ingress-nginx
NGINX is exposed to external users through an internal Service of type NodePort. It establishes a connection through the client and watches for resource change events.
IngressClass is a Kubernetes resource. See the description below. It's important because until now, a default install of the Ingress-NGINX controller did not require an IngressClass object. But from version 1.0.0 of the Ingress-NGINX Controller, an IngressClass object is required.
On clusters with more than one instance of the Ingress-NGINX controller, all instances of the controller must be aware of which Ingress objects they must serve. The ingressClass field of an Ingress object is the way to let the controller know about that.
Ingress
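With nginx + Apache + MySQL, if external clients want to reach Apache over HTTPS, a certificate needs to be installed in the svc.
Starting Ingress with the official NodePort manifest
Deploying Ingress-Nginx in NodePort mode creates a Service (SVC).
Submit the ingress resources using the Kubernetes declarative method: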
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/baremetal/deploy.yaml
This creates an ingress-nginx-controller Service (NodePort in this example):
kubectl get svc -n ingress-nginx
ingress-nginx-controller NodePort 10.110.124.27 <none> 80:30169/TCP,443:32520/TCP 5m58s
Ingress in practice
Proxying the nginx Deployment using a Kubernetes Secret
nginx deployment
vim nginx-deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deploy
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      name: nginx
  template:
    metadata:
      labels:
        name: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
nginx svc (TCP)
vim nginx-svc-nortport.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  selector:
    name: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
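Create the Ingress (after adding the domain name to hosts, the nginx page can be reached through the ingress-svc port); it proxies to the corresponding svc according to the backend.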
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: https
spec:
  tls:
  - hosts:
    - www3.vector.com
    secretName: tls-secret
  rules:
  - host: www3.vector.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc-https
          servicePort: 80
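For Ingress-NGINX 1.0.0 and later, where an IngressClass object is required (see the top of this page), the same HTTPS Ingress can be written against networking.k8s.io/v1. This is an added example, not part of the original notes; the class name nginx is an assumption, and k8s.io/ingress-nginx is the controller value used by the upstream ingress-nginx manifests.

```yaml
# Added example (not from the original notes).
# IngressClass tells each controller instance which Ingress objects it serves.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: nginx                      # assumed class name
spec:
  controller: k8s.io/ingress-nginx # controller value used by upstream ingress-nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: https
spec:
  ingressClassName: nginx          # must match the IngressClass name above
  tls:
  - hosts:
    - www3.vector.com
    secretName: tls-secret         # TLS Secret in the same namespace as this Ingress
  rules:
  - host: www3.vector.com
    http:
      paths:
      - path: /
        pathType: Prefix           # required in networking.k8s.io/v1
        backend:
          service:                 # v1 form of serviceName / servicePort
            name: nginx-svc-https
            port:
              number: 80
```

An Ingress with no ingressClassName is only served if a controller is configured to pick up class-less Ingresses or an IngressClass is marked as the cluster default, so setting the field explicitly avoids two controllers both serving, or neither serving, the same host.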
Ingress HTTPS proxy access (a key must be created)
Create the key with openssl
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
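kubectl create secret tls tls-secret --key tls.key --cert tls.crt   # create the Secret object
Create the Ingress (after adding the domain name to hosts, the nginx page can be reached through the ingress-svc port); it proxies to the corresponding svc according to the backend.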
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-test
spec:
  rules:
  - host: www1.vector.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc
          servicePort: 80
BasicAuth Ingress login
Create a user and password and add them to a Kubernetes Secret
yum -y install httpd
htpasswd -c auth foo
kubectl create secret generic basic-auth --from-file=auth
Create the basic-auth Ingress file
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
  - host: www4.vector.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc
          servicePort: 80
Nginx Rewrite
You will need to make sure your Ingress targets exactly one Ingress controller by specifying the ingress.class annotation, and that you have an ingress controller running in your cluster.
Name | Description | Values |
---|---|---|
nginx.ingress.kubernetes.io/rewrite-target | Target URI where the traffic must be redirected | string |
nginx.ingress.kubernetes.io/ssl-redirect | Indicates if the location section is accessible SSL only (defaults to True when Ingress contains a Certificate) | bool |
nginx.ingress.kubernetes.io/force-ssl-redirect | Forces the redirection to HTTPS even if the Ingress is not TLS Enabled | bool |
nginx.ingress.kubernetes.io/app-root | Defines the Application Root that the Controller must redirect if it's in '/' context | string |
nginx.ingress.kubernetes.io/use-regex | Indicates if the paths defined on an Ingress use regular expressions | bool |
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: http://auth.vector.com:30169/
  name: rewrite
  namespace: default
spec:
  rules:
  - host: rewrite.vector.com
    http:
      paths:
      - backend:
          serviceName: rewrite-svc
          servicePort: 80
        path: /