yurifrl/cm.yml

## cm.yml
apiVersion: v1
data:
  proxy.conf: |
    ## Nginx Production Https Ember Server Configuration

    ## http redirects to https ##
    server {
      listen 443 ssl default deferred;

      # @todo Check if the `server_name` is necessary
      ssl_certificate /etc/tls/application.crt;
      ssl_certificate_key /etc/tls/application.key;


      # enable session resumption to improve https performance
      # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
      ssl_session_cache shared:SSL:50m;
      ssl_session_timeout 5m;

      # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
      # What is this?
      # ssl_dhparam /etc/nginx/ssl/dhparam.pem;

      # enables server-side protection from BEAST attacks
      # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
      ssl_prefer_server_ciphers on;
      # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      # ciphers chosen for forward secrecy and compatibility
      # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
      ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

      # Gzip
      gzip on;
      gzip_comp_level 6;
      gzip_http_version 1.0;
      gzip_types text/plain text/css text/javascript application/javascript font/woff2 application/font-woff;
      gzip_proxied any;
      gzip_disable "msie6";

      # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
      # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
      resolver 8.8.8.8;
      ssl_stapling on;

      ssl_trusted_certificate /etc/tls/application.crt;

      # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
      # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

      root /usr/local/html;
      index index.html index.htm;

      # Robots
      location /robots.txt {
        gzip on;
        try_files $uri $uri/ /index.html?/$request_uri;
        access_log off;
        log_not_found off;
      }

      # Sitemap
      location /sitemap.xml {
        gzip on;
        try_files $uri $uri/ /index.html?/$request_uri;
        access_log off;
        log_not_found off;
      }

      # Assets
      location /assets {
        gzip on;
        try_files $uri $uri/ /index.html?/$request_uri;
      }

      # Default
      location / {
        gzip on;
        # Check user Agent
        if ($http_user_agent ~* "Googlebot|baiduspider|twitterbot|facebookexternalhit|rogerbot|linkedinbot|embedly|quora link preview|showyoubot|outbrain|pinterest|slackbot|vkShare|W3C_Validator") {
          # when a crawler asks for a page proxy the request to the prerender host
          rewrite .* /$scheme://$host$request_uri? break;
          # if prerender is inside the pod it shares the same network
          proxy_pass http://prerender:3000;
        }

        # Redirect all to the index.html
        try_files $uri $uri/ /index.html?/$request_uri;
      }
    }

    # redirect all http traffic to https
    server {
      listen 80;
      return 301 https://$host$request_uri;
    }
kind: ConfigMap
metadata:
  creationTimestamp: 2016-12-06T20:25:16Z
  name: nginx-conf
  namespace: default
  resourceVersion: "891834"
  selfLink: /api/v1/namespaces/default/configmaps/nginx-conf
  uid: 19bbb2dd-bbf2-11e6-a0ea-42010af00055

## deploy.yml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: demo
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
        - name: demo
          image: "gcr.io/yebo-project/demo:latest"
          lifecycle:
            preStop:
              exec:
                command: ["/usr/sbin/nginx","-s","quit"]
          volumeMounts:
            - name: "nginx-conf"
              mountPath: "/etc/nginx/conf.d"
            - name: "tls-demo-certs"
              mountPath: "/etc/tls"
      volumes:
        - name: "nginx-conf"
          configMap:
            name: "nginx-conf"
            items:
              - key: "proxy.conf"
                path: "proxy.conf"
        - name: "tls-demo-certs"
          secret:
            secretName: "tls-demo-certs"

## po.yml
apiVersion: v1
kind: Pod
metadata:
  name: demo
  labels:
    app: demo
spec:
  restartPolicy: OnFailure
  containers:
    - name: demo
      image: "gcr.io/yebo-project/demo:latest"
      volumeMounts:
        - name: "nginx-conf"
          mountPath: "/etc/nginx/conf.d"
        - name: "tls-demo-certs"
          mountPath: "/etc/tls"
  volumes:
    - name: "nginx-conf"
      configMap:
        name: "nginx-conf"
        items:
          - key: "proxy.conf"
            path: "proxy.conf"
    - name: "tls-demo-certs"
      secret:
        secretName: "tls-demo-certs"

## rc.yml
apiVersion: v1
kind: ReplicationController
metadata:
  name: demo
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
      - name: demo
        image: "gcr.io/yebo-project/demo:latest"
        ports:
        - containerPort: 443
        - containerPort: 80

## secrets.yml
apiVersion: v1
data:
  application.crt: <a-big-string>
  application.key: <a-big-string>
kind: Secret
metadata:
  creationTimestamp: 2016-12-06T18:56:01Z
  name: tls-demo-certs
  namespace: default
  resourceVersion: "883143"
  selfLink: /api/v1/namespaces/default/secrets/tls-demo-certs
  uid: a1cef21e-bbe5-11e6-a0ea-42010af00055
type: Opaque

## svc.yml
apiVersion: v1
kind: Service
metadata:
  name: demo
  labels:
    app: demo
spec:
  selector:
    app: demo
  ports:
  - port: 80
    protocol: TCP
    name: http
  - port: 443
    protocol: TCP
    name: https
  type: LoadBalancer
	apiVersion: v1
	data:
	proxy.conf: \|
	## Nginx Production Https Ember Server Configuration

	## http redirects to https ##
	server {
	listen 443 ssl default deferred;

	# @todo Check if the `server_name` is necessary
	ssl_certificate /etc/tls/application.crt;
	ssl_certificate_key /etc/tls/application.key;


	# enable session resumption to improve https performance
	# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 5m;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	# What is this?
	# ssl_dhparam /etc/nginx/ssl/dhparam.pem;

	# enables server-side protection from BEAST attacks
	# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
	ssl_prefer_server_ciphers on;
	# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# ciphers chosen for forward secrecy and compatibility
	# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
	ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

	# Gzip
	gzip on;
	gzip_comp_level 6;
	gzip_http_version 1.0;
	gzip_types text/plain text/css text/javascript application/javascript font/woff2 application/font-woff;
	gzip_proxied any;
	gzip_disable "msie6";

	# enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
	# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
	resolver 8.8.8.8;
	ssl_stapling on;

	ssl_trusted_certificate /etc/tls/application.crt;

	# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
	# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

	root /usr/local/html;
	index index.html index.htm;

	# Robots
	location /robots.txt {
	gzip on;
	try_files $uri $uri/ /index.html?/$request_uri;
	access_log off;
	log_not_found off;
	}

	# Sitemap
	location /sitemap.xml {
	gzip on;
	try_files $uri $uri/ /index.html?/$request_uri;
	access_log off;
	log_not_found off;
	}

	# Assets
	location /assets {
	gzip on;
	try_files $uri $uri/ /index.html?/$request_uri;
	}

	# Default
	location / {
	gzip on;
	# Check user Agent
	if ($http_user_agent ~* "Googlebot\|baiduspider\|twitterbot\|facebookexternalhit\|rogerbot\|linkedinbot\|embedly\|quora link preview\|showyoubot\|outbrain\|pinterest\|slackbot\|vkShare\|W3C_Validator") {
	# when a crawler asks for a page proxy the request to the prerender host
	rewrite .* /$scheme://$host$request_uri? break;
	# if prerender is inside the pod it shares the same network
	proxy_pass http://prerender:3000;
	}

	# Redirect all to the index.html
	try_files $uri $uri/ /index.html?/$request_uri;
	}
	}

	# redirect all http traffic to https
	server {
	listen 80;
	return 301 https://$host$request_uri;
	}
	kind: ConfigMap
	metadata:
	creationTimestamp: 2016-12-06T20:25:16Z
	name: nginx-conf
	namespace: default
	resourceVersion: "891834"
	selfLink: /api/v1/namespaces/default/configmaps/nginx-conf
	uid: 19bbb2dd-bbf2-11e6-a0ea-42010af00055
	apiVersion: extensions/v1beta1
	kind: Deployment
	metadata:
	name: demo
	spec:
	replicas: 1
	template:
	metadata:
	labels:
	app: demo
	spec:
	containers:
	- name: demo
	image: "gcr.io/yebo-project/demo:latest"
	lifecycle:
	preStop:
	exec:
	command: ["/usr/sbin/nginx","-s","quit"]
	volumeMounts:
	- name: "nginx-conf"
	mountPath: "/etc/nginx/conf.d"
	- name: "tls-demo-certs"
	mountPath: "/etc/tls"
	volumes:
	- name: "nginx-conf"
	configMap:
	name: "nginx-conf"
	items:
	- key: "proxy.conf"
	path: "proxy.conf"
	- name: "tls-demo-certs"
	secret:
	secretName: "tls-demo-certs"
	apiVersion: v1
	kind: Pod
	metadata:
	name: demo
	labels:
	app: demo
	spec:
	restartPolicy: OnFailure
	containers:
	- name: demo
	image: "gcr.io/yebo-project/demo:latest"
	volumeMounts:
	- name: "nginx-conf"
	mountPath: "/etc/nginx/conf.d"
	- name: "tls-demo-certs"
	mountPath: "/etc/tls"
	volumes:
	- name: "nginx-conf"
	configMap:
	name: "nginx-conf"
	items:
	- key: "proxy.conf"
	path: "proxy.conf"
	- name: "tls-demo-certs"
	secret:
	secretName: "tls-demo-certs"
	apiVersion: v1
	kind: ReplicationController
	metadata:
	name: demo
	spec:
	replicas: 1
	template:
	metadata:
	labels:
	app: demo
	spec:
	containers:
	- name: demo
	image: "gcr.io/yebo-project/demo:latest"
	ports:
	- containerPort: 443
	- containerPort: 80
	apiVersion: v1
	data:
	application.crt: <a-big-string>
	application.key: <a-big-string>
	kind: Secret
	metadata:
	creationTimestamp: 2016-12-06T18:56:01Z
	name: tls-demo-certs
	namespace: default
	resourceVersion: "883143"
	selfLink: /api/v1/namespaces/default/secrets/tls-demo-certs
	uid: a1cef21e-bbe5-11e6-a0ea-42010af00055
	type: Opaque
	apiVersion: v1
	kind: Service
	metadata:
	name: demo
	labels:
	app: demo
	spec:
	selector:
	app: demo
	ports:
	- port: 80
	protocol: TCP
	name: http
	- port: 443
	protocol: TCP
	name: https
	type: LoadBalancer