Grafana https behind nginx controller

If Grafana itself is serving HTTPS and you do not add the setting below to the ingress, requests through the ingress will fail with HTTP ERROR 400.

nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  • Also check grafana.ini and default.ini for root_url
root_url = https://grafana.example.com
  • Also check the liveness and readiness probe scheme

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#backend-protocol

https://stackoverflow.com/questions/54459015/how-to-configure-ingress-to-direct-traffic-to-an-https-backend-using-https

  • grafana helm values.yaml
# Grafana container image; the tag selects the application version.
# NOTE(review): a tag can be re-pointed upstream, so pin by digest as well if
# the deployment has to be reproducible.
image:
  repository: grafana/grafana
  tag: "8.5.2"

# Persistent storage is enabled, with the persistence type set to statefulset.
persistence:
  enabled: true
  type: statefulset

# CPU and memory requests are set equal to the limits.
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 500m
    memory: 512Mi

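# Grafana settings: each nested mapping below corresponds to a grafana.ini
# section and each key to a setting inside that section.
grafana.ini:
  app_mode: test
  paths:
    data: /var/lib/grafana/
    logs: /var/log/grafana
    plugins: /var/lib/grafana/plugins
    provisioning: /etc/grafana/provisioning
    temp_data_lifetime: 24h
  server:
    # Grafana terminates TLS itself. This is the reason the ingress needs the
    # backend-protocol HTTPS annotation and the probes need scheme HTTPS.
    protocol: https
    domain: grafana.example.com
    enforce_domain: false
    root_url: https://grafana.example.com/
    serve_from_sub_path: false
    # NOTE(review): certificate and private key are read from the Grafana data
    # directory. How they get there is not shown; confirm the key is
    # provisioned from a Secret and is readable only by the Grafana process.
    cert_file: /var/lib/grafana/cert/dev.crt
    cert_key: /var/lib/grafana/cert/dev.key
  database:
    type: postgres
    host: database-hostname
    name: grafana
    user: grafana
    # Placeholder that is substituted before or at start-up (the mechanism is
    # not shown here). Quoted so the substituted text stays a single string.
    # NOTE(review): a password written into these values ends up in clear text
    # in the rendered configuration. Prefer supplying it from a Kubernetes
    # Secret, for example through the GF_DATABASE_PASSWORD environment variable.
    password: '${grafana_eks_postgres_password}'
    # NOTE(review): TLS to PostgreSQL is switched off, so credentials and query
    # data cross the network unencrypted. Use require or verify-full when the
    # database endpoint supports TLS.
    ssl_mode: disable
  security:
    # Session cookies are only sent over HTTPS.
    cookie_secure: true
    # NOTE(review): allows Grafana pages to be rendered inside frames on other
    # sites, which removes the clickjacking protection. Keep it false unless
    # dashboards really are embedded elsewhere.
    allow_embedding: true
    # HSTS for one year, including subdomains and preload. Browsers will refuse
    # plain HTTP for the whole domain, so every subdomain must serve HTTPS.
    strict_transport_security: true
    strict_transport_security_max_age_seconds: 31536000
    strict_transport_security_preload: true
    strict_transport_security_subdomains: true
    x_content_type_options: true
    x_xss_protection: true
  smtp:
    enabled: true
    # Quoted so the host:port pair is always read as one string.
    host: 'email-smtp.ap-south-1.amazonaws.com:25'
    # Same placeholder convention as the database password; the same advice
    # about keeping the secret out of the rendered configuration applies.
    user: '${grafana_smtp_username}'
    password: '${grafana_smtp_password}'
    # Left commented out so the SMTP server certificate is still verified.
    # skip_verify: true
    # The real sender address was replaced by the page's e-mail obfuscation;
    # substitute the actual address. The quotes matter: an unquoted value that
    # starts with "[" is parsed as a YAML list instead of a string.
    from_address: '[email protected]'
    from_name: test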

# Readiness check: HTTPS GET of /api/health on port 3000. The scheme must be
# HTTPS because Grafana is configured with protocol: https; a plain HTTP probe
# against the TLS port would fail.
# The kubelet does not validate the certificate presented to an HTTPS probe, so
# a passing probe says nothing about the certificate being valid.
readinessProbe:
  httpGet:
    scheme: HTTPS
    port: 3000
    path: /api/health

# Liveness check against the same endpoint: first probe after 60 seconds,
# 30 second timeout per probe, 10 failures tolerated.
livenessProbe:
  initialDelaySeconds: 60
  timeoutSeconds: 30
  failureThreshold: 10
  httpGet:
    scheme: HTTPS
    port: 3000
    path: /api/health

# Ingress for grafana.example.com, handled by the nginx ingress class.
# NOTE(review): no tls section is set here, so which certificate clients see for
# this host depends on the controller's defaults; confirm, since Grafana sends
# HSTS and secure-only cookies.
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    # Makes the controller speak TLS to the Grafana pods; without it the
    # controller sends plain HTTP to the HTTPS port and gets HTTP 400.
    # NOTE(review): this encrypts the hop but, unless the proxy-ssl-*
    # annotations are configured, the backend certificate is not verified.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # Proxy connect/read/send timeouts of 600 seconds each; annotation values
    # have to be strings, hence the quotes.
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    route53mapper: enabled
  labels:
    app: grafana
  path: /
  pathType: ImplementationSpecific
  hosts:
    - grafana.example.com
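# Install or upgrade the release "grafana" from chart version 6.32.6, passing
# the image tag and persistence settings inline.
helm upgrade --install grafana grafana/grafana --version 6.32.6 \
  --set image.tag=8.5.2 \
  --set persistence.enabled=true \
  --set persistence.type=statefulset \
  --set persistence.storageClassName=gp2

# Same release and chart version, taking the overrides from the values file
# instead. The file name must match the values.yaml written above.
helm upgrade --install grafana grafana/grafana --version 6.32.6 -f values.yaml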

nginx as load balancer in kubernetes with htpasswd

nginx-kibana-deplyment.yml

# Single-replica nginx Deployment used as an authenticating proxy: nginx.conf
# and the htpasswd file are mounted into the container as individual files.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-kibana-deployment
  labels:
    app: nginx-kibana
    env: prod
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-kibana
      env: prod
  template:
    metadata:
      labels:
        app: nginx-kibana
        env: prod
    spec:
      containers:
        - name: nginx-container
          # NOTE(review): no tag or digest, so this resolves to whatever
          # "latest" is at pull time, and with IfNotPresent each node keeps the
          # copy it pulled first. Pin a specific version or digest.
          image: nginx
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              memory: "128Mi"
              cpu: "200m"
            limits:
              memory: "256Mi"
              cpu: "200m"
          # Files mounted with subPath are not refreshed when the source object
          # changes; the pod has to be restarted after a password change.
          volumeMounts:
            - name: nginx-conf
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
            - name: nginx-admin-htpasswd
              mountPath: /etc/nginx/admin-htpasswd
              subPath: admin-htpasswd
          ports:
            - containerPort: 80
      volumes:
        - name: nginx-conf
          configMap:
            name: nginx-conf
        # NOTE(review): the password hashes come from a ConfigMap, which anyone
        # with read access to ConfigMaps in the namespace can view. A Secret is
        # the usual object for credential material; switching means creating a
        # Secret instead of this ConfigMap and referencing it here.
        - name: nginx-admin-htpasswd
          configMap:
            name: nginx-admin-htpasswd
---
# NodePort Service in front of the nginx proxy pods: node port 30081 forwards
# to port 80 of pods labelled app=nginx-kibana, env=prod.
# NOTE(review): the port is reachable on every node and carries plain HTTP, so
# the basic-auth credentials travel unencrypted. Restrict who can reach the
# node port, or put TLS in front of it.
apiVersion: v1
kind: Service
metadata:
  name: nginx-kibana-service
  labels:
    app: nginx-kibana
    env: prod
spec:
  type: NodePort
  selector:
    app: nginx-kibana
    env: prod
  ports:
    - name: kibana-ui
      protocol: TCP
      port: 80
      targetPort: 80
      nodePort: 30081

nginx.conf

events { }

http {
    # Backends for the Kibana UI: the same port, 30063, on three hosts.
    upstream kibana {
        server 192.168.0.183:30063;
        server 192.168.0.184:30063;
        server 192.168.0.185:30063;
    }

    server {
        listen 80;

        location / {
            # Every request must pass HTTP basic auth against the mounted
            # htpasswd file before it is proxied.
            # NOTE(review): this listener is plain HTTP, so the Authorization
            # header (base64, not encrypted) and the traffic to the upstream
            # can be read on the network. Terminate TLS here or in front.
            auth_basic           "kibana admin";
            auth_basic_user_file /etc/nginx/admin-htpasswd;
            proxy_pass http://kibana;
        }
    }
}

Create admin-htpasswd auth file with htpasswd for admin user.

# httpd-tools provides the htpasswd utility.
yum install httpd-tools

# -c creates the file admin-htpasswd (overwriting an existing one) with an
# entry for user "admin"; the password is prompted for, so it does not end up
# in the shell history.
htpasswd -c admin-htpasswd admin

Create ConfigMaps in Kubernetes for the above files (nginx.conf, admin-htpasswd):

# ConfigMap holding nginx.conf; the key is the file name.
kubectl create configmap nginx-conf --from-file nginx.conf

# ConfigMap holding the htpasswd file.
# NOTE(review): this stores password hashes in a ConfigMap. A Secret is the
# usual object for credentials; using one also means the Deployment's volume
# has to reference a secret instead of a configMap.
kubectl create configmap nginx-admin-htpasswd --from-file admin-htpasswd

Nginx as load balancer on CentOS 7 with passive health check

# Enable the EPEL repository before installing nginx.
yum install epel-release

# Install nginx, start it now and enable it at boot.
yum install nginx
systemctl start nginx
systemctl enable nginx

# Replace the main configuration with the load-balancer configuration below.
vi /etc/nginx/nginx.conf

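events { }

http {
    # Backend pool. Requests are spread round-robin unless a method such as
    # least_conn is enabled.
    upstream api {
        #least_conn; #other options are also available
        server 192.168.0.57:6443;
        # weight=3: this server gets three times the share of a default
        # (weight 1) server.
        server 192.168.0.93:6443 weight=3;
        # Passive health check: after 3 failed attempts within 30 seconds the
        # server is treated as unavailable for 30 seconds.
        server 192.168.0.121:6443 max_fails=3 fail_timeout=30;
    }

    # TLS listener on 8888. nginx terminates the client's TLS session here and
    # opens a separate TLS connection to the upstream.
    # NOTE(review): because TLS ends at the proxy, client certificates are not
    # passed through to the backends. If the backends authenticate clients by
    # certificate, a stream (TCP) proxy is the usual choice instead.
    server {
        listen 8888 ssl;
        ssl_certificate     test.crt;
        ssl_certificate_key test.key;
        location / {
            # NOTE(review): nginx does not verify the upstream certificate by
            # default; enable proxy_ssl_verify together with
            # proxy_ssl_trusted_certificate to authenticate the backends.
            proxy_pass https://api;
        }
    }

    # server blocks are siblings inside http: the block above has to be closed
    # before this one opens, otherwise nginx rejects the configuration.
    # NOTE(review): this listener accepts unencrypted connections and forwards
    # them to the same HTTPS upstream, so whatever clients send (tokens,
    # credentials) is readable between client and proxy. Remove it or restrict
    # access if plain HTTP is not required.
    server {
        listen 80 default;
        location / {
            proxy_pass https://api;
        }
    }
}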

Loadbalancing algorithm:

least_conn
ip_hash
weight=5
max_fails and fail_timeout

More on : http://nginx.org/en/docs/http/load_balancing.html#nginx_load_balancing_health_checks