Start FAQ docs #66
Start FAQ docs #66
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
This change is |
bprashanth
force-pushed
the
more_docs
branch
from
d1a5980
to
f606a85
Compare
bprashanth
force-pushed
the
more_docs
branch
7 times, most recently
from
de54f9b
to
f661655
Compare
bprashanth
force-pushed
the
more_docs
branch
from
f661655
to
85c4317
Compare
|
ready for review |
|
|
||
| Yes, please see [this](/examples/static-ip) example. | ||
|
|
||
| ## Does updating a Kubernetes secrete update the GCE TLS certs? |
|
|
||
| ## Does updating a Kubernetes secrete update the GCE TLS certs? | ||
|
|
||
| Yes, expect O(30s) delay. |
There was a problem hiding this comment.
for a faq, prefer something like "up to a minute delay"
| Yes, expect O(30s) delay. | ||
|
|
||
| The controller should create a second ssl certificate suffixed with `-1` and | ||
| atomically swap it with the ssl certificate in your taret proxy, then delete |
|
|
||
| The controller should create a second ssl certificate suffixed with `-1` and | ||
| atomically swap it with the ssl certificate in your taret proxy, then delete | ||
| the obselete ssl certificate. |
| ## Is there a maximum number of Endpoints I can add to the Ingress? | ||
|
|
||
| This limit is directly related to the maximum number of endpoints allowed in a | ||
| Kubernetes cluster, not the the HTTP LB configuration, since the HTTP LB sends |
|
|
||
| 1. Navigate to the [cloud console](https://console.cloud.google.com/) and click on the "Networking" tab, then choose "LoadBalancing" | ||
| 2. Find the loadbalancer you'd like to delete, it should have a name formatted as: k8s-um-ns-name--UUID | ||
| 3. Delete it, check the boxes to also casade the deletion down to associated resources (eg: backend-services) |
| If you find yourself in such a situation, you can delete the resources by hand: | ||
|
|
||
| 1. Navigate to the [cloud console](https://console.cloud.google.com/) and click on the "Networking" tab, then choose "LoadBalancing" | ||
| 2. Find the loadbalancer you'd like to delete, it should have a name formatted as: k8s-um-ns-name--UUID |
There was a problem hiding this comment.
Would be nice for it to be clear what's a variable and what's not. No clue if "-um-" is literal of meant to stand for something.
e.g. k8s-???-$namespace-$name--$UUID is fairly well understood for indicating variables.
|
@bprashanth please add a reference to how is possible to achieve IP preservation in gce/gke |
|
Yeah, on GCE with today's http lb you can't preserve it (you only get XFF). You can manually setup an ssl proxy (does tls termination and proxy protocol) and point it at the nginx controller (with proxy protocol enabled). I will write an example about this. |
|
Yeah exactly, they'd need to deploy the nginx ingress contorller, create the ingress with |
|
@bprashanth the ssl proxy needs a backend service, which only accepts node pools as backends and also requires a health check. Could you point me to an example of this working on GCE/GKE? |
| The Kubernetes Service is an abstraction over endpoints (pod-ip:port pairings). | ||
| The Ingress is an abstraction over Services. This doesn't mean all Ingress | ||
| controller must route *through* a Service, but rather, that routing, security | ||
| and auth configuration is represented in the Ingerss resource per Service, and |
|
I'll address comments in a follow up (#102), merging now since I'm on vacation and this doc will answer FAQ while I'm AFK |
update copyright
No description provided.