"><span class="c">ssl-redirect: &quot;false&quot;</span></code> in the NGINX <a href="../nginx-configuration/configmap/">config map</a>,
or per-Ingress with the <code class="codehilite"><span class="err">nginx.ingress.kubernetes.io/ssl-redirect: &quot;false&quot;</span></code>
annotation in the particular resource.</p>
<div class="admonition tip">
<p class="admonition-title">Tip</p>
<p>When using SSL offloading outside of cluster (e.g. AWS ELB) it may be useful to enforce a
redirect to HTTPS even when there is no TLS certificate available.
This can be achieved by using the <code class="codehilite">nginx.ingress.kubernetes.io/force-ssl-redirect: &quot;true&quot;</code>
This can be achieved by using the <code class="codehilite"><span class="err">nginx.ingress.kubernetes.io/force-ssl-redirect: &quot;true&quot;</span></code>
annotation in the particular resource.</p>
</div>
<h2 id="automated-certificate-management-with-kube-lego">Automated Certificate Management with Kube-Lego<a class="headerlink" href="#automated-certificate-management-with-kube-lego" title="Permanent link"></a></h2>
@ -1376,8 +1376,8 @@ replaced by <a href="https://github.com/jetstack/cert-manager/">cert-manager</a>
<p><a href="https://github.com/jetstack/kube-lego">Kube-Lego</a> automatically requests missing or expired certificates from <a href="https://letsencrypt.org">Let's Encrypt</a>
by monitoring ingress resources and their referenced secrets.</p>
<p>To enable this for an ingress resource you have to add an annotation:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl annotate ing ingress-demo kubernetes.io/tls-acme=&quot;true&quot;</span>
</pre></div>
<div class="codehilite"><pre><span></span><code><span class="go">kubectl annotate ing ingress-demo kubernetes.io/tls-acme=&quot;true&quot;</span>
</code></pre></div>
<p>To setup Kube-Lego you can take a look at this <a href="https://github.com/jetstack/kube-lego/tree/master/examples">full example</a>.
The first version to fully support Kube-Lego is Nginx Ingress controller 0.8.</p>
@ -1391,17 +1391,18 @@ May 2018, <a href="https://developer.android.com/about/dashboards/#Platform">app
are not compatible with nginx-ingress's default configuration.</p>
<p>To change this default behavior, use a <a href="../nginx-configuration/configmap/">ConfigMap</a>.</p>
<p>A sample ConfigMap fragment to allow these older clients to connect could look something like the following:</p>
<div class="codehilite"><pre><span></span><span class="n">kind</span><span class="o">:</span> <span class="n">ConfigMap</span>
<div class="codehilite"><pre><span></span><code><span class="n">kind</span><span class="o">:</span> <span class="n">ConfigMap</span>
<span class="n">apiVersion</span><span class="o">:</span> <span class="n">v1</span>
<span class="n">metadata</span><span class="o">:</span>
<span class="n">name</span><span class="o">:</span> <span class="n">nginx</span><span class="o">-</span><span class="n">config</span>
<span class="n">data</span><span class="o">:</span>
<span class="n">ssl</span><span class="o">-</span><span class="n">ciphers</span><span class="o">:</span> <span class="s2">&quot;ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA&quot;</span>
<span class="n">ssl</span><span class="o">-</span><span class="n">protocols</span><span class="o">:</span> <span class="s2">&quot;TLSv1 TLSv1.1 TLSv1.2&quot;</span>
</pre></div>
</code></pre></div>
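Review bot: The sample ConfigMap is not being highlighted as YAML: keys are tokenized as names and operators, so nginx-config, ssl-ciphers and ssl-protocols are each split around the hyphen into separate spans. Tag the fenced block as yaml in the source Markdown so the lexer is not guessed. While touching that source, the lines visible here do not tell the reader that the fragment sets ssl-protocols to "TLSv1 TLSv1.1 TLSv1.2" and keeps DES-CBC3-SHA in ssl-ciphers through the controller's ConfigMap; a sentence stating that this loosens the default for the sake of older clients would help readers scope it.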
@ -1456,9 +1457,9 @@ are not compatible with nginx-ingress's default configuration.</p>
<div class="md-footer-copyright">
powered by
<a href="https://www.mkdocs.org">MkDocs</a>
<a href="https://www.mkdocs.org" target="_blank" rel="noopener">MkDocs</a>
and
<a href="https://squidfunk.github.io/mkdocs-material/">
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs</a>
</div>
@ -1468,7 +1469,7 @@ are not compatible with nginx-ingress's default configuration.</p>
</div>
<script src="../../assets/javascripts/application.ac79c3b0.js"></script>
<script src="../../assets/javascripts/application.c33a9706.js"></script>
<script>app.initialize({version:"1.0.4",url:{base:"../.."}})</script>