From b31ae087108f9e29cfd68208f72a301e306481c9 Mon Sep 17 00:00:00 2001 From: Satnam Singh Date: Wed, 4 Mar 2015 16:21:14 -0800 Subject: [PATCH] Add documentation for redirect --- docs/accessing-the-cluster.md | 97 +++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) diff --git a/docs/accessing-the-cluster.md b/docs/accessing-the-cluster.md index d3f68985d3f..40c12e35554 100644 --- a/docs/accessing-the-cluster.md +++ b/docs/accessing-the-cluster.md @@ -77,3 +77,100 @@ https://104.197.5.247/api/v1beta1/proxy/services/kibana-logging/ The first time you access the cluster using a proxy address from a browser you will be prompted for a username and password which can also be found in the `User` and `Password` fields of the `kubernetes_auth` file. + +## Redirect +A `redirect` request on a service will return a HTTP redirect response which identifies a specific node that +can handle the request. Since the hostname that is returned is usually only accessible from inside the cluster +this feature is useful only for code running inside the cluster. Subsequent `redirect` calls to the same +resource may return different results e.g. when the service picks different replica nodes to serve the request. +This feature can be useful to short circuit calls to the proxy server by obtaining the address of a node on the +cluster which can be used for further requests which do not involve the proxy server. + +For example, the query below is run on +a GCE virtual machine `oban` that is running in the same project and GCE default network as the Kubernetes +cluster. The `-L` flag tells curl to follow the redirect information returned by the redirect call. + +``` +satnam@oban:~$ curl -L -k -u admin:4mty0Vl9nNFfwLJz https://104.197.5.247/api/v1beta1/redirect/services/elasticsearch-logging/ +{ + "status" : 200, + "name" : "Skin", + "cluster_name" : "kubernetes_logging", + "version" : { + "number" : "1.4.4", + "build_hash" : "c88f77ffc81301dfa9dfd81ca2232f09588bd512", + "build_timestamp" : "2015-02-19T13:05:36Z", + "build_snapshot" : false, + "lucene_version" : "4.10.3" + }, + "tagline" : "You Know, for Search" +} +``` + +We can examine the actual redirect header: + +``` +satnam@oban:~$ curl -v -k -u admin:4mty0Vl9nNFfwLJz https://104.197.5.247/api/v1beta1/redirect/services/elasticsearch-logging/ +* About to connect() to 104.197.5.247 port 443 (#0) +* Trying 104.197.5.247... +* connected +* Connected to 104.197.5.247 (104.197.5.247) port 443 (#0) +* successfully set certificate verify locations: +* CAfile: none + CApath: /etc/ssl/certs +* SSLv3, TLS handshake, Client hello (1): +* SSLv3, TLS handshake, Server hello (2): +* SSLv3, TLS handshake, CERT (11): +* SSLv3, TLS handshake, Server key exchange (12): +* SSLv3, TLS handshake, Server finished (14): +* SSLv3, TLS handshake, Client key exchange (16): +* SSLv3, TLS change cipher, Client hello (1): +* SSLv3, TLS handshake, Finished (20): +* SSLv3, TLS change cipher, Client hello (1): +* SSLv3, TLS handshake, Finished (20): +* SSL connection using ECDHE-RSA-AES256-GCM-SHA384 +* Server certificate: +* subject: CN=kubernetes-master +* start date: 2015-03-04 19:40:24 GMT +* expire date: 2025-03-01 19:40:24 GMT +* issuer: CN=104.197.5.247@1425498024 +* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway. +* Server auth using Basic with user 'admin' +> GET /api/v1beta1/redirect/services/elasticsearch-logging/ HTTP/1.1 +> Authorization: Basic YWRtaW46M210eTBWbDluTkZmd0xKeg== +> User-Agent: curl/7.26.0 +> Host: 104.197.5.247 +> Accept: */* +> +* additional stuff not fine transfer.c:1037: 0 0 +* HTTP 1.1 or later with persistent connection, pipelining supported +< HTTP/1.1 307 Temporary Redirect +< Server: nginx/1.2.1 +< Date: Thu, 05 Mar 2015 00:14:45 GMT +< Content-Type: text/plain; charset=utf-8 +< Content-Length: 0 +< Connection: keep-alive +< Location: http://10.244.2.7:9200 +< +* Connection #0 to host 104.197.5.247 left intact +* Closing connection #0 +* SSLv3, TLS alert, Client hello (1): + +``` + +This shows that the request to `https://104.197.5.247/api/v1beta1/redirect/services/elasticsearch-logging/` is redirected to `http://10.244.2.7:9200`. +If we examine the pods on the cluster we can see that `http://10.244.2.7` is the address of a pod that is running the Elasticsearch service. + + +``` +$ kubectl get pods +POD IP CONTAINER(S) IMAGE(S) HOST LABELS STATUS CREATED +elasticsearch-logging-controller-gziey 10.244.2.7 elasticsearch-logging kubernetes/elasticsearch:1.0 kubernetes-minion-hqhv.c.kubernetes-satnam2.internal/104.154.33.252 kubernetes.io/cluster-service=true,name=elasticsearch-logging Running 5 hours +kibana-logging-controller-ls6k1 10.244.1.9 kibana-logging kubernetes/kibana:1.1 kubernetes-minion-h5kt.c.kubernetes-satnam2.internal/146.148.80.37 kubernetes.io/cluster-service=true,name=kibana-logging Running 5 hours +kube-dns-oh43e 10.244.1.10 etcd quay.io/coreos/etcd:v2.0.3 kubernetes-minion-h5kt.c.kubernetes-satnam2.internal/146.148.80.37 k8s-app=kube-dns,kubernetes.io/cluster-service=true,name=kube-dns Running 5 hours + kube2sky kubernetes/kube2sky:1.0 + skydns kubernetes/skydns:2014-12-23-001 +monitoring-heapster-controller-fplln 10.244.0.4 heapster kubernetes/heapster:v0.8 kubernetes-minion-2il2.c.kubernetes-satnam2.internal/130.211.155.16 kubernetes.io/cluster-service=true,name=heapster,uses=monitoring-influxdb Running 5 hours +monitoring-influx-grafana-controller-0133o 10.244.3.4 influxdb kubernetes/heapster_influxdb:v0.3 kubernetes-minion-kmin.c.kubernetes-satnam2.internal/130.211.173.22 kubernetes.io/cluster-service=true,name=influxGrafana Running 5 hours + grafana kubernetes/heapster_grafana:v0.4 +```