Merge pull request kubernetes#11246 from bprashanth/nginx_https

Add an nginx https example
crawshaw · Jul 15, 2015 · 8f3c310 · 8f3c310
2 parents 9748d26 + 5fe8afc
commit 8f3c310
Show file tree

Hide file tree

Showing 6 changed files with 254 additions and 0 deletions.
diff --git a/examples/https-nginx/Dockerfile b/examples/https-nginx/Dockerfile
@@ -0,0 +1,18 @@
+# Copyright 2015 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM nginx
+MAINTAINER Prashanth B <beeps@google.com>
+COPY default.conf /etc/nginx/conf.d/default.conf
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/examples/https-nginx/Makefile b/examples/https-nginx/Makefile
@@ -0,0 +1,24 @@
+all:
+
+TAG = 1.0
+PREFIX = bprashanth/nginxhttps
+KEY = /tmp/nginx.key
+CERT = /tmp/nginx.crt
+SECRET = /tmp/secret.json
+
+keys:
+	# The CName used here is specific to the service specified in nginx-app.yaml.
+	openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout $(KEY) -out $(CERT) -subj "/CN=nginxsvc/O=nginxsvc"
+
+secret:
+	CGO_ENABLED=0 GOOS=linux go run -a -installsuffix cgo -ldflags '-w' make_secret.go -crt $(CERT) -key $(KEY) > $(SECRET)
+
+container:
+	docker build -t $(PREFIX):$(TAG) .
+
+push: container
+	docker push $(PREFIX):$(TAG)
+
+clean:
+	rm $(KEY)
+	rm $(CERT)
diff --git a/examples/https-nginx/README.md b/examples/https-nginx/README.md
@@ -0,0 +1,87 @@
+<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
+
+<!-- BEGIN STRIP_FOR_RELEASE -->
+
+![WARNING](http://kubernetes.io/img/warning.png)
+![WARNING](http://kubernetes.io/img/warning.png)
+![WARNING](http://kubernetes.io/img/warning.png)
+
+<h1>PLEASE NOTE: This document applies to the HEAD of the source
+tree only. If you are using a released version of Kubernetes, you almost
+certainly want the docs that go with that version.</h1>
+
+<strong>Documentation for specific releases can be found at
+[releases.k8s.io](http://releases.k8s.io).</strong>
+
+![WARNING](http://kubernetes.io/img/warning.png)
+![WARNING](http://kubernetes.io/img/warning.png)
+![WARNING](http://kubernetes.io/img/warning.png)
+
+<!-- END STRIP_FOR_RELEASE -->
+
+<!-- END MUNGE: UNVERSIONED_WARNING -->
+# Nginx https service
+
+This example creates a basic nginx https service useful in verifying proof of concept, keys, secrets, and end-to-end https service creation in kubernetes.
+It uses an [nginx server block](http://wiki.nginx.org/ServerBlockExample) to serve the index page over both http and https.
+
+### Generate certificates
+First generate a self signed rsa key and certificate that the server can use for TLS.
+
+```shell
+$ make keys secret KEY=/tmp/nginx.key CERT=/tmp/nginx.crt SECRET=/tmp/secret.json
+```
+
+### Create a https nginx application running in a kubernetes cluster
+
+You need a [running kubernetes cluster](../../docs/getting-started-guides/) for this to work.
+
+```
+$ kubectl create -f /tmp/secret.json
+secrets/nginxsecret
+
+$ kubectl create -f nginx-app.yaml
+services/nginxsvc
+replicationcontrollers/my-nginx
+
+$ kubectl get svc nginxsvc -o json
+...
+                    {
+                        "name": "http",
+                        "protocol": "TCP",
+                        "port": 80,
+                        "targetPort": 80,
+                        "nodePort": 30849
+                    },
+                    {
+                        "name": "https",
+                        "protocol": "TCP",
+                        "port": 443,
+                        "targetPort": 443,
+                        "nodePort": 30744
+                    }
+...
+
+$ kubectl get nodes -o json | grep ExternalIP -A 2
+...
+                        "type": "ExternalIP",
+                        "address": "104.197.63.17"
+                    }
+--
+                        "type": "ExternalIP",
+                        "address": "104.154.89.170"
+                    }
+...
+
+$ curl https://nodeip:30744 -k
+...
+<title>Welcome to nginx!</title>
+...
+```
+
+For more information on how to run this in a kubernetes cluster, please see the [user-guide](../../docs/user-guide/connecting-applications.md).
+
+
+<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
+[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/examples/https-nginx/README.md?pixel)]()
+<!-- END MUNGE: GENERATED_ANALYTICS -->
diff --git a/examples/https-nginx/default.conf b/examples/https-nginx/default.conf
@@ -0,0 +1,17 @@
+server {
+        listen 80 default_server;
+        listen [::]:80 default_server ipv6only=on;
+
+        listen 443 ssl;
+
+        root /usr/share/nginx/html;
+        index index.html index.htm;
+
+        server_name localhost;
+        ssl_certificate /etc/nginx/ssl/nginx.crt;
+        ssl_certificate_key /etc/nginx/ssl/nginx.key;
+
+        location / {
+                try_files $uri $uri/ =404;
+        }
+}
diff --git a/examples/https-nginx/make_secret.go b/examples/https-nginx/make_secret.go
@@ -0,0 +1,66 @@
+/*
+Copyright 2015 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// A small script that converts the given open ssl public/private keys to
+// a secret that it writes to stdout as json. Most common use case is to
+// create a secret from self signed certificates used to authenticate with
+// a devserver. Usage: go run make_secret.go -crt ca.crt -key priv.key > secret.json
+package main
+
+import (
+	"flag"
+	"fmt"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api/latest"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"
+	"io/ioutil"
+	"log"
+)
+
+// TODO:
+// Add a -o flag that writes to the specified destination file.
+// Teach the script to create crt and key if -crt and -key aren't specified.
+var (
+	crt = flag.String("crt", "", "path to nginx certificates.")
+	key = flag.String("key", "", "path to nginx private key.")
+)
+
+func read(file string) []byte {
+	b, err := ioutil.ReadFile(file)
+	if err != nil {
+		log.Fatalf("Cannot read file %v, %v", file, err)
+	}
+	return b
+}
+
+func main() {
+	flag.Parse()
+	if *crt == "" || *key == "" {
+		log.Fatalf("Need to specify -crt -key and -template")
+	}
+	nginxCrt := read(*crt)
+	nginxKey := read(*key)
+	secret := &api.Secret{
+		ObjectMeta: api.ObjectMeta{
+			Name: "nginxsecret",
+		},
+		Data: map[string][]byte{
+			"nginx.crt": nginxCrt,
+			"nginx.key": nginxKey,
+		},
+	}
+	fmt.Printf(runtime.EncodeOrDie(latest.Codec, secret))
+}
diff --git a/examples/https-nginx/nginx-app.yaml b/examples/https-nginx/nginx-app.yaml
@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginxsvc
+  labels:
+    app: nginx
+spec:
+  type: NodePort
+  ports:
+  - port: 80
+    protocol: TCP
+    name: http
+  - port: 443
+    protocol: TCP
+    name: https
+  selector:
+    app: nginx
+---
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: my-nginx
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      volumes:
+      - name: secret-volume
+        secret:
+          secretName: nginxsecret
+      containers:
+      - name: nginxhttps
+        image: bprashanth/nginxhttps:1.0
+        ports:
+        - containerPort: 443
+        - containerPort: 80
+        volumeMounts:
+        - mountPath: /etc/nginx/ssl
+          name: secret-volume