The presentation is created and the example files are added.

Alejandro Lembke Barrientos 2021-07-15 23:48:31 +00:00
parent f4224add95
commit d9f9d157a8
27 changed files with 3711 additions and 0 deletions


@ -1,2 +1,73 @@
# letsEncryptKubernetes
Master Class de como utilizando Ngnix Ingress Controller, Cert Manager y Lets Encrypt para crear y utilizar certificados de seguridad firmados en Kubernetes.
## Entender lo que vamos a hacer
Kubernetes es un orquestador de contenedores. Lo que haremos a continuación es dentro de un cluster de kubernetes de DigitalOcean instalar Nginx Ingress Controller y Cert Manager dentro de ese cluster para generara certificados de Seguridad con Let's Encrypt.
## ¿Qué es Nginx Ingress Controller?
![Nginx Ingress Controller](./img/NGINX-Ingress-Controller.png)
Nginx Ingress Controller es un enrutador o router de las peticiones que le realicen al servidor. Este es un servicio de tipo LoadBalancer que redireccina el tráfico al servicio de la aplicación que se desee segun su nombre de dominio.
Por ejemplo si tenemos una aplicación web con dominio midominio.com, ingress es un servcio encarcado de enrutar esa petición al servicio al que este mapeado ese dominio, este se configura con un archivo .yaml, lo veremos más adelante.
## ¿Qué es Cert Manager?
![Cert Manager](./img/cert.png)
Cert Manager es un servicio que se comunica con el pod de Ingress Controller. Para administrar y gestionar los certificados de seguridad de los dominios definidos en Ingress Controller.
Para este servicio es necesario crear
Custom Resource Definitions llamados Issuer y Cluster Issuer, que son los recursos encargados de comunicarse con el proveedor de certificados, en este caso Let's Encrypt.
## Como comenzar
### Paso 1: Instalar Ingress Controller
Primero hay que crear un namespace para el ingress controller y un serviceAccount para el mismo que se necesitará.
Visualizar el archivo:
[01-ns-and-sa.yaml](./ingress/01-ns-and-sa.yaml)
Luego hay que crear un cluster role binding de ngnix ingress controller:
`kubectl create clusterrolebinding nginx-ingress-admin -n nginx-ingress --clusterrole=cluster-admin --serviceaccount=nginx-ingress:nginx-ingress`
Luego Se instalan los Custom Resource Definitions de Ingres:
Visualizar la carpeta:
[./crds](./crds/)
Por ultimo tienen que correr los archivos de configuración de ingress.
Visualizar la carpeta:
[./ingress](./ingress/)
### Paso 2: Instalar Cert Manager
En este caso es más rápido ya que usaremos helm para instalar Cert Manager.
Primero creamos el namespace de CertManager
`kubectl create namespace cert-manager`
Luego instalamos con helm con los siguientes comandos.
`helm repo add jetstack https://charts.jetstack.io`
`helm repo update`
`helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.2.0 --set installCRDs=true`
Este es un tip que nos va a servir adelante:
comando para ver challenges:
`kubectl describe challenge`
Ahora Crearemos la instancias de un Custom Resources definitions. Vamos a crear un ClusterIssuer. Este sera el encargado de comunicarse con Let's Encrypt.
Visualizar la carpeta:
[./cert-manager](./cert-manager/)
### Paso 3: Instalar App y Crear certificados
Por último debes instalar la app web que tu hayas desarrollado y crear el enrutador ingress que redireccionara el trafico con sus certificados para ver un ejemplo por favor ver carpeta: [./app](./app/)
## Espero les haya gustado la clase.
Alejandro Lembke Barrientos
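Review bot: the ClusterRoleBinding in Step 1 (`kubectl create clusterrolebinding nginx-ingress-admin ... --clusterrole=cluster-admin --serviceaccount=nginx-ingress:nginx-ingress`) grants the ingress controller's service account full cluster-admin, far more than it needs to read Ingress, Service, Endpoints and Secret objects and update Ingress status; bind the `nginx-ingress` service account to the scoped ClusterRole that ships with the controller's own RBAC manifest instead, so a compromised ingress pod does not own the cluster. Step 2 also says "Vamos a crear un ClusterIssuer" while `./cert-manager` contains both `letsencrypt-staging` and `letsencrypt-prod`; document that staging is for validating the HTTP-01 flow (the `kubectl describe challenge` tip) before switching to prod and its rate limits.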

app/00-ns-and-sa.yaml Normal file

@ -0,0 +1,12 @@
apiVersion: v1
kind: Namespace
metadata:
#colocar nombre del namespace de la app
name: app
---
apiVersion: v1
kind: ServiceAccount
metadata:
#colocar nombre del serviceAccount
name: app
namespace: app


@ -0,0 +1,24 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: app
namespace: app
spec:
replicas: 1
selector:
matchLabels:
app: app
template:
metadata:
labels:
app: app
spec:
#descomentar si tienes un secret
#imagePullSecrets:
#- name: regcred
containers:
- name: app
image: gcr.io/google-samples/hello-app:1.0
imagePullPolicy: Always
ports:
- containerPort: 8080
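Review bot: the pod spec sets no `serviceAccountName`, so the `app` ServiceAccount created in `app/00-ns-and-sa.yaml` is never used and the pod runs as `default` with an API token automounted; set `serviceAccountName: app` and `automountServiceAccountToken: false` unless the app actually calls the Kubernetes API. The container also has no `securityContext` (at least `runAsNonRoot: true` and `allowPrivilegeEscalation: false`) and no `resources` requests/limits, both of which belong on a workload that is about to be exposed through a public Ingress.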

app/02-app-svc.yaml Normal file

@ -0,0 +1,14 @@
kind: Service
apiVersion: v1
metadata:
name: app-svc
namespace: app
spec:
selector:
app: app
type: ClusterIP
ports:
- protocol: TCP
name: app-main
port: 8080
targetPort: 8080


@ -0,0 +1,41 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress
namespace: app
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/use-regex: "true"
# add an annotation indicating the issuer to use.
cert-manager.io/cluster-issuer: letsencrypt-prod
acme.cert-manager.io/http01-edit-in-place: "true"
cert-manager.io/issue-temporary-certificate: "true"
spec:
tls:
#colocar tus propios dominios
- hosts:
- p-lao.tk
- www.p-lao.tk
secretName: p-lao-lets-encrypt-prod-tls
rules:
- host: p-lao.tk
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app-svc
port:
number: 8080
- host: www.p-lao.tk
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app-svc
port:
number: 8080
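Review bot: the `nginx.ingress.kubernetes.io/rewrite-target` and `nginx.ingress.kubernetes.io/use-regex` annotations belong to the community kubernetes/ingress-nginx controller; the CRDs added in this commit (`k8s.nginx.org`, `appprotect.f5.com`) come from the NGINX Inc. controller, which does not recognise them (its annotations live under `nginx.org/`). With `path: /` they would be a no-op anyway, so drop them rather than imply rewriting is configured. The cert-manager annotations are correct as written: `acme.cert-manager.io/http01-edit-in-place: "true"` makes cert-manager add the `/.well-known/acme-challenge/` path to this Ingress instead of creating a temporary one, and `cert-manager.io/issue-temporary-certificate: "true"` gives the controller a self-signed cert to serve until the Let's Encrypt one lands in `p-lao-lets-encrypt-prod-tls`.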


@ -0,0 +1,41 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress
namespace: app
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/use-regex: "true"
# add an annotation indicating the issuer to use.
cert-manager.io/cluster-issuer: letsencrypt-staging
acme.cert-manager.io/http01-edit-in-place: "true"
cert-manager.io/issue-temporary-certificate: "true"
spec:
tls:
#colocar tus propios dominios
- hosts:
- p-lao.tk
- www.p-lao.tk
secretName: p-lao-lets-encrypt-staging-tls
rules:
- host: p-lao.tk
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app-svc
port:
number: 8080
- host: www.p-lao.tk
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app-svc
port:
number: 8080
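Review bot: this file and the production variant both declare `metadata.name: ingress` in namespace `app`, so `kubectl apply -f ./app/` applies them in filename order and the last one silently replaces the other; either give them distinct names or keep only one Ingress and document switching `cert-manager.io/cluster-issuer` and `secretName` in place. Staging certificates come from an untrusted Let's Encrypt CA, so browsers will warn on `p-lao.tk`; its purpose is to prove the HTTP-01 challenge works before `letsencrypt-prod` counts against rate limits, and that should be said in the README.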

app/03-ingress.yaml Normal file

@ -0,0 +1,31 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress
namespace: app
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
rules:
- host: p-lao.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app-svc
port:
number: 8080
- host: www.p-lao.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app-svc
port:
number: 8080
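Review bot: this Ingress has no `tls` section and no `cert-manager.io/cluster-issuer` annotation, so `p-lao.com` and `www.p-lao.com` are served over plain HTTP only, and it reuses `metadata.name: ingress` in namespace `app`, colliding with the two TLS variants. If it is meant as the "before TLS" example, rename it and say so in the README; otherwise remove it, because applying the whole `./app` folder leaves whichever file sorts last as the only Ingress and can replace the `p-lao.tk` TLS configuration with this unencrypted one.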


@ -0,0 +1,15 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
email: aleleba@hotmail.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: nginx
#http01: {}
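Review bot: the trailing `#http01: {}` is a leftover from the pre-v1 `spec.acme.http01` form and should be deleted rather than kept as a comment. The `email` is a personal address committed to the repo; as the Ingress files do for hosts, add a `#colocar tu propio email` comment so readers replace it, since Let's Encrypt sends expiry and policy notices for the account key stored in `privateKeySecretRef` (`letsencrypt-prod`) to that address.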


@ -0,0 +1,15 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
email: aleleba@hotmail.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: nginx
#http01: {}
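Review bot: same leftover `#http01: {}` line and hard-coded `email` as in the prod issuer; apply the same clean-up here, and add a comment that `https://acme-staging-v02.api.letsencrypt.org/directory` issues certificates browsers will not trust, so this issuer is only for exercising the challenge flow.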


@ -0,0 +1,64 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: aplogconfs.appprotect.f5.com
spec:
group: appprotect.f5.com
names:
kind: APLogConf
listKind: APLogConfList
plural: aplogconfs
singular: aplogconf
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: APLogConf is the Schema for the APLogConfs API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: APLogConfSpec defines the desired state of APLogConf
properties:
content:
properties:
format:
enum:
- splunk
- arcsight
- default
- user-defined
type: string
format_string:
type: string
max_message_size:
pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$
type: string
max_request_size:
pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|1[0-9]{3}|20[1-3][0-9]|204[1-8]|any)$
type: string
type: object
filter:
properties:
request_type:
enum:
- all
- illegal
- blocked
type: string
type: object
type: object
type: object
served: true
storage: true
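Review bot: `aplogconfs.appprotect.f5.com` (and `apusersigs` below) are NGINX App Protect WAF CRDs that only the NGINX Plus with App Protect build of the controller reconciles; unless the controller deployed from `./ingress` is that build, these are dead objects in the cluster. Either drop them from `./crds` or note in the README that they are optional, so nobody reading the manifests assumes a WAF is in front of the app.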


@ -0,0 +1,93 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: apusersigs.appprotect.f5.com
spec:
group: appprotect.f5.com
names:
kind: APUserSig
listKind: APUserSigList
plural: apusersigs
singular: apusersig
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: APUserSig is the Schema for the apusersigs API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: APUserSigSpec defines the desired state of APUserSig
properties:
properties:
type: string
signatures:
items:
properties:
accuracy:
enum:
- high
- medium
- low
type: string
attackType:
properties:
name:
type: string
type: object
description:
type: string
name:
type: string
references:
properties:
type:
enum:
- bugtraq
- cve
- nessus
- url
type: string
value:
type: string
type: object
risk:
enum:
- high
- medium
- low
type: string
rule:
type: string
signatureType:
enum:
- request
- response
type: string
systems:
items:
properties:
name:
type: string
type: object
type: array
type: object
type: array
tag:
type: string
type: object
type: object
served: true
storage: true


@ -0,0 +1,56 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: globalconfigurations.k8s.nginx.org
spec:
group: k8s.nginx.org
names:
kind: GlobalConfiguration
listKind: GlobalConfigurationList
plural: globalconfigurations
shortNames:
- gc
singular: globalconfiguration
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: GlobalConfiguration defines the GlobalConfiguration resource.
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: GlobalConfigurationSpec is the spec of the GlobalConfiguration resource.
type: object
properties:
listeners:
type: array
items:
description: Listener defines a listener.
type: object
properties:
name:
type: string
port:
type: integer
protocol:
type: string
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []


@ -0,0 +1,158 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: policies.k8s.nginx.org
spec:
group: k8s.nginx.org
names:
kind: Policy
listKind: PolicyList
plural: policies
shortNames:
- pol
singular: policy
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Current state of the Policy. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller.
jsonPath: .status.state
name: State
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources.
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed.
type: object
properties:
accessControl:
description: 'AccessControl defines an access policy based on the source IP of a request. policy status: production-ready'
type: object
properties:
allow:
type: array
items:
type: string
deny:
type: array
items:
type: string
egressMTLS:
description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview'
type: object
properties:
ciphers:
type: string
protocols:
type: string
serverName:
type: boolean
sessionReuse:
type: boolean
sslName:
type: string
tlsSecret:
type: string
trustedCertSecret:
type: string
verifyDepth:
type: integer
verifyServer:
type: boolean
ingressMTLS:
description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview'
type: object
properties:
clientCertSecret:
type: string
verifyClient:
type: string
verifyDepth:
type: integer
jwt:
description: 'JWTAuth holds JWT authentication configuration. policy status: preview'
type: object
properties:
realm:
type: string
secret:
type: string
token:
type: string
oidc:
description: OIDC defines an Open ID Connect policy.
type: object
properties:
authEndpoint:
type: string
clientID:
type: string
clientSecret:
type: string
jwksURI:
type: string
redirectURI:
type: string
scope:
type: string
tokenEndpoint:
type: string
rateLimit:
description: 'RateLimit defines a rate limit policy. policy status: preview'
type: object
properties:
burst:
type: integer
delay:
type: integer
dryRun:
type: boolean
key:
type: string
logLevel:
type: string
noDelay:
type: boolean
rate:
type: string
rejectCode:
type: integer
zoneSize:
type: string
status:
description: PolicyStatus is the status of the policy resource
type: object
properties:
message:
type: string
reason:
type: string
state:
type: string
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []


@ -0,0 +1,80 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: transportservers.k8s.nginx.org
spec:
group: k8s.nginx.org
names:
kind: TransportServer
listKind: TransportServerList
plural: transportservers
shortNames:
- ts
singular: transportserver
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: TransportServer defines the TransportServer resource.
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: TransportServerSpec is the spec of the TransportServer resource.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
host:
type: string
listener:
description: TransportServerListener defines a listener for a TransportServer.
type: object
properties:
name:
type: string
protocol:
type: string
upstreamParameters:
description: UpstreamParameters defines parameters for an upstream.
type: object
properties:
udpRequests:
type: integer
udpResponses:
type: integer
upstreams:
type: array
items:
description: Upstream defines an upstream.
type: object
properties:
name:
type: string
port:
type: integer
service:
type: string
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []


@ -0,0 +1,619 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: virtualserverroutes.k8s.nginx.org
spec:
group: k8s.nginx.org
names:
kind: VirtualServerRoute
listKind: VirtualServerRouteList
plural: virtualserverroutes
shortNames:
- vsr
singular: virtualserverroute
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Current state of the VirtualServerRoute. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller.
jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.host
name: Host
type: string
- jsonPath: .status.externalEndpoints[*].ip
name: IP
type: string
- jsonPath: .status.externalEndpoints[*].ports
name: Ports
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: VirtualServerRoute defines the VirtualServerRoute resource.
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: VirtualServerRouteSpec is the spec of the VirtualServerRoute resource.
type: object
properties:
host:
type: string
ingressClassName:
type: string
subroutes:
type: array
items:
description: Route defines a route.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
proxy:
description: ActionProxy defines a proxy in an Action.
type: object
properties:
requestHeaders:
description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
type: object
properties:
pass:
type: boolean
set:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
responseHeaders:
description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
type: object
properties:
add:
type: array
items:
description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive.
type: object
properties:
always:
type: boolean
name:
type: string
value:
type: string
hide:
type: array
items:
type: string
ignore:
type: array
items:
type: string
pass:
type: array
items:
type: string
rewritePath:
type: string
upstream:
type: string
redirect:
description: ActionRedirect defines a redirect in an Action.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ActionReturn defines a return in an Action.
type: object
properties:
body:
type: string
code:
type: integer
type:
type: string
errorPages:
type: array
items:
description: ErrorPage defines an ErrorPage in a Route.
type: object
properties:
codes:
type: array
items:
type: integer
redirect:
description: ErrorPageRedirect defines a redirect for an ErrorPage.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ErrorPageReturn defines a return for an ErrorPage.
type: object
properties:
body:
type: string
code:
type: integer
headers:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
type:
type: string
location-snippets:
type: string
matches:
type: array
items:
description: Match defines a match.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
proxy:
description: ActionProxy defines a proxy in an Action.
type: object
properties:
requestHeaders:
description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
type: object
properties:
pass:
type: boolean
set:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
responseHeaders:
description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
type: object
properties:
add:
type: array
items:
description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive.
type: object
properties:
always:
type: boolean
name:
type: string
value:
type: string
hide:
type: array
items:
type: string
ignore:
type: array
items:
type: string
pass:
type: array
items:
type: string
rewritePath:
type: string
upstream:
type: string
redirect:
description: ActionRedirect defines a redirect in an Action.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ActionReturn defines a return in an Action.
type: object
properties:
body:
type: string
code:
type: integer
type:
type: string
conditions:
type: array
items:
description: Condition defines a condition in a MatchRule.
type: object
properties:
argument:
type: string
cookie:
type: string
header:
type: string
value:
type: string
variable:
type: string
splits:
type: array
items:
description: Split defines a split.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
proxy:
description: ActionProxy defines a proxy in an Action.
type: object
properties:
requestHeaders:
description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
type: object
properties:
pass:
type: boolean
set:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
responseHeaders:
description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
type: object
properties:
add:
type: array
items:
description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive.
type: object
properties:
always:
type: boolean
name:
type: string
value:
type: string
hide:
type: array
items:
type: string
ignore:
type: array
items:
type: string
pass:
type: array
items:
type: string
rewritePath:
type: string
upstream:
type: string
redirect:
description: ActionRedirect defines a redirect in an Action.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ActionReturn defines a return in an Action.
type: object
properties:
body:
type: string
code:
type: integer
type:
type: string
weight:
type: integer
path:
type: string
policies:
type: array
items:
description: PolicyReference references a policy by name and an optional namespace.
type: object
properties:
name:
type: string
namespace:
type: string
route:
type: string
splits:
type: array
items:
description: Split defines a split.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
proxy:
description: ActionProxy defines a proxy in an Action.
type: object
properties:
requestHeaders:
description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
type: object
properties:
pass:
type: boolean
set:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
responseHeaders:
description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
type: object
properties:
add:
type: array
items:
description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive.
type: object
properties:
always:
type: boolean
name:
type: string
value:
type: string
hide:
type: array
items:
type: string
ignore:
type: array
items:
type: string
pass:
type: array
items:
type: string
rewritePath:
type: string
upstream:
type: string
redirect:
description: ActionRedirect defines a redirect in an Action.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ActionReturn defines a return in an Action.
type: object
properties:
body:
type: string
code:
type: integer
type:
type: string
weight:
type: integer
upstreams:
type: array
items:
description: Upstream defines an upstream.
type: object
properties:
buffer-size:
type: string
buffering:
type: boolean
buffers:
description: UpstreamBuffers defines Buffer Configuration for an Upstream.
type: object
properties:
number:
type: integer
size:
type: string
client-max-body-size:
type: string
connect-timeout:
type: string
fail-timeout:
type: string
healthCheck:
description: HealthCheck defines the parameters for active Upstream HealthChecks.
type: object
properties:
connect-timeout:
type: string
enable:
type: boolean
fails:
type: integer
headers:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
interval:
type: string
jitter:
type: string
passes:
type: integer
path:
type: string
port:
type: integer
read-timeout:
type: string
send-timeout:
type: string
statusMatch:
type: string
tls:
description: UpstreamTLS defines a TLS configuration for an Upstream.
type: object
properties:
enable:
type: boolean
keepalive:
type: integer
lb-method:
type: string
max-conns:
type: integer
max-fails:
type: integer
name:
type: string
next-upstream:
type: string
next-upstream-timeout:
type: string
next-upstream-tries:
type: integer
port:
type: integer
queue:
description: UpstreamQueue defines Queue Configuration for an Upstream.
type: object
properties:
size:
type: integer
timeout:
type: string
read-timeout:
type: string
send-timeout:
type: string
service:
type: string
sessionCookie:
description: SessionCookie defines the parameters for session persistence.
type: object
properties:
domain:
type: string
enable:
type: boolean
expires:
type: string
httpOnly:
type: boolean
name:
type: string
path:
type: string
secure:
type: boolean
slow-start:
type: string
subselector:
type: object
additionalProperties:
type: string
tls:
description: UpstreamTLS defines a TLS configuration for an Upstream.
type: object
properties:
enable:
type: boolean
status:
description: VirtualServerRouteStatus defines the status for the VirtualServerRoute resource.
type: object
properties:
externalEndpoints:
type: array
items:
description: ExternalEndpoint defines the IP and ports used to connect to this resource.
type: object
properties:
ip:
type: string
ports:
type: string
message:
type: string
reason:
type: string
referencedBy:
type: string
state:
type: string
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []


@ -0,0 +1,647 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: virtualservers.k8s.nginx.org
spec:
group: k8s.nginx.org
names:
kind: VirtualServer
listKind: VirtualServerList
plural: virtualservers
shortNames:
- vs
singular: virtualserver
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Current state of the VirtualServer. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller.
jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.host
name: Host
type: string
- jsonPath: .status.externalEndpoints[*].ip
name: IP
type: string
- jsonPath: .status.externalEndpoints[*].ports
name: Ports
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: VirtualServer defines the VirtualServer resource.
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: VirtualServerSpec is the spec of the VirtualServer resource.
type: object
properties:
host:
type: string
http-snippets:
type: string
ingressClassName:
type: string
policies:
type: array
items:
description: PolicyReference references a policy by name and an optional namespace.
type: object
properties:
name:
type: string
namespace:
type: string
routes:
type: array
items:
description: Route defines a route.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
proxy:
description: ActionProxy defines a proxy in an Action.
type: object
properties:
requestHeaders:
description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
type: object
properties:
pass:
type: boolean
set:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
responseHeaders:
description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
type: object
properties:
add:
type: array
items:
description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive.
type: object
properties:
always:
type: boolean
name:
type: string
value:
type: string
hide:
type: array
items:
type: string
ignore:
type: array
items:
type: string
pass:
type: array
items:
type: string
rewritePath:
type: string
upstream:
type: string
redirect:
description: ActionRedirect defines a redirect in an Action.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ActionReturn defines a return in an Action.
type: object
properties:
body:
type: string
code:
type: integer
type:
type: string
errorPages:
type: array
items:
description: ErrorPage defines an ErrorPage in a Route.
type: object
properties:
codes:
type: array
items:
type: integer
redirect:
description: ErrorPageRedirect defines a redirect for an ErrorPage.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ErrorPageReturn defines a return for an ErrorPage.
type: object
properties:
body:
type: string
code:
type: integer
headers:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
type:
type: string
location-snippets:
type: string
matches:
type: array
items:
description: Match defines a match.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
proxy:
description: ActionProxy defines a proxy in an Action.
type: object
properties:
requestHeaders:
description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
type: object
properties:
pass:
type: boolean
set:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
responseHeaders:
description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
type: object
properties:
add:
type: array
items:
description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive.
type: object
properties:
always:
type: boolean
name:
type: string
value:
type: string
hide:
type: array
items:
type: string
ignore:
type: array
items:
type: string
pass:
type: array
items:
type: string
rewritePath:
type: string
upstream:
type: string
redirect:
description: ActionRedirect defines a redirect in an Action.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ActionReturn defines a return in an Action.
type: object
properties:
body:
type: string
code:
type: integer
type:
type: string
conditions:
type: array
items:
description: Condition defines a condition in a MatchRule.
type: object
properties:
argument:
type: string
cookie:
type: string
header:
type: string
value:
type: string
variable:
type: string
splits:
type: array
items:
description: Split defines a split.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
proxy:
description: ActionProxy defines a proxy in an Action.
type: object
properties:
requestHeaders:
description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
type: object
properties:
pass:
type: boolean
set:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
responseHeaders:
description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
type: object
properties:
add:
type: array
items:
description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive.
type: object
properties:
always:
type: boolean
name:
type: string
value:
type: string
hide:
type: array
items:
type: string
ignore:
type: array
items:
type: string
pass:
type: array
items:
type: string
rewritePath:
type: string
upstream:
type: string
redirect:
description: ActionRedirect defines a redirect in an Action.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ActionReturn defines a return in an Action.
type: object
properties:
body:
type: string
code:
type: integer
type:
type: string
weight:
type: integer
path:
type: string
policies:
type: array
items:
description: PolicyReference references a policy by name and an optional namespace.
type: object
properties:
name:
type: string
namespace:
type: string
route:
type: string
splits:
type: array
items:
description: Split defines a split.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
proxy:
description: ActionProxy defines a proxy in an Action.
type: object
properties:
requestHeaders:
description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
type: object
properties:
pass:
type: boolean
set:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
responseHeaders:
description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
type: object
properties:
add:
type: array
items:
description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive.
type: object
properties:
always:
type: boolean
name:
type: string
value:
type: string
hide:
type: array
items:
type: string
ignore:
type: array
items:
type: string
pass:
type: array
items:
type: string
rewritePath:
type: string
upstream:
type: string
redirect:
description: ActionRedirect defines a redirect in an Action.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ActionReturn defines a return in an Action.
type: object
properties:
body:
type: string
code:
type: integer
type:
type: string
weight:
type: integer
server-snippets:
type: string
tls:
description: TLS defines TLS configuration for a VirtualServer.
type: object
properties:
redirect:
description: TLSRedirect defines a redirect for a TLS.
type: object
properties:
basedOn:
type: string
code:
type: integer
enable:
type: boolean
secret:
type: string
upstreams:
type: array
items:
description: Upstream defines an upstream.
type: object
properties:
buffer-size:
type: string
buffering:
type: boolean
buffers:
description: UpstreamBuffers defines Buffer Configuration for an Upstream.
type: object
properties:
number:
type: integer
size:
type: string
client-max-body-size:
type: string
connect-timeout:
type: string
fail-timeout:
type: string
healthCheck:
description: HealthCheck defines the parameters for active Upstream HealthChecks.
type: object
properties:
connect-timeout:
type: string
enable:
type: boolean
fails:
type: integer
headers:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
interval:
type: string
jitter:
type: string
passes:
type: integer
path:
type: string
port:
type: integer
read-timeout:
type: string
send-timeout:
type: string
statusMatch:
type: string
tls:
description: UpstreamTLS defines a TLS configuration for an Upstream.
type: object
properties:
enable:
type: boolean
keepalive:
type: integer
lb-method:
type: string
max-conns:
type: integer
max-fails:
type: integer
name:
type: string
next-upstream:
type: string
next-upstream-timeout:
type: string
next-upstream-tries:
type: integer
port:
type: integer
queue:
description: UpstreamQueue defines Queue Configuration for an Upstream.
type: object
properties:
size:
type: integer
timeout:
type: string
read-timeout:
type: string
send-timeout:
type: string
service:
type: string
sessionCookie:
description: SessionCookie defines the parameters for session persistence.
type: object
properties:
domain:
type: string
enable:
type: boolean
expires:
type: string
httpOnly:
type: boolean
name:
type: string
path:
type: string
secure:
type: boolean
slow-start:
type: string
subselector:
type: object
additionalProperties:
type: string
tls:
description: UpstreamTLS defines a TLS configuration for an Upstream.
type: object
properties:
enable:
type: boolean
status:
description: VirtualServerStatus defines the status for the VirtualServer resource.
type: object
properties:
externalEndpoints:
type: array
items:
description: ExternalEndpoint defines the IP and ports used to connect to this resource.
type: object
properties:
ip:
type: string
ports:
type: string
message:
type: string
reason:
type: string
state:
type: string
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
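Review bot: `http-snippets` (spec), `server-snippets` (spec) and `location-snippets` (each route) are declared as unconstrained `type: string` fields, so the API server validates nothing about them: whoever can create a VirtualServer can place arbitrary NGINX directives into the controller configuration that is shared by every host it serves. Document in the README that these fields are only honoured when the controller runs with `-enable-snippets`, leave that flag off unless a concrete need exists (the Deployment in this commit does not set it, which is the right default), and treat create/update on `virtualservers` and `virtualserverroutes` as a privileged RBAC grant rather than something handed to every application namespace.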

Binary file not shown.


BIN
img/cert.png Normal file

Binary file not shown.


10
ingress/01-ns-and-sa.yaml Normal file
View File

@ -0,0 +1,10 @@
apiVersion: v1
kind: Namespace
metadata:
name: nginx-ingress
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-ingress
namespace: nginx-ingress

View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
metadata:
name: default-server-secret
namespace: nginx-ingress
type: kubernetes.io/tls
data:
tls.crt: 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
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdi91RWM4b1JkMHUvZXVJTHNFK1RYZUprckxMMnNJNGFWaEMvYjVyYy9XMlRiNHEvClJOcktGMEdYaVN1eE9ycXgrajlnamx4NXFjdnhkenRKbXNFUkJ1Z1B0ME9hVGtIekhvb3FVWmcwZGxmZ1dkT0EKUTZMNTdlT1l0Q29VOUZ4amRXdzZUVVRJVUQ4R0JsRlNjSVo0b1hFTkhzbysyR3VTTWk2Zk1wTVM3YUhudzFtMApxWkdvRWEzWFNyZEJ6eGc2clhkcUNlUDlCMXl3VmRyYURiUzc1aGQzdUdETDU4cGszOVFqVUFQaHpxdmRoK1JWClZGNGJCaW9CbTVpeTlZTW1hWVhsMm0wTGZzeTZuUTRRdFFzdEdNVWozcGJtdlFmazJBNnljeGRFeFpkZFZsdmwKMm82MjBsMllxcHFDZEtCRThCay90elFIVTlKcU56cHpoOUJUTXdJREFRQUJBb0lCQVFDZklHbXowOHhRVmorNwpLZnZJUXQwQ0YzR2MxNld6eDhVNml4MHg4Mm15d1kxUUNlL3BzWE9LZlRxT1h1SENyUlp5TnUvZ2IvUUQ4bUFOCmxOMjRZTWl0TWRJODg5TEZoTkp3QU5OODJDeTczckM5bzVvUDlkazAvYzRIbjAzSkVYNzZ5QjgzQm9rR1FvYksKMjhMNk0rdHUzUmFqNjd6Vmc2d2szaEhrU0pXSzBwV1YrSjdrUkRWYmhDYUZhNk5nMUZNRWxhTlozVDhhUUtyQgpDUDNDeEFTdjYxWTk5TEI4KzNXWVFIK3NYaTVGM01pYVNBZ1BkQUk3WEh1dXFET1lvMU5PL0JoSGt1aVg2QnRtCnorNTZud2pZMy8yUytSRmNBc3JMTnIwMDJZZi9oY0IraVlDNzVWYmcydVd6WTY3TWdOTGQ5VW9RU3BDRkYrVm4KM0cyUnhybnhBb0dCQU40U3M0ZVlPU2huMVpQQjdhTUZsY0k2RHR2S2ErTGZTTXFyY2pOZjJlSEpZNnhubmxKdgpGenpGL2RiVWVTbWxSekR0WkdlcXZXaHFISy9iTjIyeWJhOU1WMDlRQ0JFTk5jNmtWajJTVHpUWkJVbEx4QzYrCk93Z0wyZHhKendWelU0VC84ajdHalRUN05BZVpFS2FvRHFyRG5BYWkyaW5oZU1JVWZHRXFGKzJyQW9HQkFOMVAKK0tZL0lsS3RWRzRKSklQNzBjUis3RmpyeXJpY05iWCtQVzUvOXFHaWxnY2grZ3l4b25BWlBpd2NpeDN3QVpGdwpaZC96ZFB2aTBkWEppc1BSZjRMazg5b2pCUmpiRmRmc2l5UmJYbyt3TFU4NUhRU2NGMnN5aUFPaTVBRHdVU0FkCm45YWFweUNweEFkREtERHdObit3ZFhtaTZ0OHRpSFRkK3RoVDhkaVpBb0dCQUt6Wis1bG9OOTBtYlF4VVh5YUwKMjFSUm9tMGJjcndsTmVCaWNFSmlzaEhYa2xpSVVxZ3hSZklNM2hhUVRUcklKZENFaHFsV01aV0xPb2I2NTNyZgo3aFlMSXM1ZUtka3o0aFRVdnpldm9TMHVXcm9CV2xOVHlGanIrSWhKZnZUc0hpOGdsU3FkbXgySkJhZUFVWUNXCndNdlQ4NmNLclNyNkQrZG8wS05FZzFsL0FvR0FlMkFVdHVFbFNqLzBmRzgrV3hHc1RFV1JqclRNUzRSUjhRWXQKeXdjdFA4aDZxTGxKUTRCWGxQU05rMXZLTmtOUkxIb2pZT2pCQTViYjhibXNVU1BlV09NNENoaFJ4QnlHbmR2eAphYkJDRkFwY0IvbEg4d1R0alVZYlN5T294ZGt5OEp0ek90ajJhS0FiZHd6NlArWDZDODhjZmxYVFo5MWpYL3RMCjF3TmRKS2tDZ1lCbyt0UzB5TzJ2SWFmK2UwSkN5TGh
zVDQ5cTN3Zis2QWVqWGx2WDJ1VnRYejN5QTZnbXo5aCsKcDNlK2JMRUxwb3B0WFhNdUFRR0xhUkcrYlNNcjR5dERYbE5ZSndUeThXczNKY3dlSTdqZVp2b0ZpbmNvVlVIMwphdmxoTUVCRGYxSjltSDB5cDBwWUNaS2ROdHNvZEZtQktzVEtQMjJhTmtsVVhCS3gyZzR6cFE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
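Review bot: `tls.key` is a literal RSA private key committed to the repository (with `tls.crt` as its certificate), so from this commit on the key pair is public and has to be treated as compromised; git history keeps it even if the file is edited later. For the default-server secret this is tolerable only because it is a throwaway self-signed pair that answers requests for unknown hosts, but it should be generated per cluster instead of copied, for example with `openssl req -x509 -nodes -newkey rsa:2048 -keyout default.key -out default.crt -days 365 -subj '/CN=default'` followed by `kubectl create secret tls default-server-secret --cert=default.crt --key=default.key -n nginx-ingress`, with the key files kept out of git. Nothing else in the repo should reference this secret; the per-host secrets are populated by Cert Manager.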

View File

@ -0,0 +1,10 @@
kind: ConfigMap
apiVersion: v1
metadata:
name: nginx-config
namespace: nginx-ingress
data:
proxy-body-size: "500m"
proxy-read-timeout: "3600"
proxy-connect-timeout: "3600"
client-max-body-size: "500m"
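Review bot: `proxy-body-size` is not a ConfigMap key of this controller (it is the kubernetes/ingress-nginx name for the same setting); `nginx.org/ingress-controller` reads `client-max-body-size`, which the last line already sets, so the `proxy-body-size` line is ignored and should be dropped to avoid the impression that both are enforced. Separately, `proxy-read-timeout`/`proxy-connect-timeout` of 3600 seconds and a 500m body limit apply to every upstream of every host the controller serves; prefer the per-upstream `read-timeout`, `connect-timeout` and `client-max-body-size` fields of VirtualServer (see the CRD above) for the one service that needs large uploads or long-lived requests, and keep the global defaults tight.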

View File

@ -0,0 +1,13 @@
apiVersion: k8s.nginx.org/v1alpha1
kind: GlobalConfiguration
metadata:
name: nginx-configuration
namespace: nginx-ingress
#spec:
#listener:
#- name: dns-tcp-http
#port: 80
#protocol: TCP
#- name: dns-tcp-https
#port: 443
#protocol: TCP
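Review bot: the whole `spec` is commented out, so this object declares no listeners and exists only because the Deployment passes `-global-configuration=$(POD_NAMESPACE)/nginx-configuration`; say that in a comment, otherwise the next reader will uncomment the block. If the listeners are ever needed, the entries as written would also have to be re-indented under `spec:`, and they must not use 80 and 443, which the controller reserves for its own HTTP and HTTPS servers; `GlobalConfiguration` listeners are for `TransportServer` TCP/UDP services on other ports.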

View File

@ -0,0 +1,8 @@
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: nginx
# annotations:
# ingressclass.kubernetes.io/is-default-class: "true"
spec:
controller: nginx.org/ingress-controller
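Review bot: with `is-default-class` left commented out, no IngressClass is the default, so every Ingress (and the `ingressClassName` field of VirtualServer) must name `nginx` explicitly or the controller ignores the resource. That is a sound choice on a cluster that may host a second controller, but it should be stated in the README next to the Ingress/VirtualServer examples so a missing class name is not later debugged as a broken certificate flow.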

100
ingress/05-rbac.yaml Normal file
View File

@ -0,0 +1,100 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: nginx-ingress
namespace: nginx-ingress
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- update
- create
- apiGroups:
- ""
resources:
- pods
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- list
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- list
- watch
- get
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- k8s.nginx.org
resources:
- virtualservers
- virtualserverroutes
- globalconfigurations
- transportservers
- policies
verbs:
- list
- watch
- get
- apiGroups:
- k8s.nginx.org
resources:
- virtualservers/status
- virtualserverroutes/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: nginx-ingress
subjects:
- kind: ServiceAccount
name: nginx-ingress
namespace: nginx-ingress
roleRef:
kind: ClusterRole
name: nginx-ingress
apiGroup: rbac.authorization.k8s.io
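Review bot: `namespace: nginx-ingress` under the ClusterRole metadata is ignored (ClusterRoles are cluster-scoped) and should be removed so the manifest does not suggest the grant is namespace-bound, because it is not: `get`/`list`/`watch` on `secrets` with no namespace restriction gives the controller's service account read access to every Secret in the cluster, TLS keys included. That is the upstream default and is needed so the controller can read the TLS secrets referenced by Ingress and VirtualServer objects, but it deserves a comment, and where the controller only serves one application namespace the `-watch-namespace` flag narrows what it actually reads even though the role stays broad.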

View File

@ -0,0 +1,64 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-ingress
namespace: nginx-ingress
spec:
replicas: 2
selector:
matchLabels:
app: nginx-ingress
template:
metadata:
labels:
app: nginx-ingress
#annotations:
#prometheus.io/scrape: "true"
#prometheus.io/port: "9113"
spec:
serviceAccountName: nginx-ingress
containers:
- image: nginx/nginx-ingress:1.10.0
imagePullPolicy: Always
name: nginx-ingress
ports:
- name: http
containerPort: 80
hostPort: 80
- name: https
containerPort: 443
hostPort: 443
- name: readiness-port
containerPort: 8081
#- name: prometheus
#containerPort: 9113
readinessProbe:
httpGet:
path: /nginx-ready
port: readiness-port
periodSeconds: 1
securityContext:
allowPrivilegeEscalation: true
runAsUser: 101 #nginx
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
args:
- -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
#- -v=3 # Enables extensive logging. Useful for troubleshooting.
#- -report-ingress-status
- -external-service=nginx-ingress
#- -enable-prometheus-metrics
- -global-configuration=$(POD_NAMESPACE)/nginx-configuration
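Review bot: `hostPort: 80` and `hostPort: 443` bind the controller directly on each node's IP, which bypasses the `nginx-ingress` Service of type `LoadBalancer` in this commit and any firewall attached to it, and with `replicas: 2` also prevents two replicas from landing on the same node. Since traffic is meant to arrive through that load balancer (`-external-service=nginx-ingress`), drop the two `hostPort` lines and leave only `containerPort`. The `securityContext` is fine as it stands: `allowPrivilegeEscalation: true` is presumably there because the image gives the nginx binary a file capability so that `runAsUser: 101` can bind 80/443 after `drop: ALL` / `add: NET_BIND_SERVICE`; a one-line comment stating that reason would stop it being re-flagged on every review.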

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: nginx-ingress
namespace: nginx-ingress
spec:
type: LoadBalancer
ports:
- protocol: TCP
port: 80
targetPort: 80
name: http
- protocol: TCP
port: 443
targetPort: 443
name: https
selector:
app: nginx-ingress
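Review bot: the Service sets no `externalTrafficPolicy`, so it defaults to `Cluster` and the controller sees the node's SNAT address instead of the client's IP in access logs and in anything keyed on source address (allow lists, rate limits). Set `externalTrafficPolicy: Local` if the load balancer forwards straight to the nodes, or configure the real-IP ConfigMap keys (`set-real-ip-from`, `real-ip-header`) if it passes the client address in a header or via PROXY protocol. The Deployment's `-external-service=nginx-ingress` refers to this object by name, so the two must be kept in sync when either is renamed.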