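I. Introduction to Ingress
- Ingress exposes HTTP and HTTPS routes from outside the cluster to services inside the cluster. Traffic routing is controlled by rules defined on the Ingress resource.
- An Ingress can be configured to give services externally reachable URLs, load-balance traffic, terminate SSL/TLS, and provide name-based virtual hosting. Ingress is the entry point for traffic and usually acts as a load balancer.
- An Ingress does not expose arbitrary ports or protocols. To expose services other than HTTP and HTTPS to the internet, a service of type Service.Type=NodePort or Service.Type=LoadBalancer is normally used.
- An Ingress HTTP rule consists of:
  - an optional host
  - a list of paths
  - a backend service name and port combination
- The Ingress controllers currently supported and maintained by k8s are:
  - the GCE controller
  - the nginx controller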
II. Ingress nginx
1. Introduction
For Ingress resources to work, the cluster must be running an Ingress Controller; the Ingress nginx controller is recommended here.
2. Clone the ingress nginx resources
[root@redis-cluser-01 data]# git clone https://github.com/kubernetes/ingress-nginx.git
# If the download is slow, you can fetch only the following deployment files
[root@redis-cluser-01 ingress]# for file in configmap.yaml mandatory.yaml namespace.yaml rbac.yaml with-rbac.yaml ;do wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/${file}; done
3. Deploy ingress nginx
[root@redis-cluser-01 ingress]# kubectl apply -f namespace.yaml
namespace/ingress-nginx created
[root@redis-cluser-01 ingress]# kubectl apply -f ./
4. View the controller pod information
[root@redis-cluser-01 ingress]# kubectl get pod -n ingress-nginx
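- Note: its main job is to store the nginx forwarding rules; internally it wraps an nginx
5. About the Ingress controller service
- The service proxies the backend ingress nginx controller pods
- The application diagram is as follows:
6. Install the ingress controller service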
[root@redis-cluser-01 ingress]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/baremetal/service-nodeport.yaml
[root@redis-cluser-01 ingress]# vim service-nodeport.yaml // add the following content:
[root@redis-cluser-01 ingress]# kubectl apply -f service-nodeport.yaml
service/ingress-nginx created
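III. Configure the backend pods
- Section II covered the ingress-nginx controller and its service; that configuration is independent of the application pods themselves.
- Configure pods and a service that provide an HTTP service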
[root@redis-cluser-01 nginx]# vim nginx.yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-app
  namespace: default
spec:
  selector:
    app: ingress-app
    release: canary
  ports:
  - name: http
    port: 80
    targetPort: 80
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: ingress-app
spec:
  replicas: 3
  template:
    metadata:
      labels:
        app: ingress-app
        release: canary
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80
[root@redis-cluser-01 nginx]# kubectl apply -f nginx.yaml
service/ingress-app created
deployment.apps/ingress-app created
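- Note: once the environment above is in place, Ingress rules must be configured so that requests are forwarded through the ingress controller to the backend pods
IV. Ingress rule configuration
1. Configure the Ingress rule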
[root@redis-cluser-01 nginx]# vim ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myapp.g6p.cn
    http:
      paths:
      - path:
        backend:
          serviceName: ingress-app
          servicePort: 80
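- Note: the most important point here is serviceName: ingress-app; ingress-app is the name of the service from section III that serves this domain
- The annotations parameter, which specifies nginx, is also very important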
[root@redis-cluser-01 nginx]# kubectl apply -f ingress-myapp.yaml
ingress.extensions/ingress-myapp created
2. View the contents of the Ingress controller pod
[root@redis-cluser-01 ingress]# kubectl exec -it -n ingress-nginx nginx-ingress-controller-dfc844959-77qbr bash
3. Access test
V. Add a tomcat application (bind a certificate)
1. Deploy the backend web service
[root@redis-cluser-01 ssl]# vim deploy-tomcat.yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  - name: ajp
    port: 8009
    targetPort: 8009
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: tomcat-deploy
spec:
  replicas: 3
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009
[root@redis-cluser-01 ssl]# kubectl apply -f deploy-tomcat.yaml
service/tomcat created
deployment.apps/tomcat-deploy created
2. Define the ingress rule
[root@redis-cluser-01 ssl]# vim ingress-tomcat.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.g6p.cn
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
[root@redis-cluser-01 ssl]# kubectl apply -f ingress-tomcat.yaml
ingress.extensions/ingress-tomcat created
3. Test access
VI. Configure the certificate
1. Configure the private key
[root@redis-cluser-01 cert]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................+++
..............................................................................+++
e is 65537 (0x10001)
2. Configure the certificate
[root@redis-cluser-01 cert]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.g6p.cn
3. Convert to a secret
[root@redis-cluser-01 cert]# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
secret/tomcat-ingress-secret created
4. Bind the certificate
[root@redis-cluser-01 ssl]# vim ingress-tomcat.yaml // modify the ingress rule
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.g6p.cn
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.g6p.cn
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
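5. Test
- Note: after the certificate is configured, port 80 automatically redirects to https, but the port is 30443, so the redirect fails. I currently have no idea how to solve this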
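The check below is an added example, not part of the original article. It reads Ingress objects in the JSON shape returned by kubectl and reports every rule host that has no matching tls entry, which is the difference between ingress-myapp (section IV) and ingress-tomcat after the certificate is bound (section VI, step 4). The sample data is constructed from the manifests on this page, and the function names host_covered and audit are hypothetical.

```python
import json

# Constructed sample: the shape of `kubectl get ingress -o json` for the two
# Ingress objects built on this page (ingress-myapp without TLS, ingress-tomcat with it).
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "ingress-myapp"},
     "spec": {"rules": [{"host": "myapp.g6p.cn"}]}},
    {"metadata": {"namespace": "default", "name": "ingress-tomcat"},
     "spec": {"tls": [{"hosts": ["tomcat.g6p.cn"],
                       "secretName": "tomcat-ingress-secret"}],
              "rules": [{"host": "tomcat.g6p.cn"}]}},
]})


def host_covered(host, tls_host):
    """True if tls_host (exact name or '*.' wildcard) covers host."""
    host, tls_host = host.lower(), tls_host.lower()
    if tls_host.startswith("*."):
        # A wildcard covers exactly one extra left-most label.
        label, _, rest = host.partition(".")
        return bool(label) and rest == tls_host[2:]
    return host == tls_host


def audit(ingress_json):
    """Return (namespace, name, host, problem) for each rule host without usable TLS."""
    findings = []
    for item in json.loads(ingress_json).get("items", []):
        meta, spec = item["metadata"], item.get("spec", {})
        tls_entries = spec.get("tls") or []
        for rule in spec.get("rules") or []:
            # A rule without a host is a catch-all; it is reported as "*".
            host = rule.get("host") or "*"
            matching = [t for t in tls_entries
                        if any(host_covered(host, h) for h in t.get("hosts") or [])]
            if not matching:
                problem = "no tls entry covers this host"
            elif not any(t.get("secretName") for t in matching):
                problem = "tls entry has no secretName"
            else:
                continue
            findings.append((meta.get("namespace", "default"), meta["name"], host, problem))
    return findings


if __name__ == "__main__":
    for ns, name, host, problem in audit(SAMPLE):
        print(f"{ns}/{name}: {host}: {problem}")
```

To run it against a cluster, pass the output of `kubectl get ingress --all-namespaces -o json` to audit() in place of SAMPLE.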