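References
Ingress-Nginx GitHub repository: https://github.com/kubernetes/ingress-nginx
Ingress-Nginx official site: https://kubernetes.github.io/ingress-nginx/
Nginx is exposed as a NodePort service to interact with the Pods.
How it works
The Store listener runs as a Pod and opens a connection to the API server to watch for changes. When new data is written, the change is put on a ring queue (updateChannel). The NginxController watches updateChannel; after each loop it writes an update event to the sync queue (syncQueue), where the event waits for a goroutine to change the configuration file. The goroutine periodically pulls the tasks it has to apply from the queue; tasks that need a direct modification are passed straight through to the goroutine (communication between two goroutines). Once it has collected all the data to update, it decides whether the change requires a reload or can wait to be added. If a reload is required, the data is written to the main nginx configuration file and nginx is reloaded; if not, the controller simply builds and sends a POST request. In the end everything runs as an nginx module.
Installation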
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/mandatory.yaml
kubectl get pod -n ingress-nginx # check the Pods
Use the NodePort form (recommended for bare metal)
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml
kubectl get svc -n ingress-nginx # check the Service
docker save -o <file-name>.tar <image> # save the image to a file
Ingress HTTP proxy access
Deployment, Service and Ingress YAML files
# extensions/v1beta1 Deployments are served only by Kubernetes releases before 1.16
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-dm
spec:
  replicas: 2
  template:
    metadata:
      labels:
        name: nginx-dm
    spec:
      containers:
        - name: nginx
          image: goulinux/myapp:v1
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    name: nginx-dm # must match the Pod template labels of the Deployment
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-test
spec:
  rules:
    - host: foo.bar.com
      http:
        paths:
          - path: /
            backend:
              serviceName: nginx-svc
              servicePort: 80
Ingress HTTPS proxy access
Deployment, Service and Ingress YAML files
Create the certificate and store it as a secret
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deployment3
spec:
  replicas: 2 # number of replicas
  selector:
    matchLabels:
      name: nginx3 # must match the Pod template labels below
  template:
    metadata:
      labels:
        name: nginx3
    spec:
      containers:
        - name: nginx3
          image: guolinux/myapp:v3
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-3
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    name: nginx3
Ingress-nginx
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: https
spec:
  tls:
    - hosts:
        - foo.bar.com
      secretName: tls-secret # name of the secret that stores the certificate
  rules:
    - host: foo.bar.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-3
              servicePort: 80
BasicAuth with Nginx
yum -y install httpd
htpasswd -c auth foo # auth is the file, foo is the user name
kubectl create secret generic basic-auth --from-file=auth
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
    - host: foo.bar.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-4
              servicePort: 80
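Annotation keys are free-form strings, so a key with a misspelled prefix is accepted by the API server and ignored by the controller; if the affected key is auth-type, the host is served without authentication. The lint below is an added example, not part of the original notes or of the ingress-nginx project; audit_ingress, near, KNOWN and SAMPLE are hypothetical names, and the manifest is a constructed sample given as a dict (for instance the parsed output of kubectl get ingress -o json).

```python
import difflib

PREFIX = "nginx.ingress.kubernetes.io/"
# Annotation names used on this page; not the controller's complete list.
KNOWN = ["auth-type", "auth-secret", "auth-realm", "rewrite-target",
         "ssl-redirect", "force-ssl-redirect", "app-root", "use-regex"]

def near(word, candidates):
    """Return the closest candidate to a misspelled word, or None."""
    hit = difflib.get_close_matches(word, candidates, n=1, cutoff=0.8)
    return hit[0] if hit and hit[0] != word else None

def audit_ingress(ing):
    """Lint one Ingress manifest (a dict) and return a list of findings."""
    findings = []
    meta = ing.get("metadata", {})
    for field in meta:
        if near(field, ["annotations"]):
            findings.append(f"metadata.{field}: did you mean 'annotations'?")
    ann = meta.get("annotations") or {}
    for key in ann:
        domain, _, name = key.rpartition("/")
        if near(domain + "/", [PREFIX]):
            findings.append(f"{key}: prefix is not {PREFIX}, key is ignored")
        elif key.startswith(PREFIX) and near(name, KNOWN):
            findings.append(f"{key}: did you mean {PREFIX}{near(name, KNOWN)}?")
    # Basic auth is enforced only if both keys exist with the exact spelling.
    wants_auth = any("/auth-" in k for k in ann)
    missing = [n for n in ("auth-type", "auth-secret") if PREFIX + n not in ann]
    if wants_auth and missing:
        findings.append("basic auth not fully configured, missing: " + ", ".join(missing))
    return findings

# Constructed sample: auth-type carries a misspelled prefix.
SAMPLE = {
    "kind": "Ingress",
    "metadata": {"name": "ingress-with-auth", "annotations": {
        "nginx.ingeress.kubernetes.io/auth-type": "basic",
        "nginx.ingress.kubernetes.io/auth-secret": "basic-auth",
        "nginx.ingress.kubernetes.io/auth-realm": "Authentication Required - foo",
    }},
}

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE):
        print(finding)
```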
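Rewrites with Nginx
| Name | Description | Value |
| --- | --- | --- |
| nginx.ingress.kubernetes.io/rewrite-target | Target URI to which traffic must be redirected | string |
| nginx.ingress.kubernetes.io/ssl-redirect | Whether the location section is accessible over SSL only (defaults to True when the Ingress contains a certificate) | bool |
| nginx.ingress.kubernetes.io/force-ssl-redirect | Forces the redirect to SSL even if the Ingress does not have TLS enabled | bool |
| nginx.ingress.kubernetes.io/app-root | Defines the application root that the Controller must redirect to if it is in the '/' context | string |
| nginx.ingress.kubernetes.io/use-regex | Whether the paths defined on the Ingress use regular expressions | bool |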
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: http://foo.bar.com:31975/hostname.html
spec:
  rules:
    - host: foo2.bar.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-1
              servicePort: 80
HAProxy is not as simple to configure as nginx, and according to the official site its performance is lower than nginx's, reaching only about 80%.