diff --git a/hack/build-local-images.py b/hack/build-local-images.py
index f11cec70fee8..76b3e6e7cdb0 100755
--- a/hack/build-local-images.py
+++ b/hack/build-local-images.py
@@ -96,6 +96,15 @@
 },
 "files": {}
 },
+ "nginx-router": {
+ "directory": "router/nginx",
+ "binaries": {
+ "openshift": "/usr/bin/openshift"
+ },
+ "files": {
+ ".": "/var/lib/nginx"
+ }
+ },
 "haproxy-router": {
 "directory": "router/haproxy",
 "binaries": {
diff --git a/images/router/nginx/.cccp.yml b/images/router/nginx/.cccp.yml
new file mode 100644
index 000000000000..04812a559fdf
--- /dev/null
+++ b/images/router/nginx/.cccp.yml
@@ -0,0 +1 @@
+job-id: origin-nginx-router
diff --git a/images/router/nginx/Dockerfile b/images/router/nginx/Dockerfile
new file mode 100644
index 000000000000..5aebfb560ce5
--- /dev/null
+++ b/images/router/nginx/Dockerfile
@@ -0,0 +1,31 @@
+#
+# This is the NGINX router for OpenShift Origin.
+#
+# The standard name for this image is openshift/origin-nginx-router
+#
+FROM openshift/origin
+
+RUN INSTALL_PKGS="nginx" && \
+ yum install -y "epel-release" && \
+ yum install -y $INSTALL_PKGS && \
+ rpm -V $INSTALL_PKGS && \
+ yum clean all && \
+ mkdir -p /var/lib/nginx/router/{certs,cacerts} && \
+ mkdir -p /var/lib/nginx/{conf,run,bin,log,logs} && \
+ touch /var/lib/nginx/conf/{{os_http_be,os_edge_http_be,os_tcp_be,os_sni_passthrough,os_reencrypt,os_route_http_expose,os_route_http_redirect,cert_config,os_wildcard_domain}.map,nginx.config} && \
+ setcap 'cap_net_bind_service=ep' /usr/sbin/nginx && \
+ chown -R :0 /var/lib/nginx && \
+ chown -R :0 /var/log/nginx && \
+ chmod -R 777 /var/log/nginx && \
+ chmod -R 777 /var/lib/nginx
+
+COPY . /var/lib/nginx/
+
+LABEL io.k8s.display-name="OpenShift Origin NGINX Router" \
+ io.k8s.description="This is a component of OpenShift Origin and contains an NGINX instance that automatically exposes services within the cluster through routes, and offers TLS termination, reencryption, or SNI-passthrough on ports 80 and 443."
+USER 1001
+EXPOSE 80 443
+WORKDIR /var/lib/nginx/conf
+ENV TEMPLATE_FILE=/var/lib/nginx/conf/nginx-config.template \
+ RELOAD_SCRIPT=/var/lib/nginx/reload-nginx
+ENTRYPOINT ["/usr/bin/openshift-router"]
diff --git a/images/router/nginx/conf/error-page-503.http b/images/router/nginx/conf/error-page-503.http
new file mode 100644
index 000000000000..cb826df8673a
--- /dev/null
+++ b/images/router/nginx/conf/error-page-503.http
@@ -0,0 +1,140 @@
+HTTP/1.0 503 Service Unavailable
+Pragma: no-cache
+Cache-Control: private, max-age=0, no-cache, no-store
+Connection: close
+Content-Type: text/html
+
+
+
+
+
+
+
+
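Review bot: The `chown -R :0` and `chmod -R 777` calls run in the RUN step before `COPY . /var/lib/nginx/`, so the copied reload-nginx script and conf/ files keep their root-owned, non-group-writable modes while every directory under /var/lib/nginx and /var/log/nginx is left world-writable. With directories at 777, any process in the container, whatever its UID, can replace the template or the reload script that the router presumably executes via RELOAD_SCRIPT; the USER 1001 process only needs group write (GID 0) on the directories it regenerates config into. Move the ownership fix after the copy and drop the world bits: `COPY . /var/lib/nginx/` followed by `RUN chown -R :0 /var/lib/nginx /var/log/nginx && chmod -R g+rwX /var/lib/nginx /var/log/nginx`. Note also that `rpm -V $INSTALL_PKGS` verifies only nginx, not the epel-release package installed on the line before it.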
+

Application is not available

+

The application is currently not serving requests at this endpoint. It may not have been started or is still starting.

+ +
+

+ Possible reasons you are seeing this page: +

+ +
+
+ + diff --git a/images/router/nginx/conf/nginx-config.template b/images/router/nginx/conf/nginx-config.template new file mode 100644 index 000000000000..449daa1dbf54 --- /dev/null +++ b/images/router/nginx/conf/nginx-config.template 
@@ -0,0 +1,70 @@
+{{/*
+ nginx.config: contains the main config with helper backends that are used to terminate
+ encryption before finally sending to a host_be which is the backend that is the final
+ backend for a route and contains all the endpoints for the service
+*/}}
+{{- define "/var/lib/nginx/conf/nginx.config" -}}
+{{- $workingDir := .WorkingDir }}
+#user www www; ## Default: nobody
+worker_processes 5; ## Default: 1
+error_log /var/lib/nginx/logs/error.log;
+pid /var/lib/nginx/logs/nginx.pid;
+worker_rlimit_nofile 8192;
+
+events {
+ worker_connections 4096; ## Default: 1024
+}
+
+http {
+ #include conf/mime.types;
+ #include /etc/nginx/proxy.conf;
+ #include /etc/nginx/fastcgi.conf;
+ index index.html index.htm index.php;
+
+ default_type application/octet-stream;
+ log_format main '$remote_addr - $remote_user [$time_local] $status '
+ '"$request" $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+ access_log /var/lib/nginx/logs/access.log main;
+ sendfile on;
+ tcp_nopush on;
+ server_names_hash_bucket_size 128; # this seems to be required for some vhosts
+
+
+
+{{- range $cfgIdx, $cfg := .State }}
+
+ upstream be_{{$cfg.Namespace}}_{{$cfg.Name}} {
+ {{- range $serviceUnitName, $weight := $cfg.ServiceUnitNames }}
+ {{- with $serviceUnit := index $.ServiceUnits $serviceUnitName }}
+ {{- range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
+ server {{$endpoint.IP}}:{{$endpoint.Port}};
+ {{ end -}}
+ {{ end -}}
+ {{ end -}}
+ }
+
+ server { # simple load balancing
+ {{- if (eq $cfg.TLSTermination "") }}
+ listen 80;
+ {{- else }}
+ listen 443 ssl;
+ {{ end -}}
+
+ server_name {{$cfg.Host}};
+ {{- if and (ne $cfg.Host "") (or (eq $cfg.TLSTermination "edge") (eq $cfg.TLSTermination "reencrypt")) -}}
+ {{ $cert := index $cfg.Certificates $cfg.Host -}}
+ {{ if ne $cert.Contents "" }}
+ ssl_certificate {{$workingDir}}/certs/{{$cfgIdx}}.pem;
+ ssl_certificate_key {{$workingDir}}/certs/{{$cfgIdx}}.pem;
+ {{ end -}}
+ {{ end -}}
+ access_log /var/lib/nginx/logs/be_{{$cfgIdx}}.log main;
+
+ location / {
+ proxy_pass http://be_{{$cfg.Namespace}}_{{$cfg.Name}};
+ }
+ }
+{{ end -}}{{/* end all routes */}}
+}
+{{ end -}}{{/* end config file */}}
diff --git a/images/router/nginx/reload-nginx b/images/router/nginx/reload-nginx
new file mode 100755
index 000000000000..f20f1070b44a
--- /dev/null
+++ b/images/router/nginx/reload-nginx
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -o nounset
+
+config_file=/var/lib/nginx/conf/nginx.config
+if [ -f /var/lib/nginx/logs/nginx.pid ]; then
+ /usr/sbin/nginx -c ${config_file} -s reload
+ reload_status=$?
+else
+ /usr/sbin/nginx -c ${config_file}
+ reload_status=$?
+fi
+exit $reload_status
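Review bot: A route whose TLSTermination is "reencrypt" is terminated by the `ssl_certificate` block but then forwarded with `proxy_pass http://be_…`, so traffic to the endpoints leaves nginx in cleartext rather than being re-encrypted as the mode promises. Every non-empty termination value also takes the `listen 443 ssl` branch while only edge/reencrypt get a certificate, so if the SNI-passthrough mode the image description advertises ever reaches this template, the generated server block has an ssl listener with no certificate and nginx will refuse to load it (passthrough needs the stream module, not an http server). The location block sets no `Host` or `X-Forwarded-For` header, so backends receive the upstream name as Host even though `log_format main` records `$http_x_forwarded_for`. Branch proxy_pass on the termination type and verify the backend certificate; where the router writes a route's destination CA is not visible here, so the cacerts path below is a placeholder to confirm.
```nginx
    location / {
        {{- if eq $cfg.TLSTermination "reencrypt" }}
        proxy_pass https://be_{{$cfg.Namespace}}_{{$cfg.Name}};
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate {{$workingDir}}/cacerts/DEST-CA-FILE-PLACEHOLDER.pem;
        {{- else }}
        proxy_pass http://be_{{$cfg.Namespace}}_{{$cfg.Name}};
        {{- end }}
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
```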
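Review bot: The `if [ -f /var/lib/nginx/logs/nginx.pid ]` test treats a stale pid file (for example one left behind after nginx died) as a running server, so the script sends `-s reload` to a process that no longer exists and never starts nginx, and the router only sees the failed exit status. Check that the recorded pid is alive as well: `if [ -f /var/lib/nginx/logs/nginx.pid ] && kill -0 "$(cat /var/lib/nginx/logs/nginx.pid)" 2>/dev/null; then`. Quoting `"${config_file}"` on both nginx invocations is cheap defensive hygiene alongside `set -o nounset`.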