Merge pull request #198 from bprashanth/static-ip

Add an example for static-ip and deployment

examples/deployment/gce/README.md

@@ -0,0 +1,78 @@
+# Deploying the GCE Ingress controller
+
+This example demonstrates the deployment of a GCE Ingress controller.
+
+Note: __all GCE/GKE clusters already have an Ingress controller running
+on the master. The only reason to deploy another GCE controller is if you want
+to debug or otherwise observe its operation (eg via kubectl logs). Before
+deploying another one in your cluster, make sure you disable the master
+controller.__
+
+## Disabling the master controller
+
+As of Kubernetes 1.3, GLBC runs as a static pod on the master. If you want to
+totally disable it, you can ssh into the master node and delete the GLBC
+manifest file found at `/etc/kubernetes/manifests/glbc.manifest`. You can also
+disable it on GKE at cluster bring-up time through the `disable-addons` flag:
+
+```console
+gcloud container clusters create mycluster --network "default" --num-nodes 1 \
+--machine-type n1-standard-2 --zone $ZONE \
+--disable-addons HttpLoadBalancing \
+--disk-size 50 --scopes storage-full
+```
+
+## Deploying a new controller
+
+The following command deploys a GCE Ingress controller in your cluster
+
+```console
+$ kubectl create -f gce-ingress-controller.yaml
+service "default-http-backend" created
+replicationcontroller "l7-lb-controller" created
+
+$ kubectl get po -l name=glbc
+NAME                     READY     STATUS    RESTARTS   AGE
+l7-lb-controller-1s22c   2/2       Running   0          27s
+```
+
+now you can create an Ingress and observe the controller
+
+```console
+$ kubectl create -f gce-tls-ingress.yaml
+ingress "test" created
+
+$ kubectl logs l7-lb-controller-1s22c -c l7-lb-controller
+I0201 01:03:17.387548       1 main.go:179] Starting GLBC image: glbc:0.9.0, cluster name
+I0201 01:03:18.459740       1 main.go:291] Using saved cluster uid "32658fa96c080068"
+I0201 01:03:18.459771       1 utils.go:122] Changing cluster name from  to 32658fa96c080068
+I0201 01:03:18.461652       1 gce.go:331] Using existing Token Source &oauth2.reuseTokenSource{new:google.computeSource{account:""}, mu:sync.Mutex{state:0, sema:0x0}, t:(*oauth2.Token)(nil)}
+I0201 01:03:18.553142       1 cluster_manager.go:264] Created GCE client without a config file
+I0201 01:03:18.553773       1 controller.go:234] Starting loadbalancer controller
+I0201 01:04:58.314271       1 event.go:217] Event(api.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"test", UID:"73549716-e81a-11e6-a8c5-42010af00002", APIVersion:"extensions", ResourceVersion:"673016", FieldPath:""}): type: 'Normal' reason: 'ADD' default/test
+I0201 01:04:58.413616       1 instances.go:76] Creating instance group k8s-ig--32658fa96c080068 in zone us-central1-b
+I0201 01:05:01.998169       1 gce.go:2084] Adding port 30301 to instance group k8s-ig--32658fa96c080068 with 0 ports
+I0201 01:05:02.444014       1 backends.go:149] Creating backend for 1 instance groups, port 30301 named port &{port30301 30301 []}
+I0201 01:05:02.444175       1 utils.go:495] No pod in service http-svc with node port 30301 has declared a matching readiness probe for health checks.
+I0201 01:05:02.555599       1 healthchecks.go:62] Creating health check k8s-be-30301--32658fa96c080068
+I0201 01:05:11.300165       1 gce.go:2084] Adding port 31938 to instance group k8s-ig--32658fa96c080068 with 1 ports
+I0201 01:05:11.743914       1 backends.go:149] Creating backend for 1 instance groups, port 31938 named port &{port31938 31938 []}
+I0201 01:05:11.744008       1 utils.go:495] No pod in service default-http-backend with node port 31938 has declared a matching readiness probe for health checks.
+I0201 01:05:11.811972       1 healthchecks.go:62] Creating health check k8s-be-31938--32658fa96c080068
+I0201 01:05:19.871791       1 loadbalancers.go:121] Creating l7 default-test--32658fa96c080068
+...
+
+$ kubectl get ing test
+NAME      HOSTS     ADDRESS          PORTS     AGE
+test      *         35.186.208.106   80, 443   4m
+
+$ curl 35.186.208.106 -kL
+CLIENT VALUES:
+client_address=10.180.3.1
+command=GET
+real path=/
+query=nil
+request_version=1.1
+request_uri=http://35.186.208.106:8080/
+...
+```

examples/deployment/gce/gce-ingress-controller.yaml

@@ -0,0 +1,82 @@
+apiVersion: v1
+kind: Service
+metadata:
+  # This must match the --default-backend-service argument of the l7 lb
+  # controller and is required because GCE mandates a default backend.
+  name: default-http-backend
+  labels:
+    k8s-app: glbc
+spec:
+  # The default backend must be of type NodePort.
+  type: NodePort
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    k8s-app: glbc
+
+---
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: l7-lb-controller
+  labels:
+    k8s-app: glbc
+    version: v0.9.0
+spec:
+  # There should never be more than 1 controller alive simultaneously.
+  replicas: 1
+  selector:
+    k8s-app: glbc
+    version: v0.9.0
+  template:
+    metadata:
+      labels:
+        k8s-app: glbc
+        version: v0.9.0
+        name: glbc
+    spec:
+      terminationGracePeriodSeconds: 600
+      containers:
+      - name: default-http-backend
+        # Any image is permissable as long as:
+        # 1. It serves a 404 page at /
+        # 2. It serves 200 on a /healthz endpoint
+        image: gcr.io/google_containers/defaultbackend:1.0
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 30
+          timeoutSeconds: 5
+        ports:
+        - containerPort: 8080
+        resources:
+          limits:
+            cpu: 10m
+            memory: 20Mi
+          requests:
+            cpu: 10m
+            memory: 20Mi
+      - image: gcr.io/google_containers/glbc:0.9.0-beta.1
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+            scheme: HTTP
+          initialDelaySeconds: 30
+          timeoutSeconds: 5
+        name: l7-lb-controller
+        resources:
+          limits:
+            cpu: 100m
+            memory: 100Mi
+          requests:
+            cpu: 100m
+            memory: 50Mi
+        args:
+        - --default-backend-service=default/default-http-backend
+        - --sync-period=300s

examples/static-ip/gce/README.md

@@ -0,0 +1,128 @@
+# Static IPs
+
+This example demonstrates how to assign a [static-ip](https://cloud.google.com/compute/docs/configure-instance-ip-addresses#reserve_new_static) to an Ingress on GCE.
+
+## Prerequisites
+
+You need a [TLS cert](/examples/PREREQUISITES.md#tls-certificates) and a [test HTTP service](/examples/PREREQUISITES.md#test-http-service) for this example.
+You will also need to make sure you Ingress targets exactly one Ingress
+controller by specifying the [ingress.class annotation](/examples/PREREQUISITES.md#ingress-class).
+
+## Acquiring a static IP
+
+In GCE, static IP belongs to a given project until the owner decides to release
+it. If you create a static IP and assign it to an Ingress, deleting the Ingress
+or tearing down the GKE cluster *will not* delete the static IP. You can check
+the static IPs you have as follows
+
+```console
+$ gcloud compute addresses list --global
+NAME                     REGION  ADDRESS          STATUS
+test-ip                          35.186.221.137   RESERVED
+
+$ gcloud compute addresses list
+NAME                      REGION       ADDRESS          STATUS
+test-ip                                35.186.221.137   RESERVED
+test-ip                   us-central1  35.184.21.228    RESERVED
+```
+
+Note the difference between a regional and a global static ip. Only global
+static-ips will work with Ingress. If you don't already have an IP, you can
+create it
+
+```console
+$ gcloud compute addresses create test-ip --global
+Created [https://www.googleapis.com/compute/v1/projects/kubernetesdev/global/addresses/test-ip].
+---
+address: 35.186.221.137
+creationTimestamp: '2017-01-31T10:32:29.889-08:00'
+description: ''
+id: '9221457935391876818'
+kind: compute#address
+name: test-ip
+selfLink: https://www.googleapis.com/compute/v1/projects/kubernetesdev/global/addresses/test-ip
+status: RESERVED
+```
+
+## Assigning a static IP to an Ingress
+
+You can now add the static IP from the previous step to an Ingress,
+by specifying the `kubernetes.io/global-static-ip-name` annotation,
+the example yaml in this directory already has it set to `test-ip`
+
+```console
+$ kubectl create -f gce-static-ip-ingress.yaml
+ingress "static-ip" created
+
+$ gcloud compute addresses list test-ip
+NAME     REGION       ADDRESS         STATUS
+test-ip               35.186.221.137  IN_USE
+test-ip  us-central1  35.184.21.228   RESERVED
+
+$ kubectl get ing
+NAME        HOSTS     ADDRESS          PORTS     AGE
+static-ip   *         35.186.221.137   80, 443   1m
+
+$ curl 35.186.221.137 -Lk
+CLIENT VALUES:
+client_address=10.180.1.1
+command=GET
+real path=/
+query=nil
+request_version=1.1
+request_uri=http://35.186.221.137:8080/
+...
+```
+
+## Retaining the static IP
+
+You can test retention by deleting the Ingress
+
+```console
+$ kubectl delete -f gce-static-ip-ingress.yaml
+ingress "static-ip" deleted
+
+$ kubectl get ing
+No resources found.
+
+$ gcloud compute addresses list test-ip --global
+NAME     REGION       ADDRESS         STATUS
+test-ip               35.186.221.137  RESERVED
+```
+
+## Promote ephemeral to static IP
+
+If you simply create a HTTP Ingress resource, it gets an ephemeral IP
+
+```console
+$ kubectl create -f gce-http-ingress.yaml
+ingress "http-ingress" created
+
+$ kubectl get ing
+NAME           HOSTS     ADDRESS         PORTS     AGE
+http-ingress   *         35.186.195.33   80        1h
+
+$ gcloud compute forwarding-rules list
+NAME                                           REGION       IP_ADDRESS      IP_PROTOCOL  TARGET
+k8s-fw-default-http-ingress--32658fa96c080068               35.186.195.33   TCP          k8s-tp-default-http-ingress--32658fa96c080068
+```
+
+Note that because this is an ephemeral IP, it won't show up in the output of
+`gcloud compute addresses list`.
+
+If you either directly create an Ingress with a TLS section, or modify a HTTP
+Ingress to have a TLS section, it gets a static IP.
+
+```console
+$ kubectl patch ing http-ingress -p '{"spec":{"tls":[{"secretName":"tls-secret"}]}}'
+"http-ingress" patched
+
+$ kubectl get ing
+NAME           HOSTS     ADDRESS         PORTS     AGE
+http-ingress   *         35.186.195.33   80, 443   1h
+
+$ gcloud compute addresses list
+NAME                                           REGION       ADDRESS          STATUS
+k8s-fw-default-http-ingress--32658fa96c080068               35.186.195.33    IN_USE
+```
+

examples/static-ip/gce/gce-http-ingress.yaml

@@ -0,0 +1,12 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: http-ingress
+  annotations:
+    kubernetes.io/ingress.class: "gce"
+spec:
+  backend:
+    # This assumes http-svc exists and routes to healthy endpoints.
+    serviceName: http-svc
+    servicePort: 80
+

examples/static-ip/gce/gce-static-ip-ingress.yaml

@@ -0,0 +1,19 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: static-ip
+  # Assumes a global static ip with the same name exists.
+  # You can acquire a static IP by running
+  # gcloud compute addresses create test-ip --global
+  annotations:
+    kubernetes.io/ingress.global-static-ip-name: "test-ip"
+    kubernetes.io/ingress.class: "gce"
+spec:
+  tls:
+  # This assumes tls-secret exists.
+  - secretName: tls-secret
+  backend:
+    # This assumes http-svc exists and routes to healthy endpoints.
+    serviceName: http-svc
+    servicePort: 80
+