Deploy GitHub Pages
This commit is contained in:
parent
bc6e898a19
commit
cf75938808
56 changed files with 483 additions and 475 deletions
|
|
@ -1249,7 +1249,7 @@
|
|||
<a href="https://github.com/kubernetes/ingress-nginx/edit/master/docs/deploy/baremetal.md" title="Edit this page" class="md-icon md-content__icon"></a>
|
||||
|
||||
|
||||
<h1 id="bare-metal-considerations">Bare-metal considerations<a class="headerlink" href="#bare-metal-considerations" title="Permanent link">¶</a></h1>
|
||||
<h1 id="bare-metal-considerations">Bare-metal considerations<a class="headerlink" href="#bare-metal-considerations" title="Permanent link"> ¶</a></h1>
|
||||
<p>In traditional <em>cloud</em> environments, where network load balancers are available on-demand, a single Kubernetes manifest
|
||||
suffices to provide a single point of contact to the NGINX Ingress controller to external clients and, indirectly, to
|
||||
any application running inside the cluster. <em>Bare-metal</em> environments lack this commodity, requiring a slightly
|
||||
|
|
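Review bot: the only difference in each changed heading line here is a space inserted before the `¶` inside the `headerlink` anchor, and the commit header reports 483 additions and 475 deletions across 56 files, so this looks like output churn from the site generator rather than a content change. Suggest pinning the generator and theme versions used for the docs build so that deploy commits show only real edits and are easier to review.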
@ -1258,7 +1258,7 @@ different setup to offer the same kind of access to external consumers.</p>
|
|||
<img alt="Bare-metal environment" src="../../images/baremetal/baremetal_overview.jpg" /></p>
|
||||
<p>The rest of this document describes a few recommended approaches to deploying the NGINX Ingress controller inside a
|
||||
Kubernetes cluster running on bare-metal.</p>
|
||||
<h2 id="a-pure-software-solution-metallb">A pure software solution: MetalLB<a class="headerlink" href="#a-pure-software-solution-metallb" title="Permanent link">¶</a></h2>
|
||||
<h2 id="a-pure-software-solution-metallb">A pure software solution: MetalLB<a class="headerlink" href="#a-pure-software-solution-metallb" title="Permanent link"> ¶</a></h2>
|
||||
<p><a href="https://metallb.universe.tf/">MetalLB</a> provides a network load-balancer implementation for Kubernetes clusters that do not run on a
|
||||
supported cloud provider, effectively allowing the usage of LoadBalancer Services within any cluster.</p>
|
||||
<p>This section demonstrates how to use the <a href="https://metallb.universe.tf/tutorial/layer2/">Layer 2 configuration mode</a> of MetalLB together with the NGINX
|
||||
|
|
@ -1328,7 +1328,7 @@ the ports configured in the LoadBalancer Service:</p>
|
|||
traffic policy. Traffic policies are described in more details in <a href="https://metallb.universe.tf/usage/#traffic-policies">Traffic policies</a> as
|
||||
well as in the next section.</p>
|
||||
</div>
|
||||
<h2 id="over-a-nodeport-service">Over a NodePort Service<a class="headerlink" href="#over-a-nodeport-service" title="Permanent link">¶</a></h2>
|
||||
<h2 id="over-a-nodeport-service">Over a NodePort Service<a class="headerlink" href="#over-a-nodeport-service" title="Permanent link"> ¶</a></h2>
|
||||
<p>Due to its simplicity, this is the setup a user will deploy by default when following the steps described in the
|
||||
<a href="../#bare-metal">installation guide</a>.</p>
|
||||
<div class="admonition info">
|
||||
|
|
@ -1469,7 +1469,7 @@ NodePort:</p>
|
|||
</pre></div>
|
||||
|
||||
</div>
|
||||
<h2 id="via-the-host-network">Via the host network<a class="headerlink" href="#via-the-host-network" title="Permanent link">¶</a></h2>
|
||||
<h2 id="via-the-host-network">Via the host network<a class="headerlink" href="#via-the-host-network" title="Permanent link"> ¶</a></h2>
|
||||
<p>In a setup where there is no external load balancer available but using NodePorts is not an option, one can configure
|
||||
<code class="codehilite">ingress-nginx</code> Pods to use the network of the host they run on instead of a dedicated network namespace. The benefit of
|
||||
this approach is that the NGINX Ingress controller can bind ports 80 and 443 directly to Kubernetes nodes' network
|
||||
|
|
@ -1566,7 +1566,7 @@ address of all nodes running the NGINX Ingress controller.</p>
|
|||
<p>Alternatively, it is possible to override the address written to Ingress objects using the
|
||||
<code class="codehilite">--publish-status-address</code> flag. See <a href="../../user-guide/cli-arguments/">Command line arguments</a>.</p>
|
||||
</div>
|
||||
<h2 id="using-a-self-provisioned-edge">Using a self-provisioned edge<a class="headerlink" href="#using-a-self-provisioned-edge" title="Permanent link">¶</a></h2>
|
||||
<h2 id="using-a-self-provisioned-edge">Using a self-provisioned edge<a class="headerlink" href="#using-a-self-provisioned-edge" title="Permanent link"> ¶</a></h2>
|
||||
<p>Similarly to cloud environments, this deployment approach requires an edge network component providing a public
|
||||
entrypoint to the Kubernetes cluster. This edge component can be either hardware (e.g. vendor appliance) or software
|
||||
(e.g. <em>HAproxy</em>) and is usually managed outside of the Kubernetes landscape by operations teams.</p>
|
||||
|
|
@ -1577,7 +1577,7 @@ This is particularly suitable for private Kubernetes clusters where none of the
|
|||
nodes and/or masters. Incoming traffic on TCP ports 80 and 443 is forwarded to the corresponding HTTP and HTTPS NodePort
|
||||
on the target nodes as shown in the diagram below:</p>
|
||||
<p><img alt="User edge" src="../../images/baremetal/user_edge.jpg" /></p>
|
||||
<h2 id="external-ips">External IPs<a class="headerlink" href="#external-ips" title="Permanent link">¶</a></h2>
|
||||
<h2 id="external-ips">External IPs<a class="headerlink" href="#external-ips" title="Permanent link"> ¶</a></h2>
|
||||
<div class="admonition danger">
|
||||
<p class="admonition-title">Source IP address</p>
|
||||
<p>This method does not allow preserving the source IP of HTTP requests in any manner, it is therefore <strong>not
|
||||
|
|
|
|||
|
|
@ -1425,8 +1425,8 @@
|
|||
<a href="https://github.com/kubernetes/ingress-nginx/edit/master/docs/deploy/index.md" title="Edit this page" class="md-icon md-content__icon"></a>
|
||||
|
||||
|
||||
<h1 id="installation-guide">Installation Guide<a class="headerlink" href="#installation-guide" title="Permanent link">¶</a></h1>
|
||||
<h2 id="contents">Contents<a class="headerlink" href="#contents" title="Permanent link">¶</a></h2>
|
||||
<h1 id="installation-guide">Installation Guide<a class="headerlink" href="#installation-guide" title="Permanent link"> ¶</a></h1>
|
||||
<h2 id="contents">Contents<a class="headerlink" href="#contents" title="Permanent link"> ¶</a></h2>
|
||||
<ul>
|
||||
<li><a href="#prerequisite-generic-deployment-command">Prerequisite Generic Deployment Command</a></li>
|
||||
<li><a href="#provider-specific-steps">Provider Specific Steps</a><ul>
|
||||
|
|
@ -1442,7 +1442,7 @@
|
|||
<li><a href="#detect-installed-version">Detect installed version</a></li>
|
||||
<li><a href="#using-helm">Using Helm</a></li>
|
||||
</ul>
|
||||
<h2 id="prerequisite-generic-deployment-command">Prerequisite Generic Deployment Command<a class="headerlink" href="#prerequisite-generic-deployment-command" title="Permanent link">¶</a></h2>
|
||||
<h2 id="prerequisite-generic-deployment-command">Prerequisite Generic Deployment Command<a class="headerlink" href="#prerequisite-generic-deployment-command" title="Permanent link"> ¶</a></h2>
|
||||
<div class="admonition attention">
|
||||
<p class="admonition-title">Attention</p>
|
||||
<p>The default configuration watches Ingress object from <em>all the namespaces</em>.
|
||||
|
|
@ -1468,15 +1468,15 @@ To change this behavior use the flag <code class="codehilite">--watch-namespace<
|
|||
<p class="admonition-title">Tip</p>
|
||||
<p>If you are using a Kubernetes version previous to 1.14, you need to change <code class="codehilite">kubernetes.io/os</code> to <code class="codehilite">beta.kubernetes.io/os</code> at line 217 of <a href="https://github.com/kubernetes/ingress-nginx/blob/master/deploy/static/mandatory.yaml#L217">mandatory.yaml</a>, see <a href="https://kubernetes.io/docs/reference/kubernetes-api/labels-annotations-taints/">Labels details</a>.</p>
|
||||
</div>
|
||||
<h3 id="provider-specific-steps">Provider Specific Steps<a class="headerlink" href="#provider-specific-steps" title="Permanent link">¶</a></h3>
|
||||
<h3 id="provider-specific-steps">Provider Specific Steps<a class="headerlink" href="#provider-specific-steps" title="Permanent link"> ¶</a></h3>
|
||||
<p>There are cloud provider specific yaml files.</p>
|
||||
<h4 id="docker-for-mac">Docker for Mac<a class="headerlink" href="#docker-for-mac" title="Permanent link">¶</a></h4>
|
||||
<h4 id="docker-for-mac">Docker for Mac<a class="headerlink" href="#docker-for-mac" title="Permanent link"> ¶</a></h4>
|
||||
<p>Kubernetes is available in Docker for Mac (from <a href="https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018">version 18.06.0-ce</a>)</p>
|
||||
<p>Create a service</p>
|
||||
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml</span>
|
||||
</pre></div>
|
||||
|
||||
<h4 id="minikube">minikube<a class="headerlink" href="#minikube" title="Permanent link">¶</a></h4>
|
||||
<h4 id="minikube">minikube<a class="headerlink" href="#minikube" title="Permanent link"> ¶</a></h4>
|
||||
<p>For standard usage:</p>
|
||||
<div class="codehilite"><pre><span></span><span class="go">minikube addons enable ingress</span>
|
||||
</pre></div>
|
||||
|
|
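Review bot: the tip in this hunk's context sends readers to "line 217" of mandatory.yaml through a link into the master branch (`mandatory.yaml#L217`), so the reference goes stale as soon as that file changes. Suggest the source page (docs/deploy/index.md) describe the change by its key, `kubernetes.io/os` to `beta.kubernetes.io/os`, without a line number, or link to a tagged revision of the file.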
@ -1498,11 +1498,11 @@ To change this behavior use the flag <code class="codehilite">--watch-namespace<
|
|||
<span class="go">nginx-ingress-controller-fdcdcd6dd-vvpgs 1/1 Running 0 11s</span>
|
||||
</pre></div>
|
||||
|
||||
<h4 id="aws">AWS<a class="headerlink" href="#aws" title="Permanent link">¶</a></h4>
|
||||
<h4 id="aws">AWS<a class="headerlink" href="#aws" title="Permanent link"> ¶</a></h4>
|
||||
<p>In AWS we use an Elastic Load Balancer (ELB) to expose the NGINX Ingress controller behind a Service of <code class="codehilite">Type=LoadBalancer</code>.
|
||||
Since Kubernetes v1.9.0 it is possible to use a classic load balancer (ELB) or network load balancer (NLB)
|
||||
Please check the <a href="https://aws.amazon.com/elasticloadbalancing/details/">elastic load balancing AWS details page</a></p>
|
||||
<h5 id="elastic-load-balancer-elb">Elastic Load Balancer - ELB<a class="headerlink" href="#elastic-load-balancer-elb" title="Permanent link">¶</a></h5>
|
||||
<h5 id="elastic-load-balancer-elb">Elastic Load Balancer - ELB<a class="headerlink" href="#elastic-load-balancer-elb" title="Permanent link"> ¶</a></h5>
|
||||
<p>This setup requires to choose in which layer (L4 or L7) we want to configure the ELB:</p>
|
||||
<ul>
|
||||
<li><a href="https://en.wikipedia.org/wiki/OSI_model#Layer_4:_Transport_Layer">Layer 4</a>: use TCP as the listener protocol for ports 80 and 443.</li>
|
||||
|
|
@ -1525,26 +1525,26 @@ Please check the <a href="https://aws.amazon.com/elasticloadbalancing/details/">
|
|||
|
||||
<p>This example creates an ELB with just two listeners, one in port 80 and another in port 443</p>
|
||||
<p><img alt="Listeners" src="../images/elb-l7-listener.png" /></p>
|
||||
<h5 id="elb-idle-timeouts">ELB Idle Timeouts<a class="headerlink" href="#elb-idle-timeouts" title="Permanent link">¶</a></h5>
|
||||
<h5 id="elb-idle-timeouts">ELB Idle Timeouts<a class="headerlink" href="#elb-idle-timeouts" title="Permanent link"> ¶</a></h5>
|
||||
<p>In some scenarios users will need to modify the value of the ELB idle timeout. Users need to ensure the idle timeout is less than the <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout">keepalive_timeout</a> that is configured for NGINX. By default NGINX <code class="codehilite">keepalive_timeout</code> is set to <code class="codehilite">75s</code>.</p>
|
||||
<p>The default ELB idle timeout will work for most scenarios, unless the NGINX <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout">keepalive_timeout</a> has been modified, in which case <code class="codehilite">service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout</code> will need to be modified to ensure it is less than the <code class="codehilite">keepalive_timeout</code> the user has configured.</p>
|
||||
<p><em>Please Note: An idle timeout of <code class="codehilite">3600s</code> is recommended when using WebSockets.</em></p>
|
||||
<p>More information with regards to idle timeouts for your Load Balancer can be found in the <a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html">official AWS documentation</a>.</p>
|
||||
<h5 id="network-load-balancer-nlb">Network Load Balancer (NLB)<a class="headerlink" href="#network-load-balancer-nlb" title="Permanent link">¶</a></h5>
|
||||
<h5 id="network-load-balancer-nlb">Network Load Balancer (NLB)<a class="headerlink" href="#network-load-balancer-nlb" title="Permanent link"> ¶</a></h5>
|
||||
<p>This type of load balancer is supported since v1.10.0 as an ALPHA feature.</p>
|
||||
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/service-nlb.yaml</span>
|
||||
</pre></div>
|
||||
|
||||
<h4 id="gce-gke">GCE-GKE<a class="headerlink" href="#gce-gke" title="Permanent link">¶</a></h4>
|
||||
<h4 id="gce-gke">GCE-GKE<a class="headerlink" href="#gce-gke" title="Permanent link"> ¶</a></h4>
|
||||
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml</span>
|
||||
</pre></div>
|
||||
|
||||
<p><strong>Important Note:</strong> proxy protocol is not supported in GCE/GKE</p>
|
||||
<h4 id="azure">Azure<a class="headerlink" href="#azure" title="Permanent link">¶</a></h4>
|
||||
<h4 id="azure">Azure<a class="headerlink" href="#azure" title="Permanent link"> ¶</a></h4>
|
||||
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml</span>
|
||||
</pre></div>
|
||||
|
||||
<h4 id="bare-metal">Bare-metal<a class="headerlink" href="#bare-metal" title="Permanent link">¶</a></h4>
|
||||
<h4 id="bare-metal">Bare-metal<a class="headerlink" href="#bare-metal" title="Permanent link"> ¶</a></h4>
|
||||
<p>Using <a href="https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport">NodePort</a>:</p>
|
||||
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/baremetal/service-nodeport.yaml</span>
|
||||
</pre></div>
|
||||
|
|
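Review bot: every `kubectl apply -f` in this hunk (NLB, GCE-GKE, Azure, bare-metal) fetches its manifest from the `master` branch on raw.githubusercontent.com, so what a reader applies to the cluster changes whenever master does and cannot be reviewed or reproduced afterwards. Suggest the source markdown point these URLs at a release tag. The two `keepalive_timeout` links in the ELB idle timeout paragraphs also use `http://nginx.org`; `https://` would be the better default.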
@ -1553,14 +1553,14 @@ Please check the <a href="https://aws.amazon.com/elasticloadbalancing/details/">
|
|||
<p class="admonition-title">Tip</p>
|
||||
<p>For extended notes regarding deployments on bare-metal, see <a href="baremetal/">Bare-metal considerations</a>.</p>
|
||||
</div>
|
||||
<h3 id="verify-installation">Verify installation<a class="headerlink" href="#verify-installation" title="Permanent link">¶</a></h3>
|
||||
<h3 id="verify-installation">Verify installation<a class="headerlink" href="#verify-installation" title="Permanent link"> ¶</a></h3>
|
||||
<p>To check if the ingress controller pods have started, run the following command:</p>
|
||||
<div class="codehilite"><pre><span></span><span class="go">kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch</span>
|
||||
</pre></div>
|
||||
|
||||
<p>Once the operator pods are running, you can cancel the above command by typing <code class="codehilite">Ctrl+C</code>.
|
||||
Now, you are ready to create your first ingress.</p>
|
||||
<h3 id="detect-installed-version">Detect installed version<a class="headerlink" href="#detect-installed-version" title="Permanent link">¶</a></h3>
|
||||
<h3 id="detect-installed-version">Detect installed version<a class="headerlink" href="#detect-installed-version" title="Permanent link"> ¶</a></h3>
|
||||
<p>To detect which version of the ingress controller is running, exec into the pod and run <code class="codehilite">nginx-ingress-controller version</code> command.</p>
|
||||
<div class="codehilite"><pre><span></span><span class="go">POD_NAMESPACE=ingress-nginx</span>
|
||||
<span class="go">POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[0].metadata.name}')</span>
|
||||
|
|
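Review bot: under "Verify installation" the text first says "ingress controller pods" and then "Once the operator pods are running"; nothing else in this hunk mentions an operator, so suggest "controller pods" in both places. Under "Detect installed version" the prose names the command as `nginx-ingress-controller version`, while the command shown for it is `/nginx-ingress-controller --version`; the prose should match the command.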
@ -1568,7 +1568,7 @@ Now, you are ready to create your first ingress.</p>
|
|||
<span class="go">kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version</span>
|
||||
</pre></div>
|
||||
|
||||
<h2 id="using-helm">Using Helm<a class="headerlink" href="#using-helm" title="Permanent link">¶</a></h2>
|
||||
<h2 id="using-helm">Using Helm<a class="headerlink" href="#using-helm" title="Permanent link"> ¶</a></h2>
|
||||
<p>NGINX Ingress controller can be installed via <a href="https://helm.sh/">Helm</a> using the chart <a href="https://github.com/kubernetes/charts/tree/master/stable/nginx-ingress">stable/nginx-ingress</a> from the official charts repository.
|
||||
To install the chart with the release name <code class="codehilite">my-nginx</code>:</p>
|
||||
<div class="codehilite"><pre><span></span><span class="go">helm install stable/nginx-ingress --name my-nginx</span>
|
||||
|
|
|
|||
|
|
@ -1275,8 +1275,8 @@
|
|||
<a href="https://github.com/kubernetes/ingress-nginx/edit/master/docs/deploy/rbac.md" title="Edit this page" class="md-icon md-content__icon"></a>
|
||||
|
||||
|
||||
<h1 id="role-based-access-control-rbac">Role Based Access Control (RBAC)<a class="headerlink" href="#role-based-access-control-rbac" title="Permanent link">¶</a></h1>
|
||||
<h2 id="overview">Overview<a class="headerlink" href="#overview" title="Permanent link">¶</a></h2>
|
||||
<h1 id="role-based-access-control-rbac">Role Based Access Control (RBAC)<a class="headerlink" href="#role-based-access-control-rbac" title="Permanent link"> ¶</a></h1>
|
||||
<h2 id="overview">Overview<a class="headerlink" href="#overview" title="Permanent link"> ¶</a></h2>
|
||||
<p>This example applies to nginx-ingress-controllers being deployed in an environment with RBAC enabled.</p>
|
||||
<p>Role Based Access Control is comprised of four layers:</p>
|
||||
<ol>
|
||||
|
|
@ -1288,13 +1288,13 @@
|
|||
<p>In order for RBAC to be applied to an nginx-ingress-controller, that controller
|
||||
should be assigned to a <code class="codehilite">ServiceAccount</code>. That <code class="codehilite">ServiceAccount</code> should be
|
||||
bound to the <code class="codehilite">Role</code>s and <code class="codehilite">ClusterRole</code>s defined for the nginx-ingress-controller.</p>
|
||||
<h2 id="service-accounts-created-in-this-example">Service Accounts created in this example<a class="headerlink" href="#service-accounts-created-in-this-example" title="Permanent link">¶</a></h2>
|
||||
<h2 id="service-accounts-created-in-this-example">Service Accounts created in this example<a class="headerlink" href="#service-accounts-created-in-this-example" title="Permanent link"> ¶</a></h2>
|
||||
<p>One ServiceAccount is created in this example, <code class="codehilite">nginx-ingress-serviceaccount</code>.</p>
|
||||
<h2 id="permissions-granted-in-this-example">Permissions Granted in this example<a class="headerlink" href="#permissions-granted-in-this-example" title="Permanent link">¶</a></h2>
|
||||
<h2 id="permissions-granted-in-this-example">Permissions Granted in this example<a class="headerlink" href="#permissions-granted-in-this-example" title="Permanent link"> ¶</a></h2>
|
||||
<p>There are two sets of permissions defined in this example. Cluster-wide
|
||||
permissions defined by the <code class="codehilite">ClusterRole</code> named <code class="codehilite">nginx-ingress-clusterrole</code>, and
|
||||
namespace specific permissions defined by the <code class="codehilite">Role</code> named <code class="codehilite">nginx-ingress-role</code>.</p>
|
||||
<h3 id="cluster-permissions">Cluster Permissions<a class="headerlink" href="#cluster-permissions" title="Permanent link">¶</a></h3>
|
||||
<h3 id="cluster-permissions">Cluster Permissions<a class="headerlink" href="#cluster-permissions" title="Permanent link"> ¶</a></h3>
|
||||
<p>These permissions are granted in order for the nginx-ingress-controller to be
|
||||
able to function as an ingress across the cluster. These permissions are
|
||||
granted to the ClusterRole named <code class="codehilite">nginx-ingress-clusterrole</code></p>
|
||||
|
|
@ -1305,7 +1305,7 @@ granted to the ClusterRole named <code class="codehilite">nginx-ingress-clusterr
|
|||
<li><code class="codehilite">events</code>: create, patch</li>
|
||||
<li><code class="codehilite">ingresses/status</code>: update</li>
|
||||
</ul>
|
||||
<h3 id="namespace-permissions">Namespace Permissions<a class="headerlink" href="#namespace-permissions" title="Permanent link">¶</a></h3>
|
||||
<h3 id="namespace-permissions">Namespace Permissions<a class="headerlink" href="#namespace-permissions" title="Permanent link"> ¶</a></h3>
|
||||
<p>These permissions are granted specific to the nginx-ingress namespace. These
|
||||
permissions are granted to the Role named <code class="codehilite">nginx-ingress-role</code></p>
|
||||
<ul>
|
||||
|
|
@ -1333,7 +1333,7 @@ are part of the request body).</p>
|
|||
</ul>
|
||||
<p>Please adapt accordingly if you overwrite either parameter when launching the
|
||||
nginx-ingress-controller.</p>
|
||||
<h3 id="bindings">Bindings<a class="headerlink" href="#bindings" title="Permanent link">¶</a></h3>
|
||||
<h3 id="bindings">Bindings<a class="headerlink" href="#bindings" title="Permanent link"> ¶</a></h3>
|
||||
<p>The ServiceAccount <code class="codehilite">nginx-ingress-serviceaccount</code> is bound to the Role
|
||||
<code class="codehilite">nginx-ingress-role</code> and the ClusterRole <code class="codehilite">nginx-ingress-clusterrole</code>.</p>
|
||||
<p>The serviceAccountName associated with the containers in the deployment must
|
||||
|
|
|
|||
|
|
@ -1207,13 +1207,13 @@
|
|||
<a href="https://github.com/kubernetes/ingress-nginx/edit/master/docs/deploy/upgrade.md" title="Edit this page" class="md-icon md-content__icon"></a>
|
||||
|
||||
|
||||
<h1 id="upgrading">Upgrading<a class="headerlink" href="#upgrading" title="Permanent link">¶</a></h1>
|
||||
<h1 id="upgrading">Upgrading<a class="headerlink" href="#upgrading" title="Permanent link"> ¶</a></h1>
|
||||
<div class="admonition important">
|
||||
<p class="admonition-title">Important</p>
|
||||
<p>No matter the method you use for upgrading, <em>if you use template overrides,
|
||||
make sure your templates are compatible with the new version of ingress-nginx</em>.</p>
|
||||
</div>
|
||||
<h2 id="without-helm">Without Helm<a class="headerlink" href="#without-helm" title="Permanent link">¶</a></h2>
|
||||
<h2 id="without-helm">Without Helm<a class="headerlink" href="#without-helm" title="Permanent link"> ¶</a></h2>
|
||||
<p>To upgrade your ingress-nginx installation, it should be enough to change the version of the image
|
||||
in the controller Deployment.</p>
|
||||
<p>I.e. if your deployment resource looks like (partial example):</p>
|
||||
|
|
@ -1240,7 +1240,7 @@ The easiest way to do this is e.g. (do note you may need to change the name para
|
|||
</pre></div>
|
||||
|
||||
<p>For interactive editing, use <code class="codehilite">kubectl edit deployment nginx-ingress-controller</code>.</p>
|
||||
<h2 id="with-helm">With Helm<a class="headerlink" href="#with-helm" title="Permanent link">¶</a></h2>
|
||||
<h2 id="with-helm">With Helm<a class="headerlink" href="#with-helm" title="Permanent link"> ¶</a></h2>
|
||||
<p>If you installed ingress-nginx using the Helm command in the deployment docs so its name is <code class="codehilite">ngx-ingress</code>,
|
||||
you should be able to upgrade using</p>
|
||||
<div class="codehilite"><pre><span></span>helm upgrade --reuse-values ngx-ingress stable/nginx-ingress
|
||||
|
|
|
|||
|
|
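Review bot: "With Helm" says the release is named `ngx-ingress` when installed "using the Helm command in the deployment docs", but the installation guide in this same commit installs it with `helm install stable/nginx-ingress --name my-nginx`, so `helm upgrade --reuse-values ngx-ingress stable/nginx-ingress` targets a release name that reader does not have. Suggest using one release name on both pages.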
@ -1341,14 +1341,14 @@
|
|||
<a href="https://github.com/kubernetes/ingress-nginx/edit/master/docs/deploy/validating-webhook.md" title="Edit this page" class="md-icon md-content__icon"></a>
|
||||
|
||||
|
||||
<h1 id="validating-webhook-admission-controller">Validating webhook (admission controller)<a class="headerlink" href="#validating-webhook-admission-controller" title="Permanent link">¶</a></h1>
|
||||
<h2 id="overview">Overview<a class="headerlink" href="#overview" title="Permanent link">¶</a></h2>
|
||||
<h1 id="validating-webhook-admission-controller">Validating webhook (admission controller)<a class="headerlink" href="#validating-webhook-admission-controller" title="Permanent link"> ¶</a></h1>
|
||||
<h2 id="overview">Overview<a class="headerlink" href="#overview" title="Permanent link"> ¶</a></h2>
|
||||
<p>Nginx ingress controller offers the option to validate ingresses before they enter the cluster, ensuring controller will generate a valid configuration.</p>
|
||||
<p>This controller is called, when <a href="https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook">ValidatingAdmissionWebhook</a> is enabled, by the Kubernetes API server each time a new ingress is to enter the cluster, and rejects objects for which the generated nginx configuration fails to be validated.</p>
|
||||
<p>This feature requires some further configuration of the cluster, hence it is an optional feature, this section explains how to enable it for your cluster.</p>
|
||||
<h2 id="configure-the-webhook">Configure the webhook<a class="headerlink" href="#configure-the-webhook" title="Permanent link">¶</a></h2>
|
||||
<h3 id="generate-the-webhook-certificate">Generate the webhook certificate<a class="headerlink" href="#generate-the-webhook-certificate" title="Permanent link">¶</a></h3>
|
||||
<h4 id="self-signed-certificate">Self signed certificate<a class="headerlink" href="#self-signed-certificate" title="Permanent link">¶</a></h4>
|
||||
<h2 id="configure-the-webhook">Configure the webhook<a class="headerlink" href="#configure-the-webhook" title="Permanent link"> ¶</a></h2>
|
||||
<h3 id="generate-the-webhook-certificate">Generate the webhook certificate<a class="headerlink" href="#generate-the-webhook-certificate" title="Permanent link"> ¶</a></h3>
|
||||
<h4 id="self-signed-certificate">Self signed certificate<a class="headerlink" href="#self-signed-certificate" title="Permanent link"> ¶</a></h4>
|
||||
<p>Validating webhook must be served using TLS, you need to generate a certificate. Note that kube API server is checking the hostname of the certificate, the common name of your certificate will need to match the service name.</p>
|
||||
<div class="admonition example">
|
||||
<p class="admonition-title">Example</p>
|
||||
|
|
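Review bot: "the common name of your certificate will need to match the service name" in the "Self signed certificate" paragraph does not say which form of the service name the API server checks, and it covers only the CN. Suggest the source page state the exact DNS name expected and ask for it in the certificate's subjectAltName as well, since hostname verification that ignores the common name would reject a CN-only certificate.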
@ -1357,7 +1357,7 @@
|
|||
</pre></div>
|
||||
|
||||
</div>
|
||||
<h5 id="using-kubernetes-ca">Using Kubernetes CA<a class="headerlink" href="#using-kubernetes-ca" title="Permanent link">¶</a></h5>
|
||||
<h5 id="using-kubernetes-ca">Using Kubernetes CA<a class="headerlink" href="#using-kubernetes-ca" title="Permanent link"> ¶</a></h5>
|
||||
<p>Kubernetes also provides primitives to sign a certificate request. Here is an example on how to use it</p>
|
||||
<div class="admonition example">
|
||||
<p class="admonition-title">Example</p>
|
||||
|
|
@ -1426,7 +1426,7 @@ kubectl create secret generic ingress-nginx.svc <span class="se">\</span>
|
|||
</pre></div>
|
||||
|
||||
</div>
|
||||
<h4 id="using-helm">Using helm<a class="headerlink" href="#using-helm" title="Permanent link">¶</a></h4>
|
||||
<h4 id="using-helm">Using helm<a class="headerlink" href="#using-helm" title="Permanent link"> ¶</a></h4>
|
||||
<p>To generate the certificate using helm, you can use the following snippet</p>
|
||||
<div class="admonition example">
|
||||
<p class="admonition-title">Example</p>
|
||||
|
|
@ -1436,7 +1436,7 @@ kubectl create secret generic ingress-nginx.svc <span class="se">\</span>
|
|||
</pre></div>
|
||||
|
||||
</div>
|
||||
<h3 id="ingress-controller-flags">Ingress controller flags<a class="headerlink" href="#ingress-controller-flags" title="Permanent link">¶</a></h3>
|
||||
<h3 id="ingress-controller-flags">Ingress controller flags<a class="headerlink" href="#ingress-controller-flags" title="Permanent link"> ¶</a></h3>
|
||||
<p>To enable the feature in the ingress controller, you <em>need</em> to provide 3 flags to the command line.</p>
|
||||
<table>
|
||||
<thead>
|
||||
|
|
@ -1464,10 +1464,10 @@ kubectl create secret generic ingress-nginx.svc <span class="se">\</span>
|
|||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h3 id="kube-api-server-flags">kube API server flags<a class="headerlink" href="#kube-api-server-flags" title="Permanent link">¶</a></h3>
|
||||
<h3 id="kube-api-server-flags">kube API server flags<a class="headerlink" href="#kube-api-server-flags" title="Permanent link"> ¶</a></h3>
|
||||
<p>Validating webhook feature requires specific setup on the kube API server side. Depending on your kubernetes version, the flag can, or not, be enabled by default.
|
||||
To check that your kube API server runs with the required flags, please refer to the <a href="https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook">kubernetes</a> documentation.</p>
|
||||
<h3 id="additional-kubernetes-objects">Additional kubernetes objects<a class="headerlink" href="#additional-kubernetes-objects" title="Permanent link">¶</a></h3>
|
||||
<h3 id="additional-kubernetes-objects">Additional kubernetes objects<a class="headerlink" href="#additional-kubernetes-objects" title="Permanent link"> ¶</a></h3>
|
||||
<p>Once both the ingress controller and the kube API server are configured to serve the webhook, add the you can configure the webhook with the following objects:</p>
|
||||
<div class="codehilite"><pre><span></span><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
|
||||
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Service</span>
|
||||
|
|
|
|||
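Review bot: the sentence introducing the objects under "Additional kubernetes objects" reads "add the you can configure the webhook with the following objects", which looks like a leftover from an earlier edit; suggest "you can configure the webhook with the following objects". In the same hunk, "the flag can, or not, be enabled by default" would read better as "may or may not be enabled by default", and the sentence should name the flag it refers to.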