Document nginx controller configuration tweaks #132
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
the
cncf-cla: yes
|
This change is |
cmluciano
reviewed
Jan 16, 2017
| **Please note the template is tied to the go code. Be sure to no change names in the variable `$cfg`** | ||
| **Please note the template is tied to the Go code. Do not change names in the variable `$cfg`.** | ||
|
|
||
| To know more about the template syntax please check the [Go template package](https://golang.org/pkg/text/template/). |
There was a problem hiding this comment.
"For more information about"
|
|
||
| To use custom values in an Ingress rule define this annotations: | ||
| **With the default values NGINX will not health check your backends, and whenever the endpoints controller notices a readiness probe failure that pod's IP will be removed from the list of endpoints, causing nginx to also remove it from the upstreams.** |
There was a problem hiding this comment.
This sentence should probably be split up
|
|
||
| **Important:** | ||
| The upstreams are shared. All Ingress rules using the same service will use the same upstream. This means only one of the rules should define annotations to configure the upstream servers. |
There was a problem hiding this comment.
I know that this existed before, but it would be helpful to expand on "the upstreams".
| Name of the secret that contains the usernames and passwords with access to the `path/s` defined in the Ingress Rule. | ||
| The secret must be created in the same namespace than the Ingress rule | ||
| The name of the secret that contains the usernames and passwords with access to the `path`'s defined in the Ingress Rule. | ||
| The secret must be created in the same namespace than the Ingress rule. |
There was a problem hiding this comment.
Is this meant to say "as the" instead of "than the" ? Or is this implying ordering?
|
|
||
|
|
||
| ### Rate limiting | ||
|
|
||
| The annotations `ingress.kubernetes.io/limit-connections` and `ingress.kubernetes.io/limit-rps` allows the creation of a limit in the connections that can be opened by a single client IP address. This can be use to mitigate [DDoS Attacks](https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus) | ||
| The annotations `ingress.kubernetes.io/limit-connections` and `ingress.kubernetes.io/limit-rps` allows the creation of a limit in the connections that can be opened by a single client IP address. This can be used to mitigate [DDoS Attacks](https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus). |
|
|
||
| Please check the [whitelist](examples/whitelist/README.md) example | ||
| *Note:* adding an annotation overrides any global restriction. |
|
|
||
| #### Retries in no idempotent methods | ||
| #### Retries in non idempotent methods |
pedrosland
commented
Jan 17, 2017
| The upstreams are shared. All Ingress rules using the same service will use the same upstream. This means only one of the rules should define annotations to configure the upstream servers. | ||
| In NGINX, backend server pools are called "[upstreams](http://nginx.org/en/docs/http/ngx_http_upstream_module.html)". Each upstream contains the endpoints for a service. An upstream is created for each service that has Ingress rules defined. | ||
|
|
||
| **Important:** All Ingress rules using the same service will use the same upstream. Only one of the Ingress rules should define annotations to configure the upstream servers. |
There was a problem hiding this comment.
Is this the right idea?
|
Thanks for the feedback. |
euank
reviewed
Jan 17, 2017
| @@ -9,27 +9,27 @@ | |||
| * [Rate limiting](#rate-limiting) | |||
| * [Secure backends](#secure-backends) | |||
| * [Whitelist source range](#whitelist-source-range) | |||
| * [Allowed parameters in configuration config map](#allowed-parameters-in-configuration-configmap) | |||
| * [Allowed parameters in configuration config map](#allowed-parameters-in-configuration-config-map) | |||
There was a problem hiding this comment.
nit, the text could read "ConfigMap" which is what the k8s docs typically call it.
|
|
||
| 1. config map: create a stand alone config map, use this if you want a different global configuration | ||
| 2. annotations: [annotate the ingress](#annotations), use this if you want a specific configuration for the site defined in the Ingress rule | ||
| 1. [config map](#allowed-parameters-in-configuration-config-map): create a stand alone config map, use this if you want a different global configuration |
There was a problem hiding this comment.
Same nit as above about ConfigMap.
| @@ -110,49 +110,47 @@ Indicates the [HTTP Authentication Type: Basic or Digest Access Authentication]( | |||
| ingress.kubernetes.io/auth-secret:secretName | |||
| ``` | |||
|
|
|||
| Name of the secret that contains the usernames and passwords with access to the `path/s` defined in the Ingress Rule. | |||
| The secret must be created in the same namespace than the Ingress rule | |||
| The name of the secret that contains the usernames and passwords with access to the `path`'s defined in the Ingress Rule. | |||
There was a problem hiding this comment.
nit, I prefer paths to path's.
| @@ -110,49 +110,47 @@ Indicates the [HTTP Authentication Type: Basic or Digest Access Authentication]( | |||
| ingress.kubernetes.io/auth-secret:secretName | |||
|
|
||
|
|
||
| ### External Authentication | ||
|
|
||
| To use an existing service that provides authentication the Ingress rule can be annotated with `ingress.kubernetes.io/auth-url` to indicate the URL where the HTTP request should be sent. | ||
| Additionally is possible to set `ingress.kubernetes.io/auth-method` to specify the HTTP method to use (GET or POST) and `ingress.kubernetes.io/auth-send-body` to true or false (default). | ||
| Additionally it is possible to set `ingress.kubernetes.io/auth-method` to specify the HTTP method to use (GET or POST) and `ingress.kubernetes.io/auth-send-body` to true or false (default). | ||
|
|
||
| ``` | ||
| ingress.kubernetes.io/auth-url:"URL to the authentication service" |
|
|
||
| TLSv1 is enabled to allow old clients like: | ||
| - [IE 8-10 / Win 7](https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=8-10&platform=Win%207&key=113) | ||
| - [Java 7u25](https://www.ssllabs.com/ssltest/viewClient.html?name=Java&version=7u25&key=26) | ||
|
|
||
| If you dont need to support this clients please remove TLSv1 | ||
| If you dont need to support this clients please remove TLSv1. |
|
|
||
| **use-http2:** Enables or disables the [HTTP/2](http://nginx.org/en/docs/http/ngx_http_v2_module.html) support in secure connections | ||
| **use-http2:** Enables or disables the [HTTP/2](http://nginx.org/en/docs/http/ngx_http_v2_module.html) support in secure connections. |
|
|
||
|
|
||
| **gzip-types:** Sets the MIME types in addition to "text/html" to compress. The special value "*"" matches any MIME type. | ||
| Responses with the "text/html" type are always compressed if `use-gzip` is enabled | ||
| **use-proxy-protocol:** Enables or disables the use of the [PROXY protocol](https://www.nginx.com/resources/admin-guide/proxy-protocol/) to receive client connection (real IP address) information passed through proxy servers and load balancers such as HAproxy and Amazon Elastic Load Balancer (ELB). |
There was a problem hiding this comment.
s/the use of the/use of the/
|
|
||
|
|
||
| **worker-processes:** Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes). By default "auto" means number of available CPU cores | ||
| **worker-processes:** Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes). By default "auto" means number of available CPU cores. |
| @@ -340,22 +342,23 @@ The next table shows the options, the default value and a description | |||
| |use-gzip|"true"| | |||
| |use-http2|"true"| | |||
| |vts-status-zone-size|10m| | |||
| |worker-processes|<number of CPUs>| | |||
| |worker-processes|number of CPUs| | |||
There was a problem hiding this comment.
maybe something like "$(nproc)" would be clearer, since it isn't literally being set to 'number of CPUs'.
I'm not sure the best option.
There was a problem hiding this comment.
I'm not sure about these either. It was on my list to ask about for later.
I have a couple more changes in the pipeline and I don't see a clear way to express:
|ssl-dh-param|value provided by OpenSSL|
Your suggestion would fix this case though and perhaps that is good enough for now? Another idea is to simply write < instead of <.
Some of these values are quoted but others are not. Perhaps we could quote the items to be taken literally or </> the values that are not?
There was a problem hiding this comment.
@pedrosland @euank I think we can leave this change for a different PR
|
I left some nits, but overall looks much cleaner, thanks a ton! ✏️ ✏️ ✏️ |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
@pedrosland thanks! |
haoqing0110
pushed a commit
to stolostron/management-ingress
that referenced
this pull request
Mar 5, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains many small tweaks to the nginx controller configuration documentation.
Some of these changes are perhaps personal taste. I am happy to change or to delete entirely.
I have another PR to follow for config map additions but I think this is un-reviewable enough.