GCE Ingress docs update

2016-07-06 13:23:38 -07:00 · 2016-07-06 13:23:38 -07:00 · 94ea4ab247
commit 94ea4ab247
parent 9b762b7d54
8 changed files with 294 additions and 149 deletions
--- a/controllers/gce/examples/https/Makefile
+++ b/controllers/gce/examples/https/Makefile
@ -0,0 +1,32 @@
+# Copyright 2016 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+all:
+
+KEY = /tmp/tls.key
+CERT = /tmp/tls.crt
+SECRET = /tmp/tls.json
+HOST=example.com
+NAME=tls-secret
+
+keys:
+	# The CName used here is specific to the service specified in nginx-app.yaml.
+	openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout $(KEY) -out $(CERT) -subj "/CN=$(HOST)/O=$(HOST)"
+
+secret:
+	godep go run make_secret.go -crt $(CERT) -key $(KEY) -name $(NAME) > $(SECRET)
+
+clean:
+	rm $(KEY)
+	rm $(CERT)
--- a/controllers/gce/examples/https/README.md
+++ b/controllers/gce/examples/https/README.md
@ -0,0 +1,20 @@
+# Simple TLS example
+
+Create secret
+```console
+$ make keys secret
+$ kubectl create -f /tmp/tls.json
+```
+
+Make sure you have the l7 controller running:
+```console
+$ kubectl --namespace=kube-system get pod -l name=glbc
+NAME
+l7-lb-controller-v0.6.0-1770t ...
+```
+Also make sure you have a [firewall rule](https://github.com/kubernetes/contrib/blob/master/ingress/controllers/gce/BETA_LIMITATIONS.md#creating-the-fir-glbc-health-checks) for the node port of the Service.
+
+Create Ingress
+```console
+$ kubectl create -f tls-app.yaml
+```
--- a/controllers/gce/examples/https/make_secret.go
+++ b/controllers/gce/examples/https/make_secret.go
@ -0,0 +1,71 @@
+/*
+Copyright 2015 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// A small script that converts the given open ssl public/private keys to
+// a secret that it writes to stdout as json. Most common use case is to
+// create a secret from self signed certificates used to authenticate with
+// a devserver. Usage: go run make_secret.go -crt ca.crt -key priv.key > secret.json
+package main
+
+import (
+	"flag"
+	"fmt"
+	"io/ioutil"
+	"log"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apimachinery/registered"
+	"k8s.io/kubernetes/pkg/runtime"
+
+	// This installs the legacy v1 API
+	_ "k8s.io/kubernetes/pkg/api/install"
+)
+
+// TODO:
+// Add a -o flag that writes to the specified destination file.
+// Teach the script to create crt and key if -crt and -key aren't specified.
+var (
+	crt  = flag.String("crt", "", "path to tls certificates.")
+	key  = flag.String("key", "", "path to tls private key.")
+	name = flag.String("name", "tls-secret", "name of the secret.")
+)
+
+func read(file string) []byte {
+	b, err := ioutil.ReadFile(file)
+	if err != nil {
+		log.Fatalf("Cannot read file %v, %v", file, err)
+	}
+	return b
+}
+
+func main() {
+	flag.Parse()
+	if *crt == "" || *key == "" {
+		log.Fatalf("Need to specify -crt -key and -template")
+	}
+	tlsCrt := read(*crt)
+	tlsKey := read(*key)
+	secret := &api.Secret{
+		ObjectMeta: api.ObjectMeta{
+			Name: *name,
+		},
+		Data: map[string][]byte{
+			api.TLSCertKey:       tlsCrt,
+			api.TLSPrivateKeyKey: tlsKey,
+		},
+	}
+	fmt.Printf(runtime.EncodeOrDie(api.Codecs.LegacyCodec(registered.EnabledVersions()...), secret))
+}
--- a/controllers/gce/examples/https/tls-app.yaml
+++ b/controllers/gce/examples/https/tls-app.yaml
@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: echoheaders-https
+  labels:
+    app: echoheaders-https
+spec:
+  type: NodePort
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: echoheaders-https
+---
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: echoheaders-https
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: echoheaders-https
+    spec:
+      containers:
+      - name: echoheaders-https
+        image: gcr.io/google_containers/echoserver:1.3
+        ports:
+        - containerPort: 8080
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: test
+spec:
+  tls:
+  # This assumes tls-secret exists.
+  # To generate it run the make in this directory.
+  - secretName: tls-secret
+  backend:
+    serviceName: echoheaders-https
+    servicePort: 80
+