The closest tutorial I can find in getting an SSL terminating Ingress and an nginx based controller running on bare metal (Digital Ocean, for example) is this:
https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx
but it leaves so many assumptions unexplained.
location ^~ /.well-known/acme-challenge/ which allows my LetsEncrypt cert renewals to work
location /.well-known/acme-challenge/
location /
boo my answers apply to https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx
- default backend at port 80 for all hosts that:
- 404 on location /.well-known/acme-challenge/
this is not possible using Ingress rules
- 301 on location /
This is already supported. If the server contains an SSL certificate it will redirect to https automatically
- subdomain based routing to different backend services on port 443
- each subdomain points to a different SSL key/cert (generated by my LetsEncrypt, and stored in K8S as a secret I suppose??)
You need to create multiple Ingress rules, one per subdomain. Each rule can use a different secret name (this will create multiple servers, one per subdomain)
- full documentation on writing Ingress rules
http://kubernetes.io/docs/user-guide/ingress/
(I don't know if there's additional information besides the go code)
- can I configure SSL certs (on port 443) for each backend individually?
- is / the "path" that's a catchall for a host?
yes
- updating Ingress rules in place
- what nginx controller do I use? nginx? nginx-alpha? nginx-ingress docker container -- and where is the documentation for each of these controllers?
This depends on what you need. If you want to build your custom Ingress controller you can use nginx-alpha as reference. If nginx-ingress is not clear in the examples, please open an issue and mention what could be improved in the examples or what's missing
- is there a base controller image that I can override the nginx.conf template that gets populated by Ingress changes from the API server?
No. The reason for this is that the template is tied to the go code that populates the template. That said, you can build a custom image changing the template, but this requires you to deploy the image to test the changes
- how do you store SSL keys and certs as secrets?
yes, as secrets like this http://kubernetes.io/docs/user-guide/ingress/#tls
For the letsencrypt support please check this comment https://github.com/kubernetes/kubernetes/issues/19899#issuecomment-184059009
Here is a complete example https://gist.github.com/aledbf/d88c7f7d0b8d4d032035b14ab0965e26 added to examples in #766
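
The per-subdomain layout described in the answer above (one Ingress per subdomain, each naming its own TLS secret, with / as the catch-all path), as an added example that is not taken from the linked gist or from the controller project. It assumes the current networking.k8s.io/v1 Ingress schema, which may differ from the API version in use when this thread was written; every host, namespace, secret and service name is a placeholder.

```yaml
# Constructed example: every name, host and namespace below is a placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: app-tls
  namespace: web
type: kubernetes.io/tls          # this type expects the tls.crt and tls.key keys
data:
  tls.crt: REPLACE_WITH_BASE64_CERT_CHAIN
  tls.key: REPLACE_WITH_BASE64_PRIVATE_KEY
---
# api-tls is a second Secret of the same shape holding the other certificate.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: web                 # Ingress and its TLS Secret share a namespace
spec:
  tls:
    - hosts: [app.example.com]
      secretName: app-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /              # catch-all for this host
            pathType: Prefix
            backend:
              service: {name: app-svc, port: {number: 80}}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
  namespace: web
spec:
  tls:
    - hosts: [api.example.com]
      secretName: api-tls        # different certificate for this subdomain
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: {name: api-svc, port: {number: 80}}
```

Because each Secret holds a private key, read access to Secrets in that namespace is best limited to the ingress controller's service account and the process that renews the certificates.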