git mv Ingress ingress

controllers/nginx-third-party/examples/certs.sh

@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# This test is for dev purposes.
+
+set -e
+
+SECRET_NAME=${SECRET_NAME:-ssl-secret}
+# Name of the app in the .yaml
+APP=${APP:-nginxsni}
+# SNI hostnames
+HOSTS=${HOSTS:-foo.bar.com}
+# Should the test build and push the container via make push?
+PUSH=${PUSH:-false}
+
+# makeCerts makes certificates applying the given hostnames as CNAMEs
+# $1 Name of the app that will use this secret, applied as a app= label
+# $2... hostnames as described below
+# Eg: makeCerts nginxsni nginx1 nginx2 nginx3
+# Will generate nginx{1,2,3}.crt,.key,.json file in cwd. It's upto the caller
+# to execute kubectl -f on the json file. The secret will have a label of
+# app=nginxsni, so you can delete it via the cleanup function.
+function makeCerts {
+    local label=$1
+    shift
+    for h in ${@}; do
+        if [ ! -f $h.json ] || [ ! -f $h.crt ] || [ ! -f $h.key ]; then
+            printf "\nCreating new secrets for $h, will take ~30s\n\n"
+            local cert=$h.crt key=$h.key host=$h secret=$h.json cname=$h
+            if [ $h == "wildcard" ]; then
+                cname=*.$h.com
+            fi
+
+            # Generate crt and key
+            openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+                    -keyout "${key}" -out "${cert}" -subj "/CN=${cname}/O=${cname}"
+        fi
+
+        cat <<EOF > secret-$SECRET_NAME-$h.json
+{
+    "kind": "Secret",
+    "apiVersion": "v1",
+    "metadata": {
+        "name": "$SECRET_NAME"
+    },
+    "data": {
+        "$h.crt": "$(cat ./$h.crt | base64)",
+        "$h.key": "$(cat ./$h.key | base64)"
+    }
+}
+
+EOF
+
+    done
+}
+
+makeCerts ${APP} ${HOSTS[*]}

controllers/nginx-third-party/examples/default-backend.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: default-http-backend
+spec:
+  replicas: 1
+  selector:
+    app: default-http-backend
+  template:
+    metadata:
+      labels:
+        app: default-http-backend
+    spec:
+      terminationGracePeriodSeconds: 600
+      containers:
+      - name: default-http-backend
+        # Any image is permissable as long as:
+        # 1. It serves a 404 page at /
+        # 2. It serves 200 on a /healthz endpoint
+        image: gcr.io/google_containers/defaultbackend:1.0
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 30
+          timeoutSeconds: 5
+        ports:
+        - containerPort: 8080
+        resources:
+          limits:
+            cpu: 10m
+            memory: 20Mi
+          requests:
+            cpu: 10m
+            memory: 20Mi

controllers/nginx-third-party/examples/dhparam.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# https://www.openssl.org/docs/manmaster/apps/dhparam.html
+# this command generates a key used to get "Perfect Forward Secrecy" in nginx
+# https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam
+openssl dhparam -out dhparam.pem 4096
+
+cat <<EOF > dhparam-example.yaml
+{
+    "kind": "Secret",
+    "apiVersion": "v1",
+    "metadata": {
+        "name": "dhparam-example"
+    },
+    "data": {
+        "dhparam.pem": "$(cat ./dhparam.pem | base64)"
+    }
+}
+
+EOF

controllers/nginx-third-party/examples/ingress.yaml

@@ -0,0 +1,25 @@
+# An Ingress with 2 hosts and 3 endpoints
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: echomap
+spec:
+  rules:
+  - host: foo.bar.com
+    http:
+      paths:
+      - path: /foo
+        backend:
+          serviceName: echoheaders-x
+          servicePort: 80
+  - host: bar.baz.com
+    http:
+      paths:
+      - path: /bar
+        backend:
+          serviceName: echoheaders-y
+          servicePort: 80
+      - path: /foo
+        backend:
+          serviceName: echoheaders-x
+          servicePort: 80

controllers/nginx-third-party/examples/rc-default.yaml

@@ -0,0 +1,53 @@
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: nginx-ingress-3rdpartycfg
+  labels:
+    k8s-app: nginx-ingress-lb
+spec:
+  replicas: 1
+  selector:
+    k8s-app: nginx-ingress-lb
+  template:
+    metadata:
+      labels:
+        k8s-app: nginx-ingress-lb
+        name: nginx-ingress-lb
+    spec:
+      containers:
+      - image: gcr.io/google_containers/nginx-third-party:0.3
+        name: nginx-ingress-lb
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 10249
+            scheme: HTTP
+          initialDelaySeconds: 30
+          timeoutSeconds: 5
+        # use downward API
+        env:
+          - name: POD_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.podIP
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        ports:
+        - containerPort: 80
+          hostPort: 80
+        - containerPort: 443
+          hostPort: 4444
+        # we expose 8080 to access nginx stats in url /nginx-status
+        # this is optional
+        - containerPort: 8080
+          hostPort: 8081
+        args:
+        - /nginx-third-party-lb
+        - --default-backend-service=default/default-http-backend

controllers/nginx-third-party/examples/rc-full.yaml

@@ -0,0 +1,75 @@
+
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: nginx-ingress-3rdpartycfg
+  labels:
+    k8s-app: nginx-ingress-lb
+spec:
+  replicas: 1
+  selector:
+    k8s-app: nginx-ingress-lb
+  template:
+    metadata:
+      labels:
+        k8s-app: nginx-ingress-lb
+        name: nginx-ingress-lb
+    spec:
+      # A secret for each nginx host that requires SSL. These secrets need to
+      # exist before hand, see README.
+      # The secret must contains 2 variables: cert and key.
+      # Follow this https://github.com/bprashanth/Ingress/blob/master/examples/sni/nginx/test.sh
+      # as a guide on how to generate secrets containing SSL certificates.
+      volumes:
+      - name: secret-echoheaders-1
+        secret:
+          secretName: echoheaders
+      - name: dhparam-example
+        secret:
+          secretName: dhparam-example
+      containers:
+      - image: gcr.io/google_containers/nginx-third-party:0.3
+        name: nginx-ingress-lb
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 10249
+            scheme: HTTP
+          initialDelaySeconds: 30
+          timeoutSeconds: 5
+        # use downward API
+        env:
+          - name: POD_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.podIP
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        ports:
+        - containerPort: 80
+          hostPort: 80
+        - containerPort: 443
+          hostPort: 4444
+        - containerPort: 8080
+          hostPort: 9000
+        volumeMounts:
+        - mountPath: /etc/nginx-ssl/secret-echoheaders-1
+          name: secret-echoheaders-1
+        - mountPath: /etc/nginx-ssl/dhparam
+          name: dhparam-example
+        # the flags tcp-services is required because Ingress do not support TCP rules
+        # if no namespace is specified "default" is used. Example: nodefaultns/example-go:8080
+        # containerPort 8080 is mapped to 9000 in the node.
+        args:
+        - /nginx-third-party-lb
+        - --tcp-services=default/example-go:8080
+        - --default-backend-service=default/default-http-backend
+        - --custom-error-service=default/default-error-backend
+

controllers/nginx-third-party/examples/rc-ssl.yaml

@@ -0,0 +1,66 @@
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: nginx-ingress-3rdpartycfg
+  labels:
+    k8s-app: nginx-ingress-lb
+spec:
+  replicas: 1
+  selector:
+    k8s-app: nginx-ingress-lb
+  template:
+    metadata:
+      labels:
+        k8s-app: nginx-ingress-lb
+        name: nginx-ingress-lb
+    spec:
+      # A secret for each nginx host that requires SSL. These secrets need to
+      # exist before hand, see README.
+      # Follow this https://github.com/kubernetes/contrib/Ingress/controllers/nginx-third-party/examples/certs.sh
+      # as a guide on how to generate secrets containing SSL certificates.
+      volumes:
+      - name: secret-echoheaders-1
+        secret:
+          secretName: secret-echoheaders-1
+      containers:
+      - image: gcr.io/google_containers/nginx-third-party:0.3
+        name: nginx-ingress-lb
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 10249
+            scheme: HTTP
+          initialDelaySeconds: 30
+          timeoutSeconds: 5
+        # use downward API
+        env:
+          - name: POD_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.podIP
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        ports:
+        - containerPort: 80
+          hostPort: 80
+        - containerPort: 443
+          hostPort: 4444
+        - containerPort: 8080
+          hostPort: 9000
+        # the mountpoints for the SSL secrets must be a /etc/nginx-ssl subdirectory
+        volumeMounts:
+        - mountPath: /etc/nginx-ssl/secret-echoheaders-1
+          name: secret-echoheaders-1
+        # to configure ssl_dhparam http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
+        # use the dhparam.sh file to generate and mount a secret that containing the key dhparam.pem or
+        # create a configuration with the content of dhparam.pem in the field sslDHParam.
+        args:
+        - /nginx-third-party-lb
+        - --default-backend-service=default/default-http-backend

controllers/nginx-third-party/examples/rc-tcp.yaml

@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: nginx-ingress-3rdpartycfg
+  labels:
+    k8s-app: nginx-ingress-lb
+spec:
+  replicas: 1
+  selector:
+    k8s-app: nginx-ingress-lb
+  template:
+    metadata:
+      labels:
+        k8s-app: nginx-ingress-lb
+        name: nginx-ingress-lb
+    spec:
+      containers:
+      - image: gcr.io/google_containers/nginx-third-party:0.3
+        name: nginx-ingress-lb
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 10249
+            scheme: HTTP
+          initialDelaySeconds: 30
+          timeoutSeconds: 5
+        # use downward API
+        env:
+          - name: POD_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.podIP
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        ports:
+        - containerPort: 80
+          hostPort: 80
+        - containerPort: 443
+          hostPort: 4444
+        # we expose 8080 to access nginx stats in url /nginx-status
+        # this is optional
+        - containerPort: 8080
+          hostPort: 8081
+        # service echoheaders as TCP service default/echoheaders:9000
+        # 9000 indicates the port used to expose the service
+        - containerPort: 9000
+          hostPort: 9000
+        args:
+        - /nginx-third-party-lb
+        - --default-backend-service=default/default-http-backend