https://github.com/rosskukulinski/nginx-kubernetes-reload

Containerized NGINX that watches for configuration file changes from Kubernetes Secrets or ConfigMaps.
https://github.com/rosskukulinski/nginx-kubernetes-reload

Last synced: 4 days ago
JSON representation

Containerized NGINX that watches for configuration file changes from Kubernetes Secrets or ConfigMaps.

• Host: GitHub
• URL: https://github.com/rosskukulinski/nginx-kubernetes-reload
• Owner: rosskukulinski
• License: mit
• Created: 2017-01-17T17:45:07.000Z (almost 8 years ago)
• Default Branch: master
• Last Pushed: 2020-09-18T16:00:03.000Z (about 4 years ago)
• Last Synced: 2024-10-19T19:30:17.678Z (20 days ago)
• Language: Dockerfile
• Size: 6.84 KB
• Stars: 48
• Watchers: 5
• Forks: 22
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-kubernetes - NGINX for Kubernetes Reloaded - Containerized NGINX that watches for configuration file changes from Kubernetes Secrets or ConfigMaps. (Tools)

README

        
# NGINX for Kubernetes

[![Docker Hub](https://img.shields.io/badge/docker-ready-blue.svg)](https://hub.docker.com/r/rosskukulinski/nginx-kubernetes-reload/)

[![Docker Pulls](https://img.shields.io/docker/pulls/rosskukulinski/nginx-kubernetes-reload.svg?maxAge=2592000)]()

[![Docker Stars](https://img.shields.io/docker/stars/rosskukulinski/nginx-kubernetes-reload.svg?maxAge=2592000)]()

This repo provides a containerized NGINX that supports watching for configuration file changes

from Kubernetes Secrets or ConfigMaps.

The primary motivation for this NGINX configuration was to support dynamically updating LetsEncrypt

TLS certificates from [kube-cert-manager](https://github.com/PalmStoneGames/kube-cert-manager) within Kubernetes.

## Why not an Ingress Controller?

An Ingress controller is an application that monitors Ingress resources via the Kubernetes API and updates the configuration of a load balancer in case of any changes.

While the Kubernetes community is slowly moving towards leveraging Ingress as the primary L7 load balancer,

I've consistently run into situations that require a customized NGINX configuration or where the Ingress controllers are missing key features.

To support those instances, I utilize this NGINX Deployment to dynamically handle TLS & ConfigMap changes

while still enabling a completely customized config.

## How it works

As you can see in the [Dockerfile](./Dockerfile):

* Alpine NGINX base image (nginx:1.10-alpine) to [support http2](https://github.com/nginxinc/docker-nginx/issues/76)

* [dumb-init](https://github.com/Yelp/dumb-init) as the PID 1

* [nginx-reload.sh](./nginx-reload.sh) as the init script

* Expose NGINX health stub on port 8080

The key configuration parameter is the environment variable, `WATCH_PATHS`.  nginx-reload.sh uses `inotifywait` to watch the paths defined in `WATCH_PATHS` for changes, additions, or deletions of files.  When a change is identified, `nginx -t` is run to ensure that the new configuration is valid, and if it is, then NGINX is reloaded using `nginx -s reload`.

If the configuration is not valid, NGINX is not reloaded - it will continue to use the last valid configuration.

## Example Deployment

```

apiVersion: extensions/v1beta1

kind: Deployment

metadata:

  labels:

    app: gateway

  name: gateway

spec:

  strategy:

    type: RollingUpdate

    rollingUpdate:

      maxUnavailable: 0

  template:

    metadata:

      labels:

        app: gateway

    spec:

      containers:

      - image: rosskukulinski/nginx-kubernetes-reload:v2.0.0

        imagePullPolicy: Always

        name: gateway

        ports:

        - containerPort: 80

          protocol: TCP

        - containerPort: 8080

          protocol: TCP

        env:

          - name: WATCH_PATHS

            value: "/etc/nginx /etc/nginx-ssl/jenkins/"

        volumeMounts:

        - mountPath: /etc/nginx/

          name: gateway-config

        - mountPath: /etc/nginx-ssl/jenkins/

          name: jenkins-tls

        livenessProbe:

          httpGet:

            path: /

            port: 8080

          initialDelaySeconds: 5

          timeoutSeconds: 1

        readinessProbe:

          httpGet:

            path: /

            port: 8080

          initialDelaySeconds: 5

          timeoutSeconds: 1

      restartPolicy: Always

      volumes:

      - name: gateway-config

        configMap:

          name: gateway-config

      - name: jenkins-tls

        secret:

          secretName: jenkins-tls

```

## Bad-Bots

This Docker image has been pre-loaded with support for [nginx-badbot-blocker](https://github.com/mariusv/nginx-badbot-blocker/tree/master/VERSION_2).

Blacklist.conf has already been loaded, you should apply your whitelist-ips and whitelist-domains accordingly.

## Contact

I'd love to hear your feedback! If you have any suggestions or experience issues with this NGINX configuration, please create an issue or send a pull request on Github.

You can contact me directly via [[email protected]](mailto:[email protected]).