d33d33/README.md

## README.md

      
    Raw
  

              README.md
            
          
    OVH ingress LB

This gist describe how to deploy a K8S LB at OVH and preserve source IP
Howto

1. Install the NGINX Ingress Controller

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
2. Deploy a LB with proxy protocol support

kubectl apply -f https://gist.githubusercontent.com/d33d33/d95fc38e7b94dc4e41533196af228c8e/raw/ingress-lb.yml
3. Patch the Ingress Controller to support proxy protocol

kubectl -n ingress-nginx patch configmap nginx-configuration -p "$(curl -s https://gist.githubusercontent.com/d33d33/d95fc38e7b94dc4e41533196af228c8e/raw/patch-ingress-configmap.yml)"
4. Restart the Ingress Controller

kubectl -n ingress-nginx get pod | grep 'ingress' | cut -d " " -f1 - | xargs -n1 kubectl -n ingress-nginx delete pod
Testing

1. Deploy a simple echo service

kubectl apply -f https://gist.githubusercontent.com/d33d33/d95fc38e7b94dc4e41533196af228c8e/raw/echo-deployment.yml
2. Create a single Service Ingress

kubectl apply -f https://gist.githubusercontent.com/d33d33/d95fc38e7b94dc4e41533196af228c8e/raw/echo-ingress.yml

  
## echo-deployment.yml
apiVersion: v1
kind: Namespace
metadata:
  name: echo

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo-deployment
  namespace: echo
  labels:
    app: echo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echo
  template:
    metadata:
      labels:
        app: echo
    spec:
      containers:
      - name: echo
        image: mendhak/http-https-echo
        ports:
        - containerPort: 80
        - containerPort: 443

## echo-ingress.yml
apiVersion: v1
kind: Service
metadata:
  name: echo-service
  namespace: echo
spec:
  selector:
    app: echo
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP

---

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: echo-ingress
  namespace: echo
spec:
  backend:
    serviceName: echo-service
    servicePort: 80

## ingress-lb.yml
kind: Service
apiVersion: v1
metadata:
  name: ingress-lb
  namespace: ingress-nginx
  annotations:
    service.beta.kubernetes.io/ovh-loadbalancer-proxy-protocol: "v1"
spec:
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  externalTrafficPolicy: Local
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 80
  - name: https
    protocol: TCP
    port: 443
    targetPort: 443
  type: LoadBalancer

## patch-ingress-configmap.yml
data:
  use-proxy-protocol: "true"
  proxy-real-ip-cidr: "10.108.0.0/14"
  use-forwarded-headers: "false"
  http-snippet: |
    geo $realip_remote_addr $is_lb {
      default       0;
      10.108.0.0/14 1;
    }
  server-snippet: |
    if ($is_lb != 1) {
      return 403;
    }
	apiVersion: v1
	kind: Namespace
	metadata:
	name: echo

	---

	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: echo-deployment
	namespace: echo
	labels:
	app: echo
	spec:
	replicas: 1
	selector:
	matchLabels:
	app: echo
	template:
	metadata:
	labels:
	app: echo
	spec:
	containers:
	- name: echo
	image: mendhak/http-https-echo
	ports:
	- containerPort: 80
	- containerPort: 443
	apiVersion: v1
	kind: Service
	metadata:
	name: echo-service
	namespace: echo
	spec:
	selector:
	app: echo
	ports:
	- name: http
	port: 80
	targetPort: 80
	protocol: TCP

	---

	apiVersion: extensions/v1beta1
	kind: Ingress
	metadata:
	name: echo-ingress
	namespace: echo
	spec:
	backend:
	serviceName: echo-service
	servicePort: 80
	data:
	use-proxy-protocol: "true"
	proxy-real-ip-cidr: "10.108.0.0/14"
	use-forwarded-headers: "false"
	http-snippet: \|
	geo $realip_remote_addr $is_lb {
	default 0;
	10.108.0.0/14 1;
	}
	server-snippet: \|
	if ($is_lb != 1) {
	return 403;
	}