@chanjarster
Created August 16, 2018 06:25
istio gateway behind nginx with SSL termination
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: istio-test
  labels:
    istio-injection: enabled
---
apiVersion: v1
kind: Service
metadata:
  name: echo-server
  namespace: istio-test
  labels:
    app: echo-server
spec:
  type: ClusterIP
  ports:
  - port: 8080
    targetPort: http
    protocol: TCP
    name: http
  selector:
    app: echo-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo-server
  namespace: istio-test
spec:
  selector:
    matchLabels:
      app: echo-server
  replicas: 3
  template:
    metadata:
      labels:
        app: echo-server
    spec:
      containers:
      - name: echo-server
        image: gcr.io/google-containers/echoserver:1.10
        ports:
        - containerPort: 8080
          name: http
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: echo-server-ingress
  namespace: istio-test
spec:
  rules:
  - host: <your domain name>
    http:
      paths:
      - path: /echo-server-istio
        backend:
          serviceName: echo-server
          servicePort: http
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  namespace: istio-test
  name: istio-test-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  namespace: istio-test
  name: istio-test-virtual-service
spec:
  hosts:
  - "*"
  gateways:
  - istio-test-gateway
  http:
  - match:
    - uri:
        prefix: /echo-server-istio
    route:
    - destination:
        host: echo-server
```
```nginx
map $http_upgrade $connection_upgrade {
    default Upgrade;
    ''      close;
}

upstream rancher-istio-http {
    server 172.50.xx.xx:31380; # istio ingressgateway's node port
    server 172.50.xx.xx:31380;
    server 172.50.xx.xx:31380;
}

server {
    listen 443 ssl http2;
    server_name <your domain name>;

    ssl_certificate     <fullchain.pem>;                  # managed by Certbot
    ssl_certificate_key <privkey.pem>;                    # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;      # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;        # managed by Certbot

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_pass http://rancher-istio-http;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # This allows the execute-shell window to remain open for up to 15 minutes.
        # Without this parameter the default is 1 minute, after which it closes automatically.
        proxy_read_timeout 900s;
    }
}

server {
    listen 80;
    server_name <your domain name>;

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_pass http://rancher-istio-http;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # This allows the execute-shell window to remain open for up to 15 minutes.
        # Without this parameter the default is 1 minute, after which it closes automatically.
        proxy_read_timeout 900s;
    }
}
```