Deploy GitHub Pages

Travis Bot 2018-10-12 01:21:45 +00:00
parent 8125e59d3f
commit c09357b854
51 changed files with 612 additions and 5095 deletions

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
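Review bot: the nav entry for "Exposing TCP and UDP services" (`../../user-guide/exposing-tcp-udp-services/`) is replaced by "Regular expressions in paths" rather than joined by it, so if the TCP/UDP user-guide page still exists it is no longer reachable from this navigation. Either keep both `<li class="md-nav__item">` entries or confirm that dropping the TCP/UDP page from the nav is intended. The same substitution recurs in every rendered page of this commit.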
@ -995,18 +995,6 @@
<li class="md-nav__item">
<a href="../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
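Review bot: this hunk removes the "Custom Upstream server checks" entry (`../customization/custom-upstream-check/`) from the nav, but nothing in this commit shows that page being deleted or its content moving elsewhere. Check that no remaining page links to that path, otherwise the site ships a dangling link. The same removal recurs in each file below and only needs resolving once at the source.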
@ -1212,15 +1200,7 @@
<h2 id="tls-certificates">TLS certificates<a class="headerlink" href="#tls-certificates" title="Permanent link">&para;</a></h2>
<p>Unless otherwise mentioned, the TLS secret used in examples is a 2048 bit RSA
key/cert pair with an arbitrarily chosen hostname, created as follows</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8
9</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> openssl req -x509 -nodes -days <span class="m">365</span> -newkey rsa:2048 -keyout tls.key -out tls.crt -subj <span class="s2">&quot;/CN=nginxsvc/O=nginxsvc&quot;</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl req -x509 -nodes -days <span class="m">365</span> -newkey rsa:2048 -keyout tls.key -out tls.crt -subj <span class="s2">&quot;/CN=nginxsvc/O=nginxsvc&quot;</span>
<span class="go">Generating a 2048 bit RSA private key</span>
<span class="go">................+++</span>
<span class="go">................+++</span>
@ -1230,7 +1210,6 @@ key/cert pair with an arbitrarily chosen hostname, created as follows</p>
<span class="gp">$</span> kubectl create secret tls tls-secret --key tls.key --cert tls.crt
<span class="go">secret &quot;tls-secret&quot; created</span>
</pre></div>
</td></tr></table>
<h2 id="ca-authentication">CA Authentication<a class="headerlink" href="#ca-authentication" title="Permanent link">&para;</a></h2>
<p>You can act as your very own CA, or use an existing one. As an exercise / learning, we're going to generate our
@ -1239,16 +1218,7 @@ own CA, and also generate a client certificate.</p>
<h3 id="generating-a-ca">Generating a CA<a class="headerlink" href="#generating-a-ca" title="Permanent link">&para;</a></h3>
<p>First of all, you've to generate a CA. This is going to be the one who will sign your client certificates.
In real production world, you may face CAs with intermediate certificates, as the following:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> openssl s_client -connect www.google.com:443
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl s_client -connect www.google.com:443
<span class="go">[...]</span>
<span class="go">---</span>
<span class="go">Certificate chain</span>
@ -1259,14 +1229,11 @@ In real production world, you may face CAs with intermediate certificates, as th
<span class="go"> 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA</span>
<span class="go"> i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority</span>
</pre></div>
</td></tr></table>
<p>To generate our CA Certificate, we've to run the following commands:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> openssl genrsa -out ca.key <span class="m">2048</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl genrsa -out ca.key <span class="m">2048</span>
<span class="gp">$</span> openssl req -x509 -new -nodes -key ca.key -days <span class="m">10000</span> -out ca.crt -subj <span class="s2">&quot;/CN=example-ca&quot;</span>
</pre></div>
</td></tr></table>
<p>This will generate two files: A private key (ca.key) and a public key (ca.crt). This CA is valid for 10000 days.
The ca.crt can be used later in the step of creation of CA authentication secret.</p>
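Review bot: the sentence "This will generate two files: A private key (ca.key) and a public key (ca.crt)" is inaccurate and this hunk re-renders it unchanged: `openssl req -x509 ... -out ca.crt` writes a self-signed CA certificate, not a bare public key. Suggest "a private key (ca.key) and a self-signed CA certificate (ca.crt)". The `-days 10000` lifetime is fine for the exercise but should be labelled as exercise-only rather than a value to copy into a real CA.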
@ -1274,13 +1241,7 @@ The ca.crt can be used later in the step of creation of CA authentication secret
<p>The following steps generate a client certificate signed by the CA generated above. This client can be
used to authenticate in a tls-auth configured ingress.</p>
<p>First, we need to generate an 'openssl.cnf' file that will be used while signing the keys:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">[req]</span>
<div class="codehilite"><pre><span></span><span class="go">[req]</span>
<span class="go">req_extensions = v3_req</span>
<span class="go">distinguished_name = req_distinguished_name</span>
<span class="go">[req_distinguished_name]</span>
@ -1288,68 +1249,47 @@ used to authenticate in a tls-auth configured ingress.</p>
<span class="go">basicConstraints = CA:FALSE</span>
<span class="go">keyUsage = nonRepudiation, digitalSignature, keyEncipherment</span>
</pre></div>
</td></tr></table>
<p>Then, a user generates his very own private key (that he needs to keep secret)
and a CSR (Certificate Signing Request) that will be sent to the CA to sign and generate a certificate.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> openssl genrsa -out client1.key <span class="m">2048</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl genrsa -out client1.key <span class="m">2048</span>
<span class="gp">$</span> openssl req -new -key client1.key -out client1.csr -subj <span class="s2">&quot;/CN=client1&quot;</span> -config openssl.cnf
</pre></div>
</td></tr></table>
<p>As the CA receives the generated 'client1.csr' file, it signs it and generates a client.crt certificate:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days <span class="m">365</span> -extensions v3_req -extfile openssl.cnf
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days <span class="m">365</span> -extensions v3_req -extfile openssl.cnf
</pre></div>
</td></tr></table>
<p>Then, you'll have 3 files: the client.key (user's private key), client.crt (user's public key) and client.csr (disposable CSR).</p>
<h3 id="creating-the-ca-authentication-secret">Creating the CA Authentication secret<a class="headerlink" href="#creating-the-ca-authentication-secret" title="Permanent link">&para;</a></h3>
<p>If you're using the CA Authentication feature, you need to generate a secret containing
all the authorized CAs. You must download them from your CA site in PEM format (like the following):</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>-----BEGIN CERTIFICATE-----
<div class="codehilite"><pre><span></span>-----BEGIN CERTIFICATE-----
[....]
-----END CERTIFICATE-----
</pre></div>
</td></tr></table>
<p>You can have as many certificates as you want. If they're in the binary DER format,
you can convert them as the following:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
</pre></div>
</td></tr></table>
<p>Then, you've to concatenate them all in only one file, named 'ca.crt' as the following:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> cat certificate1.crt certificate2.crt certificate3.crt &gt;&gt; ca.crt
<div class="codehilite"><pre><span></span><span class="gp">$</span> cat certificate1.crt certificate2.crt certificate3.crt &gt;&gt; ca.crt
</pre></div>
</td></tr></table>
<p>The final step is to create a secret with the content of this file. This secret is going to be used in
the TLS Auth directive:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic caingress --namespace<span class="o">=</span>default --from-file<span class="o">=</span>ca.crt<span class="o">=</span>&lt;ca.crt&gt;
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic caingress --namespace<span class="o">=</span>default --from-file<span class="o">=</span>ca.crt<span class="o">=</span>&lt;ca.crt&gt;
</pre></div>
</td></tr></table>
<p><strong>Note:</strong> You can also generate the CA Authentication Secret along with the TLS Secret by using:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic caingress --namespace<span class="o">=</span>default --from-file<span class="o">=</span>ca.crt<span class="o">=</span>&lt;ca.crt&gt; --from-file<span class="o">=</span>tls.crt<span class="o">=</span>&lt;tls.crt&gt; --from-file<span class="o">=</span>tls.key<span class="o">=</span>&lt;tls.key&gt;
</pre></div>
</td></tr></table></p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic caingress --namespace<span class="o">=</span>default --from-file<span class="o">=</span>ca.crt<span class="o">=</span>&lt;ca.crt&gt; --from-file<span class="o">=</span>tls.crt<span class="o">=</span>&lt;tls.crt&gt; --from-file<span class="o">=</span>tls.key<span class="o">=</span>&lt;tls.key&gt;
</pre></div></p>
<h2 id="test-http-service">Test HTTP Service<a class="headerlink" href="#test-http-service" title="Permanent link">&para;</a></h2>
<p>All examples that require a test HTTP Service use the standard http-svc pod,
which you can deploy as follows</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f http-svc.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f http-svc.yaml
<span class="go">service &quot;http-svc&quot; created</span>
<span class="go">replicationcontroller &quot;http-svc&quot; created</span>
@ -1361,56 +1301,9 @@ which you can deploy as follows</p>
<span class="go">NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE</span>
<span class="go">http-svc 10.0.122.116 &lt;pending&gt; 80:30301/TCP 1d</span>
</pre></div>
</td></tr></table>
<p>You can test that the HTTP Service works by exposing it temporarily</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl patch svc http-svc -p <span class="s1">&#39;{&quot;spec&quot;:{&quot;type&quot;: &quot;LoadBalancer&quot;}}&#39;</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl patch svc http-svc -p <span class="s1">&#39;{&quot;spec&quot;:{&quot;type&quot;: &quot;LoadBalancer&quot;}}&#39;</span>
<span class="go">&quot;http-svc&quot; patched</span>
<span class="gp">$</span> kubectl get svc http-svc
@ -1458,7 +1351,6 @@ which you can deploy as follows</p>
<span class="gp">$</span> kubectl patch svc http-svc -p <span class="s1">&#39;{&quot;spec&quot;:{&quot;type&quot;: &quot;NodePort&quot;}}&#39;</span>
<span class="go">&quot;http-svc&quot; patched</span>
</pre></div>
</td></tr></table>
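Review bot: `kubectl patch svc http-svc -p '{"spec":{"type": "LoadBalancer"}}'` requests a cloud load balancer, which on a managed cluster gives the unauthenticated test service a public address until the closing `NodePort` patch reverts it. A one-line warning before the first patch, telling readers to run the revert if they stop midway (or to use `kubectl port-forward` for the check instead), would avoid leaving http-svc exposed.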

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -961,18 +961,6 @@
<li class="md-nav__item">
<a href="../../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1170,43 +1158,12 @@
</tbody>
</table>
<p>You can create the ingress to test this</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl create -f ingress.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl create -f ingress.yaml</span>
</pre></div>
</td></tr></table>
<h2 id="validation">Validation<a class="headerlink" href="#validation" title="Permanent link">&para;</a></h2>
<p>You can confirm that the Ingress works.</p>
<p><table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe ing nginx-test
<p><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe ing nginx-test
<span class="go">Name: nginx-test</span>
<span class="go">Namespace: default</span>
<span class="go">Address: </span>
@ -1238,7 +1195,6 @@
<span class="go">ETag: &quot;58875e6b-264&quot;</span>
<span class="go">Accept-Ranges: bytes</span>
</pre></div>
</td></tr></table>
In the example above, you can see a line containing the 'Set-Cookie: INGRESSCOOKIE' setting the right defined stickiness cookie.
This cookie is created by NGINX containing the hash of the used upstream in that request.
If the user changes this cookie, NGINX creates a new one and redirect the user to another upstream.</p>
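Review bot: grammar in the last line of this hunk: "NGINX creates a new one and redirect the user to another upstream" should read "redirects the user". If the intended meaning is that the request is proxied to a different upstream rather than that the client receives an HTTP redirect, "sends the user to another upstream" would be the clearer wording.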

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -927,18 +927,6 @@
<li class="md-nav__item">
<a href="../../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1085,33 +1073,18 @@
<h1 id="basic-authentication">Basic Authentication<a class="headerlink" href="#basic-authentication" title="Permanent link">&para;</a></h1>
<p>This example shows how to add authentication in a Ingress rule using a secret that contains a file generated with <code class="codehilite">htpasswd</code>.
It's important the file generated is named <code class="codehilite">auth</code> (actually - that the secret has a key <code class="codehilite">data.auth</code>), otherwise the ingress-controller returns a 503.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> htpasswd -c auth foo
<div class="codehilite"><pre><span></span><span class="gp">$</span> htpasswd -c auth foo
<span class="go">New password: &lt;bar&gt;</span>
<span class="go">New password:</span>
<span class="go">Re-type new password:</span>
<span class="go">Adding password for user foo</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic basic-auth --from-file<span class="o">=</span>auth
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic basic-auth --from-file<span class="o">=</span>auth
<span class="go">secret &quot;basic-auth&quot; created</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8
9</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get secret basic-auth -o yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get secret basic-auth -o yaml
<span class="go">apiVersion: v1</span>
<span class="go">data:</span>
<span class="go"> auth: Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK</span>
@ -1121,30 +1094,8 @@ It's important the file generated is named <code class="codehilite">auth</code>
<span class="go"> namespace: default</span>
<span class="go">type: Opaque</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">echo &quot;</span>
<div class="codehilite"><pre><span></span><span class="go">echo &quot;</span>
<span class="go">apiVersion: extensions/v1beta1</span>
<span class="go">kind: Ingress</span>
<span class="go">metadata:</span>
@ -1167,32 +1118,8 @@ It's important the file generated is named <code class="codehilite">auth</code>
<span class="go"> servicePort: 80</span>
<span class="go">&quot; | kubectl create -f -</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -v http://10.2.29.4/ -H &#39;Host: foo.bar.com&#39;
<div class="codehilite"><pre><span></span>$ curl -v http://10.2.29.4/ -H &#39;Host: foo.bar.com&#39;
* Trying 10.2.29.4...
* Connected to 10.2.29.4 (10.2.29.4) port 80 (#0)
&gt; GET / HTTP/1.1
@ -1217,51 +1144,8 @@ It's important the file generated is named <code class="codehilite">auth</code>
<span class="nt">&lt;/html&gt;</span>
* Connection #0 to host 10.2.29.4 left intact
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -v http://10.2.29.4/ -H <span class="s1">&#39;Host: foo.bar.com&#39;</span> -u <span class="s1">&#39;foo:bar&#39;</span>
<div class="codehilite"><pre><span></span>$ curl -v http://10.2.29.4/ -H <span class="s1">&#39;Host: foo.bar.com&#39;</span> -u <span class="s1">&#39;foo:bar&#39;</span>
* Trying <span class="m">10</span>.2.29.4...
* Connected to <span class="m">10</span>.2.29.4 <span class="o">(</span><span class="m">10</span>.2.29.4<span class="o">)</span> port <span class="m">80</span> <span class="o">(</span><span class="c1">#0)</span>
* Server auth using Basic with user <span class="s1">&#39;foo&#39;</span>
@ -1305,7 +1189,6 @@ BODY:
* Connection <span class="c1">#0 to host 10.2.29.4 left intact</span>
-no body in request-
</pre></div>
</td></tr></table>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -838,8 +838,8 @@
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#setup-instructions" title="Setup instructions" class="md-nav__link">
Setup instructions
<a href="#setup-instructions" title="Setup Instructions" class="md-nav__link">
Setup Instructions
</a>
</li>
@ -956,18 +956,6 @@
<li class="md-nav__item">
<a href="../../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1102,8 +1090,8 @@
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#setup-instructions" title="Setup instructions" class="md-nav__link">
Setup instructions
<a href="#setup-instructions" title="Setup Instructions" class="md-nav__link">
Setup Instructions
</a>
</li>
@ -1128,18 +1116,19 @@
<h1 id="client-certificate-authentication">Client Certificate Authentication<a class="headerlink" href="#client-certificate-authentication" title="Permanent link">&para;</a></h1>
<p>It is possible to enable Client Certificate Authentication using additional annotations in the Ingress.</p>
<h2 id="setup-instructions">Setup instructions<a class="headerlink" href="#setup-instructions" title="Permanent link">&para;</a></h2>
<p>It is possible to enable Client Certificate Authentication using additional annotations in Ingress resources, created by you.</p>
<h2 id="setup-instructions">Setup Instructions<a class="headerlink" href="#setup-instructions" title="Permanent link">&para;</a></h2>
<ol>
<li>
<p>Create a file named <code class="codehilite">ca.crt</code> containing the trusted certificate authority chain (all ca certificates in PEM format) to verify client certificates. </p>
<p>Create a file named <code class="codehilite">ca.crt</code> containing the trusted certificate authority chain to verify client certificates. All of the certificates must be in PEM format.<br />
<em>NB:</em> The file containing the trusted certificates must be named <code class="codehilite">ca.crt</code> exactly - this is expected to be found in the secret.</p>
</li>
<li>
<p>Create a secret from this file:
<p>Create a secret from this file:<br />
<code class="codehilite">kubectl create secret generic auth-tls-chain --from-file=ca.crt --namespace=default</code></p>
</li>
<li>
<p>Add the annotations as provided in the <a href="ingress.yaml">ingress.yaml</a> example to your ingress object.</p>
<p>Add the annotations as provided in the <a href="ingress.yaml">ingress.yaml</a> example to your own ingress resources as required.</p>
</li>
</ol>
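Review bot: "using additional annotations in Ingress resources, created by you" and step 3's "to your own ingress resources as required" say the same thing twice; "in your Ingress resources" covers both. The `<br />` hard breaks inside the `<p>` elements presumably come from trailing double spaces in the markdown source, which are easy to lose in later edits; making the NB its own paragraph would be more robust.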

View file

@ -5,6 +5,7 @@ metadata:
# Enable client certificate authentication
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
# Create the secret containing the trusted ca certificates with `kubectl create secret generic auth-tls-chain --from-file=ca.crt --namespace=default`
# NB: The file _must_ be named "ca.crt" and nothing else. This filename is expected to be found in the secret.
nginx.ingress.kubernetes.io/auth-tls-secret: "default/auth-tls-chain"
# Specify the verification depth in the client certificates chain
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
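Review bot: the new comment on `auth-tls-secret` describes `ca.crt` as holding "the trusted ca certificates" (a chain, per the README), but `auth-tls-verify-depth: "1"` accepts only client certificates signed directly by a CA present in that file; a client whose certificate is issued by an intermediate that is not in `ca.crt` needs a larger depth. Either raise the example depth or extend the comment on the depth line to say that with 1 the issuing CA itself must be in `ca.crt`.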

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -956,18 +956,6 @@
<li class="md-nav__item">
<a href="../../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1130,40 +1118,7 @@
<h1 id="external-basic-authentication">External Basic Authentication<a class="headerlink" href="#external-basic-authentication" title="Permanent link">&para;</a></h1>
<h3 id="example-1">Example 1:<a class="headerlink" href="#example-1" title="Permanent link">&para;</a></h3>
<p>Use an external service (Basic Auth) located in <code class="codehilite">https://httpbin.org</code> </p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl create -f ingress.yaml
<div class="codehilite"><pre><span></span>$ kubectl create -f ingress.yaml
ingress <span class="s2">&quot;external-auth&quot;</span> created
$ kubectl get ing external-auth
@ -1198,34 +1153,9 @@ status:
- ip: <span class="m">172</span>.17.4.99
$
</pre></div>
</td></tr></table>
<p>Test 1: no username/password (expect code 401)</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span>
<span class="go">* Rebuilt URL to: http://172.17.4.99/</span>
<span class="go">* Trying 172.17.4.99...</span>
<span class="go">* Connected to 172.17.4.99 (172.17.4.99) port 80 (#0)</span>
@ -1251,52 +1181,9 @@ $
<span class="go">&lt;/html&gt;</span>
<span class="go">* Connection #0 to host 172.17.4.99 left intact</span>
</pre></div>
</td></tr></table>
<p>Test 2: valid username/password (expect code 200)
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span> -u <span class="s1">&#39;user:passwd&#39;</span>
<div class="codehilite"><pre><span></span>$ curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span> -u <span class="s1">&#39;user:passwd&#39;</span>
* Rebuilt URL to: http://172.17.4.99/
* Trying <span class="m">172</span>.17.4.99...
* Connected to <span class="m">172</span>.17.4.99 <span class="o">(</span><span class="m">172</span>.17.4.99<span class="o">)</span> port <span class="m">80</span> <span class="o">(</span><span class="c1">#0)</span>
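Review bot: `curl -k http://172.17.4.99 ...` passes `-k` (disable TLS certificate verification) to a plain `http://` request, where it has no effect; if a reader later switches the example to `https://`, the flag silently turns verification off. Drop `-k` from all three tests. Separately, "Test 2: valid username/password (expect code 200)" is opened with `<p>` and the code block is rendered inside it because the markdown source has no blank line between the sentence and the fence; that is what produces the stray `</pre></div></p>` closing it in the next hunk.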
@ -1339,37 +1226,9 @@ x-real-ip<span class="o">=</span><span class="m">10</span>.2.60.1
BODY:
* Connection <span class="c1">#0 to host 172.17.4.99 left intact</span>
-no body in request-
</pre></div>
</td></tr></table></p>
</pre></div></p>
<p>Test 3: invalid username/password (expect code 401)
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>curl -k http://172.17.4.99 -v -H &#39;Host: external-auth-01.sample.com&#39; -u &#39;user:user&#39;
<div class="codehilite"><pre><span></span>curl -k http://172.17.4.99 -v -H &#39;Host: external-auth-01.sample.com&#39; -u &#39;user:user&#39;
* Rebuilt URL to: http://172.17.4.99/
* Trying 172.17.4.99...
* Connected to 172.17.4.99 (172.17.4.99) port 80 (#0)
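Review bot: the test 3 command `curl -k http://172.17.4.99 -v -H 'Host: external-auth-01.sample.com' -u 'user:user'` has lost the `$` prompt that tests 1 and 2 carry, so the transcript is inconsistent and the block is rendered without shell highlighting. The same `<p>`-wrapped code block problem as in test 2 applies here, hence the `</pre></div></p>` that closes it in the following hunk.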
@ -1397,8 +1256,7 @@ BODY:
<span class="nt">&lt;/body&gt;</span>
<span class="nt">&lt;/html&gt;</span>
* Connection #0 to host 172.17.4.99 left intact
</pre></div>
</td></tr></table></p>
</pre></div></p>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -983,18 +983,6 @@
<li class="md-nav__item">
<a href="../../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1196,13 +1184,7 @@ One Ingress object has no special annotations and handles authentication.</p>
authenticate against the first Ingress's endpoint, and can redirect <code class="codehilite">401</code>s to the
same endpoint.</p>
<p>Sample:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="nn">...</span>
<div class="codehilite"><pre><span></span><span class="nn">...</span>
<span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">application</span>
<span class="l l-Scalar l-Scalar-Plain">annotations</span><span class="p p-Indicator">:</span>
@ -1210,7 +1192,6 @@ same endpoint.</p>
<span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/auth-signin</span><span class="p p-Indicator">:</span> <span class="s">&quot;https://$host/oauth2/start?rd=$escaped_request_uri&quot;</span>
<span class="nn">...</span>
</pre></div>
</td></tr></table>
<h3 id="example-oauth2-proxy-kubernetes-dashboard">Example: OAuth2 Proxy + Kubernetes-Dashboard<a class="headerlink" href="#example-oauth2-proxy-kubernetes-dashboard" title="Permanent link">&para;</a></h3>
<p>This example will show you how to deploy <a href="https://github.com/bitly/oauth2_proxy"><code class="codehilite">oauth2_proxy</code></a>
@ -1219,9 +1200,8 @@ into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using g
<ol>
<li>Install the kubernetes dashboard</li>
</ol>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.5.0.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.5.0.yaml</span>
</pre></div>
</td></tr></table>
<ol>
<li>Create a <a href="https://github.com/settings/applications/new">custom Github OAuth application</a></li>
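Review bot: the manifest in the kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.5.0.yaml line is fetched from the master branch of kubernetes/kops, so what readers apply can change or disappear after this page is published; pin the URL to a tag or commit hash so the example deploys the exact manifest it was written against.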
@ -1251,9 +1231,8 @@ into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using g
<ol>
<li>Deploy the oauth2 proxy and the ingress rules running:</li>
</ol>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f oauth2-proxy.yaml,dashboard-ingress.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f oauth2-proxy.yaml,dashboard-ingress.yaml
</pre></div>
</td></tr></table>
<p>Test the oauth integration accessing the configured URL, like <code class="codehilite">https://foo.bar.com</code></p>
<p><img alt="Register OAuth2 Application" src="images/github-auth.png" /></p>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -963,18 +963,6 @@
<li class="md-nav__item">
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1144,9 +1132,8 @@
<h1 id="configuration-snippets">Configuration Snippets<a class="headerlink" href="#configuration-snippets" title="Permanent link">&para;</a></h1>
<h2 id="ingress">Ingress<a class="headerlink" href="#ingress" title="Permanent link">&para;</a></h2>
<p>The Ingress in this example adds a custom header to Nginx configuration that only applies to that specific Ingress. If you want to add headers that apply globally to all Ingresses, please have a look at <a href="/examples/customization/custom-headers/README">this example</a>.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl apply -f ingress.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl apply -f ingress.yaml
</pre></div>
</td></tr></table>
<h2 id="test">Test<a class="headerlink" href="#test" title="Permanent link">&para;</a></h2>
<p>Check if the contents of the annotation are present in the nginx.conf file using:
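Review bot: the link href="/examples/customization/custom-headers/README" is a root-absolute path to the Markdown source, while every other cross-reference in this page is a relative link to the rendered directory (for example ../custom-headers/); on the published site it will not resolve. Change it to ../custom-headers/ in the source so the rendered page links to the sibling example.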

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -927,18 +927,6 @@
<li class="md-nav__item">
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1085,15 +1073,7 @@
<h1 id="custom-configuration">Custom Configuration<a class="headerlink" href="#custom-configuration" title="Permanent link">&para;</a></h1>
<p>Using a <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/">ConfigMap</a> is possible to customize the NGINX configuration</p>
<p>For example, if we want to change the timeouts we need to create a ConfigMap:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8
9</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ cat configmap.yaml
<div class="codehilite"><pre><span></span>$ cat configmap.yaml
apiVersion: v1
data:
proxy-connect-timeout: <span class="s2">&quot;10&quot;</span>
@ -1103,13 +1083,10 @@ kind: ConfigMap
metadata:
name: nginx-configuration
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/customization/custom-configuration/configmap.yaml \
<div class="codehilite"><pre><span></span>curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/customization/custom-configuration/configmap.yaml \
| kubectl apply -f -
</pre></div>
</td></tr></table>
<p>If the Configmap it is updated, NGINX will be reloaded with the new configuration.</p>
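Review bot: the context line "If the Configmap it is updated, NGINX will be reloaded with the new configuration." carries a stray "it"; fix the source Markdown to "If the ConfigMap is updated, NGINX will be reloaded with the new configuration." so the next deploy picks it up.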

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -970,18 +970,6 @@
<li class="md-nav__item">
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1159,28 +1147,19 @@
<p>This example demonstrates how to use a custom backend to render custom error pages.</p>
<h2 id="customized-default-backend">Customized default backend<a class="headerlink" href="#customized-default-backend" title="Permanent link">&para;</a></h2>
<p>First, create the custom <code class="codehilite">default-backend</code>. It will be used by the Ingress controller later on.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl create -f custom-default-backend.yaml
<div class="codehilite"><pre><span></span>$ kubectl create -f custom-default-backend.yaml
service <span class="s2">&quot;nginx-errors&quot;</span> created
deployment.apps <span class="s2">&quot;nginx-errors&quot;</span> created
</pre></div>
</td></tr></table>
<p>This should have created a Deployment and a Service with the name <code class="codehilite">nginx-errors</code>.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl get deploy,svc
<div class="codehilite"><pre><span></span>$ kubectl get deploy,svc
NAME DESIRED CURRENT READY AGE
deployment.apps/nginx-errors <span class="m">1</span> <span class="m">1</span> <span class="m">1</span> 10s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE
service/nginx-errors ClusterIP <span class="m">10</span>.0.0.12 &lt;none&gt; <span class="m">80</span>/TCP 10s
</pre></div>
</td></tr></table>
<h2 id="ingress-controller-configuration">Ingress controller configuration<a class="headerlink" href="#ingress-controller-configuration" title="Permanent link">&para;</a></h2>
<p>If you do not already have an instance of the NGINX Ingress controller running, deploy it according to the
@ -1195,13 +1174,10 @@ service/nginx-errors ClusterIP <span class="m">10</span>.0.0.12 &lt;none&g
</li>
<li>
<p>Take note of the IP address assigned to the NGINX Ingress controller Service.
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl get svc ingress-nginx
<div class="codehilite"><pre><span></span>$ kubectl get svc ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE
ingress-nginx ClusterIP <span class="m">10</span>.0.0.13 &lt;none&gt; <span class="m">80</span>/TCP,443/TCP 10m
</pre></div>
</td></tr></table></p>
</pre></div></p>
</li>
</ol>
<div class="admonition note">
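Review bot: the replacement </pre></div></p> shows the kubectl get svc ingress-nginx code block is still emitted inside the <p> that wraps "Take note of the IP address...", i.e. a block-level <div> nested in a paragraph inside the <li>; browsers auto-close the <p> and the list item renders inconsistently with the others. In the Markdown source, put a blank line between that sentence and the fence (keeping the list indentation) so the block is rendered as a sibling of the paragraph rather than inside it.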
@ -1212,15 +1188,7 @@ Make sure you can use the Service to reach NGINX before proceeding with the rest
<h2 id="testing-error-pages">Testing error pages<a class="headerlink" href="#testing-error-pages" title="Permanent link">&para;</a></h2>
<p>Let us send a couple of HTTP requests using cURL and validate everything is working as expected.</p>
<p>A request to the default backend returns a 404 error with a custom message:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8
9</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -D- http://10.0.0.13/
<div class="codehilite"><pre><span></span>$ curl -D- http://10.0.0.13/
HTTP/1.1 404 Not Found
Server: nginx/1.13.12
Date: Tue, 12 Jun 2018 19:11:24 GMT
@ -1230,19 +1198,9 @@ Connection: keep-alive
<span class="nt">&lt;span&gt;</span>The page you&#39;re looking for could not be found.<span class="nt">&lt;/span&gt;</span>
</pre></div>
</td></tr></table>
<p>A request with a custom <code class="codehilite">Accept</code> header returns the corresponding document type (JSON):</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -D- -H <span class="s1">&#39;Accept: application/json&#39;</span> http://10.0.0.13/
<div class="codehilite"><pre><span></span>$ curl -D- -H <span class="s1">&#39;Accept: application/json&#39;</span> http://10.0.0.13/
HTTP/1.1 <span class="m">404</span> Not Found
Server: nginx/1.13.12
Date: Tue, <span class="m">12</span> Jun <span class="m">2018</span> <span class="m">19</span>:12:36 GMT
@ -1253,7 +1211,6 @@ Vary: Accept-Encoding
<span class="o">{</span> <span class="s2">&quot;message&quot;</span>: <span class="s2">&quot;The page you&#39;re looking for could not be found&quot;</span> <span class="o">}</span>
</pre></div>
</td></tr></table>
<p>To go further with this example, feel free to deploy your own applications and Ingress objects, and validate that the
responses are still in the correct format when a backend returns 503 (eg. if you scale a Deployment down to 0 replica).</p>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -956,18 +956,6 @@
<li class="md-nav__item">
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1131,17 +1119,12 @@
<p>This example aims to demonstrate the deployment of an nginx ingress controller and
use a ConfigMap to configure a custom list of headers to be passed to the upstream
server</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/customization/custom-headers/configmap.yaml \</span>
<div class="codehilite"><pre><span></span><span class="go">curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/customization/custom-headers/configmap.yaml \</span>
<span class="go"> | kubectl apply -f -</span>
<span class="go">curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/customization/custom-headers/custom-headers.yaml \</span>
<span class="go"> | kubectl apply -f -</span>
</pre></div>
</td></tr></table>
<h2 id="test">Test<a class="headerlink" href="#test" title="Permanent link">&para;</a></h2>
<p>Check the contents of the configmap is present in the nginx.conf file using:
@ -1181,13 +1164,13 @@ server</p>
</a>
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-flex md-footer-nav__link md-footer-nav__link--next" rel="next">
<a href="../external-auth-headers/" title="External authentication" class="md-flex md-footer-nav__link md-footer-nav__link--next" rel="next">
<div class="md-flex__cell md-flex__cell--stretch md-footer-nav__title">
<span class="md-flex__ellipsis">
<span class="md-footer-nav__direction">
Next
</span>
Custom Upstream server checks
External authentication
</span>
</div>
<div class="md-flex__cell md-flex__cell--shrink">

File diff suppressed because it is too large

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -917,18 +917,6 @@
<li class="md-nav__item">
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
@ -1097,25 +1085,7 @@ to backend service.</p>
</ul>
<p>You can deploy the controller as
follows:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f deploy/
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f deploy/
<span class="go">deployment &quot;demo-auth-service&quot; created</span>
<span class="go">service &quot;demo-auth-service&quot; created</span>
<span class="go">ingress &quot;demo-auth-service&quot; created</span>
@ -1135,27 +1105,9 @@ follows:</p>
<span class="go">public-demo-echo-service public-demo-echo-service.kube.local 80 1m</span>
<span class="go">secure-demo-echo-service secure-demo-echo-service.kube.local 80 1m</span>
</pre></div>
</td></tr></table>
<p>Test 1: public service with no auth header</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: public-demo-echo-service.kube.local&#39;</span> -v <span class="m">192</span>.168.99.100
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: public-demo-echo-service.kube.local&#39;</span> -v <span class="m">192</span>.168.99.100
<span class="go">* Rebuilt URL to: 192.168.99.100/</span>
<span class="go">* Trying 192.168.99.100...</span>
<span class="go">* Connected to 192.168.99.100 (192.168.99.100) port 80 (#0)</span>
@ -1174,33 +1126,9 @@ follows:</p>
<span class="go">* Connection #0 to host 192.168.99.100 left intact</span>
<span class="go">UserID: , UserRole:</span>
</pre></div>
</td></tr></table>
<p>Test 2: secure service with no auth header</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: secure-demo-echo-service.kube.local&#39;</span> -v <span class="m">192</span>.168.99.100
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: secure-demo-echo-service.kube.local&#39;</span> -v <span class="m">192</span>.168.99.100
<span class="go">* Rebuilt URL to: 192.168.99.100/</span>
<span class="go">* Trying 192.168.99.100...</span>
<span class="go">* Connected to 192.168.99.100 (192.168.99.100) port 80 (#0)</span>
@ -1225,28 +1153,9 @@ follows:</p>
<span class="go">&lt;/html&gt;</span>
<span class="go">* Connection #0 to host 192.168.99.100 left intact</span>
</pre></div>
</td></tr></table>
<p>Test 3: public service with valid auth header</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: public-demo-echo-service.kube.local&#39;</span> -H <span class="s1">&#39;User:internal&#39;</span> -v <span class="m">192</span>.168.99.100
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: public-demo-echo-service.kube.local&#39;</span> -H <span class="s1">&#39;User:internal&#39;</span> -v <span class="m">192</span>.168.99.100
<span class="go">* Rebuilt URL to: 192.168.99.100/</span>
<span class="go">* Trying 192.168.99.100...</span>
<span class="go">* Connected to 192.168.99.100 (192.168.99.100) port 80 (#0)</span>
@ -1266,28 +1175,9 @@ follows:</p>
<span class="go">* Connection #0 to host 192.168.99.100 left intact</span>
<span class="go">UserID: 1443635317331776148, UserRole: admin</span>
</pre></div>
</td></tr></table>
<p>Test 4: public service with valid auth header</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: secure-demo-echo-service.kube.local&#39;</span> -H <span class="s1">&#39;User:internal&#39;</span> -v <span class="m">192</span>.168.99.100
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -H <span class="s1">&#39;Host: secure-demo-echo-service.kube.local&#39;</span> -H <span class="s1">&#39;User:internal&#39;</span> -v <span class="m">192</span>.168.99.100
<span class="go">* Rebuilt URL to: 192.168.99.100/</span>
<span class="go">* Trying 192.168.99.100...</span>
<span class="go">* Connected to 192.168.99.100 (192.168.99.100) port 80 (#0)</span>
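Review bot: the heading "Test 4: public service with valid auth header" does not match the request beneath it, which sends Host: secure-demo-echo-service.kube.local, and it duplicates the Test 3 heading. Rename it to "Test 4: secure service with valid auth header" so the four cases read public/no header, secure/no header, public/header, secure/header, which is what the curl commands actually exercise.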
@ -1307,7 +1197,6 @@ follows:</p>
<span class="go">* Connection #0 to host 192.168.99.100 left intact</span>
<span class="go">UserID: 605394647632969758, UserRole: admin</span>
</pre></div>
</td></tr></table>
@ -1328,7 +1217,7 @@ follows:</p>
<div class="md-footer-nav">
<nav class="md-footer-nav__inner md-grid">
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-flex md-footer-nav__link md-footer-nav__link--prev" rel="prev">
<a href="../custom-headers/" title="Custom Headers" class="md-flex md-footer-nav__link md-footer-nav__link--prev" rel="prev">
<div class="md-flex__cell md-flex__cell--shrink">
<i class="md-icon md-icon--arrow-back md-footer-nav__button"></i>
</div>
@ -1337,7 +1226,7 @@ follows:</p>
<span class="md-footer-nav__direction">
Previous
</span>
Custom Upstream server checks
Custom Headers
</span>
</div>
</a>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -918,18 +918,6 @@
<li class="md-nav__item">
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1160,17 +1148,7 @@
use a ConfigMap to configure custom Diffie-Hellman parameters file to help with
"Perfect Forward Secrecy".</p>
<h2 id="custom-configuration">Custom configuration<a class="headerlink" href="#custom-configuration" title="Permanent link">&para;</a></h2>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> cat configmap.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> cat configmap.yaml
<span class="go">apiVersion: v1</span>
<span class="go">data:</span>
<span class="go"> ssl-dh-param: &quot;ingress-nginx/lb-dhparam&quot;</span>
@ -1182,30 +1160,16 @@ use a ConfigMap to configure custom Diffie-Hellman parameters file to help with
<span class="go"> app.kubernetes.io/name: ingress-nginx</span>
<span class="go"> app.kubernetes.io/part-of: ingress-nginx</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f configmap.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f configmap.yaml
</pre></div>
</td></tr></table>
<h2 id="custom-dh-parameters-secret">Custom DH parameters secret<a class="headerlink" href="#custom-dh-parameters-secret" title="Permanent link">&para;</a></h2>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span>&gt; openssl dhparam <span class="m">1024</span> <span class="m">2</span>&gt; /dev/null <span class="p">|</span> base64
<div class="codehilite"><pre><span></span><span class="gp">$</span>&gt; openssl dhparam <span class="m">1024</span> <span class="m">2</span>&gt; /dev/null <span class="p">|</span> base64
<span class="go">LS0tLS1CRUdJTiBESCBQQVJBTUVURVJ...</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> cat ssl-dh-param.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> cat ssl-dh-param.yaml
<span class="go">apiVersion: v1</span>
<span class="go">data:</span>
<span class="go"> dhparam.pem: &quot;LS0tLS1CRUdJTiBESCBQQVJBTUVURVJ...&quot;</span>
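Review bot: the example generates 1024-bit parameters (openssl dhparam 1024), which is below the 2048-bit minimum generally recommended for DHE key exchange and undercuts the "Perfect Forward Secrecy" goal the example states; use openssl dhparam 2048 (or larger) in the block so readers do not copy a weak group into their ingress-nginx/lb-dhparam secret. The prompt $> on that line also differs from the plain $ used in every other block on the page.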
@ -1217,11 +1181,9 @@ use a ConfigMap to configure custom Diffie-Hellman parameters file to help with
<span class="go"> app.kubernetes.io/name: ingress-nginx</span>
<span class="go"> app.kubernetes.io/part-of: ingress-nginx</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f ssl-dh-param.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f ssl-dh-param.yaml
</pre></div>
</td></tr></table>
<h2 id="test">Test<a class="headerlink" href="#test" title="Permanent link">&para;</a></h2>
<p>Check the contents of the configmap is present in the nginx.conf file using:

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -918,18 +918,6 @@
<li class="md-nav__item">
<a href="../custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1085,9 +1073,8 @@
<h1 id="sysctl-tuning">Sysctl tuning<a class="headerlink" href="#sysctl-tuning" title="Permanent link">&para;</a></h1>
<p>This example aims to demonstrate the use of an Init Container to adjust sysctl default values
using <code class="codehilite">kubectl patch</code></p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl patch deployment -n ingress-nginx nginx-ingress-controller --patch=&quot;$(cat patch.json)&quot;</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl patch deployment -n ingress-nginx nginx-ingress-controller --patch=&quot;$(cat patch.json)&quot;</span>
</pre></div>
</td></tr></table>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -916,18 +916,6 @@
<li class="md-nav__item">
<a href="../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1183,9 +1171,8 @@
<p>This example demonstrates how to deploy a <a href="https://github.com/docker/distribution">docker registry</a> in the cluster and configure Ingress enable access from Internet</p>
<h2 id="deployment">Deployment<a class="headerlink" href="#deployment" title="Permanent link">&para;</a></h2>
<p>First we deploy the docker registry in the cluster:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/deployment.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/deployment.yaml</span>
</pre></div>
</td></tr></table>
<div class="admonition important">
<p class="admonition-title">Important</p>
@ -1195,9 +1182,8 @@
<p>The next required step is creation of the ingress rules. To do this we have two options: with and without TLS</p>
<h3 id="without-tls">Without TLS<a class="headerlink" href="#without-tls" title="Permanent link">&para;</a></h3>
<p>Download and edit the yaml deployment replacing <code class="codehilite">registry.&lt;your domain&gt;</code> with a valid DNS name pointing to the ingress controller:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/ingress-without-tls.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/ingress-without-tls.yaml</span>
</pre></div>
</td></tr></table>
<div class="admonition important">
<p class="admonition-title">Important</p>
@ -1206,20 +1192,16 @@
<p>Please check <a href="https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry">deploy a plain http registry</a></p>
<h3 id="with-tls">With TLS<a class="headerlink" href="#with-tls" title="Permanent link">&para;</a></h3>
<p>Download and edit the yaml deployment replacing <code class="codehilite">registry.&lt;your domain&gt;</code> with a valid DNS name pointing to the ingress controller:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/ingress-with-tls.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/docker-registry/ingress-with-tls.yaml</span>
</pre></div>
</td></tr></table>
<p>Deploy <a href="https://github.com/jetstack/kube-lego">kube lego</a> use <a href="https://letsencrypt.org/">Let's Encrypt</a> certificates or edit the ingress rule to use a secret with an existing SSL certificate.</p>
<h3 id="testing">Testing<a class="headerlink" href="#testing" title="Permanent link">&para;</a></h3>
<p>To test the registry is working correctly we download a known image from <a href="https://hub.docker.com">docker hub</a>, create a tag pointing to the new registry and upload the image:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">docker pull ubuntu:16.04</span>
<div class="codehilite"><pre><span></span><span class="go">docker pull ubuntu:16.04</span>
<span class="go">docker tag ubuntu:16.04 `registry.&lt;your domain&gt;/ubuntu:16.04`</span>
<span class="go">docker push `registry.&lt;your domain&gt;/ubuntu:16.04`</span>
</pre></div>
</td></tr></table>
<p>Please replace <code class="codehilite">registry.&lt;your domain&gt;</code> with your domain.</p>
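Review bot: the backticks around the image name in the docker tag ubuntu:16.04 `registry.<your domain>/ubuntu:16.04` line and the matching docker push line are Markdown residue inside a fenced block; a shell treats backticks as command substitution, so the command fails or runs something unintended. Drop them so the lines read docker tag ubuntu:16.04 registry.<your domain>/ubuntu:16.04 and docker push registry.<your domain>/ubuntu:16.04.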

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -916,18 +916,6 @@
<li class="md-nav__item">
<a href="../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1228,51 +1216,42 @@ nginx controller.</p>
application provided here as an example. </li>
</ol>
<h3 id="step-1-kubernetes-deployment">Step 1: kubernetes <code class="codehilite">Deployment</code><a class="headerlink" href="#step-1-kubernetes-deployment" title="Permanent link">&para;</a></h3>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl create -f app.yaml
<div class="codehilite"><pre><span></span>$ kubectl create -f app.yaml
</pre></div>
</td></tr></table>
<p>This is a standard kubernetes deployment object. It is running a grpc service
listening on port <code class="codehilite">50051</code>.</p>
<p>The sample application
<a href="https://github.com/kubernetes/ingress-nginx/images/grpc-fortune-teller">fortune-teller-app</a>
is a grpc server implemented in go. Here's the stripped-down implementation:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="kd">func</span> <span class="nx">main</span><span class="p">()</span> <span class="p">{</span>
<div class="codehilite"><pre><span></span><span class="kd">func</span> <span class="nx">main</span><span class="p">()</span> <span class="p">{</span>
<span class="nx">grpcServer</span> <span class="o">:=</span> <span class="nx">grpc</span><span class="p">.</span><span class="nx">NewServer</span><span class="p">()</span>
<span class="nx">fortune</span><span class="p">.</span><span class="nx">RegisterFortuneTellerServer</span><span class="p">(</span><span class="nx">grpcServer</span><span class="p">,</span> <span class="o">&amp;</span><span class="nx">FortuneTeller</span><span class="p">{})</span>
<span class="nx">lis</span><span class="p">,</span> <span class="nx">_</span> <span class="o">:=</span> <span class="nx">net</span><span class="p">.</span><span class="nx">Listen</span><span class="p">(</span><span class="s">&quot;tcp&quot;</span><span class="p">,</span> <span class="s">&quot;:50051&quot;</span><span class="p">)</span>
<span class="nx">grpcServer</span><span class="p">.</span><span class="nx">Serve</span><span class="p">(</span><span class="nx">lis</span><span class="p">)</span>
<span class="p">}</span>
</pre></div>
</td></tr></table>
<p>The takeaway is that we are not doing any TLS configuration on the server (as we
are terminating TLS at the ingress level, grpc traffic will travel unencrypted
inside the cluster and arrive "insecure").</p>
<p>For your own application you may or may not want to do this. If you prefer to
forward encrypted traffic to your POD and terminate TLS at the gRPC server
itself, add the ingress annotation <code class="codehilite">nginx.ingress.kubernetes.io/secure-backends:&quot;true&quot;</code>.</p>
itself, add the ingress annotation <code class="codehilite">nginx.ingress.kubernetes.io/backend-protocol: &quot;GRPCS&quot;</code>.</p>
<h3 id="step-2-the-kubernetes-service">Step 2: the kubernetes <code class="codehilite">Service</code><a class="headerlink" href="#step-2-the-kubernetes-service" title="Permanent link">&para;</a></h3>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl create -f svc.yaml
<div class="codehilite"><pre><span></span>$ kubectl create -f svc.yaml
</pre></div>
</td></tr></table>
<p>Here we have a typical service. Nothing special, just routing traffic to the
backend application on port <code class="codehilite">50051</code>.</p>
<h3 id="step-3-the-kubernetes-ingress">Step 3: the kubernetes <code class="codehilite">Ingress</code><a class="headerlink" href="#step-3-the-kubernetes-ingress" title="Permanent link">&para;</a></h3>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl create -f ingress.yaml
<div class="codehilite"><pre><span></span>$ kubectl create -f ingress.yaml
</pre></div>
</td></tr></table>
<p>A few things to note:</p>
<ol>
<li>We've tagged the ingress with the annotation
<code class="codehilite">nginx.ingress.kubernetes.io/grpc-backend: &quot;true&quot;</code>. This is the magic
<code class="codehilite">nginx.ingress.kubernetes.io/backend-protocol: &quot;GRPC&quot;</code>. This is the magic
ingredient that sets up the appropriate nginx configuration to route http/2
traffic to our service.</li>
<li>We're terminating TLS at the ingress and have configured an SSL certificate
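Review bot: the substantive change in this hunk is the annotation rename, which is easy to miss under the code-table reformatting: `nginx.ingress.kubernetes.io/secure-backends: "true"` becomes `nginx.ingress.kubernetes.io/backend-protocol: "GRPCS"` at L1453-L1454, and `nginx.ingress.kubernetes.io/grpc-backend: "true"` becomes `nginx.ingress.kubernetes.io/backend-protocol: "GRPC"` at L1470-L1471. The two values differ in exactly the property the prose at L1448-L1453 describes: with `GRPC` the controller terminates TLS and the hop to the pod is unencrypted inside the cluster, with `GRPCS` TLS is kept up to the gRPC server. Since readers who copied the old keys from an earlier version of this page will not find them here, one sentence saying that `backend-protocol` supersedes `grpc-backend` and `secure-backends` would help. Minor: the sample server at L1443 discards the `net.Listen` error (`lis, _ :=`), which is acceptable for a stripped-down listing but worth a comment so it is not copied as is.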
@ -1284,15 +1263,11 @@ backend application on port <code class="codehilite">50051</code>.</p>
<p>Once we've applied our configuration to kubernetes, it's time to test that we
can actually talk to the backend. To do this, we'll use the
<a href="https://github.com/fullstorydev/grpcurl">grpcurl</a> utility:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ grpcurl fortune-teller.stack.build:443 build.stack.fortune.FortuneTeller/Predict
<div class="codehilite"><pre><span></span>$ grpcurl fortune-teller.stack.build:443 build.stack.fortune.FortuneTeller/Predict
<span class="o">{</span>
<span class="s2">&quot;message&quot;</span>: <span class="s2">&quot;Let us endeavor so to live that when we come to die even the undertaker will be sorry.\n\t\t-- Mark Twain, \&quot;Pudd&#39;nhead Wilson&#39;s Calendar\&quot;&quot;</span>
<span class="o">}</span>
</pre></div>
</td></tr></table>
<h3 id="debugging-hints">Debugging Hints<a class="headerlink" href="#debugging-hints" title="Permanent link">&para;</a></h3>
<ol>
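Review bot: no content change in this hunk, only the line-number gutter is dropped (`codehilitetable` at L1479-L1482 replaced by the plain `codehilite` div at L1483). The `grpcurl fortune-teller.stack.build:443 ...` call at L1483 passes neither `-insecure` nor `-plaintext`, so it performs normal TLS certificate verification against the ingress endpoint; that is the right default for a validation step and should stay that way.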

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
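Review bot: this nav hunk replaces the "Exposing TCP and UDP services" link (L1496-L1497) with "Regular expressions in paths" (L1498-L1499) rather than adding the new entry next to it; the hunk header (-8/+8) confirms a one-for-one swap. Nothing in this commit removes the TCP/UDP page itself, so confirm it still appears elsewhere in the navigation, otherwise it is reachable only by direct URL. The same swap is repeated in every page's nav in this commit, which is expected for generated site output.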
@ -925,18 +925,6 @@
<li class="md-nav__item">
<a href="customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1155,12 +1143,6 @@ Please review the <a href="PREREQUISITES/">prerequisites</a> before trying them.
</tr>
<tr>
<td>Customization</td>
<td><a href="customization/custom-upstream-check/">Custom upstream check</a></td>
<td>TODO</td>
<td>TODO</td>
</tr>
<tr>
<td>Customization</td>
<td><a href="customization/external-auth-headers/">External authentication with response header propagation</a></td>
<td>TODO</td>
<td>TODO</td>
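Review bot: the examples index loses its "Custom upstream check" row (L1514-L1518), which is consistent with the nav removal in the earlier hunks, but this table was the canonical link to `customization/custom-upstream-check/`, so the same question applies: is the page deleted, and if so is there a redirect? The neighbouring "External authentication with response header propagation" row at L1520-L1523 still carries `TODO` in both status columns, as the removed row did; if rows are being pruned, that one needs real values or the columns should go.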

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -916,18 +916,6 @@
<li class="md-nav__item">
<a href="../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1088,48 +1076,7 @@
<li>Create <a href="multi-tls.yaml">multi-tls.yaml</a></li>
</ol>
<p>This should generate a segment like:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl <span class="nb">exec</span> -it nginx-ingress-controller-6vwd1 -- cat /etc/nginx/nginx.conf <span class="p">|</span> grep <span class="s2">&quot;foo.bar.com&quot;</span> -B <span class="m">7</span> -A <span class="m">35</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl <span class="nb">exec</span> -it nginx-ingress-controller-6vwd1 -- cat /etc/nginx/nginx.conf <span class="p">|</span> grep <span class="s2">&quot;foo.bar.com&quot;</span> -B <span class="m">7</span> -A <span class="m">35</span>
<span class="go"> server {</span>
<span class="go"> listen 80;</span>
<span class="go"> listen 443 ssl http2;</span>
@ -1171,46 +1118,9 @@
<span class="go"> proxy_pass http://default-http-svc-80;</span>
<span class="go"> }</span>
</pre></div>
</td></tr></table></p>
</pre></div></p>
<p>And you should be able to reach your nginx service or http-svc service using a hostname switch:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ing
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ing
<span class="go">NAME RULE BACKEND ADDRESS AGE</span>
<span class="go">foo-tls - 104.154.30.67 13m</span>
<span class="go"> foo.bar.com</span>
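Review bot: the markup closed at L1598-L1599 (`</td></tr></table></p>` before, `</pre></div></p>` after) is invalid HTML independently of the table-to-div change: the block is opened inside a paragraph (`<p>This should generate a segment like:` at L1547 and `<p>And you should be able to reach ... using a hostname switch:` at L1600), and a `<p>` cannot contain a `<div>` or `<table>`, so browsers implicitly close the paragraph before the block and the trailing `</p>` is stray. Because this is generated output, the fix belongs in the source markdown: a blank line between the introductory sentence and the code fence. The same pattern recurs in other pages of this commit.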
@ -1247,8 +1157,7 @@
<span class="gp">$</span> curl <span class="m">104</span>.154.30.67
<span class="go">default backend - 404</span>
</pre></div>
</td></tr></table></p>
</pre></div></p>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -916,18 +916,6 @@
<li class="md-nav__item">
<a href="../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1250,24 +1238,7 @@ and that you have an ingress controller <a href="../../deploy">running</a> in yo
<h2 id="validation">Validation<a class="headerlink" href="#validation" title="Permanent link">&para;</a></h2>
<h3 id="rewrite-target">Rewrite Target<a class="headerlink" href="#rewrite-target" title="Permanent link">&para;</a></h3>
<p>Create an Ingress rule with a rewrite annotation:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">echo</span> <span class="s2">&quot;</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">echo</span> <span class="s2">&quot;</span>
<span class="go">apiVersion: extensions/v1beta1</span>
<span class="go">kind: Ingress</span>
<span class="go">metadata:</span>
@ -1286,48 +1257,9 @@ and that you have an ingress controller <a href="../../deploy">running</a> in yo
<span class="go"> path: /something</span>
<span class="go">&quot; | kubectl create -f -</span>
</pre></div>
</td></tr></table>
<p>Check the rewrite is working</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -v http://172.17.4.99/something -H <span class="s1">&#39;Host: rewrite.bar.com&#39;</span>
<div class="codehilite"><pre><span></span>$ curl -v http://172.17.4.99/something -H <span class="s1">&#39;Host: rewrite.bar.com&#39;</span>
* Trying <span class="m">172</span>.17.4.99...
* Connected to <span class="m">172</span>.17.4.99 <span class="o">(</span><span class="m">172</span>.17.4.99<span class="o">)</span> port <span class="m">80</span> <span class="o">(</span><span class="c1">#0)</span>
&gt; GET /something HTTP/1.1
@ -1367,28 +1299,10 @@ BODY:
* Connection <span class="c1">#0 to host 172.17.4.99 left intact</span>
-no body in request-
</pre></div>
</td></tr></table>
<h3 id="app-root">App Root<a class="headerlink" href="#app-root" title="Permanent link">&para;</a></h3>
<p>Create an Ingress rule with a app-root annotation:
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s2">&quot;</span>
<div class="codehilite"><pre><span></span>$ <span class="nb">echo</span> <span class="s2">&quot;</span>
<span class="s2">apiVersion: extensions/v1beta1</span>
<span class="s2">kind: Ingress</span>
<span class="s2">metadata:</span>
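Review bot: "Create an Ingress rule with a app-root annotation:" at L1749 should read "an app-root", and the same line opens a `<p>` that the code block at L1750/L1767 sits inside, so the paragraph is closed implicitly by the browser and the `</p>` emitted after the block in the following hunk is stray; both are source markdown fixes (article, plus a blank line before the fence). Otherwise this hunk only drops the line-number gutter.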
@ -1406,17 +1320,9 @@ BODY:
<span class="s2"> servicePort: 80</span>
<span class="s2"> path: /</span>
<span class="s2">&quot;</span> <span class="p">|</span> kubectl create -f -
</pre></div>
</td></tr></table></p>
</pre></div></p>
<p>Check the rewrite is working</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -I -k http://approot.bar.com/
<div class="codehilite"><pre><span></span>$ curl -I -k http://approot.bar.com/
HTTP/1.1 <span class="m">302</span> Moved Temporarily
Server: nginx/1.11.10
Date: Mon, <span class="m">13</span> Mar <span class="m">2017</span> <span class="m">14</span>:57:15 GMT
@ -1425,7 +1331,6 @@ Content-Length: <span class="m">162</span>
Location: http://stickyingress.example.com/app1
Connection: keep-alive
</pre></div>
</td></tr></table>
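Review bot: the `Location: http://stickyingress.example.com/app1` header at L1793 does not match the request host, since the request at L1788 is `curl -I -k http://approot.bar.com/`; an app-root redirect keeps the request host, so this output appears to have been pasted from a different (sticky-session) example, and the lead-in "Check the rewrite is working" at L1779 is likewise copied from the rewrite-target section above. Since the commit only reformats the block, the captured output should be regenerated against the `approot.bar.com` Ingress in the source markdown. Also, `-k` disables certificate verification; it is harmless for a plain `http://` request but is easy to carry over into the HTTPS case, so dropping it here keeps the example clean.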

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -916,18 +916,6 @@
<li class="md-nav__item">
<a href="../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1196,48 +1184,25 @@ nodes get static IPs, the IPs are not retained across upgrade.</p>
<p>To acquire a static IP for the nginx ingress controller, simply put it
behind a Service of <code class="codehilite">Type=LoadBalancer</code>.</p>
<p>First, create a loadbalancer Service and wait for it to acquire an IP</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f static-ip-svc.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f static-ip-svc.yaml
<span class="go">service &quot;nginx-ingress-lb&quot; created</span>
<span class="gp">$</span> kubectl get svc nginx-ingress-lb
<span class="go">NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE</span>
<span class="go">nginx-ingress-lb 10.0.138.113 104.154.109.191 80:31457/TCP,443:32240/TCP 15m</span>
</pre></div>
</td></tr></table>
<p>then, update the ingress controller so it adopts the static IP of the Service
by passing the <code class="codehilite">--publish-service</code> flag (the example yaml used in the next step
already has it set to "nginx-ingress-lb").</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f nginx-ingress-controller.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f nginx-ingress-controller.yaml
<span class="go">deployment &quot;nginx-ingress-controller&quot; created</span>
</pre></div>
</td></tr></table>
<h2 id="assigning-the-ip-to-an-ingress">Assigning the IP to an Ingress<a class="headerlink" href="#assigning-the-ip-to-an-ingress" title="Permanent link">&para;</a></h2>
<p>From here on every Ingress created with the <code class="codehilite">ingress.class</code> annotation set to
<code class="codehilite">nginx</code> will get the IP allocated in the previous step</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f nginx-ingress.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f nginx-ingress.yaml
<span class="go">ingress &quot;nginx-ingress&quot; created</span>
<span class="gp">$</span> kubectl get ing nginx-ingress
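Review bot: formatting-only hunk, but the sentence at L1834-L1836 introduces `--publish-service` and quotes its value as just "nginx-ingress-lb". The flag takes a namespace-qualified `namespace/name` value, so spelling out the qualified form in the prose (for example `default/nginx-ingress-lb`, assuming the Service at L1826-L1831 lives in `default`) would stop readers who deploy into another namespace from ending up with a controller that never reports an address for their Ingresses.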
@ -1254,19 +1219,10 @@ already has it set to "nginx-ingress-lb").</p>
<span class="go">request_uri=http://104.154.109.191:8080/</span>
<span class="go">...</span>
</pre></div>
</td></tr></table>
<h2 id="retaining-the-ip">Retaining the IP<a class="headerlink" href="#retaining-the-ip" title="Permanent link">&para;</a></h2>
<p>You can test retention by deleting the Ingress</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8
9</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl delete ing nginx-ingress
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl delete ing nginx-ingress
<span class="go">ingress &quot;nginx-ingress&quot; deleted</span>
<span class="gp">$</span> kubectl create -f nginx-ingress.yaml
@ -1276,7 +1232,6 @@ already has it set to "nginx-ingress-lb").</p>
<span class="go">NAME HOSTS ADDRESS PORTS AGE</span>
<span class="go">nginx-ingress * 104.154.109.191 80, 443 13m</span>
</pre></div>
</td></tr></table>
<blockquote>
<p>Note that unlike the GCE Ingress, the same loadbalancer IP is shared amongst all
@ -1285,29 +1240,14 @@ controllers.</p>
</blockquote>
<h2 id="promote-ephemeral-to-static-ip">Promote ephemeral to static IP<a class="headerlink" href="#promote-ephemeral-to-static-ip" title="Permanent link">&para;</a></h2>
<p>To promote the allocated IP to static, you can update the Service manifest</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl patch svc nginx-ingress-lb -p <span class="s1">&#39;{&quot;spec&quot;: {&quot;loadBalancerIP&quot;: &quot;104.154.109.191&quot;}}&#39;</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl patch svc nginx-ingress-lb -p <span class="s1">&#39;{&quot;spec&quot;: {&quot;loadBalancerIP&quot;: &quot;104.154.109.191&quot;}}&#39;</span>
<span class="go">&quot;nginx-ingress-lb&quot; patched</span>
</pre></div>
</td></tr></table>
<p>and promote the IP to static (promotion works differently for cloudproviders,
provided example is for GKE/GCE)
`
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> gcloud compute addresses create nginx-ingress-lb --addresses <span class="m">104</span>.154.109.191 --region us-central1
<div class="codehilite"><pre><span></span><span class="gp">$</span> gcloud compute addresses create nginx-ingress-lb --addresses <span class="m">104</span>.154.109.191 --region us-central1
<span class="go">Created [https://www.googleapis.com/compute/v1/projects/kubernetesdev/regions/us-central1/addresses/nginx-ingress-lb].</span>
<span class="go">---</span>
<span class="go">address: 104.154.109.191</span>
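Review bot: the lone backtick at L1903 is a leftover from the source markdown (an unmatched fence or inline-code marker) and is rendered literally as a stray "`" between the sentence at L1901-L1902 and the gcloud block; delete it in the source. That sentence also opens a `<p>` around the block (closed by the stray `</p>` at the end of the next hunk), so a blank line before the fence is needed as well. The promotion command itself, `gcloud compute addresses create nginx-ingress-lb --addresses 104.154.109.191 --region us-central1`, uses the same IP that was patched into the Service at L1896-L1898, which is the consistency check that matters here.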
@ -1321,8 +1261,7 @@ provided example is for GKE/GCE)
<span class="go">status: IN_USE</span>
<span class="go">users:</span>
<span class="go">- us-central1/forwardingRules/a09f6913ae80e11e6a8c542010af0000</span>
</pre></div>
</td></tr></table></p>
</pre></div></p>
<p>Now even if the Service is deleted, the IP will persist, so you can recreate the
Service with <code class="codehilite">spec.loadBalancerIP</code> set to <code class="codehilite">104.154.109.191</code>.</p>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -916,18 +916,6 @@
<li class="md-nav__item">
<a href="../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1158,61 +1146,37 @@
<h2 id="prerequisites">Prerequisites<a class="headerlink" href="#prerequisites" title="Permanent link">&para;</a></h2>
<p>You need a <a href="../PREREQUISITES/#tls-certificates">TLS cert</a> and a <a href="../PREREQUISITES/#test-http-service">test HTTP service</a> for this example.</p>
<h2 id="deployment">Deployment<a class="headerlink" href="#deployment" title="Permanent link">&para;</a></h2>
<p>Create a <code class="codehilite">values.yaml</code> file.</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">apiVersion</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">extensions/v1beta1</span>
<span class="l l-Scalar l-Scalar-Plain">kind</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">Ingress</span>
<span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">nginx-test</span>
<span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">tls</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">hosts</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">foo.bar.com</span>
<span class="c1"># This assumes tls-secret exists and the SSL </span>
<span class="c1"># certificate contains a CN for foo.bar.com</span>
<span class="l l-Scalar l-Scalar-Plain">secretName</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">tls-secret</span>
<span class="l l-Scalar l-Scalar-Plain">rules</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">host</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">foo.bar.com</span>
<span class="l l-Scalar l-Scalar-Plain">http</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">paths</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">path</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">/</span>
<span class="l l-Scalar l-Scalar-Plain">backend</span><span class="p p-Indicator">:</span>
<span class="c1"># This assumes http-svc exists and routes to healthy endpoints</span>
<span class="l l-Scalar l-Scalar-Plain">serviceName</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">http-svc</span>
<span class="l l-Scalar l-Scalar-Plain">servicePort</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">80</span>
</pre></div>
<p>The following command instructs the controller to terminate traffic using the provided
TLS cert, and forward un-encrypted HTTP traffic to the test HTTP service.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl apply -f ingress.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f ingress.yaml</span>
</pre></div>
</td></tr></table>
<h2 id="validation">Validation<a class="headerlink" href="#validation" title="Permanent link">&para;</a></h2>
<p>You can confirm that the Ingress works.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe ing nginx-test
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl describe ing nginx-test
<span class="go">Name: nginx-test</span>
<span class="go">Namespace: default</span>
<span class="go">Address: 104.198.183.6</span>
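Review bot: the sentence at L1955 says "Create a `values.yaml` file." but the manifest that follows (L1956-L1975) is an `Ingress` object and the command at L1979-L1980 applies `ingress.yaml`; the file name in the sentence should be `ingress.yaml`. Also, `kubectl apply -f ingress.yaml` is highlighted as program output (`class="go"`) because it lacks the `$` prompt the other console blocks in this commit use; adding the prompt in the source makes it render as a command like the rest. The manifest is otherwise consistent with the stated scenario: `secretName: tls-secret` under `tls` for `foo.bar.com`, backend `http-svc` on port `80`, so TLS terminates at the controller and the hop to the test service is plain HTTP, exactly as L1977-L1978 says.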
@ -1260,7 +1224,6 @@ TLS cert, and forward un-encrypted HTTP traffic to the test HTTP service.</p>
<span class="go">x-forwarded-proto=https</span>
<span class="go">BODY:</span>
</pre></div>
</td></tr></table>