闲人运维

Personal ops notes


k8s-Ingress

<h4>Container cluster series: nginx-ingress (part 5)</h4>
<h5>nginx ingress introduction</h5>
<blockquote>
<p>GitHub: <a href="https://github.com/kubernetes/ingress-nginx">https://github.com/kubernetes/ingress-nginx</a><br />
Docs: <a href="https://kubernetes.github.io/ingress-nginx/">https://kubernetes.github.io/ingress-nginx/</a></p>
</blockquote>
<ul>
<li>ingress-nginx is one implementation of the Ingress API (an Ingress controller). The diagram below shows how it works: the controller pod watches Ingress objects and renders them into an nginx configuration that proxies requests to the backing Services.</li>
</ul>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=77bdc1af8db21843723e6163e94f76eb" alt="ingress-nginx architecture" /></p>
<h5>nginx ingress deployment</h5>
<ul>
<li>Pull the manifest from the official site and deploy it; the images come from a domestic (Aliyun) mirror. Note that the upstream manifest pins each image by <code>@sha256:</code> digest: keep the digest only if the mirrored image carries the same one (otherwise the kubelet's pull fails), and if you drop it you are trusting the mirror's tag rather than upstream's content hash.</li>
</ul>
<pre><code class="language-bash"># https://kubernetes.github.io/ingress-nginx/deploy/
# Choose the NodePort (bare-metal) flavour
# kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/baremetal/deploy.yaml
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/baremetal/deploy.yaml

# Mirror the images into a local private registry (for hosts with poor access to the public internet)
mv deploy.yaml nginx-ingress.yaml
egrep image nginx-ingress.yaml
# -> k8s.gcr.io/ingress-nginx/controller:v1.1.2
# -> k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
# -> k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1

# The images live on a foreign registry; if they cannot be pulled, use the Aliyun mirror instead
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.1.2
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1

# Re-tag and push them to the private registry
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.1.2 10.0.0.13:5000/nginx-ingress-controller:v1.1.2
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1 10.0.0.13:5000/kube-webhook-certgen:v1.1.1
docker push 10.0.0.13:5000/nginx-ingress-controller:v1.1.2
docker push 10.0.0.13:5000/kube-webhook-certgen:v1.1.1</code></pre>
<ul>
<li>Edit the image addresses in the yaml to point at the private registry, as in the screenshots below;</li>
</ul>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=87db7d099c33df6033f89b92a8491a93" alt="image field edited in nginx-ingress.yaml" /></p>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=94ee23883ea49636ae114ad2e0524060" alt="image field edited in nginx-ingress.yaml" /></p>
<ul>
<li>Apply the manifest</li>
</ul>
<pre><code class="language-bash"># Check that ingress-nginx-controller got a cluster IP and node ports, i.e. the Service is of type NodePort
kubectl create -f nginx-ingress.yaml
kubectl -n ingress-nginx get pod
kubectl -n ingress-nginx get svc</code></pre>
<h5>nginx ingress forwarding</h5>
<ul>
<li>HTTP forwarding to a Service: from outside the cluster, clients only need to reach the hostname (resolving to any node, on the controller's HTTP NodePort). ingress-nginx proxies the request path unchanged, so each <code>path</code> below must be one the backend actually serves. <code>kubernetes.io/ingress.class</code> is the deprecated annotation form of class selection; with <code>networking.k8s.io/v1</code> the documented field is <code>spec.ingressClassName: nginx</code>, although ingress-nginx 1.1.x still honours the annotation.</li>
</ul>
<pre><code class="language-yaml"># https://kubernetes.io/docs/concepts/services-networking/ingress/
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-http
  annotations:
    kubernetes.io/ingress.class: "nginx"
  namespace: default
spec:
  rules:
  - host: "nginx.yc.com"
    http:
      paths:
      # the backend must actually serve the requested prefix path
      - path: /
        pathType: Prefix
        backend:
          service:
            name: svcnginx
            port:
              number: 80
      - path: /api/
        pathType: Prefix
        backend:
          service:
            name: svc01
            port:
              number: 8080
      # if the backend has no /gw/ endpoint the request gets a 404
      - path: /gw/
        pathType: Prefix
        backend:
          service:
            name: svc01
            port:
              number: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: svcnginx
  namespace: default
spec:
  type: ClusterIP
  selector:
    app: nginx
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: 10.0.0.11:5000/nginx:stable
        ports:
        - containerPort: 80</code></pre>
<pre><code class="language-yaml">apiVersion: v1
kind: Service
metadata:
  name: svc01
  namespace: default
spec:
  type: ClusterIP
  selector:
    app: tomcat
  ports:
  - name: http
    port: 8080
    protocol: TCP
    targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
      - name: tomcat
        image: 10.0.0.11:5000/tomcat:jre11
        ports:
        - containerPort: 8080</code></pre>
<ul>
<li>HTTPS forwarding to a Service. The self-signed certificate below is for testing only. Two things to check: the certificate's names must cover the host in <code>tls.hosts</code>, because ingress-nginx only serves a Secret's certificate when it matches the Ingress host and otherwise logs a warning and falls back to its built-in "Kubernetes Ingress Controller Fake Certificate" (the <code>CN=*.example.com</code> below does not cover <code>https-example.foo.com</code>); and the names should be in a subjectAltName rather than the CN alone, which current browsers no longer accept (OpenSSL 1.1.1+ can add one with <code>-addext "subjectAltName=DNS:..."</code>). Once a host has a <code>tls</code> entry, ingress-nginx redirects plain HTTP to HTTPS by default (<code>ssl-redirect</code>).</li>
</ul>
<pre><code class="language-bash"># Create the certificate (self-signed, 1 year; -nodes leaves the key unencrypted so the Secret can hold it)
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt \
  -subj "/C=CN/ST=TEST/L=TEST/O=test/OU=main/CN=*.example.com/emailAddress=root@localhost.com"
# Create the TLS secret (keys tls.crt / tls.key) that the Ingress references
kubectl create secret tls tls-secret --key tls.key --cert tls.crt</code></pre>
<pre><code class="language-yaml"># Reference the secret from the Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-example-ingress
spec:
  tls:
  - hosts:
    - https-example.foo.com
    secretName: tls-secret
  rules:
  - host: https-example.foo.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 80</code></pre>
<ul>
<li>Require authentication on a resource, like nginx's own basic auth. Basic auth sends the credentials base64-encoded (not encrypted) on every request, so only attach it to a host that also has a <code>tls</code> entry; the <code>nginx-http</code> Ingress above has none, and with it the password crosses the network in cleartext. The Secret's key must be named <code>auth</code> (the file name passed to <code>--from-file</code>), because that is the key ingress-nginx reads for <code>auth-type: basic</code>. <code>htpasswd</code> writes Apache MD5 (<code>$apr1$</code>) hashes by default; pass <code>-B</code> to get bcrypt.</li>
</ul>
<pre><code class="language-bash"># Add a user; here admin is the user name and auth is the htpasswd file
yum -y install httpd-tools   # htpasswd lives in httpd-tools; the full httpd server is not needed
htpasswd -c auth admin
# Create the secret; basic-auth is its name, the key is taken from the file name (auth)
kubectl create secret generic basic-auth --from-file=auth</code></pre>
<pre><code class="language-bash"># Edit the Ingress, annotations section
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-http
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic          # authentication type
    nginx.ingress.kubernetes.io/auth-secret: basic-auth   # secret object to read
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required Password'   # realm shown to the client
    kubernetes.io/ingress.class: "nginx"
  namespace: default
spec:
  ...</code></pre>
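<p>The forwarding, TLS and basic-auth sections above each leave something that is easy to get wrong and that <code>kubectl apply</code> will not reject: the deprecated class annotation, basic auth on a host with no <code>tls</code> entry, a Secret whose key is not <code>auth</code>, and htpasswd entries hashed with the default MD5 scheme. The script below, an added example that is not code from this page or from the ingress-nginx project, audits an Ingress and its basic-auth Secret as returned by <code>kubectl get ... -o json</code>. The sample objects embedded in it are constructed to mirror the <code>nginx-http</code> Ingress and <code>basic-auth</code> Secret above; the hash strings are placeholders in the right format, not real hashes.</p>

```python
"""Audit an ingress-nginx Ingress and the basic-auth Secret it references.

Added example, not code from the page or the ingress-nginx project. Objects are
taken as already-parsed dicts (json.load of `kubectl get ... -o json` output),
so it runs offline on the constructed samples below.
"""
import base64
import json
import sys

NGINX_ANN = "nginx.ingress.kubernetes.io/"
DEPRECATED_CLASS_ANN = "kubernetes.io/ingress.class"


def audit_ingress(ingress):
    """Return (severity, message) findings for one Ingress object."""
    findings = []
    ann = (ingress.get("metadata") or {}).get("annotations") or {}
    spec = ingress.get("spec") or {}
    tls_entries = spec.get("tls") or []
    tls_hosts = {h for t in tls_entries for h in (t.get("hosts") or [])}
    rule_hosts = {r["host"] for r in (spec.get("rules") or []) if r.get("host")}

    # networking.k8s.io/v1 selects the controller via spec.ingressClassName;
    # ingress-nginx 1.1.x still honours the annotation, but it is deprecated.
    if DEPRECATED_CLASS_ANN in ann and not spec.get("ingressClassName"):
        findings.append(("WARN", f"deprecated {DEPRECATED_CLASS_ANN} annotation; set spec.ingressClassName"))

    for entry in tls_entries:
        if not entry.get("secretName"):
            findings.append(("WARN", "tls entry without secretName: the controller's default fake certificate is served"))
    for host in sorted(tls_hosts - rule_hosts):
        findings.append(("WARN", f"tls host {host} has no rule, so nothing is routed for it"))

    # Basic auth sends the password base64-encoded on every request, so it
    # only makes sense on hosts that terminate TLS.
    if ann.get(NGINX_ANN + "auth-type") == "basic":
        if not ann.get(NGINX_ANN + "auth-secret"):
            findings.append(("ERROR", "auth-type basic without auth-secret: nothing to check credentials against"))
        for host in sorted(rule_hosts - tls_hosts):
            findings.append(("ERROR", f"basic auth on {host} without a tls entry: credentials cross the network in cleartext"))
    return findings


def htpasswd_scheme(hashed):
    """Name the htpasswd hash scheme from its prefix (htpasswd's own output formats)."""
    if hashed.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"          # htpasswd -B
    if hashed.startswith("$apr1$"):
        return "apr1-md5"        # htpasswd default (-m)
    if hashed.startswith("{SHA}"):
        return "sha1"            # htpasswd -s, unsalted
    return "crypt-or-plain"      # htpasswd -d (DES crypt) or -p (plaintext)


def audit_basic_auth_secret(secret, accepted=("bcrypt",)):
    """Decode the Secret's 'auth' key and flag users whose hash scheme is not accepted."""
    data = secret.get("data") or {}
    if "auth" not in data:
        return [("ERROR", "secret has no key named 'auth': ingress-nginx reads that key for auth-type basic")]
    findings = []
    for line in base64.b64decode(data["auth"]).decode().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        scheme = htpasswd_scheme(hashed)
        if scheme not in accepted:
            findings.append(("WARN", f"user {user}: {scheme} hash; regenerate the entry with htpasswd -B (bcrypt)"))
    return findings


def audit(ingress, secret):
    """Run both audits; ERROR findings come first."""
    findings = audit_ingress(ingress) + audit_basic_auth_secret(secret)
    return sorted(findings, key=lambda f: f[0] != "ERROR")


# Constructed samples mirroring the page's nginx-http Ingress (with the basic-auth
# annotations added) and its basic-auth Secret. Hash values are format-only placeholders.
SAMPLE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "nginx-http",
        "namespace": "default",
        "annotations": {
            "kubernetes.io/ingress.class": "nginx",
            "nginx.ingress.kubernetes.io/auth-type": "basic",
            "nginx.ingress.kubernetes.io/auth-secret": "basic-auth",
            "nginx.ingress.kubernetes.io/auth-realm": "Authentication Required Password",
        },
    },
    "spec": {"rules": [{"host": "nginx.yc.com", "http": {"paths": [
        {"path": "/", "pathType": "Prefix",
         "backend": {"service": {"name": "svcnginx", "port": {"number": 80}}}}]}}]},
}
SAMPLE_HTPASSWD = (
    "admin:$apr1$Zx7QfK1m$k2sF0vQ8Lr9n7sJ4m1t0q.\n"                      # default MD5 (-m)
    "ops:$2y$05$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU\n"  # bcrypt (-B)
)
SAMPLE_SECRET = {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "basic-auth"},
                 "data": {"auth": base64.b64encode(SAMPLE_HTPASSWD.encode()).decode()}}

if __name__ == "__main__":
    if len(sys.argv) == 3:   # files holding `kubectl get ingress/NAME -o json` and `kubectl get secret/NAME -o json`
        with open(sys.argv[1]) as f_ing, open(sys.argv[2]) as f_sec:
            ingress, secret = json.load(f_ing), json.load(f_sec)
    else:
        ingress, secret = SAMPLE_INGRESS, SAMPLE_SECRET
    for severity, message in audit(ingress, secret):
        print(f"{severity}: {message}")
```

<p>On the constructed sample it reports the cleartext basic-auth host as an ERROR and the deprecated annotation and the MD5-hashed <code>admin</code> entry as WARNs; adding <code>spec.ingressClassName</code> and a <code>tls</code> entry for <code>nginx.yc.com</code> clears the Ingress findings. The checks are deliberately limited to what is visible in the two objects; they do not validate the certificate in the TLS Secret against the host.</p>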
