nginx

command
v0.0.0-...-86e3eba Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 13, 2016 License: Apache-2.0 Imports: 40 Imported by: 0

README

Nginx Ingress Controller

This is a nginx Ingress controller that uses ConfigMap to store the nginx configuration. See Ingress controller documentation for details on how it works.

Contents

Conventions

Anytime we reference a tls secret, we mean (x509, pem encoded, RSA 2048, etc). You can generate such a certificate with: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout $(KEY) -out $(CERT) -subj "/CN=$(HOST)/O=$(HOST)" and creat the secret via kubectl create secret tls --key file --cert file

Requirements

Dry running the Ingress controller

Before deploying the controller to production you might want to run it outside the cluster and observe it.

$ make controller
$ mkdir /etc/nginx-ssl
$ ./nginx-ingress-controller --running-in-cluster=false --default-backend-service=kube-system/default-http-backend

Deployment

First create a default backend:

$ kubectl create -f examples/default-backend.yaml
$ kubectl expose rc default-http-backend --port=80 --target-port=8080 --name=default-http-backend

Loadbalancers are created via a ReplicationController or Daemonset:

$ kubectl create -f examples/default/rc-default.yaml

HTTP

First we need to deploy some application to publish. To keep this simple we will use the echoheaders app that just returns information about the http request as output

kubectl run echoheaders --image=gcr.io/google_containers/echoserver:1.4 --replicas=1 --port=8080

Now we expose the same application in two different services (so we can create different Ingress rules)

kubectl expose deployment echoheaders --port=80 --target-port=8080 --name=echoheaders-x
kubectl expose deployment echoheaders --port=80 --target-port=8080 --name=echoheaders-y

Next we create a couple of Ingress rules

kubectl create -f examples/ingress.yaml

we check that ingress rules are defined:

$ kubectl get ing
NAME      RULE          BACKEND   ADDRESS
echomap   -
          foo.bar.com
          /foo          echoheaders-x:80
          bar.baz.com
          /bar          echoheaders-y:80
          /foo          echoheaders-x:80

Before the deploy of the Ingress controller we need a default backend 404-server

kubectl create -f examples/default-backend.yaml
kubectl expose rc default-http-backend --port=80 --target-port=8080 --name=default-http-backend

Check NGINX it is running with the defined Ingress rules:

$ LBIP=$(kubectl get node `kubectl get po -l name=nginx-ingress-lb --template '{{range .items}}{{.spec.nodeName}}{{end}}'` --template '{{range $i, $n := .status.addresses}}{{if eq $n.type "ExternalIP"}}{{$n.address}}{{end}}{{end}}')
$ curl $LBIP/foo -H 'Host: foo.bar.com'

HTTPS

You can secure an Ingress by specifying a secret that contains a TLS private key and certificate. Currently the Ingress only supports a single TLS port, 443, and assumes TLS termination. This controller supports SNI. The TLS secret must contain keys named tls.crt and tls.key that contain the certificate and private key to use for TLS, eg:

apiVersion: v1
data:
  tls.crt: base64 encoded cert
  tls.key: base64 encoded key
kind: Secret
metadata:
  name: testsecret
  namespace: default
type: Opaque

Referencing this secret in an Ingress will tell the Ingress controller to secure the channel from the client to the loadbalancer using TLS:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: no-rules-map
spec:
  tls:
    secretName: testsecret
  backend:
    serviceName: s1
    servicePort: 80

Please follow test.sh as a guide on how to generate secrets containing SSL certificates. The name of the secret can be different than the name of the certificate.

Check the example

Server-side HTTPS enforcement

By default the controller redirects (301) to HTTPS if TLS is enabled for that ingress . If you want to disable that behaviour globally, you can use ssl-redirect: "false" in the NGINX config map.

To configure this feature for specfic ingress resources, you can use the ingress.kubernetes.io/ssl-redirect: "false" annotation in theparticular resource.

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement specified through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.

By default the controller redirects (301) to HTTPS if there is a TLS Ingress rule.

To disable this behavior use hsts=false in the NGINX config map.

Exposing TCP services

Ingress does not support TCP services (yet). For this reason this Ingress controller uses the flag --tcp-services-configmap to point to an existing config map where the key is the external port to use and the value is <namespace/service name>:<service port> It is possible to use a number or the name of the port.

The next example shows how to expose the service example-go running in the namespace default in the port 8080 using the port 9000

apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-configmap-example
data:
  9000: "default/example-go:8080"

Please check the tcp services example

Exposing UDP services

Since 1.9.13 NGINX provides UDP Load Balancing.

Ingress does not support UDP services (yet). For this reason this Ingress controller uses the flag --udp-services-configmap to point to an existing config map where the key is the external port to use and the value is <namespace/service name>:<service port> It is possible to use a number or the name of the port.

The next example shows how to expose the service kube-dns running in the namespace kube-system in the port 53 using the port 53

apiVersion: v1
kind: ConfigMap
metadata:
  name: udp-configmap-example
data:
  53: "kube-system/kube-dns:53"

Please check the udp services example

Proxy Protocol

If you are using a L4 proxy to forward the traffic to the NGINX pods and terminate HTTP/HTTPS there, you will lose the remote endpoint's IP addresses. To prevent this you could use the Proxy Protocol for forwarding traffic, this will send the connection details before forwarding the acutal TCP connection itself.

Amongst others ELBs in AWS and HAProxy support Proxy Protocol.

Please check the proxy-protocol example

Custom errors

In case of an error in a request the body of the response is obtained from the default backend. Each request to the default backend includes two headers:

  • X-Code indicates the HTTP code
  • X-Format the value of the Accept header

Using this two headers is possible to use a custom backend service like this one that inspect each request and returns a custom error page with the format expected by the client. Please check the example custom-errors

NGINX status page

The ngx_http_stub_status_module module provides access to basic status information. This is the default module active in the url /nginx_status. This controller provides an alternitive to this module using nginx-module-vts third party module. To use this module just provide a config map with the key enable-vts-status=true. The URL is exposed in the port 8080. Please check the example example/rc-default.yaml

nginx-module-vts screenshot

To extract the information in JSON format the module provides a custom URL: /nginx_status/format/json

Debug & Troubleshooting

Using the flag --v=XX it is possible to increase the level of logging. In particular:

  • --v=2 shows details using diff about the changes in the configuration in nginx
I0316 12:24:37.581267       1 utils.go:148] NGINX configuration diff a//etc/nginx/nginx.conf b//etc/nginx/nginx.conf
I0316 12:24:37.581356       1 utils.go:149] --- /tmp/922554809  2016-03-16 12:24:37.000000000 +0000
+++ /tmp/079811012  2016-03-16 12:24:37.000000000 +0000
@@ -235,7 +235,6 @@

     upstream default-echoheadersx {
         least_conn;
-        server 10.2.112.124:5000;
         server 10.2.208.50:5000;

     }
I0316 12:24:37.610073       1 command.go:69] change in configuration detected. Reloading...
  • --v=3 shows details about the service, Ingress rule, endpoint changes and it dumps the nginx configuration in JSON format
  • --v=5 configures NGINX in debug mode

These issues were encountered in past versions of Kubernetes:

1.2.0-alpha7 deployment:

  • make setup-files.sh file in hypercube does not provide 10.0.0.1 IP to make-ca-certs, resulting in CA certs that are issued to the external cluster IP address rather then 10.0.0.1 -> this results in nginx-third-party-lb appearing to get stuck at "Utils.go:177 - Waiting for default/default-http-backend" in the docker logs. Kubernetes will eventually kill the container before nginx-third-party-lb times out with a message indicating that the CA certificate issuer is invalid (wrong ip), to verify this add zeros to the end of initialDelaySeconds and timeoutSeconds and reload the RC, and docker will log this error before kubernetes kills the container.

Limitations

  • Ingress rules for TLS require the definition of the field host

NGINX notes

Since gcr.io/google_containers/nginx-slim:0.8 NGINX contains the next patches:

  • Dynamic TLS record size nginx__dynamic_tls_records.patch NGINX provides the parameter ssl_buffer_size to adjust the size of the buffer. Default value in NGINX is 16KB. The ingress controller changes the default to 4KB. This improves the TLS Time To First Byte (TTTFB) but the size is fixed. This patches adapts the size of the buffer to the content is being served helping to improve the perceived latency.

  • Add SPDY support back to Nginx with HTTP/2 nginx_1_9_15_http2_spdy.patch At the same NGINX introduced HTTP/2 support for SPDY was removed. This patch add support for SPDY wichout compromising HTTP/2 support using the Application-Layer Protocol Negotiation (ALPN) or Next Protocol Negotiation (NPN) Transport Layer Security (TLS) extension to negotiate what protocol the server and client support

openssl s_client -servername www.my-site.com -connect www.my-site.com:443 -nextprotoneg ''
CONNECTED(00000003)
Protocols advertised by server: h2, spdy/3.1, http/1.1

Documentation

The Go Gopher

There is no documentation for this package.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL