1. Why ingress is needed
Kubernetes can expose services through NodePort / LoadBalancer, but that approach exposes too many ports and weakens the security of the servers (normally only ports 80/443 need to be exposed). Also, pointing an external nginx reverse proxy directly at k8s services is cumbersome; using ingress simplifies the nginx configuration.
2. Basic principle
externalLB is a load balancer outside k8s, such as an F5 hardware LB. The IngressController is effectively an Nginx service deployed inside K8S; it is exposed as an externally reachable Service via NodePort (ports 80/443). The reverse-proxy configuration of this IngressController Nginx service is changed through Ingress resources in K8S.
3. Deploy ingress (reference: https://www.cnblogs.com/panwenbin-logs/p/9915927.html)
1. Fetch the resource description file from github; the core of that yaml is the nginx-ingress-controller Deployment
2. Install nginx-ingress-controller
kubectl apply -f mandatory.yaml
Note: the two images referenced in mandatory.yaml probably cannot be pulled without going through a proxy; replace them with the following two mirror images:
sed -i 's#k8s.gcr.io/defaultbackend-amd64#registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/defaultbackend-amd64#g' mandatory.yaml
sed -i 's#quay.io/kubernetes-ingress-controller/nginx-ingress-controller#registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/nginx-ingress-controller#g' mandatory.yaml
3. Expose nginx-ingress-controller as a Service
kubectl apply -f xxx.yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 32080 #http
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
    nodePort: 32443 #https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
5. Deploy a demo business application
kubectl apply -f tomcat-deploy.yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  - name: ajp
    port: 8009
    targetPort: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:7-alpine
        ports:
        - name: httpd
          containerPort: 8080
        - name: ajp
          containerPort: 8009
6. Configure the ingress; this is equivalent to configuring the Nginx reverse proxy, forwarding HTTP requests that reach the ingressController to tomcat
kubectl apply -f ingress-tomcat.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.magedu.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
7. Testing
1. Check that the related resources are ready
kubectl get svc,deploy,pod,ingress --all-namespaces -o wide
2. Local test
curl -i 127.0.0.1:32080
3. Configure the hostname mapping (C:\Windows\System32\drivers\etc\hosts)
192.168.154.134 tomcat.magedu.com
4. Access from a browser
http://tomcat.magedu.com:32080
8. Create the HTTPS certificate
1. Create the certificate; note that the domain name must match the domain name of the service
openssl genrsa -out tls.key 2048
openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.magedu.com
2. Create the secret
kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
9. Configure the ingress; this is equivalent to configuring the Nginx reverse proxy, forwarding HTTPS requests that reach the ingressController to tomcat
kubectl apply -f ingress-tomcat-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.magedu.com #must match the domain name of the certificate in the secret
    secretName: tomcat-ingress-secret #name of the certificate secret
  rules:
  - host: tomcat.magedu.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
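Added example (not from the original post): a small stdlib-only Python lint for the Ingress manifests of sections 6 and 9, covering the mistakes that fail silently: a misspelled ingress.class annotation key (an unknown annotation is simply ignored, so the intended controller selection never applies), a tls host that the certificate stored in the secret does not actually cover, and a rule host that has no tls entry at all. The INGRESS dict and CERT_NAMES are constructed to mirror the page's YAML and openssl -subj; the wildcard handling goes slightly beyond the page's single-host case.

```python
import fnmatch

CLASS_ANNOTATION = "kubernetes.io/ingress.class"
# Constructed dict form of an ingress-tomcat-tls.yaml; with PyYAML installed,
# yaml.safe_load() on the real file yields the same structure. The annotation
# key is deliberately misspelled ("kubernets") to show that the check catches it.
INGRESS = {
    "apiVersion": "extensions/v1beta1", "kind": "Ingress",
    "metadata": {"name": "ingress-tomcat-tls", "namespace": "default",
                 "annotations": {"kubernets.io/ingress.class": "nginx"}},
    "spec": {
        "tls": [{"hosts": ["tomcat.magedu.com"], "secretName": "tomcat-ingress-secret"}],
        "rules": [{"host": "tomcat.magedu.com", "http": {"paths": [
            {"path": "", "backend": {"serviceName": "tomcat", "servicePort": 8080}}]}}],
    },
}
# Constructed: names the certificate is valid for (CN plus SAN entries; current
# browsers require the host to appear as a SAN, the CN alone is not accepted).
CERT_NAMES = ["tomcat.magedu.com"]

def cert_covers(host: str, names: list[str]) -> bool:
    """Exact name match, or a single-label wildcard such as *.magedu.com."""
    for name in names:
        if name == host or (name.startswith("*.") and host.count(".") == name.count(".")
                            and fnmatch.fnmatchcase(host, name)):
            return True
    return False

def lint_ingress(ing: dict, cert_names: list[str]) -> list[str]:
    """Return human-readable findings; an empty list means the manifest is consistent."""
    findings = []
    ann = ing.get("metadata", {}).get("annotations", {}) or {}
    if CLASS_ANNOTATION not in ann:
        near = [k for k in ann if k.endswith("/ingress.class")]  # look-alike keys
        findings.append(f"ingress class annotation missing or misspelled: {near or 'absent'}")
    spec = ing.get("spec", {})
    tls_hosts = set()
    for entry in spec.get("tls", []) or []:
        if not entry.get("secretName"):
            findings.append("tls entry without secretName")
        for host in entry.get("hosts", []) or []:
            tls_hosts.add(host)
            if not cert_covers(host, cert_names):
                findings.append(f"certificate does not cover tls host {host}")
    for rule in spec.get("rules", []) or []:  # hosts routed but never given TLS
        host = rule.get("host")
        if host and host not in tls_hosts:
            findings.append(f"rule host {host} has no tls entry (served over plaintext HTTP only)")
    return findings
```

Run lint_ingress(INGRESS, CERT_NAMES) before kubectl apply; for the manifest above it reports only the misspelled annotation key.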