Consider deploying the Helm stable/nginx-ingress chart, as the upstream nginx ingress controller is not configured to support cross-namespace ingress resources. The following manifests could likely be used with an ingress controller deployed to the quay-enterprise namespace if an ingress controller per namespace is being used.
First, create a ClusterIP service for Quay Enterprise:
apiVersion: v1
kind: Service
metadata:
  name: quay-enterprise
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    quay-enterprise-component: app
  sessionAffinity: None
  type: ClusterIP
Next, create a TLS secret object. This will be used as the SSL cert for the registry. While it is not ideal to have the LB/ingress terminate TLS, there is no known nginx-ingress configuration that will correctly route to the registry backend when using the docker CLI (push/pull) without defining TLS in the ingress resource.
If the "Using SSL to Protect Quay Enterprise" guide was followed, the values of the ingress resource manifest are tls.crt = ssl.cert and tls.key = ssl.key.
Encode the contents of these files like so:
base64 -w 0 ssl.cert
apiVersion: v1
data:
  tls.crt: <base64 encoded string>
  tls.key: <base64 encoded string>
kind: Secret
metadata:
  name: registry-tls
  namespace: quay-enterprise
type: Opaque
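Added example, not part of the original guide: a POSIX shell function that builds the registry-tls Secret manifest above from ssl.cert and ssl.key, rejecting missing or swapped files before encoding. The function name make_tls_secret and its optional name and namespace arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the registry-tls Secret manifest from ssl.cert and ssl.key.
# make_tls_secret CERT KEY [NAME] [NAMESPACE] writes the manifest to stdout.
# (make_tls_secret is a hypothetical helper name, not a Quay or kubectl command.)
make_tls_secret() {
    cert=$1; key=$2
    name=${3:-registry-tls}; ns=${4:-quay-enterprise}

    # Refuse missing or empty inputs instead of emitting an empty data field.
    for f in "$cert" "$key"; do
        [ -s "$f" ] || { echo "missing or empty file: $f" >&2; return 1; }
    done
    # Catch swapped arguments: tls.crt must be a PEM certificate, tls.key a PEM key.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "$cert is not a PEM certificate" >&2; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "$key is not a PEM private key" >&2; return 1; }

    # Strip newlines with tr so the value is one line on any base64 implementation.
    crt_b64=$(base64 < "$cert" | tr -d '\n')
    key_b64=$(base64 < "$key" | tr -d '\n')

    cat <<EOF
apiVersion: v1
data:
  tls.crt: $crt_b64
  tls.key: $key_b64
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: Opaque
EOF
}

# The manifest holds the private key merely base64-encoded, so keep it owner-only:
#   (umask 077; make_tls_secret ssl.cert ssl.key > registry-tls.yaml)
```

Base64 is an encoding, not encryption, so the generated file should be handled like the private key itself and removed once the secret has been created.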
From the QE superuser panel, navigate to Server Configuration, TLS, and select "My own load balancer handles TLS". Save the config and recycle the quay-enterprise-app pod so the new configuration is deployed.
If the step above is done properly, the config.yaml for Quay Enterprise will contain:
EXTERNAL_TLS_TERMINATION: true
PREFERRED_URL_SCHEME: https
Deploy the quay-enterprise ingress resource, being sure to replace registry.example.com:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
  name: quay-enterprise
spec:
  rules:
  - host: registry.example.com
    http:
      paths:
      - backend:
          serviceName: quay-enterprise
          servicePort: 80
        path: /
  tls:
  - hosts:
    - registry.example.com
    secretName: registry-tls