k8s-Ingress
<h4>Container Cluster Series - nginx-ingress (5)</h4>
<h5>nginx ingress introduction</h5>
<blockquote>
<p>GitHub: <a href="https://github.com/kubernetes/ingress-nginx">https://github.com/kubernetes/ingress-nginx</a>
Official site: <a href="https://kubernetes.github.io/ingress-nginx/">https://kubernetes.github.io/ingress-nginx/</a></p>
</blockquote>
<ul>
<li>ingress-nginx is one implementation of Ingress; the figure below shows how it works.</li>
</ul>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=77bdc1af8db21843723e6163e94f76eb" alt="" /></p>
<h5>nginx ingress deployment</h5>
<ul>
<li>Pull the yaml from the official site and deploy it, using a domestic mirror registry for the images.</li>
</ul>
<pre><code class="language-bash"># https://kubernetes.github.io/ingress-nginx/deploy/
# Choose the NodePort variant
# kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/baremetal/deploy.yaml
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/baremetal/deploy.yaml
# Pull the images into a local private registry (for environments with poor access to the public internet)
# mv deploy.yaml nginx-ingress.yaml
egrep image nginx-ingress.yaml
--
k8s.gcr.io/ingress-nginx/controller:v1.1.2
k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
# The images are hosted abroad; if they cannot be pulled, use the Aliyun mirror instead
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.1.2
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1
# Push to the private registry
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.1.2 10.0.0.13:5000/nginx-ingress-controller:v1.1.2
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1 10.0.0.13:5000/kube-webhook-certgen:v1.1.1
docker push 10.0.0.13:5000/nginx-ingress-controller:v1.1.2
docker push 10.0.0.13:5000/kube-webhook-certgen:v1.1.1</code></pre>
<ul>
<li>Change the image addresses in the yaml file to the private registry address, as shown below.</li>
</ul>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=87db7d099c33df6033f89b92a8491a93" alt="" /></p>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=94ee23883ea49636ae114ad2e0524060" alt="" /></p>
<ul>
<li>Run the deployment</li>
</ul>
<pre><code class="language-bash"># Make sure ingress-nginx-controller has been assigned ports and an IP, and that the service type is NodePort
kubectl create -f nginx-ingress.yaml
kubectl -n ingress-nginx get pod
kubectl -n ingress-nginx get svc</code></pre>
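<p>The page rewrites the image references by hand (the screenshots above). The shell helper below is an added example, not part of the page or of the ingress-nginx project, that performs the same rewrite on a manifest and lists the resulting images so they can be checked against the private registry before <code>kubectl create</code>. It assumes the private registry layout used on the page (10.0.0.13:5000/name:tag) and that the controller image is renamed to nginx-ingress-controller as in the <code>docker tag</code> commands; the manifest lines embedded in the script are constructed to mirror the egrep output above. Upstream deploy.yaml files may pin images with an @sha256 digest; the helper strips it, because that digest belongs to the upstream manifest and a mirrored copy should be re-pinned against the digest the private registry reports after the push.</p>

```shell
#!/bin/sh
# Added example: rewrite ingress-nginx image references in a manifest to a private registry.
# Assumptions (not from the page): the manifest is a plain YAML file, and the private
# registry uses the same layout as on the page (10.0.0.13:5000/name:tag).

# Constructed sample manifest lines, mirroring the egrep output on the page.
SAMPLE_MANIFEST='        image: k8s.gcr.io/ingress-nginx/controller:v1.1.2
        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1'

# rewrite_images REGISTRY : reads a manifest on stdin, writes the rewritten manifest on stdout.
# - k8s.gcr.io/ingress-nginx/controller becomes REGISTRY/nginx-ingress-controller, the name
#   used for docker tag / docker push on the page;
# - every other k8s.gcr.io/ingress-nginx/ image keeps its name under REGISTRY;
# - an @sha256:... digest is dropped: it pins the upstream manifest, and the mirrored copy
#   must be re-pinned against the digest the private registry reports after the push.
rewrite_images() {
  registry="$1"
  sed -E \
    -e 's#k8s\.gcr\.io/ingress-nginx/controller:#'"$registry"'/nginx-ingress-controller:#' \
    -e 's#k8s\.gcr\.io/ingress-nginx/#'"$registry"'/#' \
    -e 's#@sha256:[0-9a-f]{64}##'
}

# list_images : prints the distinct image references of a manifest read on stdin, one per
# line, for comparison with "docker images" before the manifest is applied.
list_images() {
  grep -E '^[[:space:]]*image:' | sed -E 's/^[[:space:]]*image:[[:space:]]*//' | sort -u
}

# Stand-alone usage: show the images the rewritten manifest would pull.
printf '%s\n' "$SAMPLE_MANIFEST" | rewrite_images 10.0.0.13:5000 | list_images
```

<p>Apply the manifest only once <code>list_images</code> shows private-registry references exclusively and each one matches a tag that <code>docker images</code> lists on the host that pushed them.</p>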
<h5>nginx ingress forwarding</h5>
<ul>
<li>Forwarding to a service over HTTP; from outside the cluster, only the domain name needs to be reachable.</li>
</ul>
<pre><code class="language-yaml"># https://kubernetes.io/docs/concepts/services-networking/ingress/
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-http
  annotations:
    kubernetes.io/ingress.class: "nginx"
  namespace: default
spec:
  rules:
  - host: "nginx.yc.com"
    http:
      paths:
      # The prefix path must exist as an endpoint on the backend
      - path: /
        pathType: Prefix
        backend:
          service:
            name: svcnginx
            port:
              number: 80
      - path: /api/
        pathType: Prefix
        backend:
          service:
            name: svc01
            port:
              number: 8080
      # Returns 404 if the backend has no /gw/ endpoint
      - path: /gw/
        pathType: Prefix
        backend:
          service:
            name: svc01
            port:
              number: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: svcnginx
  namespace: default
spec:
  type: ClusterIP
  selector:
    app: nginx
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: 10.0.0.11:5000/nginx:stable
        ports:
        - containerPort: 80</code></pre>
<pre><code class="language-yaml">apiVersion: v1
kind: Service
metadata:
  name: svc01
  namespace: default
spec:
  type: ClusterIP
  selector:
    app: tomcat
  ports:
  - name: http
    port: 8080
    protocol: TCP
    targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
      - name: tomcat
        image: 10.0.0.11:5000/tomcat:jre11
        ports:
        - containerPort: 8080</code></pre>
<ul>
<li>Forwarding to a service over HTTPS.</li>
</ul>
<pre><code class="language-bash"># Create a certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt \
-subj "/C=CN/ST=TEST/L=TEST/O=test/OU=main/CN=*.example.com/emailAddress=root@localhost.com"
# Create the secret
kubectl create secret tls tls-secret --key tls.key --cert tls.crt</code></pre>
<pre><code class="language-yaml"># Reference the secret object from the ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-example-ingress
spec:
  tls:
  - hosts:
      - https-example.foo.com
    secretName: tls-secret
  rules:
  - host: https-example.foo.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 80</code></pre>
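<p>The certificate generated above carries CN=*.example.com, while the Ingress rule serves https-example.foo.com, so the names do not match and clients will see either a name mismatch or the controller's default certificate. The shell helper below is an added example, not part of the page or of ingress-nginx, that checks an Ingress host against a certificate's names before the secret is created. It assumes a PEM certificate such as tls.crt and the openssl CLI (1.1.1 or newer, for <code>-ext</code>) for the extraction step; the matching logic itself runs without openssl.</p>

```shell
#!/bin/sh
# Added example (not from the page): check that the names in a TLS certificate cover the
# host used in an Ingress rule. Assumptions: the certificate is a PEM file like tls.crt,
# and the Ingress hosts are plain DNS names (no wildcard in the rule itself).

# host_matches_name HOST NAME : returns 0 if HOST is covered by certificate name NAME.
# A leading "*." matches exactly one DNS label, as TLS clients interpret it:
# *.example.com covers nginx.example.com but not a.b.example.com or example.com.
host_matches_name() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$name" in
    \*.*)
      suffix="${name#\*.}"         # DNS suffix; contains no glob characters
      case "$host" in
        *.$suffix)
          label="${host%.$suffix}"  # what HOST has in front of the suffix
          case "$label" in
            ''|*.*) return 1 ;;     # empty, or more than one label
            *) return 0 ;;
          esac ;;
        *) return 1 ;;
      esac ;;
    *) [ "$host" = "$name" ] ;;
  esac
}

# cert_covers_host HOST NAME... : returns 0 if any of the certificate names covers HOST.
cert_covers_host() {
  host="$1"
  shift
  for n in "$@"; do
    host_matches_name "$host" "$n" && return 0
  done
  return 1
}

# cert_names CERT.PEM : prints the subject CN and every DNS SAN of the certificate, one
# per line. Needs the openssl CLI (1.1.1 or newer for -ext); not exercised offline.
cert_names() {
  openssl x509 -in "$1" -noout -subject -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' \
    | sed -nE -e 's/.*CN *= *([^[:space:]]+).*/\1/p' -e 's/.*DNS:([^[:space:]]+).*/\1/p'
}

# Stand-alone usage with the names from the page: the page's host is not covered.
if cert_covers_host https-example.foo.com '*.example.com'; then
  echo "host covered"
else
  echo "host NOT covered by certificate names"
fi
```

<p>Against real files, run <code>cert_covers_host https-example.foo.com $(cert_names tls.crt)</code> before <code>kubectl create secret tls</code>. Note also that the <code>openssl req -x509</code> command above sets only a CN and no Subject Alternative Name; current browsers ignore the CN, so a self-signed certificate for this use should add <code>-addext "subjectAltName=DNS:https-example.foo.com"</code> to that command.</p>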
<ul>
<li>Require authentication for the resources being accessed, similar to nginx basic auth.</li>
</ul>
<pre><code class="language-bash"># Add a user; here admin is the user name and auth is the auth file
yum -y install httpd
htpasswd -c auth admin
# Generate the secret; basic-auth is its name
kubectl create secret generic basic-auth --from-file=auth</code></pre>
<pre><code class="language-yaml"># Edit the yaml: the annotations section
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-http
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic        # basic auth type
    nginx.ingress.kubernetes.io/auth-secret: basic-auth # the secret object to read
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required Password' # message shown to the client
    kubernetes.io/ingress.class: "nginx"
  namespace: default
spec:
  ...</code></pre>
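<p>The auth file is the only credential check in front of these services, so the strength of its hashes matters. As an added example, not from the page, the shell helper below audits an htpasswd-format file before it goes into the basic-auth secret: it names the hashing scheme of each user:hash entry, accepts bcrypt and apr1, and fails if any entry uses SHA-1, crypt(3) or plaintext, all of which Apache htpasswd can still emit. The sample entries are constructed placeholders, not real hashes.</p>

```shell
#!/bin/sh
# Added example (not from the page): audit an htpasswd-style auth file before it is stored
# in the basic-auth secret. Assumption: one "user:hash" entry per line, in the formats
# produced by Apache htpasswd; lines starting with # are ignored.

# hash_algo HASH : names the hashing scheme of an htpasswd hash field.
hash_algo() {
  case "$1" in
    '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
    '$apr1$'*)               echo apr1-md5 ;;
    '{SHA}'*)                echo sha1 ;;
    *)
      # traditional crypt(3) hashes are exactly 13 characters; anything else is plaintext
      if [ "${#1}" -eq 13 ]; then echo crypt; else echo plain; fi ;;
  esac
}

# audit_htpasswd : reads entries on stdin, prints "user scheme" per entry, and returns 1 if
# any entry has an empty hash or uses a scheme weaker than bcrypt or apr1.
audit_htpasswd() {
  rc=0
  while IFS=: read -r user hash || [ -n "$user" ]; do
    [ -n "$user" ] || continue
    case "$user" in \#*) continue ;; esac
    algo=$(hash_algo "$hash")
    printf '%s %s\n' "$user" "$algo"
    case "$algo" in
      bcrypt|apr1-md5) ;;
      *) rc=1 ;;
    esac
    [ -n "$hash" ] || rc=1
  done
  return $rc
}

# Constructed sample file: a bcrypt entry and an apr1 entry (placeholders, not real hashes).
SAMPLE_AUTH='admin:$2y$10$CONSTRUCTEDPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ops:$apr1$abcdefgh$CONSTRUCTEDPLACEHOLDER'

# Stand-alone usage: audit the sample and report the overall result.
if printf '%s\n' "$SAMPLE_AUTH" | audit_htpasswd; then
  echo "auth file OK"
else
  echo "auth file contains weak entries"
fi
```

<p>On the page's setup, <code>htpasswd -c auth admin</code> produces an apr1 (MD5-based) hash by default, while <code>htpasswd -B -c auth admin</code> produces bcrypt. Run <code>audit_htpasswd &lt; auth</code> before <code>kubectl create secret</code>; the secret key must stay named <code>auth</code>, which <code>--from-file=auth</code> takes from the file name.</p>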