Created
December 6, 2016 22:14
-
-
Save yurifrl/3981d9761d2be1ebf27b09c42d4815c7 to your computer and use it in GitHub Desktop.
Kubernetes examples
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: v1 | |
data: | |
proxy.conf: | | |
## Nginx Production Https Ember Server Configuration | |
## http redirects to https ## | |
server { | |
listen 443 ssl default deferred; | |
# @todo Check if the `server_name` is necessary | |
ssl_certificate /etc/tls/application.crt; | |
ssl_certificate_key /etc/tls/application.key; | |
# enable session resumption to improve https performance | |
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html | |
ssl_session_cache shared:SSL:50m; | |
ssl_session_timeout 5m; | |
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | |
# What is this? | |
# ssl_dhparam /etc/nginx/ssl/dhparam.pem; | |
# enables server-side protection from BEAST attacks | |
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html | |
ssl_prefer_server_ciphers on; | |
# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0 | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
# ciphers chosen for forward secrecy and compatibility | |
# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html | |
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; | |
# Gzip | |
gzip on; | |
gzip_comp_level 6; | |
gzip_http_version 1.0; | |
gzip_types text/plain text/css text/javascript application/javascript font/woff2 application/font-woff; | |
gzip_proxied any; | |
gzip_disable "msie6"; | |
# enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner) | |
# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ | |
resolver 8.8.8.8; | |
ssl_stapling on; | |
ssl_trusted_certificate /etc/tls/application.crt; | |
# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security | |
# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping | |
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; | |
root /usr/local/html; | |
index index.html index.htm; | |
# Robots | |
location /robots.txt { | |
gzip on; | |
try_files $uri $uri/ /index.html?/$request_uri; | |
access_log off; | |
log_not_found off; | |
} | |
# Sitemap | |
location /sitemap.xml { | |
gzip on; | |
try_files $uri $uri/ /index.html?/$request_uri; | |
access_log off; | |
log_not_found off; | |
} | |
# Assets | |
location /assets { | |
gzip on; | |
try_files $uri $uri/ /index.html?/$request_uri; | |
} | |
# Default | |
location / { | |
gzip on; | |
# Check user Agent | |
if ($http_user_agent ~* "Googlebot|baiduspider|twitterbot|facebookexternalhit|rogerbot|linkedinbot|embedly|quora link preview|showyoubot|outbrain|pinterest|slackbot|vkShare|W3C_Validator") { | |
# when a crawler asks for a page proxy the request to the prerender host | |
rewrite .* /$scheme://$host$request_uri? break; | |
# if prerender is inside the pod it shares the same network | |
proxy_pass http://prerender:3000; | |
} | |
# Redirect all to the index.html | |
try_files $uri $uri/ /index.html?/$request_uri; | |
} | |
} | |
# redirect all http traffic to https | |
server { | |
listen 80; | |
return 301 https://$host$request_uri; | |
} | |
kind: ConfigMap | |
metadata: | |
creationTimestamp: 2016-12-06T20:25:16Z | |
name: nginx-conf | |
namespace: default | |
resourceVersion: "891834" | |
selfLink: /api/v1/namespaces/default/configmaps/nginx-conf | |
uid: 19bbb2dd-bbf2-11e6-a0ea-42010af00055 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: extensions/v1beta1 | |
kind: Deployment | |
metadata: | |
name: demo | |
spec: | |
replicas: 1 | |
template: | |
metadata: | |
labels: | |
app: demo | |
spec: | |
containers: | |
- name: demo | |
image: "gcr.io/yebo-project/demo:latest" | |
lifecycle: | |
preStop: | |
exec: | |
command: ["/usr/sbin/nginx","-s","quit"] | |
volumeMounts: | |
- name: "nginx-conf" | |
mountPath: "/etc/nginx/conf.d" | |
- name: "tls-demo-certs" | |
mountPath: "/etc/tls" | |
volumes: | |
- name: "nginx-conf" | |
configMap: | |
name: "nginx-conf" | |
items: | |
- key: "proxy.conf" | |
path: "proxy.conf" | |
- name: "tls-demo-certs" | |
secret: | |
secretName: "tls-demo-certs" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: v1 | |
kind: Pod | |
metadata: | |
name: demo | |
labels: | |
app: demo | |
spec: | |
restartPolicy: OnFailure | |
containers: | |
- name: demo | |
image: "gcr.io/yebo-project/demo:latest" | |
volumeMounts: | |
- name: "nginx-conf" | |
mountPath: "/etc/nginx/conf.d" | |
- name: "tls-demo-certs" | |
mountPath: "/etc/tls" | |
volumes: | |
- name: "nginx-conf" | |
configMap: | |
name: "nginx-conf" | |
items: | |
- key: "proxy.conf" | |
path: "proxy.conf" | |
- name: "tls-demo-certs" | |
secret: | |
secretName: "tls-demo-certs" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: v1 | |
kind: ReplicationController | |
metadata: | |
name: demo | |
spec: | |
replicas: 1 | |
template: | |
metadata: | |
labels: | |
app: demo | |
spec: | |
containers: | |
- name: demo | |
image: "gcr.io/yebo-project/demo:latest" | |
ports: | |
- containerPort: 443 | |
- containerPort: 80 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: v1 | |
data: | |
application.crt: <a-big-string> | |
application.key: <a-big-string> | |
kind: Secret | |
metadata: | |
creationTimestamp: 2016-12-06T18:56:01Z | |
name: tls-demo-certs | |
namespace: default | |
resourceVersion: "883143" | |
selfLink: /api/v1/namespaces/default/secrets/tls-demo-certs | |
uid: a1cef21e-bbe5-11e6-a0ea-42010af00055 | |
type: Opaque |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: v1 | |
kind: Service | |
metadata: | |
name: demo | |
labels: | |
app: demo | |
spec: | |
selector: | |
app: demo | |
ports: | |
- port: 80 | |
protocol: TCP | |
name: http | |
- port: 443 | |
protocol: TCP | |
name: https | |
type: LoadBalancer |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
kubectl create secret generic yebo-secrets --from-file=./secrets
kubectl get secrets yebo-secrets -o yaml >> secrets.yml