Installation with manifests#
Prerequisites#
You need access to the Docker image in our repository:
anic.docker.angie.software/
The following images are available for the current version:
anic.docker.angie.software/anic:0.5.0-alpine
anic.docker.angie.software/anic:0.5.0-debian
anic.docker.angie.software/anic:0.5.0-altlinux
To request access, contact .
RBAC setup#
- Create a namespace and a service account for ANIC:
$ kubectl apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: angie-ingress
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: angie-ingress
  namespace: angie-ingress
EOF
- Create a ClusterRole and a ClusterRoleBinding:
Example
$ kubectl apply -f - <<EOF
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: angie-ingress
rules:
- apiGroups: [discovery.k8s.io]
  resources: [endpointslices]
  verbs: [get, list, watch]
- apiGroups: [""]
  resources: [services]
  verbs: [get, list, watch]
- apiGroups: [""]
  resources: [secrets]
  verbs: [get, list, watch]
- apiGroups: [""]
  resources: [configmaps]
  verbs: [get, list, watch, update, create]
- apiGroups: [""]
  resources: [pods]
  verbs: [get, list, watch, update]
- apiGroups: [""]
  resources: [namespaces]
  verbs: [get, list, watch]
- apiGroups: [""]
  resources: [events]
  verbs: [create, patch, list]
- apiGroups: [coordination.k8s.io]
  resources: [leases]
  verbs: [get, list, watch, update, create]
- apiGroups: [networking.k8s.io]
  resources: [ingresses]
  verbs: [list, watch, get]
- apiGroups: [networking.k8s.io]
  resources: [ingresses/status]
  verbs: [update]
- apiGroups: [k8s.angie.software]
  resources: [virtualservers, virtualserverroutes, globalconfigurations, transportservers, policies]
  verbs: [list, watch, get]
- apiGroups: [k8s.angie.software]
  resources: [virtualservers/status, virtualserverroutes/status, policies/status, transportservers/status, dnsendpoints/status]
  verbs: [update]
- apiGroups: [networking.k8s.io]
  resources: [ingressclasses]
  verbs: [get]
- apiGroups: [cis.f5.com]
  resources: [ingresslinks]
  verbs: [list, watch, get]
- apiGroups: [cert-manager.io]
  resources: [certificates]
  verbs: [list, watch, get, update, create, delete]
- apiGroups: [externaldns.angie.software]
  resources: [dnsendpoints]
  verbs: [list, watch, get, update, create, delete]
- apiGroups: [externaldns.angie.software]
  resources: [dnsendpoints/status]
  verbs: [update]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: angie-ingress
subjects:
- kind: ServiceAccount
  name: angie-ingress
  namespace: angie-ingress
roleRef:
  kind: ClusterRole
  name: angie-ingress
  apiGroup: rbac.authorization.k8s.io
EOF
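The ClusterRole above is the controller's entire cluster-wide footprint: read access to every Secret in every namespace (it needs the TLS material), plus write access to ConfigMaps, Pods, Leases, cert-manager Certificates and DNSEndpoints. The following script is an added example, not part of ANIC or this page's manifests: it transcribes those rules, answers "can the service account do X?" the way the RBAC authorizer would, lists every resource the role can write, and compares a role against an approved baseline so later widening (a wildcard, a write verb on Secrets) is caught in review.

```python
import json

# The ClusterRole rules from the manifest above, transcribed into JSON so the
# check runs offline, without PyYAML or a cluster (hypothetical tooling).
CLUSTER_ROLE_RULES = json.loads("""[
 {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": ["get", "list", "watch"]},
 {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list", "watch"]},
 {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
 {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch", "update", "create"]},
 {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch", "update"]},
 {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]},
 {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch", "list"]},
 {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["get", "list", "watch", "update", "create"]},
 {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"], "verbs": ["list", "watch", "get"]},
 {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses/status"], "verbs": ["update"]},
 {"apiGroups": ["k8s.angie.software"], "resources": ["virtualservers", "virtualserverroutes", "globalconfigurations", "transportservers", "policies"], "verbs": ["list", "watch", "get"]},
 {"apiGroups": ["k8s.angie.software"], "resources": ["virtualservers/status", "virtualserverroutes/status", "policies/status", "transportservers/status", "dnsendpoints/status"], "verbs": ["update"]},
 {"apiGroups": ["networking.k8s.io"], "resources": ["ingressclasses"], "verbs": ["get"]},
 {"apiGroups": ["cis.f5.com"], "resources": ["ingresslinks"], "verbs": ["list", "watch", "get"]},
 {"apiGroups": ["cert-manager.io"], "resources": ["certificates"], "verbs": ["list", "watch", "get", "update", "create", "delete"]},
 {"apiGroups": ["externaldns.angie.software"], "resources": ["dnsendpoints"], "verbs": ["list", "watch", "get", "update", "create", "delete"]},
 {"apiGroups": ["externaldns.angie.software"], "resources": ["dnsendpoints/status"], "verbs": ["update"]}
]""")

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def _label(group, resource):
    return f"{group or 'core'}/{resource}"


def allows(rules, group, resource, verb):
    """True if some rule grants VERB on GROUP/RESOURCE; '*' matches anything, as in the RBAC authorizer."""
    for rule in rules:
        if group not in rule["apiGroups"] and "*" not in rule["apiGroups"]:
            continue
        if resource not in rule["resources"] and "*" not in rule["resources"]:
            continue
        if verb in rule["verbs"] or "*" in rule["verbs"]:
            return True
    return False


def writable_resources(rules):
    """Resources on which the role holds a write verb: the list a reviewer has to justify."""
    found = set()
    for rule in rules:
        if "*" not in rule["verbs"] and not WRITE_VERBS.intersection(rule["verbs"]):
            continue
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                found.add(_label(group, resource))
    return sorted(found)


def baseline_from_rules(rules):
    """Map (group, resource) -> set of verbs; the approved maximum for later audits."""
    baseline = {}
    for rule in rules:
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                baseline.setdefault((group, resource), set()).update(rule["verbs"])
    return baseline


def audit(rules, baseline):
    """Findings for wildcards, resources absent from the baseline, and verbs beyond it."""
    findings = []
    for rule in rules:
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule[field]:
                findings.append(f"wildcard in {field}: {rule}")
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                approved = baseline.get((group, resource))
                if approved is None:
                    findings.append(f"{_label(group, resource)}: not in baseline")
                    continue
                extra = sorted(set(rule["verbs"]) - approved)
                if extra:
                    findings.append(f"{_label(group, resource)}: verbs beyond baseline {extra}")
    return findings


# Constructed drift: the role was widened after installation.
DRIFTED_RULES = CLUSTER_ROLE_RULES + [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch", "update"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get"]},
]

if __name__ == "__main__":
    print("write access:", writable_resources(CLUSTER_ROLE_RULES))
    for finding in audit(DRIFTED_RULES, baseline_from_rules(CLUSTER_ROLE_RULES)):
        print("FINDING:", finding)
```

Against a live cluster the same questions can be asked with `kubectl auth can-i --as=system:serviceaccount:angie-ingress:angie-ingress`, which also reflects any other bindings the service account has picked up.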
Creating resources#
- Add the TLS certificate to the configuration:
$ kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: default-server-secret
  namespace: angie-ingress
type: kubernetes.io/tls
data:
  tls.crt: Place TLS Certificate here in base64 format
  tls.key: Place TLS Key here in base64 format
EOF
- Add a ConfigMap with the settings for Angie PRO:
$ kubectl apply -f - <<EOF
kind: ConfigMap
apiVersion: v1
metadata:
  name: angie-config
  namespace: angie-ingress
data:
EOF
- Create an IngressClass:
$ kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: angie
spec:
  controller: angie/ingress-controller
EOF
- Create the custom resource definitions for VirtualServer, VirtualServerRoute, TransportServer and Policy:
Example: VirtualServer
$ kubectl apply -f - <<EOF
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.11.3
  creationTimestamp: null
  name: virtualservers.k8s.angie.software
spec:
  group: k8s.angie.software
  names:
    kind: VirtualServer
    listKind: VirtualServerList
    plural: virtualservers
    shortNames:
    - vs
    singular: virtualserver
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Current state of the VirtualServer. If the resource has a valid status, it means it has been validated and accepted by ANIC.
      jsonPath: .status.state
      name: State
      type: string
    - jsonPath: .spec.host
      name: Host
      type: string
    - jsonPath: .status.externalEndpoints[*].ip
      name: IP
      type: string
    - jsonPath: .status.externalEndpoints[*].hostname
      name: ExternalHostname
      priority: 1
      type: string
    - jsonPath: .status.externalEndpoints[*].ports
      name: Ports
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1
    schema:
      openAPIV3Schema:
        description: VirtualServer defines the VirtualServer resource.
        type: object
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: VirtualServerSpec is the spec of the VirtualServer resource.
            type: object
            properties:
              dos: {type: string}
              externalDNS:
                description: ExternalDNS defines externaldns sub-resource of a virtual server.
                type: object
                properties:
                  enable: {type: boolean}
                  labels:
                    description: Labels stores labels defined for the Endpoint
                    type: object
                    additionalProperties: {type: string}
                  providerSpecific:
                    description: ProviderSpecific stores provider specific config
                    type: array
                    items:
                      description: ProviderSpecificProperty defines specific property for using with ExternalDNS sub-resource.
                      type: object
                      properties:
                        name: {description: Name of the property, type: string}
                        value: {description: Value of the property, type: string}
                  recordTTL: {description: TTL for the record, type: integer, format: int64}
                  recordType: {type: string}
              host: {type: string}
              http-snippets: {type: string}
              ingressClassName: {type: string}
              policies:
                type: array
                items:
                  description: PolicyReference references a policy by name and an optional namespace.
                  type: object
                  properties: {name: {type: string}, namespace: {type: string}}
              routes:
                type: array
                items:
                  description: Route defines a route.
                  type: object
                  properties:
                    # The Action schema is identical wherever it appears; it is defined once
                    # here and reused below through the YAML alias *action, which kubectl
                    # expands when the manifest is applied.
                    action: &action
                      description: Action defines an action.
                      type: object
                      properties:
                        pass: {type: string}
                        proxy:
                          description: ActionProxy defines a proxy in an Action.
                          type: object
                          properties:
                            requestHeaders:
                              description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
                              type: object
                              properties:
                                pass: {type: boolean}
                                set:
                                  type: array
                                  items:
                                    description: Header defines an HTTP Header.
                                    type: object
                                    properties: {name: {type: string}, value: {type: string}}
                            responseHeaders:
                              description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
                              type: object
                              properties:
                                add:
                                  type: array
                                  items:
                                    description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header directive.
                                    type: object
                                    properties: {always: {type: boolean}, name: {type: string}, value: {type: string}}
                                hide: {type: array, items: {type: string}}
                                ignore: {type: array, items: {type: string}}
                                pass: {type: array, items: {type: string}}
                            rewritePath: {type: string}
                            upstream: {type: string}
                        redirect:
                          description: ActionRedirect defines a redirect in an Action.
                          type: object
                          properties: {code: {type: integer}, url: {type: string}}
                        return:
                          description: ActionReturn defines a return in an Action.
                          type: object
                          properties: {body: {type: string}, code: {type: integer}, type: {type: string}}
                    dos: {type: string}
                    errorPages:
                      type: array
                      items:
                        description: ErrorPage defines an ErrorPage in a Route.
                        type: object
                        properties:
                          codes: {type: array, items: {type: integer}}
                          redirect:
                            description: ErrorPageRedirect defines a redirect for an ErrorPage.
                            type: object
                            properties: {code: {type: integer}, url: {type: string}}
                          return:
                            description: ErrorPageReturn defines a return for an ErrorPage.
                            type: object
                            properties:
                              body: {type: string}
                              code: {type: integer}
                              headers:
                                type: array
                                items:
                                  description: Header defines an HTTP Header.
                                  type: object
                                  properties: {name: {type: string}, value: {type: string}}
                              type: {type: string}
                    location-snippets: {type: string}
                    matches:
                      type: array
                      items:
                        description: Match defines a match.
                        type: object
                        properties:
                          action: *action
                          conditions:
                            type: array
                            items:
                              description: Condition defines a condition in a MatchRule.
                              type: object
                              properties: {argument: {type: string}, cookie: {type: string}, header: {type: string}, value: {type: string}, variable: {type: string}}
                          splits:
                            type: array
                            items:
                              description: Split defines a split.
                              type: object
                              properties:
                                action: *action
                                weight: {type: integer}
                    path: {type: string}
                    policies:
                      type: array
                      items:
                        description: PolicyReference references a policy by name and an optional namespace.
                        type: object
                        properties: {name: {type: string}, namespace: {type: string}}
                    route: {type: string}
                    splits:
                      type: array
                      items:
                        description: Split defines a split.
                        type: object
                        properties:
                          action: *action
                          weight: {type: integer}
              server-snippets: {type: string}
              tls:
                description: TLS defines TLS configuration for a VirtualServer.
                type: object
                properties:
                  cert-manager:
                    description: CertManager defines a cert manager config for a TLS.
                    type: object
                    properties:
                      cluster-issuer: {type: string}
                      common-name: {type: string}
                      duration: {type: string}
                      issuer: {type: string}
                      issuer-group: {type: string}
                      issuer-kind: {type: string}
                      renew-before: {type: string}
                      usages: {type: string}
                  redirect:
                    description: TLSRedirect defines a redirect for a TLS.
                    type: object
                    properties: {basedOn: {type: string}, code: {type: integer}, enable: {type: boolean}}
                  secret: {type: string}
              upstreams:
                type: array
                items:
                  description: Upstream defines an upstream.
                  type: object
                  properties:
                    buffer-size: {type: string}
                    buffering: {type: boolean}
                    buffers:
                      description: UpstreamBuffers defines Buffer Configuration for an Upstream.
                      type: object
                      properties: {number: {type: integer}, size: {type: string}}
                    client-max-body-size: {type: string}
                    connect-timeout: {type: string}
                    fail-timeout: {type: string}
                    healthCheck:
                      description: HealthCheck defines the parameters for active Upstream HealthChecks.
                      type: object
                      properties:
                        connect-timeout: {type: string}
                        enable: {type: boolean}
                        fails: {type: integer}
                        grpcService: {type: string}
                        grpcStatus: {type: integer}
                        headers:
                          type: array
                          items:
                            description: Header defines an HTTP Header.
                            type: object
                            properties: {name: {type: string}, value: {type: string}}
                        interval: {type: string}
                        jitter: {type: string}
                        keepalive-time: {type: string}
                        mandatory: {type: boolean}
                        passes: {type: integer}
                        path: {type: string}
                        persistent: {type: boolean}
                        port: {type: integer}
                        read-timeout: {type: string}
                        send-timeout: {type: string}
                        statusMatch: {type: string}
                        tls:
                          description: UpstreamTLS defines a TLS configuration for an Upstream.
                          type: object
                          properties: {enable: {type: boolean}}
                    keepalive: {type: integer}
                    lb-method: {type: string}
                    max-conns: {type: integer}
                    max-fails: {type: integer}
                    name: {type: string}
                    next-upstream: {type: string}
                    next-upstream-timeout: {type: string}
                    next-upstream-tries: {type: integer}
                    ntlm: {type: boolean}
                    port: {type: integer}
                    queue:
                      description: UpstreamQueue defines Queue Configuration for an Upstream.
                      type: object
                      properties: {size: {type: integer}, timeout: {type: string}}
                    read-timeout: {type: string}
                    send-timeout: {type: string}
                    service: {type: string}
                    sessionCookie:
                      description: SessionCookie defines the parameters for session persistence.
                      type: object
                      properties:
                        domain: {type: string}
                        enable: {type: boolean}
                        expires: {type: string}
                        httpOnly: {type: boolean}
                        name: {type: string}
                        path: {type: string}
                        secure: {type: boolean}
                    slow-start: {type: string}
                    subselector:
                      type: object
                      additionalProperties: {type: string}
                    tls:
                      description: UpstreamTLS defines a TLS configuration for an Upstream.
                      type: object
                      properties: {enable: {type: boolean}}
                    type: {type: string}
                    use-cluster-ip: {type: boolean}
          status:
            description: VirtualServerStatus defines the status for the VirtualServer resource.
            type: object
            properties:
              externalEndpoints:
                type: array
                items:
                  description: ExternalEndpoint defines the IP/ Hostname and ports used to connect to this resource.
                  type: object
                  properties: {hostname: {type: string}, ip: {type: string}, ports: {type: string}}
              message: {type: string}
              reason: {type: string}
              state: {type: string}
    served: true
    storage: true
    subresources:
      status: {}
EOF
Example: VirtualServerRoute
$ kubectl apply -f - <<EOF
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.11.3
  creationTimestamp: null
  name: virtualserverroutes.k8s.angie.software
spec:
  group: k8s.angie.software
  names:
    kind: VirtualServerRoute
    listKind: VirtualServerRouteList
    plural: virtualserverroutes
    shortNames:
    - vsr
    singular: virtualserverroute
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Current state of the VirtualServerRoute. If the resource has a valid status, it means it has been validated and accepted by ANIC.
      jsonPath: .status.state
      name: State
      type: string
    - jsonPath: .spec.host
      name: Host
      type: string
    - jsonPath: .status.externalEndpoints[*].ip
      name: IP
      type: string
    - jsonPath: .status.externalEndpoints[*].hostname
      name: ExternalHostname
      priority: 1
      type: string
    - jsonPath: .status.externalEndpoints[*].ports
      name: Ports
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1
    schema:
      openAPIV3Schema:
        description: VirtualServerRoute defines the VirtualServerRoute resource.
        type: object
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: VirtualServerRouteSpec is the spec of the VirtualServerRoute resource.
            type: object
            properties:
              host: {type: string}
              ingressClassName: {type: string}
              subroutes:
                type: array
                items:
                  description: Route defines a route.
                  type: object
                  properties:
                    # The Action schema is defined once here and reused below through the
                    # YAML alias *action, which kubectl expands when the manifest is applied.
                    action: &action
                      description: Action defines an action.
                      type: object
                      properties:
                        pass: {type: string}
                        proxy:
                          description: ActionProxy defines a proxy in an Action.
                          type: object
                          properties:
                            requestHeaders:
                              description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
                              type: object
                              properties:
                                pass: {type: boolean}
                                set:
                                  type: array
                                  items:
                                    description: Header defines an HTTP Header.
                                    type: object
                                    properties: {name: {type: string}, value: {type: string}}
                            responseHeaders:
                              description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
                              type: object
                              properties:
                                add:
                                  type: array
                                  items:
                                    description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header directive.
                                    type: object
                                    properties: {always: {type: boolean}, name: {type: string}, value: {type: string}}
                                hide: {type: array, items: {type: string}}
                                ignore: {type: array, items: {type: string}}
                                pass: {type: array, items: {type: string}}
                            rewritePath: {type: string}
                            upstream: {type: string}
                        redirect:
                          description: ActionRedirect defines a redirect in an Action.
                          type: object
                          properties: {code: {type: integer}, url: {type: string}}
                        return:
                          description: ActionReturn defines a return in an Action.
                          type: object
                          properties: {body: {type: string}, code: {type: integer}, type: {type: string}}
                    dos: {type: string}
                    errorPages:
                      type: array
                      items:
                        description: ErrorPage defines an ErrorPage in a Route.
                        type: object
                        properties:
                          codes: {type: array, items: {type: integer}}
                          redirect:
                            description: ErrorPageRedirect defines a redirect for an ErrorPage.
                            type: object
                            properties: {code: {type: integer}, url: {type: string}}
                          return:
                            description: ErrorPageReturn defines a return for an ErrorPage.
                            type: object
                            properties:
                              body: {type: string}
                              code: {type: integer}
                              headers:
                                type: array
                                items:
                                  description: Header defines an HTTP Header.
                                  type: object
                                  properties: {name: {type: string}, value: {type: string}}
                              type: {type: string}
                    location-snippets: {type: string}
                    matches:
                      type: array
                      items:
                        description: Match defines a match.
                        type: object
                        properties:
                          action: *action
                          conditions:
                            type: array
                            items:
                              description: Condition defines a condition in a MatchRule.
                              type: object
                              properties: {argument: {type: string}, cookie: {type: string}, header: {type: string}, value: {type: string}, variable: {type: string}}
                          splits:
                            type: array
                            items:
                              description: Split defines a split.
                              type: object
                              properties:
                                action: *action
                                weight: {type: integer}
                    path: {type: string}
                    policies:
                      type: array
                      items:
                        description: PolicyReference references a policy by name and an optional namespace.
                        type: object
                        properties: {name: {type: string}, namespace: {type: string}}
                    route: {type: string}
                    splits:
                      type: array
                      items:
                        description: Split defines a split.
                        type: object
                        properties:
                          action: *action
                          weight: {type: integer}
              upstreams:
                type: array
                items:
                  description: Upstream defines an upstream.
                  type: object
                  properties:
                    buffer-size: {type: string}
                    buffering: {type: boolean}
                    buffers:
                      description: UpstreamBuffers defines Buffer Configuration for an Upstream.
                      type: object
                      properties: {number: {type: integer}, size: {type: string}}
                    client-max-body-size: {type: string}
                    connect-timeout: {type: string}
                    fail-timeout: {type: string}
                    healthCheck:
                      description: HealthCheck defines the parameters for active Upstream HealthChecks.
                      type: object
                      properties:
                        connect-timeout: {type: string}
                        enable: {type: boolean}
                        fails: {type: integer}
                        grpcService: {type: string}
                        grpcStatus: {type: integer}
                        headers:
                          type: array
                          items:
                            description: Header defines an HTTP Header.
                            type: object
                            properties: {name: {type: string}, value: {type: string}}
                        interval: {type: string}
                        jitter: {type: string}
                        keepalive-time: {type: string}
                        mandatory: {type: boolean}
                        passes: {type: integer}
                        path: {type: string}
                        persistent: {type: boolean}
                        port: {type: integer}
                        read-timeout: {type: string}
                        send-timeout: {type: string}
                        statusMatch: {type: string}
                        tls:
                          description: UpstreamTLS defines a TLS configuration for an Upstream.
                          type: object
                          properties: {enable: {type: boolean}}
                    keepalive: {type: integer}
                    lb-method: {type: string}
                    max-conns: {type: integer}
                    max-fails: {type: integer}
                    name: {type: string}
                    next-upstream: {type: string}
                    next-upstream-timeout: {type: string}
                    next-upstream-tries: {type: integer}
                    ntlm: {type: boolean}
                    port: {type: integer}
                    queue:
                      description: UpstreamQueue defines Queue Configuration for an Upstream.
                      type: object
                      properties: {size: {type: integer}, timeout: {type: string}}
                    read-timeout: {type: string}
                    send-timeout: {type: string}
                    service: {type: string}
                    sessionCookie:
                      description: SessionCookie defines the parameters for session persistence.
                      type: object
                      properties:
                        domain: {type: string}
                        enable: {type: boolean}
                        expires: {type: string}
                        httpOnly: {type: boolean}
                        name: {type: string}
                        path: {type: string}
                        secure: {type: boolean}
                    slow-start: {type: string}
                    subselector:
                      type: object
                      additionalProperties: {type: string}
                    tls:
                      description: UpstreamTLS defines a TLS configuration for an Upstream.
                      type: object
                      properties: {enable: {type: boolean}}
                    type: {type: string}
                    use-cluster-ip: {type: boolean}
          status:
            description: VirtualServerRouteStatus defines the status for the VirtualServerRoute resource.
            type: object
            properties:
              externalEndpoints:
                type: array
                items:
                  description: ExternalEndpoint defines the IP/ Hostname and ports used to connect to this resource.
                  type: object
                  properties: {hostname: {type: string}, ip: {type: string}, ports: {type: string}}
              message: {type: string}
              reason: {type: string}
              referencedBy: {type: string}
              state: {type: string}
    served: true
    storage: true
    subresources:
      status: {}
EOF
Example: TransportServer
$ kubectl apply -f - <<EOF
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.11.3
  creationTimestamp: null
  name: transportservers.k8s.angie.software
spec:
  group: k8s.angie.software
  names:
    kind: TransportServer
    listKind: TransportServerList
    plural: transportservers
    shortNames:
    - ts
    singular: transportserver
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Current state of the TransportServer. If the resource has a valid status, it means it has been validated and accepted by ANIC.
      jsonPath: .status.state
      name: State
      type: string
    - jsonPath: .status.reason
      name: Reason
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: TransportServer defines the TransportServer resource.
        type: object
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: TransportServerSpec is the spec of the TransportServer resource.
            type: object
            properties:
              action:
                description: Action defines an action.
                type: object
                properties: {pass: {type: string}}
              host: {type: string}
              ingressClassName: {type: string}
              listener:
                description: TransportServerListener defines a listener for a TransportServer.
                type: object
                properties: {name: {type: string}, protocol: {type: string}}
              serverSnippets: {type: string}
              sessionParameters:
                description: SessionParameters defines session parameters.
                type: object
                properties: {timeout: {type: string}}
              streamSnippets: {type: string}
              tls:
                description: TLS defines TLS configuration for a TransportServer.
                type: object
                properties: {secret: {type: string}}
              upstreamParameters:
                description: UpstreamParameters defines parameters for an upstream.
                type: object
                properties:
                  connectTimeout: {type: string}
                  nextUpstream: {type: boolean}
                  nextUpstreamTimeout: {type: string}
                  nextUpstreamTries: {type: integer}
                  udpRequests: {type: integer}
                  udpResponses: {type: integer}
              upstreams:
                type: array
                items:
                  description: Upstream defines an upstream.
                  type: object
                  properties:
                    failTimeout: {type: string}
                    healthCheck:
                      description: HealthCheck defines the parameters for active Upstream HealthChecks.
                      type: object
                      properties:
                        enable: {type: boolean}
                        fails: {type: integer}
                        interval: {type: string}
                        jitter: {type: string}
                        match:
                          description: Match defines the parameters of a custom health check.
                          type: object
                          properties: {expect: {type: string}, send: {type: string}}
                        passes: {type: integer}
                        port: {type: integer}
                        timeout: {type: string}
                    loadBalancingMethod: {type: string}
                    maxConns: {type: integer}
                    maxFails: {type: integer}
                    name: {type: string}
                    port: {type: integer}
                    service: {type: string}
          status:
            description: TransportServerStatus defines the status for the TransportServer resource.
            type: object
            properties: {message: {type: string}, reason: {type: string}, state: {type: string}}
    served: true
    storage: true
    subresources:
      status: {}
EOF
Пример Policy
$ kubectl apply -f - <<EOF
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.11.3
  creationTimestamp: null
  name: policies.k8s.angie.software
spec:
  group: k8s.angie.software
  names:
    kind: Policy
    listKind: PolicyList
    plural: policies
    shortNames:
    - pol
    singular: policy
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Current state of the Policy. If the resource has a valid status, it means it has been validated and accepted by ANIC.
      jsonPath: .status.state
      name: State
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1
    schema:
      openAPIV3Schema:
        description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources.
        type: object
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed.
            type: object
            properties:
              accessControl:
                description: AccessControl defines an access policy based on the source IP of a request.
                type: object
                properties:
                  allow:
                    type: array
                    items:
                      type: string
                  deny:
                    type: array
                    items:
                      type: string
              basicAuth:
                description: 'BasicAuth holds HTTP Basic authentication configuration policy status: preview'
                type: object
                properties:
                  realm:
                    type: string
                  secret:
                    type: string
              egressMTLS:
                description: EgressMTLS defines an Egress MTLS policy.
                type: object
                properties:
                  ciphers:
                    type: string
                  protocols:
                    type: string
                  serverName:
                    type: boolean
                  sessionReuse:
                    type: boolean
                  sslName:
                    type: string
                  tlsSecret:
                    type: string
                  trustedCertSecret:
                    type: string
                  verifyDepth:
                    type: integer
                  verifyServer:
                    type: boolean
              ingressClassName:
                type: string
              ingressMTLS:
                description: IngressMTLS defines an Ingress MTLS policy.
                type: object
                properties:
                  clientCertSecret:
                    type: string
                  crlFileName:
                    type: string
                  verifyClient:
                    type: string
                  verifyDepth:
                    type: integer
              jwt:
                description: JWT holds JWT authentication configuration.
                # A structural schema requires a type on every property;
                # the three JWT fields are plain strings.
                type: object
                properties:
                  realm:
                    type: string
                  secret:
                    type: string
                  token:
                    type: string
              oidc:
                description: OIDC defines an Open ID Connect policy.
                type: object
                properties:
                  clientID:
                    type: string
                  clientSecret:
                    type: string
                  authEndpoint:
                    type: string
                  jwksURI:
                    type: string
                  tokenEndpoint:
                    type: string
                  scope:
                    type: string
                  accessTokenEnable:
                    type: boolean
              rateLimit:
                description: RateLimit defines a rate limit policy.
                type: object
                properties:
                  burst:
                    type: integer
                  delay:
                    type: integer
                  dryRun:
                    type: boolean
                  key:
                    type: string
                  logLevel:
                    type: string
                  noDelay:
                    type: boolean
                  rate:
                    type: string
                  rejectCode:
                    type: integer
                  zoneSize:
                    type: string
          status:
            description: PolicyStatus is the status of the policy resource
            type: object
            properties:
              message:
                type: string
              reason:
                type: string
              state:
                type: string
    served: true
    storage: true
    subresources:
      status: {}
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources.
        type: object
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed.
            type: object
            properties:
              accessControl:
                description: AccessControl defines an access policy based on the source IP of a request.
                type: object
                properties:
                  allow:
                    type: array
                    items:
                      type: string
                  deny:
                    type: array
                    items:
                      type: string
              egressMTLS:
                description: EgressMTLS defines an Egress MTLS policy.
                type: object
                properties:
                  ciphers:
                    type: string
                  protocols:
                    type: string
                  serverName:
                    type: boolean
                  sessionReuse:
                    type: boolean
                  sslName:
                    type: string
                  tlsSecret:
                    type: string
                  trustedCertSecret:
                    type: string
                  verifyDepth:
                    type: integer
                  verifyServer:
                    type: boolean
              ingressMTLS:
                description: IngressMTLS defines an Ingress MTLS policy.
                type: object
                properties:
                  clientCertSecret:
                    type: string
                  verifyClient:
                    type: string
                  verifyDepth:
                    type: integer
              jwt:
                description: JWT holds JWT authentication configuration.
                type: object
                properties:
                  realm:
                    type: string
                  secret:
                    type: string
                  token:
                    type: string
              rateLimit:
                description: RateLimit defines a rate limit policy.
                type: object
                properties:
                  burst:
                    type: integer
                  delay:
                    type: integer
                  dryRun:
                    type: boolean
                  key:
                    type: string
                  logLevel:
                    type: string
                  noDelay:
                    type: boolean
                  rate:
                    type: string
                  rejectCode:
                    type: integer
                  zoneSize:
                    type: string
    served: true
    storage: false
EOF
- If you need to use a load balancer for TCP and UDP connections, add GlobalConfiguration:
Example
$ kubectl apply -f - <<EOF
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.11.3
  creationTimestamp: null
  name: globalconfigurations.k8s.angie.software
spec:
  group: k8s.angie.software
  names:
    kind: GlobalConfiguration
    listKind: GlobalConfigurationList
    plural: globalconfigurations
    shortNames:
    - gc
    singular: globalconfiguration
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: GlobalConfiguration defines the GlobalConfiguration resource.
        type: object
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: GlobalConfigurationSpec is the spec of the GlobalConfiguration resource.
            type: object
            properties:
              listeners:
                type: array
                items:
                  description: Listener defines a listener.
                  type: object
                  properties:
                    name:
                      type: string
                    port:
                      type: integer
                    protocol:
                      type: string
    served: true
    storage: true
EOF
Deploying ANIC#
Two ways of running ANIC are supported:
- Deployment: use this type of deployment if you plan to change the number of ANIC replicas dynamically.
Deployment example
$ kubectl apply -f - <<'EOF'
# The quoted 'EOF' stops the shell from expanding $(POD_NAMESPACE) in args below;
# Kubernetes substitutes it from the env entry of the same name.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: angie-ingress
  namespace: angie-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: angie-ingress
  template:
    metadata:
      labels:
        app: angie-ingress
        app.kubernetes.io/name: angie-ingress
      #annotations:
        #prometheus.io/scrape: "true"
        #prometheus.io/port: "9113"
        #prometheus.io/scheme: http
    spec:
      serviceAccountName: angie-ingress
      # The controller talks to the API server with this token under the ClusterRole above.
      automountServiceAccountToken: true
      securityContext:
        seccompProfile:
          type: RuntimeDefault
        # fsGroup: 101 #angie
        # Lets the unprivileged UID bind ports 80/443 without NET_BIND_SERVICE.
        sysctls:
        - name: "net.ipv4.ip_unprivileged_port_start"
          value: "0"
      # volumes:
      # - name: angie-etc
      #   emptyDir: {}
      # - name: angie-cache
      #   emptyDir: {}
      # - name: angie-lib
      #   emptyDir: {}
      # - name: angie-log
      #   emptyDir: {}
      containers:
      - image: docker.angie.software/angie-ingress:latest
        imagePullPolicy: IfNotPresent
        name: angie-ingress
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        - name: readiness-port
          containerPort: 8081
        - name: prometheus
          containerPort: 9113
        readinessProbe:
          httpGet:
            path: /angie-ready
            port: readiness-port
          periodSeconds: 1
        resources:
          requests:
            cpu: "100m"
            memory: "128Mi"
          #limits:
          #  cpu: "1"
          #  memory: "1Gi"
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 101 #angie
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
        # volumeMounts:
        # - mountPath: /etc/angie
        #   name: angie-etc
        # - mountPath: /var/cache/angie
        #   name: angie-cache
        # - mountPath: /var/lib/angie
        #   name: angie-lib
        # - mountPath: /var/log/angie
        #   name: angie-log
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        args:
        - -angie-configmaps=$(POD_NAMESPACE)/angie-config
        #- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
        #- -include-year
        #- -enable-cert-manager
        #- -enable-external-dns
        #- -v=3 # Enables extensive logging. Useful for troubleshooting.
        #- -report-ingress-status
        #- -external-service=angie-ingress
        #- -enable-prometheus-metrics
        #- -global-configuration=$(POD_NAMESPACE)/angie-configuration
EOF
- DaemonSet: use this type if you plan to deploy ANIC on every node of the cluster or on a subset of nodes.
DaemonSet example
$ kubectl apply -f - <<'EOF'
# The quoted 'EOF' stops the shell from expanding $(POD_NAMESPACE) in args below;
# Kubernetes substitutes it from the env entry of the same name.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: angie-ingress
  namespace: angie-ingress
spec:
  selector:
    matchLabels:
      app: angie-ingress
  template:
    metadata:
      labels:
        app: angie-ingress
        app.kubernetes.io/name: angie-ingress
    spec:
      serviceAccountName: angie-ingress
      automountServiceAccountToken: true
      securityContext:
        seccompProfile:
          type: RuntimeDefault
        # Lets the unprivileged UID bind ports 80/443 without NET_BIND_SERVICE.
        sysctls:
        - name: "net.ipv4.ip_unprivileged_port_start"
          value: "0"
      containers:
      - image: docker.angie.software/angie-ingress:latest
        imagePullPolicy: IfNotPresent
        name: angie-ingress
        # hostPort exposes 80/443 directly on every node that runs the DaemonSet.
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: readiness-port
          containerPort: 8081
        - name: prometheus
          containerPort: 9113
        readinessProbe:
          httpGet:
            path: /angie-ready
            port: readiness-port
          periodSeconds: 1
        resources:
          requests:
            cpu: "100m"
            memory: "128Mi"
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        args:
        - -angie-configmaps=$(POD_NAMESPACE)/angie-config
        #- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
        #- -include-year
        #- -v=3 # Enables extensive logging. Useful for troubleshooting.
        #- -report-ingress-status
        #- -external-service=angie-ingress
        #- -enable-prometheus-metrics
        #- -global-configuration=$(POD_NAMESPACE)/angie-configuration
EOF
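The Deployment above runs the controller as UID 101 with every capability dropped, the RuntimeDefault seccomp profile and the ip_unprivileged_port_start sysctl in place of NET_BIND_SERVICE, while the DaemonSet carries only the pod-level part of those settings. The following added example (not part of this page or the ANIC project) audits a pod template for exactly that set of settings, so a locally edited Deployment or DaemonSet can be checked before it is applied; the pod dictionaries are constructed copies of the security-relevant fields of the two manifests.

```python
import copy

# Pod template of the page's Deployment, reduced to its security-relevant
# fields (constructed copy for this added example, not the project's file).
DEPLOYMENT_POD = {
    "securityContext": {
        "seccompProfile": {"type": "RuntimeDefault"},
        "sysctls": [{"name": "net.ipv4.ip_unprivileged_port_start", "value": "0"}],
    },
    "containers": [{
        "name": "angie-ingress",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "runAsUser": 101,
            "runAsNonRoot": True,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

# The page's DaemonSet keeps the pod-level settings but has no container securityContext.
DAEMONSET_POD = copy.deepcopy(DEPLOYMENT_POD)
del DAEMONSET_POD["containers"][0]["securityContext"]


def audit_pod_spec(spec):
    """Return the hardening settings of the Deployment that `spec` lacks."""
    findings = []
    psc = spec.get("securityContext", {})
    if psc.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        findings.append("pod: seccompProfile.type must be RuntimeDefault")
    sysctls = {s["name"]: s["value"] for s in psc.get("sysctls", [])}
    low_ports_ok = sysctls.get("net.ipv4.ip_unprivileged_port_start") == "0"
    for c in spec.get("containers", []):
        csc, name = c.get("securityContext", {}), c.get("name", "?")
        if csc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if csc.get("runAsNonRoot") is not True or csc.get("runAsUser") == 0:
            findings.append(f"{name}: runAsNonRoot must be true (Deployment uses UID 101)")
        caps = csc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities.drop must contain ALL")
        # The sysctl lets UID 101 bind 80/443, so NET_BIND_SERVICE must not come back.
        if "NET_BIND_SERVICE" in caps.get("add", []):
            findings.append(f"{name}: NET_BIND_SERVICE is redundant with the sysctl")
        elif not low_ports_ok:
            findings.append(f"{name}: ports 80/443 need the ip_unprivileged_port_start sysctl")
    return findings
```

Run against the two constructed pods, the Deployment passes cleanly and the DaemonSet reports the three container-level settings it does not set.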