openshift · openshift-merge-robot · Sep 21, 2017 · Apr 20, 2017 · Aug 25, 2017 · pecameron
diff --git a/hack/build-local-images.py b/hack/build-local-images.py
@@ -96,6 +96,15 @@
         },
         "files": {}
     },
+    "nginx-router": {
+        "directory": "router/nginx",
+        "binaries": {
+            "openshift": "/usr/bin/openshift"
+        },
+        "files": {
+            ".": "/var/lib/nginx"
+        }
+    },
     "haproxy-router": {
         "directory": "router/haproxy",
         "binaries": {

diff --git a/images/router/nginx/.cccp.yml b/images/router/nginx/.cccp.yml
@@ -0,0 +1 @@
+job-id: origin-nginx-router
diff --git a/images/router/nginx/Dockerfile b/images/router/nginx/Dockerfile
@@ -0,0 +1,31 @@
+#
+# This is the NGINX router for OpenShift Origin.
+#
+# The standard name for this image is openshift/origin-nginx-router
+#
+FROM openshift/origin
+
+RUN INSTALL_PKGS="nginx" && \
+    yum install -y "epel-release" && \
+    yum install -y $INSTALL_PKGS && \
+    rpm -V $INSTALL_PKGS && \
+    yum clean all && \
+    mkdir -p /var/lib/nginx/router/{certs,cacerts} && \
+    mkdir -p /var/lib/nginx/{conf,run,bin,log,logs} && \
+    touch /var/lib/nginx/conf/{{os_http_be,os_edge_http_be,os_tcp_be,os_sni_passthrough,os_reencrypt,os_route_http_expose,os_route_http_redirect,cert_config,os_wildcard_domain}.map,nginx.config} && \
+    setcap 'cap_net_bind_service=ep' /usr/sbin/nginx && \
+    chown -R :0 /var/lib/nginx && \
+    chown -R :0 /var/log/nginx && \
+    chmod -R 777 /var/log/nginx && \
+    chmod -R 777 /var/lib/nginx
+
+COPY . /var/lib/nginx/
+
+LABEL io.k8s.display-name="OpenShift Origin NGINX Router" \
+      io.k8s.description="This is a component of OpenShift Origin and contains an NGINX instance that automatically exposes services within the cluster through routes, and offers TLS termination, reencryption, or SNI-passthrough on ports 80 and 443."
+USER 1001
+EXPOSE 80 443
+WORKDIR /var/lib/nginx/conf
+ENV TEMPLATE_FILE=/var/lib/nginx/conf/nginx-config.template \
+    RELOAD_SCRIPT=/var/lib/nginx/reload-nginx
+ENTRYPOINT ["/usr/bin/openshift-router"]
diff --git a/images/router/nginx/conf/error-page-503.http b/images/router/nginx/conf/error-page-503.http
@@ -0,0 +1,140 @@
+HTTP/1.0 503 Service Unavailable
+Pragma: no-cache
+Cache-Control: private, max-age=0, no-cache, no-store
+Connection: close
+Content-Type: text/html
+
+<html>
+  <head>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+
+  <style type="text/css">
+  /*!
+   * Bootstrap v3.3.5 (http://getbootstrap.com)
+   * Copyright 2011-2015 Twitter, Inc.
+   * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+   */
+  /*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */
+  html {
+    font-family: sans-serif;
+    -ms-text-size-adjust: 100%;
+    -webkit-text-size-adjust: 100%;
+  }
+  body {
+    margin: 0;
+  }
+  h1 {
+    font-size: 1.7em;
+    font-weight: 400;
+    line-height: 1.3;
+    margin: 0.68em 0;
+  }
+  * {
+    -webkit-box-sizing: border-box;
+    -moz-box-sizing: border-box;
+    box-sizing: border-box;
+  }
+  *:before,
+  *:after {
+    -webkit-box-sizing: border-box;
+    -moz-box-sizing: border-box;
+    box-sizing: border-box;
+  }
+  html {
+    -webkit-tap-highlight-color: rgba(0, 0, 0, 0);
+  }
+  body {
+    font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+    line-height: 1.66666667;
+    font-size: 13px;
+    color: #333333;
+    background-color: #ffffff;
+    margin: 2em 1em;
+  }
+  p {
+    margin: 0 0 10px;
+    font-size: 13px;
+  }
+  .alert.alert-info {
+    padding: 15px;
+    margin-bottom: 20px;
+    border: 1px solid transparent;
+    background-color: #f5f5f5;
+    border-color: #8b8d8f;
+    color: #363636;
+    margin-top: 30px;
+  }
+  .alert p {
+    padding-left: 35px;
+  }
+  a {
+    color: #0088ce;
+  }
+
+  ul {
+    position: relative;
+    padding-left: 51px;
+  }
+  p.info {
+    position: relative;
+    font-size: 15px;
+    margin-bottom: 10px;
+  }
+  p.info:before, p.info:after {
+    content: "";
+    position: absolute;
+    top: 9%;
+    left: 0;
+  }
+  p.info:before {
+    content: "i";
+    left: 3px;
+    width: 20px;
+    height: 20px;
+    font-family: serif;
+    font-size: 15px;
+    font-weight: bold;
+    line-height: 21px;
+    text-align: center;
+    color: #fff;
+    background: #4d5258;
+    border-radius: 16px;
+  }
+
+  @media (min-width: 768px) {
+    body {
+      margin: 4em 3em;
+    }
+    h1 {
+      font-size: 2.15em;}
+  }
+
+  </style>
+  </head>
+  <body>
+    <div>
+      <h1>Application is not available</h1>
+      <p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p>
+
+      <div class="alert alert-info">
+        <p class="info">
+          Possible reasons you are seeing this page:
+        </p>
+        <ul>
+          <li>
+            <strong>The host doesn't exist.</strong>
+            Make sure the hostname was typed correctly and that a route matching this hostname exists.
+          </li>
+          <li>
+            <strong>The host exists, but doesn't have a matching path.</strong>
+            Check if the URL path was typed correctly and that the route was created using the desired path.
+          </li>
+          <li>
+            <strong>Route and path matches, but all pods are down.</strong>
+            Make sure that the resources exposed by this route (pods, services, deployment configs, etc) have at least one pod running.
+          </li>
+        </ul>
+      </div>
+    </div>
+  </body>
+</html>
diff --git a/images/router/nginx/conf/nginx-config.template b/images/router/nginx/conf/nginx-config.template
@@ -0,0 +1,70 @@
+{{/*
+    nginx.config: contains the main config with helper backends that are used to terminate
+    					encryption before finally sending to a host_be which is the backend that is the final
+    					backend for a route and contains all the endpoints for the service
+*/}}
+{{- define "/var/lib/nginx/conf/nginx.config" -}}
+{{- $workingDir := .WorkingDir }}
+#user       www www;  ## Default: nobody
+worker_processes  5;  ## Default: 1
+error_log  /var/lib/nginx/logs/error.log;
+pid        /var/lib/nginx/logs/nginx.pid;
+worker_rlimit_nofile 8192;
+
+events {
+  worker_connections  4096;  ## Default: 1024
+}
+
+http {
+  #include    conf/mime.types;
+  #include    /etc/nginx/proxy.conf;
+  #include    /etc/nginx/fastcgi.conf;
+  index    index.html index.htm index.php;
+
+  default_type application/octet-stream;
+  log_format   main '$remote_addr - $remote_user [$time_local]  $status '
+    '"$request" $body_bytes_sent "$http_referer" '
+    '"$http_user_agent" "$http_x_forwarded_for"';
+  access_log   /var/lib/nginx/logs/access.log  main;
+  sendfile     on;
+  tcp_nopush   on;
+  server_names_hash_bucket_size 128; # this seems to be required for some vhosts
+
+
+
+{{- range $cfgIdx, $cfg := .State }}
+
+  upstream be_{{$cfg.Namespace}}_{{$cfg.Name}} {
+    {{- range $serviceUnitName, $weight := $cfg.ServiceUnitNames }}
+      {{- with $serviceUnit := index $.ServiceUnits $serviceUnitName }}
+        {{- range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
+    server {{$endpoint.IP}}:{{$endpoint.Port}};
+        {{ end -}}
+      {{ end -}}
+    {{ end -}}
+  }
+
+  server { # simple load balancing
+ {{- if (eq $cfg.TLSTermination "") }}
+    listen          80;
+ {{- else }}
+    listen          443 ssl;
+ {{ end -}}
+
+    server_name     {{$cfg.Host}};
+ {{- if and (ne $cfg.Host "") (or (eq $cfg.TLSTermination "edge") (eq $cfg.TLSTermination "reencrypt")) -}}
+  {{ $cert := index $cfg.Certificates $cfg.Host -}}
+  {{ if ne $cert.Contents "" }}
+    ssl_certificate     {{$workingDir}}/certs/{{$cfgIdx}}.pem;
+    ssl_certificate_key {{$workingDir}}/certs/{{$cfgIdx}}.pem;
+  {{ end -}}
+ {{ end -}}
+    access_log      /var/lib/nginx/logs/be_{{$cfgIdx}}.log main;
+
+    location / {
+      proxy_pass      http://be_{{$cfg.Namespace}}_{{$cfg.Name}};
+    }
+  }
+{{ end -}}{{/* end all routes */}}
+}
+{{ end -}}{{/* end config file */}}
diff --git a/images/router/nginx/reload-nginx b/images/router/nginx/reload-nginx
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -o nounset
+
+config_file=/var/lib/nginx/conf/nginx.config
+if [ -f /var/lib/nginx/logs/nginx.pid ]; then
+  /usr/sbin/nginx -c ${config_file} -s reload
+  reload_status=$?
+else
+  /usr/sbin/nginx -c ${config_file}
+  reload_status=$?
+fi
+exit $reload_status