GCE Ingress docs update

controllers/gce/examples/health_checks/README.md

@@ -0,0 +1,74 @@
+# Simple HTTP health check example
+
+The GCE Ingress controller adopts the readiness probe from the matching endpoints, provided the readiness probe doesn't require HTTPS or special headers.
+
+Create the following app:
+```console
+$ kubectl create -f health_check_app.yaml
+replicationcontroller "echoheaders" created
+You have exposed your service on an external port on all nodes in your
+cluster.  If you want to expose this service to the external internet, you may
+need to set up firewall rules for the service port(s) (tcp:31165) to serve traffic.
+
+See http://releases.k8s.io/HEAD/docs/user-guide/services-firewalls.md for more details.
+service "echoheadersx" created
+You have exposed your service on an external port on all nodes in your
+cluster.  If you want to expose this service to the external internet, you may
+need to set up firewall rules for the service port(s) (tcp:31020) to serve traffic.
+
+See http://releases.k8s.io/HEAD/docs/user-guide/services-firewalls.md for more details.
+service "echoheadersy" created
+ingress "echomap" created
+```
+
+You should soon find an Ingress that is backed by a GCE Loadbalancer.
+
+```console
+$ kubectl describe ing echomap
+Name:			echomap
+Namespace:		default
+Address:		107.178.255.228
+Default backend:	default-http-backend:80 (10.180.0.9:8080,10.240.0.2:8080)
+Rules:
+  Host		Path	Backends
+  ----		----	--------
+  foo.bar.com
+    		/foo 	echoheadersx:80 (<none>)
+  bar.baz.com
+    		/bar 	echoheadersy:80 (<none>)
+    		/foo 	echoheadersx:80 (<none>)
+Annotations:
+  target-proxy:		k8s-tp-default-echomap--a9d60e8176d933ee
+  url-map:		k8s-um-default-echomap--a9d60e8176d933ee
+  backends:		{"k8s-be-31020--a9d60e8176d933ee":"HEALTHY","k8s-be-31165--a9d60e8176d933ee":"HEALTHY","k8s-be-31686--a9d60e8176d933ee":"HEALTHY"}
+  forwarding-rule:	k8s-fw-default-echomap--a9d60e8176d933ee
+Events:
+  FirstSeen	LastSeen	Count	From				SubobjectPath	Type		Reason	Message
+  ---------	--------	-----	----				-------------	--------	------	-------
+  17m		17m		1	{loadbalancer-controller }			Normal		ADD	default/echomap
+  15m		15m		1	{loadbalancer-controller }			Normal		CREATE	ip: 107.178.255.228
+
+$ curl 107.178.255.228/foo -H 'Host:foo.bar.com'
+CLIENT VALUES:
+client_address=10.240.0.5
+command=GET
+real path=/foo
+query=nil
+request_version=1.1
+request_uri=http://foo.bar.com:8080/foo
+...
+```
+
+You can confirm the health check endpoint point it's using one of 2 ways:
+* Through the cloud console: compute > health checks > lookup your health check. It takes the form k8s-be-nodePort-hash, where nodePort in the example above is 31165 and 31020, as shown by the kubectl output.
+* Through gcloud: Run `gcloud compute http-health-checks list`
+
+## Limitations
+
+A few points to note:
+* The readiness probe must be exposed on the port matching the `servicePort` specified in the Ingress
+* The readiness probe cannot have special requirements, like headers or HTTPS
+* The probe timeouts are translated to GCE health check timeouts
+* You must create the pods backing the endpoints with the given readiness probe. This *will not* work if you update the replication controller with a different readiness probe.
+
+

controllers/gce/examples/health_checks/health_check_app.yaml

@@ -0,0 +1,82 @@
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: echoheaders
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: echoheaders
+    spec:
+      containers:
+      - name: echoheaders
+        image: gcr.io/google_containers/echoserver:1.4
+        ports:
+        - containerPort: 8080
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          periodSeconds: 1
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 10
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: echoheadersx
+  labels:
+    app: echoheaders
+spec:
+  type: NodePort
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: echoheaders
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: echoheadersy
+  labels:
+    app: echoheaders
+spec:
+  type: NodePort
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: echoheaders
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: echomap
+spec:
+  rules:
+  - host: foo.bar.com
+    http:
+      paths:
+      - path: /foo
+        backend:
+          serviceName: echoheadersx
+          servicePort: 80
+  - host: bar.baz.com
+    http:
+      paths:
+      - path: /bar
+        backend:
+          serviceName: echoheadersy
+          servicePort: 80
+      - path: /foo
+        backend:
+          serviceName: echoheadersx
+          servicePort: 80
+

controllers/gce/examples/https/Makefile

@@ -0,0 +1,32 @@
+# Copyright 2016 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+all:
+
+KEY = /tmp/tls.key
+CERT = /tmp/tls.crt
+SECRET = /tmp/tls.json
+HOST=example.com
+NAME=tls-secret
+
+keys:
+	# The CName used here is specific to the service specified in nginx-app.yaml.
+	openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout $(KEY) -out $(CERT) -subj "/CN=$(HOST)/O=$(HOST)"
+
+secret:
+	godep go run make_secret.go -crt $(CERT) -key $(KEY) -name $(NAME) > $(SECRET)
+
+clean:
+	rm $(KEY)
+	rm $(CERT)

controllers/gce/examples/https/README.md

@@ -0,0 +1,20 @@
+# Simple TLS example
+
+Create secret
+```console
+$ make keys secret
+$ kubectl create -f /tmp/tls.json
+```
+
+Make sure you have the l7 controller running:
+```console
+$ kubectl --namespace=kube-system get pod -l name=glbc
+NAME
+l7-lb-controller-v0.6.0-1770t ...
+```
+Also make sure you have a [firewall rule](https://github.com/kubernetes/contrib/blob/master/ingress/controllers/gce/BETA_LIMITATIONS.md#creating-the-fir-glbc-health-checks) for the node port of the Service.
+
+Create Ingress
+```console
+$ kubectl create -f tls-app.yaml
+```

controllers/gce/examples/https/make_secret.go

@@ -0,0 +1,71 @@
+/*
+Copyright 2015 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// A small script that converts the given open ssl public/private keys to
+// a secret that it writes to stdout as json. Most common use case is to
+// create a secret from self signed certificates used to authenticate with
+// a devserver. Usage: go run make_secret.go -crt ca.crt -key priv.key > secret.json
+package main
+
+import (
+	"flag"
+	"fmt"
+	"io/ioutil"
+	"log"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apimachinery/registered"
+	"k8s.io/kubernetes/pkg/runtime"
+
+	// This installs the legacy v1 API
+	_ "k8s.io/kubernetes/pkg/api/install"
+)
+
+// TODO:
+// Add a -o flag that writes to the specified destination file.
+// Teach the script to create crt and key if -crt and -key aren't specified.
+var (
+	crt  = flag.String("crt", "", "path to tls certificates.")
+	key  = flag.String("key", "", "path to tls private key.")
+	name = flag.String("name", "tls-secret", "name of the secret.")
+)
+
+func read(file string) []byte {
+	b, err := ioutil.ReadFile(file)
+	if err != nil {
+		log.Fatalf("Cannot read file %v, %v", file, err)
+	}
+	return b
+}
+
+func main() {
+	flag.Parse()
+	if *crt == "" || *key == "" {
+		log.Fatalf("Need to specify -crt -key and -template")
+	}
+	tlsCrt := read(*crt)
+	tlsKey := read(*key)
+	secret := &api.Secret{
+		ObjectMeta: api.ObjectMeta{
+			Name: *name,
+		},
+		Data: map[string][]byte{
+			api.TLSCertKey:       tlsCrt,
+			api.TLSPrivateKeyKey: tlsKey,
+		},
+	}
+	fmt.Printf(runtime.EncodeOrDie(api.Codecs.LegacyCodec(registered.EnabledVersions()...), secret))
+}

controllers/gce/examples/https/tls-app.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: echoheaders-https
+  labels:
+    app: echoheaders-https
+spec:
+  type: NodePort
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: echoheaders-https
+---
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: echoheaders-https
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: echoheaders-https
+    spec:
+      containers:
+      - name: echoheaders-https
+        image: gcr.io/google_containers/echoserver:1.3
+        ports:
+        - containerPort: 8080
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: test
+spec:
+  tls:
+  # This assumes tls-secret exists.
+  # To generate it run the make in this directory.
+  - secretName: tls-secret
+  backend:
+    serviceName: echoheaders-https
+    servicePort: 80
+