From 88586068d794566c41872b0860ab6392c143cc19 Mon Sep 17 00:00:00 2001
From: theteacat
Date: Tue, 8 Oct 2024 12:50:00 +0100
Subject: [PATCH 1/4] Add example files for kubernetes demo setup
---
 examples/kubernetes/appspec.yml | 21 +++++++++++++++++++++
 examples/kubernetes/firetail.yaml | 11 +++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 examples/kubernetes/appspec.yml
 create mode 100644 examples/kubernetes/firetail.yaml
diff --git a/examples/kubernetes/appspec.yml b/examples/kubernetes/appspec.yml
new file mode 100644
index 0000000..8ebb424
--- /dev/null
+++ b/examples/kubernetes/appspec.yml
@@ -0,0 +1,21 @@
+openapi: 3.0.1
+info:
+ title: Firetail Nginx Ingest Example
+ version: "0.1"
+paths:
+ /tea:
+ get:
+ summary: Returns a cup of tea
+ responses:
+ "200":
+ description: A cup of tea
+ content:
+ text/plain:
+ schema:
+ type: string
+ example: |
+ Server address: 10.1.0.64:8080
+ Server name: tea-df5655878-smhzt
+ Date: 08/Oct/2024:10:55:42 +0000
+ URI: /tea
+ Request ID: fc99c0eb87b19fef8de34d8c7c7e1424
diff --git a/examples/kubernetes/firetail.yaml b/examples/kubernetes/firetail.yaml
new file mode 100644
index 0000000..6e2b1e0
--- /dev/null
+++ b/examples/kubernetes/firetail.yaml
@@ -0,0 +1,11 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: nginx-config
+ namespace: nginx-ingress
+data:
+ main-snippets: |
+ load_module modules/ngx_firetail_module.so;
+ http-snippets: |
+ firetail_api_token "YOUR_API_TOKEN_HERE";
+ firetail_url "https://api.logging.eu-west-1.prod.firetail.app/logs/bulk";
From 1a2e32783d3d4d01c2085876231d806668029928 Mon Sep 17 00:00:00 2001
From: theteacat
Date: Tue, 8 Oct 2024 12:50:12 +0100
Subject: [PATCH 2/4] Add ingress and ingress-dev stages for kubernetes demo setup
---
 Dockerfile | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 6bbaef1..193d9b4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -44,3 +44,15 @@ COPY dev/appspec.yml /etc/nginx/appspec.yml
 COPY dev/nginx.conf /etc/nginx/nginx.conf
 COPY dev/index.html /usr/share/nginx/html/
 CMD ["nginx-debug", "-g", "daemon off;"]
+
+# An image for Kubernetes ingress
+FROM nginx/nginx-ingress:3.7.0 as firetail-nginx-ingress
+USER root
+RUN mkdir -p /var/lib/apt/lists/partial && apt-get update && apt-get install -y libjson-c-dev
+COPY --from=build-golang /dist/firetail-validator.so /etc/nginx/modules/
+COPY --from=build-c /tmp/nginx-${NGINX_VERSION}/objs/ngx_firetail_module.so /etc/nginx/modules/
+USER nginx
+
+# A dev image for Kubernetes ingress
+FROM firetail-nginx-ingress AS firetail-nginx-ingress-dev
+COPY --chown=nginx:nginx examples/kubernetes/appspec.yml /etc/nginx/appspec.yml
From cb7661962e2bc175fa000e7fe979d6de611a29ab Mon Sep 17 00:00:00 2001
From: theteacat
Date: Tue, 8 Oct 2024 12:50:28 +0100
Subject: [PATCH 3/4] Doc Kubernetes example setup
---
 README.md | 119 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 119 insertions(+)
diff --git a/README.md b/README.md
index 2e3a976..7e8943b 100644
--- a/README.md
+++ b/README.md
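Review bot: In the new `firetail-nginx-ingress` stage of the Dockerfile, the `RUN` line installs the development package `libjson-c-dev` together with its recommended packages and leaves the apt index in the layer, which adds avoidable packages to an image that runs as the cluster's ingress. I would write it as `RUN mkdir -p /var/lib/apt/lists/partial && apt-get update && apt-get install -y --no-install-recommends libjson-c-dev && rm -rf /var/lib/apt/lists/*`, and switch to the runtime json-c library package if the two modules only need the shared object at run time. The `COPY --from=build-c` line expands `${NGINX_VERSION}`, and no `ARG NGINX_VERSION` is visible in this stage, so the value presumably comes from the base image's environment rather than from the `--build-arg`; it is worth confirming the two cannot diverge, since a mismatch makes the source path wrong. The `FROM` line also uses lowercase `as` while the dev stage below it uses `AS`.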
@@ -43,6 +43,125 @@ Once you've configured your `nginx.conf` you will also need to provide an OpenAP
+## Kubernetes Example Setup
+
+An example setup for the Firetail NGINX plugin installed on an NGINX-ingress image for Kubernetes is included in the [Dockerfile](./Dockerfile) in this repository. You can build it as follows:
+
+```bash
+git clone git@github.com:FireTail-io/firetail-nginx-module.git
+cd firetail-nginx-module
+docker build -t firetail-nginx-ingress-dev . --target firetail-nginx-ingress-dev --build-arg="NGINX_VERSION=1.27.1"
+```
+
+You can then modify the [complete example](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples/ingress-resources/complete-example) in the [nginxinc/kubernetes-ingress repository](https://github.com/nginxinc/kubernetes-ingress) to use the NGINX-ingress image you just built. First, clone the repository:
+
+```bash
+git clone git@github.com:nginxinc/kubernetes-ingress.git
+cd kubernetes-ingress
+```
+
+You'll then need to change the image used in `deployments/daemon-set/nginx-ingress.yaml` for the `nginx-ingress` container to `firetail-nginx-ingress-dev`.
+
+```yaml
+...
+ containers:
+ - image: firetail-nginx-ingress-dev
+ name: nginx-ingress
+...
+```
+
+Follow [the instructions linked from the example](https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-manifests/) to setup the nginx-ingress:
+
+```bash
+kubectl apply -f deployments/common/ns-and-sa.yaml
+kubectl apply -f deployments/rbac/rbac.yaml
+kubectl apply -f examples/shared-examples/default-server-secret/default-server-secret.yaml
+kubectl apply -f deployments/common/nginx-config.yaml
+kubectl apply -f deployments/common/ingress-class.yaml
+kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.7.0/deploy/crds.yaml
+kubectl apply -f deployments/daemon-set/nginx-ingress.yaml
+kubectl create -f deployments/service/nodeport.yaml
+```
+
+You should then be able to see the `nginx-ingress` pod in a `Running` state:
+
+```bash
+kubectl get pods --namespace=nginx-ingress
+```
+
+```bash
+NAME READY STATUS RESTARTS AGE
+nginx-ingress-g6tss 1/1 Running 0 7s
+```
+
+Then follow the instructions for the [complete example](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples/ingress-resources/complete-example) in the [nginxinc/kubernetes-ingress repository](https://github.com/nginxinc/kubernetes-ingress):
+
+```bash
+kubectl create -f examples/ingress-resources/complete-example/cafe.yaml
+kubectl create -f examples/ingress-resources/complete-example/cafe-secret.yaml
+kubectl create -f examples/ingress-resources/complete-example/cafe-ingress.yaml
+```
+
+Find the port used by the `nginx-ingress`:
+
+```bash
+kubectl get service --namespace=nginx-ingress
+```
+
+```bash
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+nginx-ingress NodePort 10.106.182.250 80:32724/TCP,443:32334/TCP 13s
+```
+
+You should then be able to `curl` the tea or coffee endpoint as follows:
+
+```bash
+export CAFE_PORT=32334
+curl --resolve cafe.example.com:$CAFE_PORT:0.0.0.0 https://cafe.example.com:$CAFE_PORT/tea --insecure
+```
+
+```
+Server address: 10.1.0.78:8080
+Server name: tea-df5655878-7blfk
+Date: 08/Oct/2024:11:06:13 +0000
+URI: /tea
+Request ID: 8292a274a2774d7e5257c53dcb8adbe6
+```
+
+In this repository you will also find [`examples/kubernetes/firetail.yml`](./examples/kubernetes/firetail.yml). Modify this file to include your own API token from the FireTail platform, and update the Firetail URL to match the region you're using then apply it.
+
+```bash
+kubectl apply -f firetail.yaml
+```
+
+This will update the `nginx.conf` file in the `nginx-ingress` container to load the FireTail module and provide your API token and FireTail URL.
+
+You should still be able to curl the `/tea` endpoint, as it is included in [the example OpenAPI specification used in the `firetail-nginx-ingress-dev` image](./dev/appspec.yml):
+
+```bash
+curl --resolve cafe.example.com:$CAFE_PORT:0.0.0.0 https://cafe.example.com:$CAFE_PORT/tea --insecure
+```
+
+```
+Server address: 10.1.0.77:8080
+Server name: tea-df5655878-s5rbl
+Date: 08/Oct/2024:11:09:40 +0000
+URI: /tea
+Request ID: 2a094910b76a06a3a11a5820df10d56c
+```
+
+However, if you try and curl the `/coffee` endpoint your request should be blocked by the FireTail module as it is not defined in the OpenAPI specification.
+
+```bash
+curl --resolve cafe.example.com:$CAFE_PORT:0.0.0.0 https://cafe.example.com:$CAFE_PORT/coffee --insecure
+```
+
+```json
+{"code":404,"title":"the resource \"/coffee\" could not be found","detail":"a path for \"/coffee\" could not be found in your appspec"}
+```
+
+
+
 ## Local Development
 A [Dockerfile](./Dockerfile) is provided which will build the module, install it in [an NGINX docker image](https://hub.docker.com/_/nginx), and setup a custom [nginx.conf](./dev/nginx.conf) and [index.html](./dev/index.html). It should be as simple as:
From f858c4a15a8e56d14c8d45c694a4e10c299a8ece Mon Sep 17 00:00:00 2001
From: theteacat
Date: Tue, 8 Oct 2024 14:03:45 +0100
Subject: [PATCH 4/4] Move firetail.yaml from examples/kubernetes into README
---
 README.md | 20 ++++++++++++++++++--
 examples/kubernetes/firetail.yaml | 11 -----------
 2 files changed, 18 insertions(+), 13 deletions(-)
 delete mode 100644 examples/kubernetes/firetail.yaml
diff --git a/README.md b/README.md
index 7e8943b..307db35 100644
--- a/README.md
+++ b/README.md
@@ -128,10 +128,26 @@ URI: /tea
 Request ID: 8292a274a2774d7e5257c53dcb8adbe6
 ```
-In this repository you will also find [`examples/kubernetes/firetail.yml`](./examples/kubernetes/firetail.yml). Modify this file to include your own API token from the FireTail platform, and update the Firetail URL to match the region you're using then apply it.
+In order for the `nginx-ingest` to load the FireTail module we need to add a `load_module` directive to the main block, and `firetail_api_token` and `firetail_url` directives to the `nginx.conf`. This can be done using a `ConfigMap` like this:
+
+```yaml
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: nginx-config
+ namespace: nginx-ingress
+data:
+ main-snippets: |
+ load_module modules/ngx_firetail_module.so;
+ http-snippets: |
+ firetail_api_token "YOUR_API_TOKEN_HERE";
+ firetail_url "https://api.logging.eu-west-1.prod.firetail.app/logs/bulk";
+```
+
+Modify this file to include your own API token from the FireTail platform, and update the Firetail URL to match the region you're using. You can then save it and apply it like so:
 ```bash
-kubectl apply -f firetail.yaml
+kubectl apply -f my-firetail-config-map.yaml
 ```
 This will update the `nginx.conf` file in the `nginx-ingress` container to load the FireTail module and provide your API token and FireTail URL.
diff --git a/examples/kubernetes/firetail.yaml b/examples/kubernetes/firetail.yaml
deleted file mode 100644
index 6e2b1e0..0000000
--- a/examples/kubernetes/firetail.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: nginx-config
- namespace: nginx-ingress
-data:
- main-snippets: |
- load_module modules/ngx_firetail_module.so;
- http-snippets: |
- firetail_api_token "YOUR_API_TOKEN_HERE";
- firetail_url "https://api.logging.eu-west-1.prod.firetail.app/logs/bulk";