This repo provides a containerized NGINX that supports watching for configuration file changes from Kubernetes Secrets or ConfigMaps.
The primary motivation for this NGINX configuration was to support dynamically updating LetsEncrypt TLS certificates from kube-cert-manager within Kubernetes.
An Ingress controller is an application that monitors Ingress resources via the Kubernetes API and updates the configuration of a load balancer in case of any changes.
While the Kubernetes community is slowly moving towards leveraging Ingress as the primary L7 load balancer, I've consistently run into situations that require a customized NGINX configuration or where the Ingress controllers are missing key features.
To support those instances, I utilize this NGINX Deployment to dynamically handle TLS & ConfigMap changes while still enabling a completely customized config.
As you can see in the Dockerfile:
- Alpine NGINX base image (nginx:1.10-alpine) to support http2
- dumb-init as the PID 1
- nginx-reload.sh as the init script
- Expose NGINX health stub on port 8080
The key configuration parameter is the environment variable, WATCH_PATHS
. nginx-reload.sh uses inotifywait
to watch the paths defined in WATCH_PATHS
for changes, additions, or deletions of files. When a change is identified, nginx -t
is run to ensure that the new configuration is valid, and if it is, then NGINX is reloaded using nginx -s reload
.
If the configuration is not valid, NGINX is not reloaded - it will continue to use the last valid configuration.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: gateway
name: gateway
spec:
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 0
template:
metadata:
labels:
app: gateway
spec:
containers:
- image: rosskukulinski/nginx-kubernetes-reload:v2.0.0
imagePullPolicy: Always
name: gateway
ports:
- containerPort: 80
protocol: TCP
- containerPort: 8080
protocol: TCP
env:
- name: WATCH_PATHS
value: "/etc/nginx /etc/nginx-ssl/jenkins/"
volumeMounts:
- mountPath: /etc/nginx/
name: gateway-config
- mountPath: /etc/nginx-ssl/jenkins/
name: jenkins-tls
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 5
timeoutSeconds: 1
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 5
timeoutSeconds: 1
restartPolicy: Always
volumes:
- name: gateway-config
configMap:
name: gateway-config
- name: jenkins-tls
secret:
secretName: jenkins-tls
This Docker image has been pre-loaded with support for nginx-badbot-blocker.
Blacklist.conf has already been loaded, you should apply your whitelist-ips and whitelist-domains accordingly.
I'd love to hear your feedback! If you have any suggestions or experience issues with this NGINX configuration, please create an issue or send a pull request on Github. You can contact me directly via ross@kukulinski.com.