Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
k8s-ingress
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
3
Merge Requests
3
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
uplex-varnish
k8s-ingress
Commits
38270bfb
Commit
38270bfb
authored
Aug 18, 2020
by
Geoff Simmons
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Test the ACL example using helm deployment.
parent
6d970389
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
218 additions
and
0 deletions
+218
-0
deploy_helm.sh
examples/acl/deploy_helm.sh
+5
-0
undeploy_helm.sh
examples/acl/undeploy_helm.sh
+9
-0
values.yaml
examples/acl/values.yaml
+174
-0
varnishconfig.yaml
examples/hello/charts/templates/varnishconfig.yaml
+21
-0
values.yaml
examples/hello/charts/values.yaml
+9
-0
No files found.
examples/acl/deploy_helm.sh
0 → 100755
View file @
38270bfb
#! /bin/bash -ex
MYDIR
=
$(
dirname
${
BASH_SOURCE
[0]
})
helm
install
viking-ingress
${
MYDIR
}
/../hello/charts
--values
values.yaml
examples/acl/undeploy_helm.sh
0 → 100755
View file @
38270bfb
#! /bin/bash -ex
MYDIR
=
$(
dirname
${
BASH_SOURCE
[0]
})
source
${
MYDIR
}
/../../test/utils.sh
helm uninstall viking-ingress
echo
"Waiting until varnish-ingress Pods are not configured for Ingress"
wait_until_not_configured app.kubernetes.io/name
=
varnish-ingress
examples/acl/values.yaml
0 → 100644
View file @
38270bfb
apps
:
coffee
:
image
:
nginxdemos/hello:plain-text
replicas
:
2
tea
:
image
:
nginxdemos/hello:plain-text
replicas
:
3
ingress
:
name
:
cafe-ingress
rules
:
-
host
:
cafe.example.com
paths
:
-
path
:
/tea
app
:
tea
-
path
:
/coffee
app
:
coffee
# vikingAdmSvc is required, and identifies the Service name of Varnish
# services in the same namespace to which this config is to be
# applied.
vikingAdmSvc
:
varnish-ingress-admin
# This config defines two whitelists and two blacklists.
# The order of the elements in acl is significant -- ACL matches are
# run in order, until the first set of conditions that leads to a
# failure status is matched, or all of them run without failing.
acls
:
# This ACL defines the address ranges for IPv4 loopback addresses
# and private networks:
# 127.0.0.0/8, 10.0.0.0/24, 172.16.0.0/12 and 192.168.0.0/16
#
# comparand is the default: client.ip, as interpreted in VCL
# (either the client IP forwarded by the PROXY protocol, or
# the peer address of the connection if PROXY is not used).
#
# fail-status is the default (403 Forbidden).
#
# type is default (whitelist) -- the failure status is returned
# if client.ip does not match the ACL.
#
# The conditions field is not defined -- this ACL is matched for
# all client requests.
-
name
:
local-private-ip4
addrs
:
-
addr
:
127.0.0.0
mask-bits
:
8
-
addr
:
10.0.0.0
mask-bits
:
24
-
addr
:
172.16.0.0
mask-bits
:
12
-
addr
:
192.168.0.0
mask-bits
:
16
# This is the ACL shown as an example in vcl(7):
# https://varnish-cache.org/docs/6.3/reference/vcl.html#access-control-list-acl
# The ACL matches:
# - the IP resolved for "localhost" at VCL load time
# - 192.0.2.0/24
# - but it does *not* match the IP 192.0.2.23 (since the negate
# field for that address is set to true).
#
# comparand is the client request header X-Real-IP. The header
# must contain an IP address, otherwise it will not match the ACL.
#
# fail-status is default 403.
#
# type is whitelist.
#
# The conditions specify that the ACL match is executed when:
# - the URL path begins with "/tea", and
# - the Host header is exactly equal to "cafe.example.com"
# (According to the Ingress rules of the cafe example, requests
# are routed to the Service tea-svc under these conditions).
#
# The result-header config means that the client request header
# X-Tea-Whitelisted is set to "true" if the address from X-Real-IP
# is on the whitelist (the "success" string is assigned if the
# fail-status is not invoked); set to "false" otherwise.
-
name
:
man-vcl-example
addrs
:
-
addr
:
localhost
-
addr
:
192.0.2.0
mask-bits
:
24
-
addr
:
192.0.2.23
negate
:
true
comparand
:
req.http.X-Real-IP
type
:
whitelist
conditions
:
-
comparand
:
req.url
compare
:
match
value
:
^/tea(/|$)
-
comparand
:
req.http.Host
value
:
cafe.example.com
result-header
:
header
:
req.http.X-Tea-Whitelisted
success
:
"
true"
failure
:
"
false"
# This ACL defines a blacklist:
# 192.0.20/24 and 198.51.100.0/24
#
# comparand xff-first means that the IP address to be matched
# is in the first comma-separated field in the X-Forwarded-For
# header. This field must contain an IP address, otherwise it
# will not match the ACL.
#
# fail-status is 404 Not Found (making it appear to non-matching
# clients that they used an invalid URL).
#
# type is blacklist -- the failure status is returned if the
# IP address (from X-Forwarded-For) matches the ACL.
#
# The conditions specify that the ACL match is executed when:
# - the URL path begins with "/coffee/black", and
# - the Host header is exactly equal to "cafe.example.com"
#
# The result-header config means that the client request header
# X-Coffee-Blacklist is set to "true" if the address from
# X-Forwarded-For is on the blacklist (the "failure" string is
# assigned if the fail-status is invoked); set to "false"
# otherwise.
-
name
:
xff-first-example
addrs
:
-
addr
:
192.0.2.0
mask-bits
:
24
-
addr
:
198.51.100.0
mask-bits
:
24
comparand
:
xff-first
type
:
blacklist
fail-status
:
404
conditions
:
-
comparand
:
req.url
compare
:
match
value
:
^/coffee/black(/|$)
-
comparand
:
req.http.Host
compare
:
equal
value
:
cafe.example.com
result-header
:
header
:
req.http.X-Coffee-Blacklist
failure
:
"
true"
success
:
"
false"
# This ACL defines a blacklist for 203.0.113.0/24.
#
# comparand xff-2ndlast means that the IP address to be matched
# is in the next-to-last comma-separated field in the X-Forwarded-For
# header, *after* Varnish appends the client IP to X-Forwarded-For.
# In other words, it is the last field in X-Forwarded-For when
# Varnish receives the request. As with xff-first, the field must
# contain an IP address.
#
# fail-status is default 403.
#
# type is blacklist.
#
# The conditions specify that the ACL match is executed when:
# - the URL path begins with "/coffee", and
# - the Host header is exactly equal to "cafe.example.com"
# (According to the Ingress rules of the cafe example, requests
# are routed to the Service coffee-svc under these conditions).
-
name
:
xff-2ndlast-example
addrs
:
-
addr
:
203.0.113.0
mask-bits
:
24
comparand
:
xff-2ndlast
type
:
blacklist
conditions
:
-
comparand
:
req.url
compare
:
match
value
:
^/coffee(/|$)
-
comparand
:
req.http.Host
value
:
cafe.example.com
examples/hello/charts/templates/varnishconfig.yaml
0 → 100644
View file @
38270bfb
{{
if .Values.acls -
}}
{{
if empty .Values.vikingAdmSvc -
}}
{{
fail "Viking admin Service must be specified" -
}}
{{
end -
}}
apiVersion
:
"
ingress.varnish-cache.org/v1alpha1"
kind
:
VarnishConfig
metadata
:
name
:
{{
include "viking-ingress.fullname" .
}}
-vcfg
labels
:
app.kubernetes.io/name
:
{{
.Values.ingress.name
}}
app.kubernetes.io/component
:
varnishConfig
{{
- include "viking-ingress.labels" . | nindent 4
}}
spec
:
services
:
-
{{
.Values.vikingAdmSvc
}}
{{
- if .Values.acls
}}
acl
:
{{
toYaml .Values.acls | nindent 4
}}
{{
- end
}}
{{
- end
}}
examples/hello/charts/values.yaml
View file @
38270bfb
...
...
@@ -31,3 +31,12 @@ ingress:
# - name: tls-secret
# crt: <certificate>
# key: <key>
# The admin Service for the viking workload to implement the Ingress
# and VarnishConfig. Required for VarnishConfig. If empty, then
# default rules apply for Ingress -- typically the one such Service in
# the same namespace.
vikingAdmSvc
:
"
"
# ACL elements for VarnishConfig
acls
:
[]
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment