
Need a Kubernetes 1.2 Ingress bare metal controller with SSL tutorial

The closest tutorial I can find in getting an SSL terminating Ingress and an nginx based controller running on bare metal (Digital Ocean, for example) is this:

https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx

but it leaves so many assumptions unexplained.

My ingress requirements are simply:

  • default backend at port 80 for all hosts that:
    • file access to location ^~ /.well-known/acme-challenge/ which allows my LetsEncrypt cert renewals to work
    • 404 on location /.well-known/acme-challenge/
    • 301 on location /
  • subdomain based routing to different backend services on port 443
  • each subdomain points to a different SSL key/cert (generated by my LetsEncrypt, and stored in K8S as a secret I suppose??)

What I think I need is this:

  • full documentation on writing Ingress rules
    • can I configure SSL certs (on port 443) for each backend individually?
    • is / the "path" that's a catchall for a host?
  • updating Ingress rules in place
  • what nginx controller do I use? nginx? nginx-alpha? nginx-ingress docker container -- and where is the documentation for each of these controllers?
    • is there a base controller image that I can override the nginx.conf template that gets populated by Ingress changes from the API server?
  • how do you store SSL keys and certs as secrets?

boo my answers apply to https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx

  • default backend at port 80 for all hosts that:
    • 404 on location /.well-known/acme-challenge/

This is not possible using Ingress rules.

  • 301 on location /

This is already supported. If the server contains an SSL certificate, it will redirect to HTTPS automatically.

  • subdomain based routing to different backend services on port 443
  • each subdomain points to a different SSL key/cert (generated by my LetsEncrypt, and stored in K8S as a secret I suppose??)

You need to create multiple Ingress rules, one per subdomain. Each rule can use a different secret name (this will create multiple servers, one per subdomain).

What I think I need is this:

  • full documentation on writing Ingress rules

http://kubernetes.io/docs/user-guide/ingress/

(I don't know if there's additional information besides the Go code.)

  • can I configure SSL certs (on port 443) for each backend individually?
  • is / the "path" that's a catchall for a host?

yes

  • updating Ingress rules in place
  • what nginx controller do I use? nginx? nginx-alpha? nginx-ingress docker container -- and where is the documentation for each of these controllers?

This depends on what you need. If you want to build your custom Ingress controller, you can use nginx-alpha as a reference. If nginx-ingress is not clear in the examples, please open an issue and mention what could be improved in the examples or what is missing.

  • is there a base controller image that I can override the nginx.conf template that gets populated by Ingress changes from the API server?

No. The reason for this is that the template is tied to the Go code that populates the template. That said, you can build a custom image changing the template, but this requires you to deploy the image to test the changes.

  • how do you store SSL keys and certs as secrets?

Yes, as secrets, like this: http://kubernetes.io/docs/user-guide/ingress/#tls

For the letsencrypt support please check this comment https://github.com/kubernetes/kubernetes/issues/19899#issuecomment-184059009

Here is a complete example https://gist.github.com/aledbf/d88c7f7d0b8d4d032035b14ab0965e26 added to examples in #766
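
The layout the answer describes (one Ingress per subdomain, each naming its own TLS secret), as an added example that is not part of the original answer or the linked gist. It assumes the `extensions/v1beta1` Ingress API of Kubernetes 1.2; the hostnames, resource names and backend services are hypothetical, and the secret values are placeholders.

```yaml
# Added example; all names, hosts and services below are hypothetical.
# One TLS secret per subdomain. Values are the base64 of the PEM files
# (e.g. `base64 -w0 fullchain.pem`); base64 is encoding, not encryption.
apiVersion: v1
kind: Secret
metadata:
  name: app-example-com-tls
  namespace: default
type: Opaque
data:
  tls.crt: "<base64 of the certificate chain PEM for app.example.com>"
  tls.key: "<base64 of the private key PEM for app.example.com>"
---
# A second Secret named api-example-com-tls has the same shape.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-example-com
  namespace: default
spec:
  tls:
  - secretName: app-example-com-tls   # cert/key served for this host
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /                       # catch-all path for the host
        backend:
          serviceName: app-svc
          servicePort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: api-example-com
  namespace: default
spec:
  tls:
  - secretName: api-example-com-tls   # different secret, different cert
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: api-svc
          servicePort: 80
```

Each Secret must live in the same namespace as the Ingress that references it, and because its `data` values are only base64-encoded, read access to secrets in that namespace should be restricted.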
