Use a separate example for testing VSR functionality

jjngx · jjngx · commit 6440451d38a1 · 2024-11-18T14:15:15.000Z
diff --git a/examples/custom-resources/vsr-route-selector/README.md b/examples/custom-resources/vsr-route-selector/README.md
@@ -0,0 +1,146 @@
+# Cross-Namespace Configuration
+
+In this example we use the [VirtualServer and
+VirtualServerRoute](https://docs.nginx.com/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/)
+resources to configure load balancing for the modified cafe application from the [Basic
+Configuration](../basic-configuration/) example. We have put the load balancing configuration as well as the deployments
+and services into multiple namespaces. Instead of one namespace, we now use three: `tea`, `coffee`, and `cafe`.
+
+- In the tea namespace, we create the tea deployment, service, and the corresponding load-balancing configuration.
+- In the coffee namespace, we create the coffee deployment, service, and the corresponding load-balancing configuration.
+- In the cafe namespace, we create the cafe secret with the TLS certificate and key and the load-balancing configuration
+  for the cafe application. That configuration references the coffee and tea configurations.
+
+## Prerequisites
+
+1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/)
+   instructions to deploy the Ingress Controller with custom resources enabled.
+1. Save the public IP address of the Ingress Controller into a shell variable:
+
+    ```console
+    IC_IP=XXX.YYY.ZZZ.III
+    ```
+
+1. Save the HTTPS port of the Ingress Controller into a shell variable:
+
+    ```console
+    IC_HTTPS_PORT=<port number>
+    ```
+
+## Step 1 - Create Namespaces
+
+Create the required tea, coffee, and cafe namespaces:
+
+```console
+kubectl create -f namespaces.yaml
+```
+
+## Step 2 - Deploy the Cafe Application
+
+1. Create the tea deployment and service in the tea namespace:
+
+    ```console
+    kubectl create -f tea.yaml
+    ```
+
+1. Create the coffee deployment and service in the coffee namespace:
+
+    ```console
+    kubectl create -f coffee.yaml
+    ```
+
+## Step 3 - Configure Load Balancing and TLS Termination
+
+1. Create the VirtualServerRoute resource for tea in the tea namespace:
+
+    ```console
+    kubectl create -f tea-virtual-server-route.yaml
+    ```
+
+1. Create the VirtualServerRoute resource for coffee in the coffee namespace:
+
+    ```console
+    kubectl create -f coffee-virtual-server-route.yaml
+    ```
+
+1. Create the secret with the TLS certificate and key in the cafe namespace:
+
+    ```console
+    kubectl create -f cafe-secret.yaml
+    ```
+
+1. Create the VirtualServer resource for the cafe app in the cafe namespace:
+
+    ```console
+    kubectl create -f cafe-virtual-server.yaml
+    ```
+
+## Step 4 - Test the Configuration
+
+1. Check that the configuration has been successfully applied by inspecting the events of the VirtualServerRoutes and
+   VirtualServer:
+
+    ```console
+    kubectl describe virtualserverroute tea -n tea
+    ```
+
+    ```text
+    . . .
+    Events:
+      Type     Reason                 Age   From                      Message
+      ----     ------                 ----  ----                      -------
+      Warning  NoVirtualServersFound  2m    nginx-ingress-controller  No VirtualServer references VirtualServerRoute tea/tea
+      Normal   AddedOrUpdated         1m    nginx-ingress-controller  Configuration for tea/tea was added or updated
+    ```
+
+    ```console
+    kubectl describe virtualserverroute coffee -n coffee
+    ```
+
+    ```text
+    . . .
+    Events:
+      Type     Reason                 Age   From                      Message
+      ----     ------                 ----  ----                      -------
+      Warning  NoVirtualServersFound  2m    nginx-ingress-controller  No VirtualServer references VirtualServerRoute coffee/coffee
+      Normal   AddedOrUpdated         1m    nginx-ingress-controller  Configuration for coffee/coffee was added or updated
+    ```
+
+    ```console
+    kubectl describe virtualserver cafe -n cafe
+    ```
+
+    ```text
+    . . .
+    Events:
+      Type    Reason          Age   From                      Message
+      ----    ------          ----  ----                      -------
+      Normal  AddedOrUpdated  1m    nginx-ingress-controller  Configuration for cafe/cafe was added or updated
+    ```
+
+1. Access the application using curl. We'll use curl's `--insecure` option to turn off certificate verification of our
+   self-signed certificate and `--resolve` option to set the IP address and HTTPS port of the Ingress Controller to the
+   domain name of the cafe application:
+
+    To get coffee:
+
+    ```console
+    curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/coffee --insecure
+    ```
+
+    ```text
+    Server address: 10.16.1.193:80
+    Server name: coffee-7dbb5795f6-mltpf
+    ...
+    ```
+
+    If your prefer tea:
+
+    ```console
+    curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/tea --insecure
+    ```
+
+    ```text
+    Server address: 10.16.0.157:80
+    Server name: tea-7d57856c44-674b8
+    ...
diff --git a/examples/custom-resources/vsr-route-selector/api-key-policy.yaml b/examples/custom-resources/vsr-route-selector/api-key-policy.yaml
@@ -0,0 +1,13 @@
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+  name: api-key-policy
+  namespace: cafe
+spec:
+  apiKey:
+    suppliedIn:
+      header:
+      - "X-header-name"
+      query:
+      - "queryName"
+    clientSecret: api-key-client-secret
diff --git a/examples/custom-resources/vsr-route-selector/api-key-secret.yaml b/examples/custom-resources/vsr-route-selector/api-key-secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: api-key-client-secret
+  namespace: cafe
+type: nginx.org/apikey
+data:
+    client1: cGFzc3dvcmQ= # password
+    client2: YW5vdGhlci1wYXNzd29yZA== # another-password
diff --git a/examples/custom-resources/vsr-route-selector/cafe-secret.yaml b/examples/custom-resources/vsr-route-selector/cafe-secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cafe-secret
+  namespace: cafe
+type: kubernetes.io/tls
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMakNDQWhZQ0NRREFPRjl0THNhWFdqQU5CZ2txaGtpRzl3MEJBUXNGQURCYU1Rc3dDUVlEVlFRR0V3SlYKVXpFTE1Ba0dBMVVFQ0F3Q1EwRXhJVEFmQmdOVkJBb01HRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MApaREViTUJrR0ExVUVBd3dTWTJGbVpTNWxlR0Z0Y0d4bExtTnZiU0FnTUI0WERURTRNRGt4TWpFMk1UVXpOVm9YCkRUSXpNRGt4TVRFMk1UVXpOVm93V0RFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ01Ba05CTVNFd0h3WUQKVlFRS0RCaEpiblJsY201bGRDQlhhV1JuYVhSeklGQjBlU0JNZEdReEdUQVhCZ05WQkFNTUVHTmhabVV1WlhoaApiWEJzWlM1amIyMHdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDcDZLbjdzeTgxCnAwanVKL2N5ayt2Q0FtbHNmanRGTTJtdVpOSzBLdGVjcUcyZmpXUWI1NXhRMVlGQTJYT1N3SEFZdlNkd0kyaloKcnVXOHFYWENMMnJiNENaQ0Z4d3BWRUNyY3hkam0zdGVWaVJYVnNZSW1tSkhQUFN5UWdwaW9iczl4N0RsTGM2SQpCQTBaalVPeWwwUHFHOVNKZXhNVjczV0lJYTVyRFZTRjJyNGtTa2JBajREY2o3TFhlRmxWWEgySTVYd1hDcHRDCm42N0pDZzQyZitrOHdnemNSVnA4WFprWldaVmp3cTlSVUtEWG1GQjJZeU4xWEVXZFowZXdSdUtZVUpsc202OTIKc2tPcktRajB2a29QbjQxRUUvK1RhVkVwcUxUUm9VWTNyemc3RGtkemZkQml6Rk8yZHNQTkZ4MkNXMGpYa05MdgpLbzI1Q1pyT2hYQUhBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFLSEZDY3lPalp2b0hzd1VCTWRMClJkSEliMzgzcFdGeW5acS9MdVVvdnNWQTU4QjBDZzdCRWZ5NXZXVlZycTVSSWt2NGxaODFOMjl4MjFkMUpINnIKalNuUXgrRFhDTy9USkVWNWxTQ1VwSUd6RVVZYVVQZ1J5anNNL05VZENKOHVIVmhaSitTNkZBK0NuT0Q5cm4yaQpaQmVQQ0k1ckh3RVh3bm5sOHl3aWozdnZRNXpISXV5QmdsV3IvUXl1aTlmalBwd1dVdlVtNG52NVNNRzl6Q1Y3ClBwdXd2dWF0cWpPMTIwOEJqZkUvY1pISWc4SHc5bXZXOXg5QytJUU1JTURFN2IvZzZPY0s3TEdUTHdsRnh2QTgKN1dqRWVxdW5heUlwaE1oS1JYVmYxTjM0OWVOOThFejM4Zk9USFRQYmRKakZBL1BjQytHeW1lK2lHdDVPUWRGaAp5UkU9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBcWVpcCs3TXZOYWRJN2lmM01wUHJ3Z0pwYkg0N1JUTnBybVRTdENyWG5LaHRuNDFrCkcrZWNVTldCUU5semtzQndHTDBuY0NObzJhN2x2S2wxd2k5cTIrQW1RaGNjS1ZSQXEzTVhZNXQ3WGxZa1YxYkcKQ0pwaVJ6ejBza0lLWXFHN1BjZXc1UzNPaUFRTkdZMURzcGRENmh2VWlYc1RGZTkxaUNHdWF3MVVoZHErSkVwRwp3SStBM0kreTEzaFpWVng5aU9WOEZ3cWJRcCt1eVFvT05uL3BQTUlNM0VWYWZGMlpHVm1WWThLdlVWQ2cxNWhRCmRtTWpkVnhGbldkSHNFYmltRkNaYkp1dmRySkRxeWtJOUw1S0Q1K05SQlAvazJsUkthaTAwYUZHTjY4NE93NUgKYzMzUVlzeFR0bmJEelJjZGdsdEkxNURTN3lxTnVRbWF6b1Z3QndJREFRQUJBb0lCQVFDUFNkU1luUXRTUHlxbApGZlZGcFRPc29PWVJoZjhzSStpYkZ4SU91UmF1V2VoaEp4ZG01Uk9ScEF6bUNMeUw1VmhqdEptZTIyM2dMcncyCk45OUVqVUtiL1ZPbVp1RHNCYzZvQ0Y2UU5SNThkejhjbk9SVGV3Y290c0pSMXBuMWhobG5SNUhxSkpCSmFzazEKWkVuVVFmY1hackw5NGxvOUpIM0UrVXFqbzFGRnM4eHhFOHdvUEJxalpzVjdwUlVaZ0MzTGh4bndMU0V4eUZvNApjeGI5U09HNU9tQUpvelN0Rm9RMkdKT2VzOHJKNXFmZHZ5dGdnOXhiTGFRTC94MGtwUTYyQm9GTUJEZHFPZVBXCktmUDV6WjYvMDcvdnBqNDh5QTFRMzJQem9idWJzQkxkM0tjbjMyamZtMUU3cHJ0V2wrSmVPRmlPem5CUUZKYk4KNHFQVlJ6NWhBb0dCQU50V3l4aE5DU0x1NFArWGdLeWNrbGpKNkY1NjY4Zk5qNUN6Z0ZScUowOXpuMFRsc05ybwpGVExaY3hEcW5SM0hQWU00MkpFUmgySi9xREZaeW5SUW8zY2czb2VpdlVkQlZHWTgrRkkxVzBxZHViL0w5K3l1CmVkT1pUUTVYbUdHcDZyNmpleHltY0ppbS9Pc0IzWm5ZT3BPcmxEN1NQbUJ2ek5MazRNRjZneGJYQW9HQkFNWk8KMHA2SGJCbWNQMHRqRlhmY0tFNzdJbUxtMHNBRzR1SG9VeDBlUGovMnFyblRuT0JCTkU0TXZnRHVUSnp5K2NhVQprOFJxbWRIQ2JIelRlNmZ6WXEvOWl0OHNaNzdLVk4xcWtiSWN1YytSVHhBOW5OaDFUanNSbmU3NFowajFGQ0xrCmhIY3FIMHJpN1BZU0tIVEU4RnZGQ3haWWRidUI4NENtWmlodnhicFJBb0dBSWJqcWFNWVBUWXVrbENkYTVTNzkKWVNGSjFKelplMUtqYS8vdER3MXpGY2dWQ0thMzFqQXdjaXowZi9sU1JxM0hTMUdHR21lemhQVlRpcUxmZVpxYwpSMGlLYmhnYk9jVlZrSkozSzB5QXlLd1BUdW14S0haNnpJbVpTMGMwYW0rUlk5WUdxNVQ3WXJ6cHpjZnZwaU9VCmZmZTNSeUZUN2NmQ21mb09oREN0enVrQ2dZQjMwb0xDMVJMRk9ycW40M3ZDUzUxemM1em9ZNDR1QnpzcHd3WU4KVHd2UC9FeFdNZjNWSnJEakJDSCtULzZzeXNlUGJKRUltbHpNK0l3eXRGcEFOZmlJWEV0LzQ4WGY2ME54OGdXTQp1SHl4Wlp4L05LdER3MFY4dlgxUE9ucTJBNWVpS2ErOGpSQVJZS0pMWU5kZkR1d29seHZHNmJaaGtQaS80RXRUCjNZMThzUUtCZ0h0S2JrKzdsTkpWZXN3WEU1Y1VHNkVEVXNEZS8yVWE3ZlhwN0ZjanFCRW9hcDFMU3crNlRYcDAKWmdybUtFOEFSek00NytFSkhVdmlpcS9udXBFMTVnMGtKVzNzeWhwVTl6WkxPN2x0QjBLSWtPOVpSY21Vam84UQpjcExsSE1BcWJMSjhXWUdKQ2toaVd4eWFsNmhZVHlXWTRjVmtDMHh0VGwvaFVFOUllTktvCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
diff --git a/examples/custom-resources/vsr-route-selector/cafe-virtual-server.yaml b/examples/custom-resources/vsr-route-selector/cafe-virtual-server.yaml
@@ -0,0 +1,34 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+  name: cafe
+  namespace: cafe
+spec:
+  host: cafe.example.com
+  tls:
+    secret: cafe-secret
+  server-snippets: |
+    # snippet defined in VS server block
+    proxy_set_header X-VS-Name "Cafe";
+  routes:
+#  - path: /tea
+#    route: tea/tea
+#    policies:
+#      - name: rate-limit-policy
+#  - path: /coffee
+#    route: coffee/coffee
+  - path: /
+    routeSelector:
+      matchLabels:
+       app: cafe
+#       route: tea
+    policies:
+    - name: api-key-policy
+    location-snippets: |
+      # snippet defined in VS
+      proxy_set_header X-VS-Name "Cafe";
+    errorPages:
+    - codes: [ 502, 503 ]
+      redirect:
+        code: 301
+        url: https://nginx.org
diff --git a/examples/custom-resources/vsr-route-selector/coffee-virtual-server-route.yaml b/examples/custom-resources/vsr-route-selector/coffee-virtual-server-route.yaml
@@ -0,0 +1,28 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServerRoute
+metadata:
+  name: coffee
+  namespace: coffee
+  labels:
+    app: cafe
+    route: coffee
+spec:
+  host: cafe.example.com
+  upstreams:
+  - name: coffee
+    service: coffee-svc
+    port: 80
+  subroutes:
+  - path: /coffee
+    action:
+      pass: coffee
+    policies:
+     - name: rate-limit-policy
+    location-snippets: |
+      # snippet defined in VSR
+      proxy_set_header X-VSR-Name "Coffee";
+    errorPages:
+    - codes: [404]
+      return:
+        code: 200
+        body: "Original resource not found, but success!"
diff --git a/examples/custom-resources/vsr-route-selector/coffee.yaml b/examples/custom-resources/vsr-route-selector/coffee.yaml
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coffee
+  namespace: coffee
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: coffee
+  template:
+    metadata:
+      labels:
+        app: coffee
+    spec:
+      containers:
+      - name: coffee
+        image: nginxdemos/nginx-hello:plain-text
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: coffee-svc
+  namespace: coffee
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: coffee
diff --git a/examples/custom-resources/vsr-route-selector/namespaces.yaml b/examples/custom-resources/vsr-route-selector/namespaces.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cafe
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tea
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: coffee
diff --git a/examples/custom-resources/vsr-route-selector/rate-limit.yaml b/examples/custom-resources/vsr-route-selector/rate-limit.yaml
@@ -0,0 +1,10 @@
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+  name: rate-limit-policy
+  namespace: coffee
+spec:
+  rateLimit:
+    rate: 1r/s
+    key: ${binary_remote_addr}
+    zoneSize: 10M
diff --git a/examples/custom-resources/vsr-route-selector/tea-virtual-server-route.yaml b/examples/custom-resources/vsr-route-selector/tea-virtual-server-route.yaml
@@ -0,0 +1,21 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServerRoute
+metadata:
+  name: tea
+  namespace: tea
+  labels:
+    route: tea
+    app: cafe
+spec:
+  host: cafe.example.com
+  upstreams:
+  - name: tea
+    service: tea-svc
+    port: 80
+  subroutes:
+  - path: /tea
+    action:
+      pass: tea
+#    location-snippets: |
+#      # snippet defined in VSR
+#      proxy_set_header X-VSR-Name "Tea";
diff --git a/examples/custom-resources/vsr-route-selector/tea.yaml b/examples/custom-resources/vsr-route-selector/tea.yaml
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tea
+  namespace: tea
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: tea
+  template:
+    metadata:
+      labels:
+        app: tea
+    spec:
+      containers:
+      - name: tea
+        image: nginxdemos/nginx-hello:plain-text
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tea-svc
+  namespace: tea
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: tea
