Deploying an Ingress with HTTP and HTTPS support
Environment:
Node | IP |
---|---|
master | 192.168.1.111 |
node1 | 192.168.1.112 |
node2 | 192.168.1.113 |
(1) Download the YAML files from GitHub and create the deployment
ingress-nginx project on GitHub: https://github.com/kubernetes/ingress-nginx
Ingress installation guide: https://kubernetes.github.io/ingress-nginx/deploy/
Preparation
Create a working directory
```
mkdir ingress-nginx
cd ingress-nginx
```
Pull the required image (on all nodes)
```
docker pull yxmu2006/nginx-ingress-controller:0.23.0
```
Deploy the Deployment and Service
Download the deployment manifest
```
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
```
Download the Service manifest
```
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml
```
Rename:
```
mv mandatory.yaml ingress-controller.yaml
```
Edit ingress-controller.yaml
```
vi ingress-controller.yaml
```
Change the image path to the image in my own Docker Hub repository (I had already fetched it through a proxy and pushed it to my own registry beforehand):
```yaml
image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0
```
to
```yaml
image: yxmu2006/nginx-ingress-controller:0.23.0
```
Change the Service ports to 30080 and 30443
```
# Add two nodePort entries
[root@master ingress-nginx]# vi service-nodeport.yaml
```
```yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      nodePort: 30080
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      nodePort: 30443
      protocol: TCP
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
```
Deploy the ingress controller and the Service
```
kubectl apply -f ingress-controller.yaml
kubectl apply -f service-nodeport.yaml
```
Check the installation result
```
[root@master ingress-nginx]# kubectl apply -f service-nodeport.yaml
service/ingress-nginx created
[root@master ingress-nginx]# kubectl get all -n ingress-nginx
NAME                                            READY   STATUS    RESTARTS   AGE
pod/nginx-ingress-controller-76d745f8d8-8j9z4   1/1     Running   0          16m

NAME                    TYPE       CLUSTER-IP    EXTERNAL-IP   PORT(S)                      AGE
service/ingress-nginx   NodePort   10.97.14.54   <none>        80:30080/TCP,443:30443/TCP   6s

NAME                                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/nginx-ingress-controller   1/1     1            1           22m

NAME                                                  DESIRED   CURRENT   READY   AGE
replicaset.apps/nginx-ingress-controller-76d745f8d8   1         1         1       22m
[root@master ingress-nginx]#
```
Installation complete.
Deploy test application 1: myapp
```
vi myapp.yaml
```
```yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  selector:
    app: myapp
    release: canary
  ports:
  - name: http
    targetPort: 80
    port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v2
        ports:
        - name: http
          containerPort: 80
```
```
[root@master ingress-nginx]# kubectl apply -f myapp.yaml
service/myapp created
deployment.apps/myapp-deploy created
[root@master ingress-nginx]#
[root@master ingress-nginx]# kubectl get pods -l app=myapp -o wide --watch
NAME                            READY   STATUS    RESTARTS   AGE     IP            NODE    NOMINATED NODE   READINESS GATES
myapp-deploy-6b56d98b6b-bbqzn   1/1     Running   0          4m59s   10.244.2.41   node2   <none>           <none>
myapp-deploy-6b56d98b6b-ctm6j   1/1     Running   0          4m59s   10.244.2.43   node2   <none>           <none>
myapp-deploy-6b56d98b6b-g2vht   1/1     Running   0          4m59s   10.244.1.58   node1   <none>           <none>
```
Create test application 2: nginx 1.11
```
[root@master ingress-nginx]# kubectl run nginx --image=nginx:1.11 --port=80 --labels="app=nginx" --replicas=2
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
deployment.apps/nginx created
[root@master ingress-nginx]# kubectl expose deployment nginx --port=80 --target-port=80
service/nginx exposed
[root@master ingress-nginx]# kubectl get all -l app=nginx -o wide
NAME                         READY   STATUS    RESTARTS   AGE     IP            NODE    NOMINATED NODE   READINESS GATES
pod/nginx-7cccd4bdff-8jjfh   1/1     Running   0          7m10s   10.244.1.59   node1   <none>           <none>
pod/nginx-7cccd4bdff-xf68j   1/1     Running   0          7m10s   10.244.2.44   node2   <none>           <none>

NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE   SELECTOR
service/nginx   ClusterIP   10.104.206.121   <none>        80/TCP    47s   app=nginx

NAME                    READY   UP-TO-DATE   AVAILABLE   AGE     CONTAINERS   IMAGES       SELECTOR
deployment.apps/nginx   2/2     2            2           7m10s   nginx        nginx:1.11   app=nginx

NAME                               DESIRED   CURRENT   READY   AGE     CONTAINERS   IMAGES       SELECTOR
replicaset.apps/nginx-7cccd4bdff   2         2         2       7m10s   nginx        nginx:1.11   app=nginx,pod-template-hash=7cccd4bdff
[root@master ingress-nginx]#
```
Create ingress_test.yaml, binding the myapp and nginx backend services
myapp.test.com ------ myapp service
nginx.test.com ------ nginx service
```
vi ingress_test.yaml
```
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
spec:
  rules:
  - host: myapp.test.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp
          servicePort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx
  namespace: default
spec:
  rules:
  - host: nginx.test.com
    http:
      paths:
      - path:
        backend:
          serviceName: nginx
          servicePort: 80
```
Deploy ingress_test.yaml
```
[root@master ingress-nginx]# kubectl apply -f ingress_test.yaml
ingress.extensions/ingress-myapp created
ingress.extensions/ingress-nginx created
[root@master ingress-nginx]# kubectl get ingress
NAME            HOSTS            ADDRESS   PORTS   AGE
ingress-myapp   myapp.test.com             80      26s
ingress-nginx   nginx.test.com             80      26s
[root@master ingress-nginx]#
```
Edit the hosts file on the Windows host machine
Press Win+R, enter system32, search for cmd, right-click it and choose "Run as administrator", then run notepad, open C:\Windows\System32\drivers\etc\hosts and add the entries below. (Adjust them to your environment; the IPs below are my two worker nodes.) The tomcat domain is needed for the HTTPS test that follows, so it is added here as well.
Open C:\Windows\System32\drivers\etc\hosts in Notepad running with administrator rights and add the following:
```
192.168.1.112 myapp.test.com
192.168.1.113 myapp.test.com
192.168.1.112 nginx.test.com
192.168.1.113 nginx.test.com
192.168.1.112 tomcat.test.com
192.168.1.113 tomcat.test.com
```
Test the hosts configuration
```
C:\Windows\System32>ping nginx.test.com
正在 Ping nginx.test.com [192.168.1.112] 具有 32 字节的数据:
来自 192.168.1.112 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.1.112 的回复: 字节=32 时间<1ms TTL=64
192.168.1.112 的 Ping 统计信息:
数据包: 已发送 = 2,已接收 = 2,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 0ms,平均 = 0ms
Control-C
^C
C:\Windows\System32>ping myapp.test.com
正在 Ping myapp.test.com [192.168.1.112] 具有 32 字节的数据:
来自 192.168.1.112 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.1.112 的回复: 字节=32 时间=1ms TTL=64
192.168.1.112 的 Ping 统计信息:
数据包: 已发送 = 2,已接收 = 2,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 1ms,平均 = 0ms
```
Access from a browser:
HTTPS support in practice
Create the private key, certificate and secret
Generate the private key
```
[root@master ingress-nginx]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................+++
................................................+++
e is 65537 (0x10001)
[root@master ingress-nginx]
```
Create the self-signed certificate
```
[root@master ingress-nginx]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.test.com
[root@master ingress-nginx]# ll *.key *.crt
-rw-r--r-- 1 root root 1289 3月 6 22:53 tls.crt
-rw-r--r-- 1 root root 1679 3月 6 22:52 tls.key
```
Create the secret
```
[root@master ingress-nginx]# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
secret/tomcat-ingress-secret created
[root@master ingress-nginx]# kubectl describe secret tomcat-ingress-secret
Name:         tomcat-ingress-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  1289 bytes
tls.key:  1679 bytes
[root@master ingress-nginx]#
```
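An added example, not part of the original post: the `ll` listing above shows tls.key written with mode 0644, so the private key is world-readable on the master. The functions below produce the same key and certificate with a 0600 key and a subjectAltName, then check the pair before it goes to `kubectl create secret tls`. The function names are hypothetical, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.
# Assumes OpenSSL 1.1.1+ (for -addext).

# make_tls_pair DIR HOST: write DIR/tls.key (mode 0600) and DIR/tls.crt.
make_tls_pair() {
    local dir=$1 host=$2
    # umask in a subshell so only the key file is affected: 0600, not 0644.
    ( umask 077; openssl genrsa -out "$dir/tls.key" 2048 2>/dev/null ) || return 1
    # Chrome matches the host name against subjectAltName, not CN.
    # req -x509 defaults to a 30-day validity, so set -days explicitly.
    openssl req -new -x509 -days 365 -key "$dir/tls.key" -out "$dir/tls.crt" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# key_is_private FILE: succeed only if group and others have no access.
key_is_private() {
    case $(ls -ld "$1" 2>/dev/null) in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# key_matches_cert KEY CRT: succeed only if CRT carries KEY's public key.
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_covers_host CRT HOST: succeed only if CRT is valid for HOST.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# publish_secret DIR HOST NAME: run all checks, then create the secret
# with the same kubectl command the post uses.
publish_secret() {
    local dir=$1 host=$2 name=$3
    key_is_private "$dir/tls.key" || { echo "tls.key is group/world accessible" >&2; return 1; }
    key_matches_cert "$dir/tls.key" "$dir/tls.crt" || { echo "key/cert mismatch" >&2; return 1; }
    cert_covers_host "$dir/tls.crt" "$host" || { echo "cert does not cover $host" >&2; return 1; }
    kubectl create secret tls "$name" --cert="$dir/tls.crt" --key="$dir/tls.key"
}
```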
Create tomcat
```
[root@master ingress-nginx]# vim tomcat-deploy.yaml
```
```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: tomcat
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  - name: ajp
    targetPort: 8009
    port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5.37-jre8-alpine
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009
```
Deploy tomcat
```
[root@master ingress-nginx]# kubectl apply -f tomcat-deploy.yaml
service/tomcat created
deployment.apps/tomcat-deploy created
[root@master ingress-nginx]# kubectl get all -l app=tomcat
NAME                         READY   STATUS    RESTARTS   AGE
pod/tomcat-f76797f8c-675lk   1/1     Running   0          82s
pod/tomcat-f76797f8c-ddjwt   1/1     Running   0          82s
pod/tomcat-f76797f8c-hcjz9   1/1     Running   0          82s

NAME             TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)             AGE
service/tomcat   ClusterIP   10.98.129.55   <none>        8080/TCP,8009/TCP   82s

NAME                               DESIRED   CURRENT   READY   AGE
replicaset.apps/tomcat-f76797f8c   3         3         3       82s
[root@master ingress-nginx]#
```
Create the Ingress + HTTPS + tomcat
```
[root@master ingress-nginx]# vim ingress-tomcat-tls.yaml
```
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
spec:
  tls:
  - hosts:
    - tomcat.test.com
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.test.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
```
```
[root@master ingress-nginx]# kubectl apply -f ingress-tomcat-tls.yaml
ingress.extensions/ingress-tomcat-tls created
[root@master ingress-nginx]# kubectl get ingress
NAME                 HOSTS             ADDRESS   PORTS     AGE
ingress-myapp        myapp.test.com              80        51m
ingress-nginx        nginx.test.com              80        51m
ingress-tomcat-tls   tomcat.test.com             80, 443   5s
[root@master ingress-nginx]#
```