You are looking at the documentation of a prior release. To read the documentation of the latest release, please
visit here.
HostPort
In HostPort
type Ingress, HAProxy pods are run via a Kubernetes deployment named voyager-${ingress-name}
with hostNetwork: true
. A headless Service is also created for the HAProxy pods. To enable this, apply the ingress.appscode.com/type: HostPort
annotation on a Ingress object.
How It Works
- First, deploy voyager operator.
curl -fsSL https://raw.githubusercontent.com/appscode/voyager/7.1.1/hack/deploy/voyager.sh \
| bash -s -- --provider=minikube
- Now, deploy test servers using this script script.
curl -fsSL https://raw.githubusercontent.com/appscode/voyager/7.1.1/docs/examples/ingress/types/hostport/deploy-servers.sh | bash
deployment "nginx" created
service "web" exposed
deployment "echoserver" created
service "rest" exposed
- Now, create an Ingress object running
kubectl apply -f https://raw.githubusercontent.com/appscode/voyager/7.1.1/docs/examples/ingress/types/hostport/ing.yaml
Please note the annotaiton on ingress:
annotations:
ingress.appscode.com/type: HostPort
$ kubectl get pods,svc
NAME READY STATUS RESTARTS AGE
po/echoserver-566fcc4fdb-7fth7 1/1 Running 0 6m
po/nginx-d5dc44cf7-m4xcg 1/1 Running 0 6m
po/voyager-test-ingress-668594cc46-5zswh 1/1 Running 0 4m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
svc/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 1h
svc/rest ClusterIP 10.103.13.42 <none> 80/TCP 6m
svc/voyager-test-ingress ClusterIP None <none> 80/TCP 4m
svc/web ClusterIP 10.99.232.60 <none> 80/TCP 6m
- Now, ssh into the minikube vm and run the following commands from host:
$ minikube ssh
$ curl -vv 127.1.1.1 -H "Host: web.example.com"
> GET / HTTP/1.1
> Host: web.example.com
> User-Agent: curl/7.53.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.13.8
< Date: Thu, 28 Dec 2017 04:27:20 GMT
< Content-Type: text/html
< Content-Length: 612
< Last-Modified: Tue, 26 Dec 2017 11:11:22 GMT
< ETag: "5a422e5a-264"
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
$ curl -vv 127.1.1.1 -H "Host: app.example.com"
> GET / HTTP/1.1
> Host: app.example.com
> User-Agent: curl/7.53.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.10.0
< Date: Thu, 28 Dec 2017 04:27:39 GMT
< Content-Type: text/plain
< Transfer-Encoding: chunked
<
CLIENT VALUES:
client_address=172.17.0.1
command=GET
real path=/
query=nil
request_version=1.1
request_uri=http://app.example.com:8080/
SERVER VALUES:
server_version=nginx: 1.10.0 - lua: 10001
HEADERS RECEIVED:
accept=*/*
connection=close
host=app.example.com
user-agent=curl/7.53.0
x-forwarded-for=127.1.1.1
BODY:
Now, if you run netstat
, you should port 80 is listened on by haproxy.
$ netstat -tuln | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 127.1.1.1:2380 0.0.0.0:* LISTEN
FAQ
Does Voyager configure firewalls for HostPort Ingress?
Voyager operator will configure firewall rules for HostPort Ingress for the following cloud providers: AWS, GCE/GKE .
What IAM permissions are reuired for Voyager operator to configure firewalls for HostPort Ingress in AWS?
Master: For aws clusters provisioned via Kops, no additional permission should be needed. Master instances already has
ec2:*
iam permissions.Nodes:
Describe*
permissions are applied by default. Additionalwrite
permissions need to be applied are:
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateRoute",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:DeleteRoute",
"ec2:DeleteSecurityGroup",
"ec2:ModifyInstanceAttribute",
"ec2:RevokeSecurityGroupIngress",
"ec2:DescribeInstances",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets"
],
"Resource": "*"
}