On Tue, 11 Apr 2017 at 14:40, Matt Snoby <[email protected]> wrote:
> Giancarlo,
> This is exactly what I was looking for. Yes we do have proxy protocol
> enabled. I did not know about the “ingress-class” command line argument.
> I also did not know about the election-id argument. Is this where all
> that magic is kept or is there another location?
> https://github.com/kubernetes/ingress/blob/12a0373d2e52ac19ec80c80d0c00abf2b0975612/core/pkg/ingress/controller/launch.go

The ingress class is just an argument, see this example
https://github.com/kubernetes/ingress/blob/master/examples/customization/custom-vts-metrics/nginx/nginx-ingress-controller.yaml#L53

> I assume in your internal / external configuration each ingress controller
> spins up its own ELB?

Yes, I have 2 ELBs (internal/external) with all the workers attached in both.
I'm using a different nodePort for each ingress to avoid the ELB attaching to
the incorrect ingress.

> Or it shares the same ELB and that’s why you have your health checks on
> different ports?
> Do you have any ingress annotations set for the ELB?

Yes, I annotated my ingress with kubernetes.io/ingress.class: "internal" or
external

> Thanks,
> Matt
>
> On Apr 11, 2017, at 3:36 AM, Giancarlo Rubio <[email protected]> wrote:
>
> On Sunday, 9 April 2017 16:57:44 UTC+2, [email protected] wrote:
> > If anyone can point me to documentation on this I would be much
> > appreciative. How can I have two or more nginx ingress controllers
> > running in the same cluster?
> >
> > This is the use case:
> > I have on AWS an nginx ingress controller where I spin up the controller
> > with annotations to front the ELB with a particular cert. This means I
> > want (I think) the ELB to terminate the TLS and everything behind it to
> > be unencrypted HTTP.
> >
> > That being said I have certain applications running in the cluster, such
> > as Kibana as an example, that I want to just run as HTTPS. Easy enough to
> > do with a normal setup, however if I have the ELB terminating the TLS this
> > presents a problem.
>
> Why is it a problem? Have you enabled the proxy_protocol for TLS
> termination?
> https://github.com/kubernetes/ingress/tree/098bcb5e656356d9d0ab0f6e592dbad764dc32e3/controllers/nginx/examples/proxy-protocol
>
> https://github.com/kubernetes/ingress/search?utf8=✓&q=proxy_protocol&type=
>
> > Another use case would be if I wanted to set up one ingress controller to
> > be internal only, meaning having a list of whitelisted IPs. Another
> > controller could be open to the world.
>
> I have the same scenario
>
> this is the internal ingress
>
>   --default-backend-service=kube-system/default-http-backend
>   --tcp-services-configmap=kube-system/tcp-configmap
>   --configmap=kube-system/nginx-load-balancer-conf
>   --healthz-port=10001
>   --ingress-class=intern
>   --election-id=intern
>
> the annotation for this ingress should be "kubernetes.io/ingress.class:
> intern"
>
> the external ingress
>
>   --default-backend-service=kube-system/default-http-backend
>   --tcp-services-configmap=kube-system/tcp-configmap
>   --configmap=kube-system/nginx-load-balancer-conf
>   --healthz-port=10002
>   --ingress-class=extern
>   --election-id=intern
>
> Beware that both use different ports for the health check, so you can
> isolate both from the ELB
>
> whitelist ip =>
> https://github.com/kubernetes/ingress/blob/7ca7652ab26e1a5775f3066f53f28d5ea5eb3bb7/controllers/nginx/configuration.md#whitelist-source-range
>
> > Does this configuration currently exist?
> >
> > Thanks,
> > M
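
Added example, not part of the original thread and not code from the kubernetes/ingress project: a small Python lint that maps each Ingress to a controller by comparing its kubernetes.io/ingress.class annotation with the --ingress-class values posted above, and flags an annotation that matches no controller or controllers that share a class or health-check port. The Ingress names and annotations are constructed sample data, and exact string matching of the class value is an assumption.

```python
import shlex

CLASS_ANNOTATION = "kubernetes.io/ingress.class"

# Controller arguments as posted in the thread (only the flags the lint reads).
CONTROLLERS = {
    "internal": "--healthz-port=10001 --ingress-class=intern",
    "external": "--healthz-port=10002 --ingress-class=extern",
}

# Constructed sample Ingress metadata (names are hypothetical).
INGRESSES = [
    {"name": "kibana", "annotations": {CLASS_ANNOTATION: "intern"}},
    {"name": "shop", "annotations": {CLASS_ANNOTATION: "extern"}},
    {"name": "admin", "annotations": {CLASS_ANNOTATION: "internal"}},
    {"name": "legacy", "annotations": {}},
]


def parse_flags(argline):
    """Parse '--key=value' controller arguments into a dict."""
    flags = {}
    for token in shlex.split(argline):
        key, _, value = token.lstrip("-").partition("=")
        flags[key] = value
    return flags


def lint(controllers, ingresses):
    """Return (routing, findings): Ingress name -> controller, plus problems."""
    flags = {name: parse_flags(args) for name, args in controllers.items()}
    findings, by_class, by_port = [], {}, {}
    for name, f in flags.items():
        # Each controller needs its own class and its own health-check port.
        for index, key in ((by_class, "ingress-class"), (by_port, "healthz-port")):
            value = f.get(key)
            if value in index:
                findings.append(f"{name} and {index[value]} share {key}={value}")
            index[value] = name
    routing = {}
    for ing in ingresses:
        cls = ing["annotations"].get(CLASS_ANNOTATION)
        routing[ing["name"]] = by_class.get(cls)
        if cls is None:
            findings.append(f"{ing['name']}: no {CLASS_ANNOTATION} annotation")
        elif cls not in by_class:
            findings.append(f"{ing['name']}: class {cls!r} matches no controller")
    return routing, findings
```

Calling `lint(CONTROLLERS, INGRESSES)` returns the routing map and the list of findings; an Ingress routed to `None` is one that neither controller's class matches in this model.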
