Deploy GitHub Pages

Travis Bot 2018-10-12 01:21:45 +00:00
parent 8125e59d3f
commit c09357b854
51 changed files with 612 additions and 5095 deletions

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -927,18 +927,6 @@
<li class="md-nav__item">
<a href="../../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1085,33 +1073,18 @@
<h1 id="basic-authentication">Basic Authentication<a class="headerlink" href="#basic-authentication" title="Permanent link">&para;</a></h1>
<p>This example shows how to add authentication in a Ingress rule using a secret that contains a file generated with <code class="codehilite">htpasswd</code>.
It's important the file generated is named <code class="codehilite">auth</code> (actually - that the secret has a key <code class="codehilite">data.auth</code>), otherwise the ingress-controller returns a 503.</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> htpasswd -c auth foo
<div class="codehilite"><pre><span></span><span class="gp">$</span> htpasswd -c auth foo
<span class="go">New password: &lt;bar&gt;</span>
<span class="go">New password:</span>
<span class="go">Re-type new password:</span>
<span class="go">Adding password for user foo</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic basic-auth --from-file<span class="o">=</span>auth
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic basic-auth --from-file<span class="o">=</span>auth
<span class="go">secret &quot;basic-auth&quot; created</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7
8
9</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get secret basic-auth -o yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get secret basic-auth -o yaml
<span class="go">apiVersion: v1</span>
<span class="go">data:</span>
<span class="go"> auth: Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK</span>
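Review bot: The intro paragraph states the naming requirement twice and hedges with "actually"; the real constraint is that the secret carries a key named `auth`, and the file name only matters because `--from-file=auth` turns it into that key. Suggest saying that directly and changing "a Ingress" to "an Ingress". A sentence next to the `kubectl get secret` output would also help: the `auth` value is only the base64 encoding of the htpasswd line, so read access to the secret yields the password hash.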
@ -1121,30 +1094,8 @@ It's important the file generated is named <code class="codehilite">auth</code>
<span class="go"> namespace: default</span>
<span class="go">type: Opaque</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">echo &quot;</span>
<div class="codehilite"><pre><span></span><span class="go">echo &quot;</span>
<span class="go">apiVersion: extensions/v1beta1</span>
<span class="go">kind: Ingress</span>
<span class="go">metadata:</span>
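Review bot: The `echo "` line that opens the Ingress manifest is wrapped in `<span class="go">`, so the command is highlighted as program output, while the htpasswd and kubectl blocks mark the command with a `<span class="gp">$</span>` prompt. Adding the `$` prompt in the markdown source would make this block consistent with the others and make clear that it is typed by the reader.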
@ -1167,32 +1118,8 @@ It's important the file generated is named <code class="codehilite">auth</code>
<span class="go"> servicePort: 80</span>
<span class="go">&quot; | kubectl create -f -</span>
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -v http://10.2.29.4/ -H &#39;Host: foo.bar.com&#39;
<div class="codehilite"><pre><span></span>$ curl -v http://10.2.29.4/ -H &#39;Host: foo.bar.com&#39;
* Trying 10.2.29.4...
* Connected to 10.2.29.4 (10.2.29.4) port 80 (#0)
&gt; GET / HTTP/1.1
@ -1217,51 +1144,8 @@ It's important the file generated is named <code class="codehilite">auth</code>
<span class="nt">&lt;/html&gt;</span>
* Connection #0 to host 10.2.29.4 left intact
</pre></div>
</td></tr></table>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -v http://10.2.29.4/ -H <span class="s1">&#39;Host: foo.bar.com&#39;</span> -u <span class="s1">&#39;foo:bar&#39;</span>
<div class="codehilite"><pre><span></span>$ curl -v http://10.2.29.4/ -H <span class="s1">&#39;Host: foo.bar.com&#39;</span> -u <span class="s1">&#39;foo:bar&#39;</span>
* Trying <span class="m">10</span>.2.29.4...
* Connected to <span class="m">10</span>.2.29.4 <span class="o">(</span><span class="m">10</span>.2.29.4<span class="o">)</span> port <span class="m">80</span> <span class="o">(</span><span class="c1">#0)</span>
* Server auth using Basic with user <span class="s1">&#39;foo&#39;</span>
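Review bot: The authenticated request sends `-u 'foo:bar'` to `http://10.2.29.4/` on port 80, so the example shows Basic credentials travelling without TLS. Suggest either switching the example to an HTTPS host or adding a sentence that Basic authentication is only base64 encoded and should be served over TLS.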
@ -1305,7 +1189,6 @@ BODY:
* Connection <span class="c1">#0 to host 10.2.29.4 left intact</span>
-no body in request-
</pre></div>
</td></tr></table>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -838,8 +838,8 @@
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#setup-instructions" title="Setup instructions" class="md-nav__link">
Setup instructions
<a href="#setup-instructions" title="Setup Instructions" class="md-nav__link">
Setup Instructions
</a>
</li>
@ -956,18 +956,6 @@
<li class="md-nav__item">
<a href="../../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1102,8 +1090,8 @@
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="#setup-instructions" title="Setup instructions" class="md-nav__link">
Setup instructions
<a href="#setup-instructions" title="Setup Instructions" class="md-nav__link">
Setup Instructions
</a>
</li>
@ -1128,18 +1116,19 @@
<h1 id="client-certificate-authentication">Client Certificate Authentication<a class="headerlink" href="#client-certificate-authentication" title="Permanent link">&para;</a></h1>
<p>It is possible to enable Client Certificate Authentication using additional annotations in the Ingress.</p>
<h2 id="setup-instructions">Setup instructions<a class="headerlink" href="#setup-instructions" title="Permanent link">&para;</a></h2>
<p>It is possible to enable Client Certificate Authentication using additional annotations in Ingress resources, created by you.</p>
<h2 id="setup-instructions">Setup Instructions<a class="headerlink" href="#setup-instructions" title="Permanent link">&para;</a></h2>
<ol>
<li>
<p>Create a file named <code class="codehilite">ca.crt</code> containing the trusted certificate authority chain (all ca certificates in PEM format) to verify client certificates. </p>
<p>Create a file named <code class="codehilite">ca.crt</code> containing the trusted certificate authority chain to verify client certificates. All of the certificates must be in PEM format.<br />
<em>NB:</em> The file containing the trusted certificates must be named <code class="codehilite">ca.crt</code> exactly - this is expected to be found in the secret.</p>
</li>
<li>
<p>Create a secret from this file:
<p>Create a secret from this file:<br />
<code class="codehilite">kubectl create secret generic auth-tls-chain --from-file=ca.crt --namespace=default</code></p>
</li>
<li>
<p>Add the annotations as provided in the <a href="ingress.yaml">ingress.yaml</a> example to your ingress object.</p>
<p>Add the annotations as provided in the <a href="ingress.yaml">ingress.yaml</a> example to your own ingress resources as required.</p>
</li>
</ol>
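Review bot: The NB in step 1 says the file must be named `ca.crt`, but what is looked up is the key inside the secret; the file name matters only because `--from-file=ca.crt` uses it as the key. Suggest wording it as "the secret must contain a key named `ca.crt`". In the intro sentence, "Ingress resources, created by you" reads better as "your own Ingress resources".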

View file

@ -5,6 +5,7 @@ metadata:
# Enable client certificate authentication
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
# Create the secret containing the trusted ca certificates with `kubectl create secret generic auth-tls-chain --from-file=ca.crt --namespace=default`
# NB: The file _must_ be named "ca.crt" and nothing else. This filename is expected to be found in the secret.
nginx.ingress.kubernetes.io/auth-tls-secret: "default/auth-tls-chain"
# Specify the verification depth in the client certificates chain
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
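Review bot: The comment hard-codes `--namespace=default` and the annotation value is "default/auth-tls-chain", but nothing says that the value has the form namespace/name and that the two must agree. Suggest adding that to the comment above `auth-tls-secret`, so a reader who creates the secret in another namespace knows to change both.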

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -956,18 +956,6 @@
<li class="md-nav__item">
<a href="../../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1130,40 +1118,7 @@
<h1 id="external-basic-authentication">External Basic Authentication<a class="headerlink" href="#external-basic-authentication" title="Permanent link">&para;</a></h1>
<h3 id="example-1">Example 1:<a class="headerlink" href="#example-1" title="Permanent link">&para;</a></h3>
<p>Use an external service (Basic Auth) located in <code class="codehilite">https://httpbin.org</code> </p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ kubectl create -f ingress.yaml
<div class="codehilite"><pre><span></span>$ kubectl create -f ingress.yaml
ingress <span class="s2">&quot;external-auth&quot;</span> created
$ kubectl get ing external-auth
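Review bot: Example 1 points the auth backend at the public `https://httpbin.org` service without saying that this is for demonstration only. Since the tests that follow send a username and password through this Ingress to that service, suggest a sentence telling readers to substitute their own authentication endpoint outside of a demo. The heading "Example 1:" also carries a trailing colon that the page title above it does not.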
@ -1198,34 +1153,9 @@ status:
- ip: <span class="m">172</span>.17.4.99
$
</pre></div>
</td></tr></table>
<p>Test 1: no username/password (expect code 401)</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span>
<span class="go">* Rebuilt URL to: http://172.17.4.99/</span>
<span class="go">* Trying 172.17.4.99...</span>
<span class="go">* Connected to 172.17.4.99 (172.17.4.99) port 80 (#0)</span>
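Review bot: The Test 1 command passes `-k` to curl together with an `http://` URL; the flag only affects TLS certificate verification, so it does nothing here. Suggest dropping `-k` from the three test commands, or switching them to HTTPS if TLS is meant to be part of the example.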
@ -1251,52 +1181,9 @@ $
<span class="go">&lt;/html&gt;</span>
<span class="go">* Connection #0 to host 172.17.4.99 left intact</span>
</pre></div>
</td></tr></table>
<p>Test 2: valid username/password (expect code 200)
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>$ curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span> -u <span class="s1">&#39;user:passwd&#39;</span>
<div class="codehilite"><pre><span></span>$ curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span> -u <span class="s1">&#39;user:passwd&#39;</span>
* Rebuilt URL to: http://172.17.4.99/
* Trying <span class="m">172</span>.17.4.99...
* Connected to <span class="m">172</span>.17.4.99 <span class="o">(</span><span class="m">172</span>.17.4.99<span class="o">)</span> port <span class="m">80</span> <span class="o">(</span><span class="c1">#0)</span>
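Review bot: The "Test 2" paragraph is never closed before the code block: `<p>Test 2: valid username/password (expect code 200)` runs straight into `<div class="codehilite">`, unlike Test 1, whose line ends with `</p>`. This points to a missing blank line between the text and the code block in the markdown source; adding it would stop the block being nested inside the paragraph.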
@ -1339,37 +1226,9 @@ x-real-ip<span class="o">=</span><span class="m">10</span>.2.60.1
BODY:
* Connection <span class="c1">#0 to host 172.17.4.99 left intact</span>
-no body in request-
</pre></div>
</td></tr></table></p>
</pre></div></p>
<p>Test 3: invalid username/password (expect code 401)
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28</pre></div></td><td class="code"><div class="codehilite"><pre><span></span>curl -k http://172.17.4.99 -v -H &#39;Host: external-auth-01.sample.com&#39; -u &#39;user:user&#39;
<div class="codehilite"><pre><span></span>curl -k http://172.17.4.99 -v -H &#39;Host: external-auth-01.sample.com&#39; -u &#39;user:user&#39;
* Rebuilt URL to: http://172.17.4.99/
* Trying 172.17.4.99...
* Connected to 172.17.4.99 (172.17.4.99) port 80 (#0)
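Review bot: The Test 3 command at the top of its block has no `$` prompt and no highlighting spans, while Test 1 and Test 2 start with `$ curl`. Suggest adding the prompt in the source so the three tests render the same way. The unclosed `<p>Test 3: invalid username/password (expect code 401)` has the same missing blank line as Test 2.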
@ -1397,8 +1256,7 @@ BODY:
<span class="nt">&lt;/body&gt;</span>
<span class="nt">&lt;/html&gt;</span>
* Connection #0 to host 172.17.4.99 left intact
</pre></div>
</td></tr></table></p>
</pre></div></p>

View file

@ -596,8 +596,8 @@
<li class="md-nav__item">
<a href="../../../user-guide/exposing-tcp-udp-services/" title="Exposing TCP and UDP services" class="md-nav__link">
Exposing TCP and UDP services
<a href="../../../user-guide/ingress-path-matching/" title="Regular expressions in paths" class="md-nav__link">
Regular expressions in paths
</a>
</li>
@ -983,18 +983,6 @@
<li class="md-nav__item">
<a href="../../customization/custom-upstream-check/" title="Custom Upstream server checks" class="md-nav__link">
Custom Upstream server checks
</a>
</li>
<li class="md-nav__item">
<a href="../../customization/external-auth-headers/" title="External authentication" class="md-nav__link">
External authentication
@ -1196,13 +1184,7 @@ One Ingress object has no special annotations and handles authentication.</p>
authenticate against the first Ingress's endpoint, and can redirect <code class="codehilite">401</code>s to the
same endpoint.</p>
<p>Sample:</p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1
2
3
4
5
6
7</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="nn">...</span>
<div class="codehilite"><pre><span></span><span class="nn">...</span>
<span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">application</span>
<span class="l l-Scalar l-Scalar-Plain">annotations</span><span class="p p-Indicator">:</span>
@ -1210,7 +1192,6 @@ same endpoint.</p>
<span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/auth-signin</span><span class="p p-Indicator">:</span> <span class="s">&quot;https://$host/oauth2/start?rd=$escaped_request_uri&quot;</span>
<span class="nn">...</span>
</pre></div>
</td></tr></table>
<h3 id="example-oauth2-proxy-kubernetes-dashboard">Example: OAuth2 Proxy + Kubernetes-Dashboard<a class="headerlink" href="#example-oauth2-proxy-kubernetes-dashboard" title="Permanent link">&para;</a></h3>
<p>This example will show you how to deploy <a href="https://github.com/bitly/oauth2_proxy"><code class="codehilite">oauth2_proxy</code></a>
@ -1219,9 +1200,8 @@ into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using g
<ol>
<li>Install the kubernetes dashboard</li>
</ol>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.5.0.yaml</span>
<div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.5.0.yaml</span>
</pre></div>
</td></tr></table>
<ol>
<li>Create a <a href="https://github.com/settings/applications/new">custom Github OAuth application</a></li>
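Review bot: Step 1 applies the dashboard manifest straight from a raw.githubusercontent.com URL on the `master` branch of kubernetes/kops, a reference whose content can change after this page is published. Suggest pinning the URL to a tag or commit so readers apply the manifest the docs were written against.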
@ -1251,9 +1231,8 @@ into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using g
<ol>
<li>Deploy the oauth2 proxy and the ingress rules running:</li>
</ol>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span></span>1</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f oauth2-proxy.yaml,dashboard-ingress.yaml
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f oauth2-proxy.yaml,dashboard-ingress.yaml
</pre></div>
</td></tr></table>
<p>Test the oauth integration accessing the configured URL, like <code class="codehilite">https://foo.bar.com</code></p>
<p><img alt="Register OAuth2 Application" src="images/github-auth.png" /></p>
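Review bot: Each step sits in its own `<ol>` with a single `<li>` ("Install the kubernetes dashboard", "Create a custom Github OAuth application", "Deploy the oauth2 proxy and the ingress rules running:"), so every step renders as number 1. Indenting the code blocks under their list items in the markdown source would keep the steps in one ordered list.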