Add an example for Ingress with TLS offload.

05b6cabc · Geoff Simmons · 1f4ef09b · 05b6cabc · 05b6cabc · 05b6cabc
Commit 05b6cabc authored May 08, 2020 by Geoff Simmons
7 changed files
--- a/examples/hello/tls/cafe-ingress.yaml
+++ b/examples/hello/tls/cafe-ingress.yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: cafe-ingress-varnish
+  annotations:
+    kubernetes.io/ingress.class: "varnish"
+spec:
+  tls:
+  - hosts:
+    - cafe.example.com
+    secretName: cafe-tls-secret
+  rules:
+  - host: cafe.example.com
+    http:
+      paths:
+      - path: /tea
+        backend:
+          serviceName: tea-svc
+          servicePort: 80
+      - path: /coffee
+        backend:
+          serviceName: coffee-svc
+          servicePort: 80
--- a/examples/hello/tls/cafe-tls-secret.yaml
+++ b/examples/hello/tls/cafe-tls-secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cafe-tls-secret
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURXVENDQWtFQ0ZIYjhFTjBsMFF3aVI0ZUtLSVc2aDE3MnorSnJNQTBHQ1NxR1NJYjNEUUVCQ3dVQU1HZ3gKQ3pBSkJnTlZCQVlUQWtSRk1SQXdEZ1lEVlFRSURBZElZVzFpZFhKbk1SQXdEZ1lEVlFRSERBZElZVzFpZFhKbgpNUm93R0FZRFZRUUtEQkZIY21WbGJpQk5hV1JuWlhRZ1EyRm1aVEVaTUJjR0ExVUVBd3dRWTJGbVpTNWxlR0Z0CmNHeGxMbU52YlRBZ0Z3MHlNREExTURReE56QTVOVGxhR0E4eU1USXdNRFF4TURFM01EazFPVm93YURFTE1Ba0cKQTFVRUJoTUNSRVV4RURBT0JnTlZCQWdNQjBoaGJXSjFjbWN4RURBT0JnTlZCQWNNQjBoaGJXSjFjbWN4R2pBWQpCZ05WQkFvTUVVZHlaV1Z1SUUxcFpHZGxkQ0JEWVdabE1Sa3dGd1lEVlFRRERCQmpZV1psTG1WNFlXMXdiR1V1ClkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXRzMEhDcTZmcTlndjB1RWEKM2lPcnVaM0duY3RkQ29lR2pyUVE0RmgyY1FvTW0vaTNwa0RVdDZ4MnBMVFFoeGxOM29IM1dFbzFhMjRyLzNTOApYZnk2WGYwUHRpK2REaUNxQXdNZDZ2ZXU1NlJJdFZNTzFwbXgxd0RqR0ZUdXBscG5QUnR6OEVLc2FLWWZqWmQxCkJhYmRoa1doc0E5ZzNubnM4K2xxZU5idmViaGs3aGl2OWxwZ0RXQW5CaWUraGlvYW40V1FkUFptMS9iQU5INm8KK29XRHUxbzZHZHJrL2lhajJwUjczVlRGc1IyVUVtU1RwWGEzNVc3L25zbWdBREljNFJvdlUrOWhvMUk0L2ZTeQpqZ1ZsWlZCejI5eUxhRHlOdW9abGp6Tmh2R3FxMXdXNkpxL3YxdUJPUHhOSDFrM1pRSmw0amxHMHRzb0FTbm03Cm1yOWhld0lEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQk1OQ1ZZTVRkbGFOYVRqSjVDem5rOUdkK3UKVFNJRm1PQ2V0VE90M2wwWGUwYlNUeGJvVDZPejluRkRNUDJBMkhSSy9HVHAyNWVjK0VrMWlpQ0lGNDdSY3NHcApDZHVnK3g0d1FWUDNweGFrSi9vZEZOMVJlWkdaQ2pOd0JsdHhsUlh3SmhBcks1UFdtUXBwbU1aUHJXMVVZVzh5CngrbTVVUkV6T3pXZ2E2RUlsaHBNRWZnTmEwQk5DTC8yZ1BhejJNcEtYcTVXZTkzSURlMk8wbmxScnJWb0RIVTIKR0ZNaFRwV1NMa2xvYU16SU1sY0tSMElHeWV6Rzl3YVZnc2xpUzAwYllLcDhlUko1U3FDVVl2Q011QXBqb3l6VwpOMnc1OXA2dDV4RTdLdGIwY21oWmc4M0lTUFRCbEdxVkp4RjBjbExvYjVuV3lldXRYTmtQL0tPaTM4UEkKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdHMwSENxNmZxOWd2MHVFYTNpT3J1WjNHbmN0ZENvZUdqclFRNEZoMmNRb01tL2kzCnBrRFV0NngycExUUWh4bE4zb0gzV0VvMWEyNHIvM1M4WGZ5NlhmMFB0aStkRGlDcUF3TWQ2dmV1NTZSSXRWTU8KMXBteDF3RGpHRlR1cGxwblBSdHo4RUtzYUtZZmpaZDFCYWJkaGtXaHNBOWczbm5zOCtscWVOYnZlYmhrN2hpdgo5bHBnRFdBbkJpZStoaW9hbjRXUWRQWm0xL2JBTkg2bytvV0R1MW82R2Ryay9pYWoycFI3M1ZURnNSMlVFbVNUCnBYYTM1VzcvbnNtZ0FESWM0Um92VSs5aG8xSTQvZlN5amdWbFpWQnoyOXlMYUR5TnVvWmxqek5odkdxcTF3VzYKSnEvdjF1Qk9QeE5IMWszWlFKbDRqbEcwdHNvQVNubTdtcjloZXdJREFRQUJBb0lCQUVTN3ZzUVRlTklpallqYgpQMEQ3Wkp4OGFLdjRSVm1xTDd3RWxMdm1SMUtsbHF3bXp0YmlWWmxpYlpIc3N1TzViZ0FXR2l6R2FtT2tuMEtFCllEZHV5WnlCaEtEYU1sR1hrcFZqWEtKMjB2c2lXSHhsYUpUa1lXd1lWMHRVMUE4VXV2RE5HOERoTVBhQVVDanIKSkFNbUJQRnh5U1BzQkY1aXRlZllna0pCZnZYaTdzb2JhQ002QTc1RCtkQkxNZXEycStZYklRSC9jQW9qSFlmVgo3eXB5UTFRYVkrd3NEaUNNNm45UWprNGtybUhaL3ozOXk4bU83MXl0RmNNZkpKYWQ4TEtNNUo0cDlRdTk5cWViCklSRE9UL1NiOVFYTFhXVGVDRHY1SldQWXlGSDJ1M2UvOEdzdlFMYlhZWWJmV0xOb1U2UkRhRlNjMndta093VUgKVThwU0NERUNnWUVBM0tJUWNtZS8vNkIyalAzMUNvYTJmOGhzRU5kMG5MK0VEUjllclhMU1VnYTJsMFlOUEpaagpXNlZuTmRhZUdxOTJCN1d4Z2orZFNlZVNCZElSaFh3QUJPSEhqcnVHK2dvdGRSUnlvTzFsZHc3bUpqTi9xM1d4CkExZnBKK0owMFMxWk8xRmJ1a0tabVI3c21UUzdpNzNhOFY3QXQzZHlqQ0c2V3hFclAzTjVOTThDZ1lFQTFCcDUKeVlJSDhvSm1Qc3VKdDUwMWs5blU0U2R4eFFKcGI2dVo5UUNCcWJFc0drV0UzdnRMRXJsVThSbm0ySHVpck12RAo4UTNPc3VvdXBkQ1RDaHJKSjA0b0wvMnI2MG9UR2FwZURlNEJ1Uk0rRFJBWjJ0ckN3WHkzblQyNmJaL0RKdHVyCkhxdnQwdGV5OWVlOU1pVkhXRjJiaVplamQrS01VeFBDQ29aVlM1VUNnWUVBcGJ6OG0rU0NIM1liK0RnQjdvRloKOE0zUEdDdXh4dG83U1Z4S1ZBTlFLUnd2NTUxUTdqV090OWFkbkp6M01kYWkxSkhSb2FWRjg3R0lTT1VRRW5VZQowb3dFeTV6bGZVbE44b2lFdjR6MXpxVWJrSkRaRkNVWjd3Z0g5dFV2cWI3bUxDQW14dG1tNXBhTFoxOXNqMEgwCmlhTURKQThQdG1MVHlmc3d3TDV1eTVNQ2dZRUFyZEJNZ1Urbng1b0l3K2owSUo0YUsrRlV6SFlRaTR2Z2IzekcKbTdvZ2g3a0RGVHhuR0h3Q0Y0UDlFZDlTQjVHNXk3VG9DNEJ2SkxzNEl2WDdxVW91RWFIQTJTTWVZYURBYWtYcwo4YWxiakJreXZtMjFZbDNuUDd3K2xBTGo1YllJcksxVFc3MDFGWlZodUphQnVyaEY4U28wcmRxd1FTeE1Ka0NJCndTczRkc2tDZ1lCcjFMTzNHSU5Td0dIdDczdWVaRHRudkZ2TytFRkRhT0ZGYnNFZDE0TzFtbHVNNCtXcklaa3kKaW5aQ3Z5Z0pXemdIRjlMQ09wb0FaeEh5a01OckVvbWlkcHhWaUFscEJ6Yi9DNUNucHpsZmlWQnFMTjNOdk94Rwp6ZGtvcTZCaVpuem5zVmdvSHlQN1RRbFVYOTRhaFZUMDF5WjBualBrMmFZVmlwUFdVb0hRTVE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+type: kubernetes.io/tls
--- a/examples/hello/tls/cafe.vtc
+++ b/examples/hello/tls/cafe.vtc
+# looks like -*- vcl -*-
+
+varnishtest "cafe example with TLS offload"
+
+feature ignore_unknown_macro
+
+feature cmd {haproxy --version 2>&1 | grep -q 'HA-Proxy version'}
+
+# Use haproxy to forward the non-TLS request from the VTC client below to
+# the Ingress TLS port.
+haproxy h1 -conf {
+    defaults
+	mode   http
+	timeout connect         5s
+	timeout server          30s
+	timeout client          30s
+
+    backend ingress
+	server ingress ${localhost}:${localport} ssl verify none
+
+    frontend http1
+	use_backend ingress
+	bind "fd@${fe1}"
+	acl backend_tls ssl_bc
+	http-response add-header X-Backend-TLS "true" if backend_tls
+} -start
+
+client c1 -connect ${h1_fe1_sock} {
+	txreq -url /coffee/foo/bar -hdr "Host: cafe.example.com"
+	rxresp
+	expect resp.status == 200
+	expect resp.body ~ "(?m)^URI: /coffee/foo/bar$"
+	expect resp.body ~ "(?m)^Server name: coffee-[a-z0-9]+-[a-z0-9]+$"
+	expect resp.http.X-Backend-TLS == "true"
+
+	txreq -url /tea/baz/quux -hdr "Host: cafe.example.com"
+	rxresp
+	expect resp.status == 200
+	expect resp.body ~ "(?m)^URI: /tea/baz/quux$"
+	expect resp.body ~ "(?m)^Server name: tea-[a-z0-9]+-[a-z0-9]+$"
+	expect resp.http.X-Backend-TLS == "true"
+
+	txreq -url /coffee/foo/bar
+	rxresp
+	expect resp.status == 404
+	expect resp.http.X-Backend-TLS == "true"
+
+        # Connection:close reduces (but does not entirely eliminate) error
+        # messages from kubectl port-forward: EPIPE and ECONNRESET
+	txreq -url /milk -hdr "Host: cafe.example.com" -hdr "Connection: close"
+	rxresp
+	expect resp.status == 404
+	expect resp.http.X-Backend-TLS == "true"
+} -run
--- a/examples/hello/tls/cafe.yaml
+++ b/examples/hello/tls/cafe.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coffee
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: coffee
+  template:
+    metadata:
+      labels:
+        app: coffee
+    spec:
+      containers:
+      - name: coffee
+        image: nginxdemos/hello:plain-text
+        ports:
+        - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: coffee-svc
+spec:
+  ports:
+  - port: 80
+    targetPort: 80
+    protocol: TCP
+    name: http
+  selector:
+    app: coffee
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tea
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: tea 
+  template:
+    metadata:
+      labels:
+        app: tea 
+    spec:
+      containers:
+      - name: tea 
+        image: nginxdemos/hello:plain-text
+        ports:
+        - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tea-svc
+  labels:
+spec:
+  ports:
+  - port: 80
+    targetPort: 80
+    protocol: TCP
+    name: http
+  selector:
+    app: tea
--- a/examples/hello/tls/deploy.sh
+++ b/examples/hello/tls/deploy.sh
+#! /bin/bash -ex
+
+kubectl create -f cafe-tls-secret.yaml
+
+kubectl create -f cafe.yaml
+
+kubectl create -f cafe-ingress.yaml
--- a/examples/hello/tls/undeploy.sh
+++ b/examples/hello/tls/undeploy.sh
+#! /bin/bash -ex
+
+kubectl delete -f cafe-ingress.yaml
+
+kubectl delete -f cafe.yaml
+
+kubectl delete -f cafe-tls-secret.yaml
+
+echo "Waiting until varnish-ingress Pods are not ready"
+JSONPATH='{range .items[*]}{@.metadata.name}:{range @.status.conditions[*]}{@.type}={@.status};{end}{end}'
+
+N=0
+until [ $N -ge 120 ]
+do
+    if kubectl get pods -l app=varnish-ingress -o jsonpath="${JSONPATH}" | grep -q '\bReady=True\b'; then
+        sleep 10
+        N=$(( N + 10 ))
+        continue
+    fi
+    exit 0
+done
+echo "Giving up"
+exit 1
--- a/examples/hello/tls/verify.sh
+++ b/examples/hello/tls/verify.sh
+#! /bin/bash -x
+
+function killforward {
+    kill $KUBEPID
+}
+
+LOCALPORT=${LOCALPORT:-4443}
+
+# Long timeout to wait for the Secret to appear as a certificate on
+# the Pods.
+kubectl wait --timeout=5m pod -l app=varnish-ingress --for=condition=Ready
+ret=$?
+if [ $ret -ne 0 ]; then
+    exit $ret
+fi
+
+kubectl port-forward svc/varnish-ingress ${LOCALPORT}:443 >/dev/null &
+ret=$?
+if [ $ret -ne 0 ]; then
+    exit $ret
+fi
+KUBEPID=$!
+trap killforward EXIT
+
+sleep 1
+# The test may be skipped (exit status 77) if haproxy is not installed.
+varnishtest ${TESTOPTS} -Dlocalport=${LOCALPORT} cafe.vtc
+ret=$?
+if [ $ret -eq 77 ]; then
+    exit 0
+elif [ $ret -ne 0 ]; then
+    exit $ret
+fi
+
+exit 0
+