一、需求描述
在K8S
集群上通过部署Nginx
服务发布前端项目,其中:
- 前端项目发布文件通过
PV
和PVC
存储在NFS
上实现多Pod
持久化和共享 - 将
Nginx
服务配置文件存储至K8S
的configmap
中 - 将阿里云证书文件存储至
K8S
的secret
中 - 通过
Ingress
设置证书,并将Nginx
服务暴露到集群外部
二、创建NFS存储
创建NFS
存储主要是为了给Nginx
服务提供稳定的后端存储,当Nginx
的Pod
重启或迁移、扩容后,依然能获得原先的数据。这里,我们先要先创建NFS
,然后通过使用PV
为Nginx
挂载一个远程的NFS
路径。
2.1 安装配置NFS服务端
由于硬件资源有限,我在k8s-master
上搭建。执行如下命令安装NFS
和rpcbind
:
yum -y install nfs-utils rpcbind
其中,NFS
依靠远程过程调用(RPC
)在客户端和服务器端路由请求,因此需要安装rpcbind
服务。
执行命令 vim /etc/exports
,创建 exports 文件,文件内容如下:
/root/nfs_root/ *(insecure,rw,sync,no_root_squash)
执行以下命令,启动 nfs 服务
# 创建共享目录,如果要使用自己的目录,请替换本文档中所有的 /root/nfs_root/
mkdir /root/nfs_root
systemctl enable rpcbind
systemctl enable nfs-server
systemctl start rpcbind
systemctl start nfs-server
检查配置是否生效
exportfs
# 输出结果如下所示
/root/nfs_root /root/nfs_root
2.2 安装配置NFS客户端
注意事项:
- 如:服务器端防火墙开启,需开放
111
、662
、875
、892
、2049
的tcp / udp
访问,否则远端客户无法连接。
我在k8s-work1
上执行以下命令安装 NFS
客户端所需的软件包
yum install -y nfs-utils
执行以下命令检查 NFS
服务器端是否有设置共享目录
# showmount -e $(nfs服务器的IP)
showmount -e 192.168.0.50
# 输出结果如下所示
Export list for 192.168.0.50
/root/nfs_root *
执行以下命令挂载 NFS
服务器上的共享目录到本机路径 /root/nfsmount
mkdir /root/nfsmount
# mount -t nfs $(nfs服务器的IP):/root/nfs_root /root/nfsmount
mount -t nfs 192.168.0.50:/root/nfs_root /root/nfsmount
# 写入一个测试文件
echo "hello nfs server" > /root/nfsmount/nginx/html/test.txt
在 NFS
服务器上执行以下命令,验证文件写入成功
cat /root/nfs_root/test.txt
通过以下方式进行开机自动挂载
vi /etc/rc.local
mount -t nfs 192.168.0.50:/root/nfs_root /root/nfsmount
三、Nginx配置写入configmap
Nginx
配置文件default.conf
:
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
listen 443 ssl;
root /usr/share/nginx/html;
index index.html;
server_name localhost;
ssl_certificate /etc/nginx/ssl/10900597_nginx.kcfurs.com_nginx/nginx.kcfurs.com.pem;
ssl_certificate_key /etc/nginx/ssl/10900597_nginx.kcfurs.com_nginx/nginx.kcfurs.com.key;
location / {
try_files $uri $uri/ =404;
}
}
注意事项:
- 此处我的证书所在的
Pod
文件路径是/etc/nginx/ssl/10900597_nginx.kcfurs.com_nginx/
,需在创建Deployment
时与secret
进行挂载,详见下文5.1章节。
kubectl create configmap nginxconfigmap --from-file=default.conf
四、阿里云证书写入secret
证书来自阿里云,此处就不进行过多介绍。
cd /root/apps/nginx/10900597_nginx.kcfurs.com_nginx
kubectl create secret tls nginx.kcfurs.com --key nginx.kcfurs.com.key --cert nginx.kcfurs.com.pem
五、Deployment具体配置
5.1 完整配置文件
nginx-deployment.yaml
:
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: nginx
namespace: default
labels:
app: nginx
k8s.kuboard.cn/name: nginx
annotations: {}
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
creationTimestamp: null
labels:
app: nginx
annotations:
kubectl.kubernetes.io/restartedAt: '2023-08-17T16:50:05+08:00'
spec:
volumes:
- name: config-data
configMap:
name: nginxconfigmap
items:
- key: default.conf
path: default.conf
defaultMode: 420
- name: html-data
nfs:
server: 192.168.0.50
path: /root/nfs_root/nginx/html
- name: secret-data
secret:
secretName: nginx.kcfurs.com
items:
- key: tls.crt
path: nginx.kcfurs.com.pem
- key: tls.key
path: nginx.kcfurs.com.key
defaultMode: 420
containers:
- name: nginx
image: nginx
ports:
- name: http
containerPort: 80
protocol: TCP
- name: https
containerPort: 443
protocol: TCP
resources: {}
volumeMounts:
- name: config-data
mountPath: /etc/nginx/conf.d/
- name: html-data
mountPath: /usr/share/nginx/html
- name: secret-data
mountPath: /etc/nginx/ssl/10900597_nginx.kcfurs.com_nginx
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
imagePullPolicy: IfNotPresent
restartPolicy: Always
terminationGracePeriodSeconds: 30
dnsPolicy: ClusterFirst
securityContext: {}
schedulerName: default-scheduler
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 25%
maxSurge: 25%
revisionHistoryLimit: 10
progressDeadlineSeconds: 600
---
kind: Service
apiVersion: v1
metadata:
name: nginx
namespace: default
labels:
app: nginx
k8s.kuboard.cn/name: nginx
spec:
ports:
- name: http
protocol: TCP
port: 80
targetPort: 80
nodePort: 31290
- name: https
protocol: TCP
port: 443
targetPort: 443
nodePort: 32623
selector:
app: nginx
type: NodePort
sessionAffinity: ClientIP
externalTrafficPolicy: Cluster
sessionAffinityConfig:
clientIP:
timeoutSeconds: 10800
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
internalTrafficPolicy: Cluster
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
name: nginx
namespace: default
labels:
app: nginx
k8s.kuboard.cn/name: nginx
annotations:
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx-ingress
tls:
- hosts:
- nginx.kcfurs.com
secretName: nginx.kcfurs.com
rules:
- host: nginx.kcfurs.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx
port:
number: 443
---
kind: ConfigMap
apiVersion: v1
metadata:
name: nginxconfigmap
namespace: default
data:
default.conf: "server {\r\n listen 80 default_server;\r\n listen [::]:80 default_server ipv6only=on;\r\n\r\n listen 443 ssl;\r\n\r\n root /usr/share/nginx/html;\r\n index index.html;\r\n\r\n server_name localhost;\r\n ssl_certificate /etc/nginx/ssl/10900597_nginx.kcfurs.com_nginx/nginx.kcfurs.com.pem;\r\n ssl_certificate_key /etc/nginx/ssl/10900597_nginx.kcfurs.com_nginx/nginx.kcfurs.com.key;\r\n\r\n location / {\r\n try_files $uri $uri/ =404;\r\n }\r\n}"
---
kind: Secret
apiVersion: v1
metadata:
name: nginx.kcfurs.com
namespace: default
data:
tls.crt: >-
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUY5akNDQk42Z0F3SUJBZ0lRQ2VCY004N3E1VVNWY056RFFOTG1oekFOQmdrcWhraUc5dzBCQVFzRkFEQnUKTVFzd0NRWURWUVFHRXdKVlV6RVZNQk1HQTFVRUNoTU1SR2xuYVVObGNuUWdTVzVqTVJrd0Z3WURWUVFMRXhCMwpkM2N1WkdsbmFXTmxjblF1WTI5dE1TMHdLd1lEVlFRREV5UkZibU55ZVhCMGFXOXVJRVYyWlhKNWQyaGxjbVVnClJGWWdWRXhUSUVOQklDMGdSekl3SGhjTk1qTXdPREUzTURBd01EQXdXaGNOTWpRd09ERTJNak0xT1RVNVdqQWIKTVJrd0Z3WURWUVFERXhCdVoybHVlQzVyWTJaMWNuTXVZMjl0TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQwpBUThBTUlJQkNnS0NBUUVBd3paT1J4eGdMUFVrOS9NYnpFdXI3anBjc0pFUlJEMU0yeVo4SEtVV25oWVFwbHNDCi9XankzdEhaelExTnpOeHNiMnJ0WWh6UldlbHVEUmZidnliQjFMV3hQQXlIM1hyLzQ4ZEJHdkM4bGYwV25sTkQKVnZHc0VSelNnb2lmRTlKeEZ5NFJUbUltOVdDT0hSdTFKVVFreEp1QTZGSENHVTBlL1orZGp3aXdXSXlSdEpOVwo2NTRZVVBUaVFSa3NvQTlvMVlScVdVd1pFVTFUV2V3YjJELzN3TVJMUkEzZjEvdHdkZGsxREtJbUc5aVJyWEdWCm5WTVFBdERrYXZHbU4xTW5LZ3FoaFlBNzVGT1Y1ZVdGSHVGMlFReDA1RVhRYlFjam8wS2wrcG1oR3d3MFo5Z1YKTTB3NXZTMVRIMDR0RGEvNDJONmdKSG91M3EzM1VabFoyTEZWRlFJREFRQUJvNElDNFRDQ0F0MHdId1lEVlIwagpCQmd3Rm9BVWVOK1JrRi91M3F6MnhYWHIxVXhWVSs4a1NyWXdIUVlEVlIwT0JCWUVGRnh4Nm5qTitnTUNKRmlWCjBEMGRvMGhBY0RlSk1Cc0dBMVVkRVFRVU1CS0NFRzVuYVc1NExtdGpablZ5Y3k1amIyMHdEZ1lEVlIwUEFRSC8KQkFRREFnV2dNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBK0JnTlZIU0FFTnpBMQpNRE1HQm1lQkRBRUNBVEFwTUNjR0NDc0dBUVVGQndJQkZodG9kSFJ3T2k4dmQzZDNMbVJwWjJsalpYSjBMbU52CmJTOURVRk13Z1lBR0NDc0dBUVVGQndFQkJIUXdjakFrQmdnckJnRUZCUWN3QVlZWWFIUjBjRG92TDI5amMzQXUKWkdsbmFXTmxjblF1WTI5dE1Fb0dDQ3NHQVFVRkJ6QUNoajVvZEhSd09pOHZZMkZqWlhKMGN5NWthV2RwWTJWeQpkQzVqYjIwdlJXNWpjbmx3ZEdsdmJrVjJaWEo1ZDJobGNtVkVWbFJNVTBOQkxVY3lMbU55ZERBSkJnTlZIUk1FCkFqQUFNSUlCZndZS0t3WUJCQUhXZVFJRUFnU0NBVzhFZ2dGckFXa0Fkd0R1emRCazFkc2F6c1ZjdDUyMHpST2kKTW9kR2ZMenMzc05SU0ZsR2NSKzFtd0FBQVlvQ3BRWWJBQUFFQXdCSU1FWUNJUURJUlBxUmhOM3AwanJNVlV6Rgp1OTJwMTVZOVFtaVhYbmIrcHZZMjVUWmxvQUloQUtOMHFSemxYV1Fjam5XRCtDbGREc2FTUlpobitXY2g4TlRPCnNSVDJ0MUlHQUhZQVNMRGphOXFtUnpRUDVXb0MrcDB3Nnh4U0FjdFczU3lCMmJ1L3F6blloSE1BQUFHS0FxVUcKT1FBQUJBTUFSekJGQWlFQXV2bzUyekNPeEdnUlNxY0NXK0RDYTgxRjdEN0UyZklFWjVqSC9tZHMxT2tDSUZBSgpjaW5JNkNpZk8wVnc1OUk2M2lENW5wTjRPYXZVWnR2TlNVS0YzcWhSQUhZQTJyYS9heisxdGlLZm04SzdYR3ZvCmNKRnhiTHRSaElVMHZhUTlNRWpYKzZzQUFBR0tBcVVHRGdBQUJBTUFSekJGQWlBYVJyMk1xN0dGNGJqRlE4bzQKeEpuQkg2VWdJTWJSVnZwMTZDaVRxQVQ5ZmdJaEFLOXpxZG5ySTZJc0VOcWZpczRIOGtyMk4zYk40YXowTzdONAplZTk3NGx5ak1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ1RRM3YxY3dPMUVjUGJhRmxUcy9uNWo4eGtNSkhLCjJ3OWNEZ05QSWZROVNDYzdQVkJaUlV1azgvcldjbWlFeGMremdvc3lBM1IzNjh1cWVSQTVPU3V6MkpvREx1c0YKS1hlMUVyVmlxY1E0S1BzRXJsdUVwQjVKSXhXV2plM0Fpc0E3SGxKMEU1YkYrUXNnNEJmQnhzYXFYVllvM1R5UQpnTEo4Q2QvZWFIa0dqU09LUFZEQ2VvRmY1Z0ZRdjNTbndlQmZSMzFaN2FkcmVHVWtGSzNwa1pZNElSZFJ5V2hqCjlpU0RyZWIrc0NFZnhXM0FKaDdMaS83d00zZFRMRGRHTWRqTWo3bFEvbXRiY1hUNHNjTWR1S3JJS0QyamhyL3cKVDRTTUtHeHZWa0x3VGU2ZGJPUzV3K0V6R1JVMGJ6cFVEUnZyL2s5YU81WmVDcC9IUGl1S3ZCcEwKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJRXFqQ0NBNUtnQXdJQkFnSVFEZUQvdGU1aXkyRVFuMkNNbk8xZTB6QU5CZ2txaGtpRzl3MEJBUXNGQURCaApNUXN3Q1FZRFZRUUdFd0pWVXpFVk1CTUdBMVVFQ2hNTVJHbG5hVU5sY25RZ1NXNWpNUmt3RndZRFZRUUxFeEIzCmQzY3VaR2xuYVdObGNuUXVZMjl0TVNBd0hnWURWUVFERXhkRWFXZHBRMlZ5ZENCSGJHOWlZV3dnVW05dmRDQkgKTWpBZUZ3MHhOekV4TWpjeE1qUTJOREJhRncweU56RXhNamN4TWpRMk5EQmFNRzR4Q3pBSkJnTlZCQVlUQWxWVApNUlV3RXdZRFZRUUtFd3hFYVdkcFEyVnlkQ0JKYm1NeEdUQVhCZ05WQkFzVEVIZDNkeTVrYVdkcFkyVnlkQzVqCmIyMHhMVEFyQmdOVkJBTVRKRVZ1WTNKNWNIUnBiMjRnUlhabGNubDNhR1Z5WlNCRVZpQlVURk1nUTBFZ0xTQkgKTWpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTzhVZjQ2aS9ucjdwa2dURHFuRQplU0lmQ0ZxdlBuVXEzYUYxdE1KNWhoOU1uTzZMbXQ1VWRIZkJHd0M5U2krWGpLMTJjalpneE9ic0w2Umcxbmp2Ck5oQU1KNEp1bk4wSkdHUkpHU2V2YkpzQTNzYzY4bmJQUXp1S3A1SmM4dnByeXAybXRzMzhwU0NYb3JQUitzY2gKUWlzS0E3T1NRMU1qY0ZOMGQ3dGJyY2VXRk5iemdMMmNzSlZRZW9nT0JHU2UvS1pFSVp3NmdYTEtlRmU3bXVwbgpOWUpST2kyaUMxMStIdUY3OWlBdHRNYzMyQ3Y2VU94aXhZLzNaVitMenBMbmtsRnE5OFhPUmd3a0lKTDFIdXZQCmhhOHl2YitXNkppc2xaSkwrSExGdGlkb3htSTdRbTNaeUlWNjZXNTMzRHNHRmltRkprejN5MEdlSFd1U1ZNYkkKbGZzQ0F3RUFBYU9DQVU4d2dnRkxNQjBHQTFVZERnUVdCQlI0MzVHUVgrN2VyUGJGZGV2VlRGVlQ3eVJLdGpBZgpCZ05WSFNNRUdEQVdnQlJPSWxRZ0dKWG00MjdtRC9yNnVSTHRCaGVQT1RBT0JnTlZIUThCQWY4RUJBTUNBWVl3CkhRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUdDQ3NHQVFVRkJ3TUNNQklHQTFVZEV3RUIvd1FJTUFZQkFmOEMKQVFBd05BWUlLd1lCQlFVSEFRRUVLREFtTUNRR0NDc0dBUVVGQnpBQmhoaG9kSFJ3T2k4dmIyTnpjQzVrYVdkcApZMlZ5ZEM1amIyMHdRZ1lEVlIwZkJEc3dPVEEzb0RXZ000WXhhSFIwY0RvdkwyTnliRE11WkdsbmFXTmxjblF1ClkyOXRMMFJwWjJsRFpYSjBSMnh2WW1Gc1VtOXZkRWN5TG1OeWJEQk1CZ05WSFNBRVJUQkRNRGNHQ1dDR1NBR0cKL1d3QkFqQXFNQ2dHQ0NzR0FRVUZCd0lCRmh4b2RIUndjem92TDNkM2R5NWthV2RwWTJWeWRDNWpiMjB2UTFCVApNQWdHQm1lQkRBRUNBVEFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBb0JzMWVDTEtha0x0VlJQRlJqQklKOUxKCkwwczhaV3VtOFU4LzFUTVZrUU1CbitDUGI1eG5DRDBHU0E2TC9WMFpGck1OcUJpcnJyNUIyNDFPZXNFQ3Z4SWkKOThiWjkwaDkrcS9YNWVNeU9EMzVmOFlUYUVNcGRuUUNuYXdJd2lIeDA2LzBCZmlUaitiL1hRaWgrbXF0M1pYZQp4TkNKcUtleGRpQjJJV0dTS2NnYWhQYWNXa2svQkFRRmlzS0lGWUVxSHpWOTc0UzNGQXovOExJZkQ1OHhuc0VOCkdmenlJRGtIM0pyd1laOGNhUFRmNlpYOU0xR3JJU044SG5XVHRkTkNIMnhFYWpSYS9oOVpCWGpVeUZLUXJHazIKbjJoY0xyZlpTYnluRUMvcFN3L0VUN0g1bld3Y2tqbUFKMWw5ZmNuYnFrVS9wZjZ1TVFtbmZsMEpRakpOU2c9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
tls.key: >-
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBd3paT1J4eGdMUFVrOS9NYnpFdXI3anBjc0pFUlJEMU0yeVo4SEtVV25oWVFwbHNDCi9XankzdEhaelExTnpOeHNiMnJ0WWh6UldlbHVEUmZidnliQjFMV3hQQXlIM1hyLzQ4ZEJHdkM4bGYwV25sTkQKVnZHc0VSelNnb2lmRTlKeEZ5NFJUbUltOVdDT0hSdTFKVVFreEp1QTZGSENHVTBlL1orZGp3aXdXSXlSdEpOVwo2NTRZVVBUaVFSa3NvQTlvMVlScVdVd1pFVTFUV2V3YjJELzN3TVJMUkEzZjEvdHdkZGsxREtJbUc5aVJyWEdWCm5WTVFBdERrYXZHbU4xTW5LZ3FoaFlBNzVGT1Y1ZVdGSHVGMlFReDA1RVhRYlFjam8wS2wrcG1oR3d3MFo5Z1YKTTB3NXZTMVRIMDR0RGEvNDJONmdKSG91M3EzM1VabFoyTEZWRlFJREFRQUJBb0lCQUI4TVNwdnR5L0FxbDFRbQpZdlAxenlVblBDbkxFT041R25tNm43L1FsQTNWdFpVMzRYeGJqbEZaTUJwNGRMalNFQjhTY3lvSktsVHlGeEpYCkNwalcrYm95b2J0S3hPczVqbXgwZXdybFlpRTY3VGVHUjY0UzV3cWJ1bkdQZURtblhWeFI4K2V6SGI0bU9zUXYKYlhxOVlWbXgzK2xUWTVzeGxHM0RUc1I2bmMyZldzSUtGZWtKTy9mbzJPczZ4UjFaelZoaTNQK1NoZ2grZGhDRgpRZHI5Vm1LQ3JpT3F0TktWeDMzV1A2NUMzcGpUTzdNZUt4TkFPa2R2NVNDcVFGTWlORFk5a3ZiYitzd0NSd1BkCksydk5rR0FsZnBkNWZ1SkNvN1FNancvUDFTaDFiQjRXNm14TGZueEk3WmxGekFRa3FlVkxVaHl5K0x1NWJHcG0Kb2NLWUZsc0NnWUVBNXArNW95RHpEZG9WYkV0Z0FTb0VrcDdHVkcxQVVjeFdGbXNhdDB0TmUza3hOallzeXhOegoycUozUUdjQ3ppWlp6NUdFbkVlUTU4WWxucXU5VmppSWgrK3pob1VEM3RQUlNSbndtekJkNFNEM3hSU2NaWjNNCnpLRis4QU5LOHVIVUp4RlFNR0txYUtaTkk1TnA4dFlYZFlvNEpxYmFLaStzbDBJYSthdzdxS2NDZ1lFQTJMRVgKaTV2VU1OdzJKaXpYNWVScW9MZkFJSDhsbk9EcjFCbDFVaC9saFZ1ekpEbEVuMk9LUmM2R3NtSlc0aFE1UnhlZQpZS2tTQm5Ob284OU9hMzR1MUlNT0dKOElsWm9FbWhWTTNqZWhEL0d6NE12d1ZsNlBEMks0Y29jYnE2QVM1Q0JRClpvSzBvcERxZXF1VGlvUm5Bdkl0VDRlWUpnVFRlQ2g0U3d2dkQrTUNnWUFGU3VVWHVVbmFwNGFXVmFSK1lsaDQKaE94SVE3bVdKdnBTeVdKemttYlV6cE15aTB1NzNWWnJUZzh1aXk2bFRId0RKM1BEb21EUThOc3NLUVRQVmJ6TQpZZFBjNG5DVVRJZ2hCVmRnT0Z2dkxyS0E4MWdqZk51V1ZwNXpJNkEwc3JvTHEzb0xvamdHN3NvV1p1dW5od0pDCjBFazVtZHFuM1RBNHlHdVdEejNQUVFLQmdIL1lhL1hZYUdhelpkYzhHZHp1Mk9JZHgyTGs0VUlmaWNQSGlXcDgKbXlRRktEbzA5NEc2YnJnazAxK25tVzhsVTIzWVIzN3NBVkNCQXJteTg2ZUQrUWswa1RxQmljVUo2N0VrNUFjdgpkdjA3TTA5cncwNlIxNEhTVXRSdlZpbjU5V3RXalZrTndKa3hPc1pKT0hFL0VLK3lSbjFubUtMRnNpWndhaGlNCjMrelZBb0dCQUw3cXdIbVdyTnpOY2lTVVlDb1ZualhxSVhlN0luZkw5TFVjRit1UnI3bm80WGlPT2VhcG9TenEKbEQ0cVNMQXplV2ZrcjFMOW8wS3hDQnhMSFlydWtQK0I2bkF4T1VsUER2NVNsd0ZZSVZPLzVPZ2VpMmRGV3RnMwptQ1ZBU0tzaDVmTkNPWXNEZGV2MmYwRUJsaGtCeE42ankxemFMWTVUSFN0bFJwWUZ2emtLCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
type: kubernetes.io/tls
注意事项:
- 本示例
Ingress
使用到ingressClassName: nginx-ingress
,基于Kuboard
提供的一种快速安装ingress-nginx
的方法。
5.2 知识点 Ingress SSL 终止
默认情况下,SSL
在ingress controller
中被终止,所以从controller
到pod
的所有流量都是没有TLS
(解密的流量)。
如果想要全程SSL
,你可以通过正在使用的ingress controller
添加支持的annotation
。例如,在本章(应用已配置好SSL
)示例Nginx ingress controller
里面,为了让SSL
流量到达应用,你可以使用nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
的annotation
。
重要知识:
- 更多关于
Ingress-Nginx Controller
配置示例,请见:https://kubernetes.github.io/ingress-nginx/examples/rewrite/
六、效果
6.1 通过ingress访问
- 本示例K8S集群安装在内网环境,通过部署在外网的
nps
服务和内网的npc
服务穿透至内网集群的nginx-ingress
端口。- 外网的
nps
服务外网端口9091
,对应ingress-nginx-controller
容器443
的外部访问端口31700
。- 注意外网部署
nps
服务的 安全策略 ,保证网络可达。
6.2 通过服务的nodePort访问
- 本示例K8S集群安装在内网环境,通过部署在外网的
nps
服务和内网的npc
服务穿透至内网集群的nodePort
端口。- 外网的
nps
服务外网端口8090
,对应nginx
服务443
的外部访问端口32623
。