Ingress
Official documentation: https://kubernetes.github.io/ingress-nginx/
Ingress use cases
To be added
How Ingress works
To be added
Deploying Ingress
1. Download the YAML files
Project: https://github.com/kubernetes/ingress-nginx/
The version currently on GitHub differs from the one used in the course, which caused all sorts of failures in the lab. Once I found out which commit the course used, I pulled down the required files and packed them into a tarball; download and use that.
# wget http://123.206.25.230:/tarball/ingress-nginx-deploy.tar.gz
# tar xf ingress-nginx-deploy.tar.gz
2. Create the resources
Create the ingress-nginx namespace
# kubectl apply -f namespace.yaml
namespace/ingress-nginx created
Deploy the remaining resources in one go
# cd ingress-nginx-deploy/
# kubectl apply -f .
configmap/nginx-configuration created
deployment.extensions/default-http-backend created
service/default-http-backend created
namespace/ingress-nginx configured
deployment.extensions/default-http-backend unchanged
service/default-http-backend unchanged
configmap/nginx-configuration unchanged
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
deployment.extensions/nginx-ingress-controller created
namespace/ingress-nginx configured
serviceaccount/nginx-ingress-serviceaccount unchanged
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole configured
role.rbac.authorization.k8s.io/nginx-ingress-role unchanged
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding unchanged
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding configured
service/ingress-nginx created
configmap/tcp-services unchanged
configmap/udp-services unchanged
deployment.extensions/nginx-ingress-controller unchanged
Wait until the Pods in the ingress-nginx namespace are up
# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
default-http-backend-846b65fb5f-fdljl 1/1 Running 0 45m
nginx-ingress-controller-d658896cd-4npnf 1/1 Running 0 45m
The ingress-nginx Service is the entry point for traffic coming from outside the cluster. It is defined as follows:
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 30080
  - name: https
    port: 443
    targetPort: 443
    nodePort: 30443
    protocol: TCP
  selector:
    app: ingress-nginx
Hitting the ingress-nginx Service returns the message below, which shows the ingress controller is working. No backend has been configured yet, so the response comes from the default-http-backend-xxx Pod listed above.
# curl http://node002:30080/
default backend - 404
3. Create a test service (nginx)
---
apiVersion: v1
kind: Service
metadata:
  name: myapp-svc
  labels:
    app: myapp
    release: stable
spec:
  selector:
    app: myapp
    release: stable
  type: ClusterIP
  ports:
  - name: myapp
    port: 80
    protocol: TCP
    targetPort: app-port
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: default
spec:
  replicas: 3
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: myapp
      release: stable
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      name: myapp-container
      namespace: default
      labels:
        app: myapp
        release: stable
    spec:
      containers:
      - name: myapp-container
        image: ikubernetes/myapp:v1
        ports:
        - name: app-port
          containerPort: 80
          protocol: TCP
Create it
# kubectl apply -f service-clusterip-demo.yaml
4. Configure Ingress rules
# cat ingress-demo.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    # have the nginx ingress controller generate the rules for this Ingress
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  # domain name of the virtual host
  - host: myapp.lotusching.top
    http:
      paths:
      - backend:
          # Service name
          serviceName: myapp-svc
          # servicePort can be a port number or a Service port name
          servicePort: myapp
Apply the Ingress rule
# kubectl apply -f ingress-demo.yaml
ingress.extensions/ingress-myapp created
Check the nginx configuration generated from the rule
# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
default-http-backend-846b65fb5f-fdljl 1/1 Running 0 1h
nginx-ingress-controller-d658896cd-4npnf 1/1 Running 0 1h
# kubectl exec -n ingress-nginx -it nginx-ingress-controller-d658896cd-4npnf -- /bin/sh
$ cd /etc/nginx/
$ cat nginx.conf
...
upstream default-myapp-svc-80 {
    least_conn;
    keepalive 32;
    server 10.244.1.46:80 max_fails=0 fail_timeout=0;
    server 10.244.2.137:80 max_fails=0 fail_timeout=0;
    server 10.244.2.136:80 max_fails=0 fail_timeout=0;
}
...
server {
    server_name myapp.lotusching.top ;
    listen 80;
    listen [::]:80;
    set $proxy_upstream_name "-";
    location / {
        ...
        proxy_pass http://default-myapp-svc-80;
        ...
    }
}
...
Test access. Mind name resolution: either use a real domain or add a hosts-file entry for the host.
# curl http://myapp.lotusching.top:30080/
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@node001 mainifest]# curl http://myapp.lotusching.top:30080/hostname.html
myapp-deploy-6f96c5bb-fx5hs
[root@node001 mainifest]# curl http://myapp.lotusching.top:30080/hostname.html
myapp-deploy-6f96c5bb-fmnm8
[root@node001 mainifest]# curl http://myapp.lotusching.top:30080/hostname.html
myapp-deploy-6f96c5bb-h26lc
5. Deploy a test Tomcat
Manifest for the Tomcat Service and Deployment
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  labels:
    app: tomcat
    release: stable
spec:
  selector:
    app: tomcat
    release: stable
  type: ClusterIP
  ports:
  - name: tomcat
    port: 8080
    protocol: TCP
    targetPort: app-port
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 3
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: tomcat
      release: stable
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      name: tomcat-container
      namespace: default
      labels:
        app: tomcat
        release: stable
    spec:
      containers:
      - name: tomcat-container
        image: tomcat:8-alpine
        ports:
        - name: app-port
          containerPort: 8080
          protocol: TCP
Create the resources
# kubectl apply -f service-tomcat-demo.yaml
service/tomcat created
Ingress rule manifest
# cat ingress-tomcat-demo.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.lotusching.top
    http:
      paths:
      - backend:
          serviceName: tomcat
          servicePort: tomcat
Apply the Ingress rule
# kubectl apply -f ingress-tomcat-demo.yaml
ingress.extensions/ingress-tomcat created
List the Ingress resources
# kubectl get ing
NAME HOSTS ADDRESS PORTS AGE
ingress-myapp myapp.lotusching.top 80 47m
ingress-tomcat tomcat.lotusching.top 80 8m
6. Proxying HTTPS requests with Ingress
Create a private key and a self-signed certificate
# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
..+++
e is 65537 (0x10001)
# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.lotusching.top
# ls
tls.crt tls.key
Create a Secret holding the private key and certificate
# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
secret/tomcat-ingress-secret created
Inspect the Secret
# kubectl get secret
NAME TYPE DATA AGE
default-token-j7vw2 kubernetes.io/service-account-token 3 7d
tomcat-ingress-secret kubernetes.io/tls 2 1m
# kubectl describe secret tomcat-ingress-secret
Name: tomcat-ingress-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 1306 bytes
tls.key: 1675 bytes
Write the Ingress manifest
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts: ["tomcat.lotusching.top"]
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.lotusching.top
    http:
      paths:
      - backend:
          serviceName: tomcat
          servicePort: tomcat
Apply the Ingress manifest
# kubectl apply -f ingress-tomcat-tls-demo.yaml
ingress.extensions/ingress-tomcat created
Inspect the ingress-nginx configuration generated for it
...
## start server tomcat.lotusching.top
server {
    server_name tomcat.lotusching.top ;
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ...
    # PEM sha: 855cee1588c8840ee6d7714b2bfda343a1e65c77
    ssl_certificate /etc/ingress-controller/ssl/default-tomcat-ingress-secret.pem;
    ssl_certificate_key /etc/ingress-controller/ssl/default-tomcat-ingress-secret.pem;
    ssl_trusted_certificate /etc/ingress-controller/ssl/default-tomcat-ingress-secret-full-chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ...
}
...
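The chain of names in sections 4 and 6 (Ingress servicePort to Service port, Service targetPort to containerPort, tls.hosts to a rule host, secretName to a kubernetes.io/tls Secret) is where a typo silently routes traffic to the default backend or leaves the upstream with no endpoints. The check below is an added example, not code from these notes or from ingress-nginx; it walks that chain over constructed dicts that mirror the page's manifests, and the helper names and dict shapes are assumptions of the example.

```python
# Added example, not code from the original notes: the manifests are constructed dicts
# mirroring the page's YAML; lint_ingress() returns [] when every reference resolves.
def service(name, port_name, app, port, target):
    return {"metadata": {"name": name}, "spec": {"selector": {"app": app, "release": "stable"},
            "ports": [{"name": port_name, "port": port, "targetPort": target}]}}

def deployment(app, cport):  # one container exposing the named port app-port
    return {"spec": {"template": {"metadata": {"labels": {"app": app, "release": "stable"}},
            "spec": {"containers": [{"ports": [{"name": "app-port", "containerPort": cport}]}]}}}}

def ingress(host, svc_name, svc_port, secret=None):
    spec = {"rules": [{"host": host, "http": {"paths": [{"backend":
            {"serviceName": svc_name, "servicePort": svc_port}}]}}]}
    if secret:
        spec["tls"] = [{"hosts": [host], "secretName": secret}]
    return {"spec": spec}

def lint_ingress(ing, services, deployments, secrets):
    problems, spec = [], ing["spec"]
    for rule in spec.get("rules", []):
        for path in rule["http"]["paths"]:
            name, sp = path["backend"]["serviceName"], path["backend"]["servicePort"]
            svc = services.get(name)
            if svc is None:
                problems.append(f"{rule['host']}: service {name} missing"); continue
            hit = [p for p in svc["spec"]["ports"] if sp in (p.get("name"), p["port"])]  # number or name
            if not hit:
                problems.append(f"{name}: servicePort {sp!r} not on service"); continue
            tp, matched = hit[0]["targetPort"], 0
            for dep in deployments:
                tmpl = dep["spec"]["template"]
                if not svc["spec"]["selector"].items() <= tmpl["metadata"]["labels"].items(): continue
                matched += 1
                cports = [cp for c in tmpl["spec"]["containers"] for cp in c["ports"]]
                if not any(tp in (cp.get("name"), cp["containerPort"]) for cp in cports):
                    problems.append(f"{name}: targetPort {tp!r} not on selected pods")
            if not matched:
                problems.append(f"{name}: selector matches no deployment (empty endpoints)")
    for tls in spec.get("tls", []):
        problems += [f"tls host {h} has no rule" for h in tls["hosts"]
                     if h not in {r["host"] for r in spec.get("rules", [])}]
        sec = secrets.get(tls["secretName"], {})
        if sec.get("type") != "kubernetes.io/tls" or not {"tls.crt", "tls.key"} <= set(sec.get("data", {})):
            problems.append(f"secret {tls['secretName']} is not a usable kubernetes.io/tls secret")
    return problems

SERVICES = {"myapp-svc": service("myapp-svc", "myapp", "myapp", 80, "app-port"),
            "tomcat": service("tomcat", "tomcat", "tomcat", 8080, "app-port")}
DEPLOYMENTS = [deployment("myapp", 80), deployment("tomcat", 8080)]
SECRETS = {"tomcat-ingress-secret": {"type": "kubernetes.io/tls", "data": {"tls.crt": "..", "tls.key": ".."}}}
```

Run `lint_ingress(ingress("tomcat.lotusching.top", "tomcat", "tomcat", "tomcat-ingress-secret"), SERVICES, DEPLOYMENTS, SECRETS)` to get an empty list for the page's TLS Ingress; misspelling the servicePort or secretName yields one message naming the broken link.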