18 - [kubernetes] Kubernetes Ingress and Ingress Controller

I. Preface

1. Drawbacks of Service

A Service runs in one of three proxy modes: userspace (which itself relies on iptables), iptables, or ipvs. Whichever mode is used, a Service is a layer-4 load balancer.

The drawback of a layer-4 load balancer is that it works only at layer 4 of the OSI model, so when a user sends an HTTPS request the Service can do nothing with it: it can forward the TCP connection, but it cannot terminate TLS or route on anything inside the request.

For such HTTPS requests, a Kubernetes cluster has the following options:

[1] Option one: client -> load balancer -> node (several nodes) -> Service -> a Pod that can serve HTTPS requests; this Pod is called the ingress controller (usually an application with layer-7 scheduling and proxying capability) -> backend Pods that provide the service (several Pods).

  • Drawback: the request passes through several rounds of scheduling, which is inefficient; hence option two.

[2] Option two: client -> load balancer -> a Pod that can serve HTTPS requests (this Pod shares the node's network namespace) -> backend Pods that provide the service (several Pods).

  • Drawback: because the HTTPS-capable Pod shares the node's network namespace, one such Pod would have to be deployed on every node; yet a client only ever accesses one "HTTPS-capable Pod", so only one can be deployed. Hence option three.

[3] Option three: client -> a Pod that can serve HTTPS requests (managed by a DaemonSet controller, and sharing the node's network namespace) -> backend Pods that provide the service (several Pods).

  • The HTTPS-capable Pod can be provided by one of four applications: [1] HAProxy (the least popular); [2] Nginx; [3] Traefik; [4] Envoy.

Taking nginx as the example: what if the backend Pods fall into categories, with some Pods providing service A and others providing service B? This is where Service resources come in: a Service groups Pods through its label selector. How, then, are different client requests told apart so that they are scheduled to different Pods? There are two methods: [1] different host names map to different services; [2] different URL paths map to different services.

This raises another problem: the backend Pods can change at any time, so what happens once the information about the backend Pods changes? That is what the Ingress resource is for. An Ingress resource defines both a front end (how to tell client requests apart, as above) and a back end (the information about the Pods providing the service); in effect, an Ingress supplies the ingress controller with this front-end and back-end information.

An Ingress can be injected directly into the ingress controller. The Ingress watches the information about the Pods behind the Service; as soon as the set of Pods selected by the Service changes, the Ingress sees it, turns what it sees into configuration, injects that configuration into the ingress controller, and can also trigger the main process in the ingress controller's container to reload.
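The two ways of telling requests apart (by Host header and by URL path) and the hand-off to the controller are easier to see in a small model. The following is an added example, not code from the original post or from ingress-nginx: it flattens Ingress objects (constructed inline in the shape `kubectl get ingress -o json` returns for the extensions/v1beta1 API used on this page) into a host/path routing table, resolves requests against it, and reports routes claimed by more than one Ingress. The `tomcat-manager` and `other` services and the `ingress-dup` object are hypothetical names added for the illustration.

```python
"""Routing model for host-based and path-based Ingress rules (added example).

Not code from the original post or from ingress-nginx. Input objects are
constructed inline in the shape `kubectl get ingress -o json` returns for the
extensions/v1beta1 Ingress API the post uses.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample Ingress objects (tomcat-manager is a hypothetical service).
INGRESSES = [
    {"metadata": {"name": "ingress-myapp", "namespace": "default"},
     "spec": {"rules": [{"host": "myapp.magedu.com", "http": {"paths": [
         {"path": "", "backend": {"serviceName": "myapp", "servicePort": 80}}]}}]}},
    {"metadata": {"name": "ingress-tomcat", "namespace": "default"},
     "spec": {"rules": [{"host": "tomcat.magedu.com", "http": {"paths": [
         {"path": "/", "backend": {"serviceName": "tomcat", "servicePort": 8080}},
         # path-based split: /manager goes to a separate (hypothetical) service
         {"path": "/manager", "backend": {"serviceName": "tomcat-manager", "servicePort": 8080}}]}}]}},
]
# A hypothetical second Ingress claiming the same host and path as ingress-myapp.
DUPLICATE = {"metadata": {"name": "ingress-dup", "namespace": "default"},
             "spec": {"rules": [{"host": "myapp.magedu.com", "http": {"paths": [
                 {"path": "/", "backend": {"serviceName": "other", "servicePort": 80}}]}}]}}

Route = Tuple[str, str, str, int]  # (ingress name, path prefix, service, port)


def build_table(ingresses: List[dict]) -> Dict[str, List[Route]]:
    """Flatten Ingress rules into host -> routes, longest path prefix first."""
    table: Dict[str, List[Route]] = {}
    for ing in ingresses:
        name = ing["metadata"]["name"]
        for rule in ing["spec"].get("rules", []):
            host = rule.get("host") or "*"        # a rule without host matches any host
            for p in rule.get("http", {}).get("paths", []):
                prefix = p.get("path") or "/"     # an empty path (as in the post) matches everything
                backend = p["backend"]
                table.setdefault(host, []).append(
                    (name, prefix, backend["serviceName"], int(backend["servicePort"])))
    for routes in table.values():
        routes.sort(key=lambda r: len(r[1]), reverse=True)  # /manager is tried before /
    return table


def resolve(table: Dict[str, List[Route]], host: str, path: str) -> Optional[Tuple[str, int]]:
    """Pick the backend for a request: exact Host match first, then host-less rules.

    Path matching uses plain prefix semantics, like an nginx prefix location.
    None means the request would fall through to the controller's default
    backend, which is why the post's test by bare IP address gets nothing.
    """
    for candidate in (host.lower(), "*"):
        for _, prefix, service, port in table.get(candidate, []):
            if path.startswith(prefix):
                return service, port
    return None


def find_conflicts(table: Dict[str, List[Route]]) -> List[Tuple[str, str, List[str]]]:
    """Report (host, prefix, ingress names) where two Ingresses claim one route.

    The controller merges such rules and one backend silently wins, so a
    reviewer wants these surfaced before they reach a cluster.
    """
    conflicts = []
    for host, routes in sorted(table.items()):
        seen: Dict[str, List[str]] = {}
        for name, prefix, _, _ in routes:
            seen.setdefault(prefix, []).append(name)
        for prefix, names in seen.items():
            if len(names) > 1:
                conflicts.append((host, prefix, names))
    return conflicts


if __name__ == "__main__":
    table = build_table(INGRESSES)
    print(resolve(table, "myapp.magedu.com", "/hostname.html"))  # ('myapp', 80)
    print(resolve(table, "tomcat.magedu.com", "/manager/html"))  # ('tomcat-manager', 8080)
    print(resolve(table, "10.0.2.3", "/"))                       # None: no Host match
    print(find_conflicts(build_table(INGRESSES + [DUPLICATE])))
```

The table is the same information the controller later renders into the `server` and `location` blocks shown further down; running the resolver over a dump of a real cluster's Ingress objects is a quick way to confirm which Service a given host and path will land on.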

 

II. Deploying the ingress controller and an Ingress

[root@master manifests]# kubectl explain ingress.spec.rules          #front-end information
   host <string>             #different host names map to different services (virtual hosts)
   http <Object>         #different URL paths map to different services
[root@master manifests]# kubectl explain ingress.spec.backend    #back-end information
   serviceName  <string>         #name of the Service
   servicePort  <string>      #port of the Service

 

1. Deploying one service

(1) Configure: a NodePort-type Service for admitting external traffic + the ingress controller. Reference: https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.md

[root@master ~]# vim /etc/hosts      #add the line below to this file; otherwise you may get the error "The connection to the server raw.githubusercontent.com was refused - did you specify the right host or port?"
199.232.28.133 raw.githubusercontent.com


[root@master ~]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.35.0/deploy/static/provider/baremetal/deploy.yaml    #download deploy.yaml


[root@master ~]# vim deploy.yaml     #change the image k8s.gcr.io/ingress-nginx/controller:v0.35.0@sha256:fc4979d8b8443a831c9789b5155cded454cb7de737a8b727bc2ba0106d2eae8b to scofield/ingress-nginx-controller:v0.35.0 (works around k8s.gcr.io being unreachable; note that this replaces a digest-pinned official image with an unverified third-party mirror)

[root@master ~]# kubectl apply -f deploy.yaml 
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
configmap/ingress-nginx-controller created
clusterrole.rbac.authorization.k8s.io/ingress-nginx unchanged
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx unchanged
role.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
service/ingress-nginx-controller-admission created
service/ingress-nginx-controller created
deployment.apps/ingress-nginx-controller created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission configured
serviceaccount/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission unchanged
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission unchanged
role.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created



[root@master ingress]# kubectl get deploy -n ingress-nginx     #the Deployment ingress-nginx-controller was created
NAME                       READY   UP-TO-DATE   AVAILABLE   AGE
ingress-nginx-controller   1/1     1            1           66m
[root@master ingress]# kubectl get pods -n ingress-nginx    #the Pod ingress-nginx-controller-df78455c8-8jvbf was created
NAME                                       READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-d7lg9       0/1     Completed   0          66m
ingress-nginx-admission-patch-rx6b2        0/1     Completed   1          66m
ingress-nginx-controller-df78455c8-8jvbf   1/1     Running     0          66m
[root@master ingress]# kubectl get svc -n ingress-nginx    #the Service ingress-nginx-controller was created (Service port 80 maps to node port 31614, Service port 443 to node port 32412)
NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.102.37.108    <none>        80:31614/TCP,443:32412/TCP   67m
ingress-nginx-controller-admission   ClusterIP   10.106.209.174   <none>        443/TCP                      67m

(2) Configure: the backend Pods the Ingress will manage + the Service that identifies them

[root@master ~]# cd manifests/
[root@master manifests]# mkdir ingress
[root@master manifests]# cd ingress/

[root@master ingress]# vim deploy-demo.yaml
apiVersion: v1
kind: Service
metadata:
        name: myapp
        namespace: default
spec:
        selector:
                app: myapp
                release: canary
        ports:
        - name: http
          targetPort: 80
          port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
        name: myapp-deploy
        namespace: default
spec:
        replicas: 3 
        selector:
                matchLabels:
                        app: myapp
                        release: canary
        template:
                metadata:
                        labels:
                                app: myapp
                                release: canary
                spec:
                        containers:
                        - name: myapp
                          image: ikubernetes/myapp:v2
                          ports:
                          - name: http
                            containerPort: 80


[root@master ingress]# kubectl apply -f deploy-demo.yaml 


[root@master ingress]# kubectl get svc
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP   20d
myapp        ClusterIP   10.108.99.130   <none>        80/TCP    111s
[root@master ingress]# kubectl get pods
NAME                           READY   STATUS    RESTARTS   AGE
myapp-deploy-559ff5c66-9gx7t   1/1     Running   0          118s
myapp-deploy-559ff5c66-n6r8j   1/1     Running   0          118s
myapp-deploy-559ff5c66-xz65k   1/1     Running   0          118s

(3) Configure the Ingress

[root@master ingress]# kubectl describe svc myapp
Name:              myapp
Namespace:         default
Labels:            <none>
Annotations:       Selector:  app=myapp,release=canary
Type:              ClusterIP
IP:                10.108.99.130
Port:              http  80/TCP
TargetPort:        80/TCP
Endpoints:         10.244.1.85:80,10.244.2.94:80,10.244.2.95:80
Session Affinity:  None
Events:            <none>



[root@master ingress]# vim ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
        name: ingress-myapp
        namespace: default
        annotations:         #this annotation must not be omitted: it declares that the ingress controller for this Ingress is the nginx one, rather than HAProxy or Traefik
                kubernetes.io/ingress.class: "nginx"
spec:
        rules:
        - host: myapp.magedu.com
          http:
               paths:
               - path:
                 backend:
                        serviceName: myapp    #name of the Service defined above
                        servicePort: 80     #port of the Service defined above


[root@master ingress]# kubectl apply -f ingress-myapp.yaml    #fails with the error below
Error from server (InternalError): error when creating "ingress-myapp.yaml": Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post https://ingress-nginx-controller-admission.ingress-nginx.svc:443/extensions/v1beta1/ingresses?timeout=30s: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)


#Workaround used here: ignore the webhook (with failurePolicy Ignore, a webhook the API server cannot reach no longer blocks the request, so Ingress objects are admitted without the controller's validation)
[root@master ~]# kubectl get ValidatingWebhookConfiguration/ingress-nginx-admission -n ingress-nginx
NAME                      WEBHOOKS   AGE
ingress-nginx-admission   1          2d20h
[root@master ~]# kubectl edit ValidatingWebhookConfiguration/ingress-nginx-admission -n ingress-nginx
######the relevant part of the edit view
webhooks:
- admissionReviewVersions:
  - v1beta1
  clientConfig:
    caBundle: ...
    service:
      name: ingress-nginx-controller-admission
      namespace: ingress-nginx
      path: /extensions/v1beta1/ingresses
      port: 443
  failurePolicy: Fail             ##################change to Ignore
  matchPolicy: Exact
  name: validate.nginx.ingress.kubernetes.io


#then re-apply ingress-myapp.yaml
[root@master ingress]# kubectl apply -f ingress-myapp.yaml 
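The error above is the API server timing out while connecting to the admission Service, and switching the webhook to Ignore hides that rather than fixing it: from then on, whenever the webhook is unreachable, every Ingress is admitted without the controller's checks. A defender wants such fail-open webhooks to show up in a review, and wants the policy restored once the Service is reachable again. The following is an added example, not code from the original post or from ingress-nginx: it audits a list of ValidatingWebhookConfiguration objects (constructed inline in the `items` shape `kubectl get validatingwebhookconfigurations -o json` returns, modelled on the object edited above plus a hypothetical `example-policy-webhook`) and produces the JSON patch one would pass to `kubectl patch --type=json` to set `failurePolicy` back to Fail.

```python
"""Audit admission webhooks that fail open and build the patch that restores
them (added example; not code from the original post or from ingress-nginx).
"""
import copy
import json
from typing import List, Tuple

# Constructed input in the `items` shape of `kubectl get validatingwebhookconfigurations -o json`:
# the post's webhook after the edit (Ignore) plus a hypothetical one that is fine.
ITEMS = [
    {"metadata": {"name": "ingress-nginx-admission"},
     "webhooks": [{"name": "validate.nginx.ingress.kubernetes.io",
                   "failurePolicy": "Ignore",
                   "clientConfig": {"service": {"name": "ingress-nginx-controller-admission",
                                                "namespace": "ingress-nginx",
                                                "path": "/extensions/v1beta1/ingresses",
                                                "port": 443}},
                   "rules": [{"apiGroups": ["extensions", "networking.k8s.io"],
                              "resources": ["ingresses"], "operations": ["CREATE", "UPDATE"]}]}]},
    {"metadata": {"name": "example-policy-webhook"},   # hypothetical
     "webhooks": [{"name": "policy.example.invalid", "failurePolicy": "Fail",
                   "clientConfig": {"url": "https://policy.example.invalid/validate"},
                   "rules": [{"apiGroups": [""], "resources": ["pods"], "operations": ["CREATE"]}]}]},
]

Finding = Tuple[str, int, str]  # (configuration name, webhook index, webhook name)


def fail_open_webhooks(items: List[dict]) -> List[Finding]:
    """Every webhook whose failurePolicy is Ignore: when the API server cannot
    reach it, the object is admitted unchecked, so it belongs on a review list."""
    findings = []
    for cfg in items:
        for idx, hook in enumerate(cfg.get("webhooks", [])):
            if hook.get("failurePolicy") == "Ignore":
                findings.append((cfg["metadata"]["name"], idx, hook["name"]))
    return findings


def restore_patch(findings: List[Finding], config_name: str) -> str:
    """RFC 6902 JSON patch setting failurePolicy back to Fail for the flagged
    webhooks of one configuration. Usable as:
    kubectl patch validatingwebhookconfiguration <name> --type=json -p '<patch>'"""
    ops = [{"op": "replace", "path": f"/webhooks/{idx}/failurePolicy", "value": "Fail"}
           for name, idx, _ in findings if name == config_name]
    return json.dumps(ops)


def apply_patch(cfg: dict, patch: str) -> dict:
    """Apply the replace-only patch locally so the fix can be checked before
    kubectl runs; the original object is left untouched."""
    result = copy.deepcopy(cfg)
    for op in json.loads(patch):
        if op["op"] != "replace":
            raise ValueError("only replace ops are produced here")
        parts = op["path"].strip("/").split("/")   # e.g. ["webhooks", "0", "failurePolicy"]
        target = result
        for key in parts[:-1]:
            target = target[int(key)] if isinstance(target, list) else target[key]
        target[parts[-1]] = op["value"]
    return result


if __name__ == "__main__":
    found = fail_open_webhooks(ITEMS)
    print(found)
    print(restore_patch(found, "ingress-nginx-admission"))
```

Before applying the patch, confirm the admission Service is reachable from the API server (for example, that its endpoints are populated and nothing between the control plane and the pod network blocks the port); otherwise the next `kubectl apply` fails with the same timeout.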


[root@master ingress]# kubectl get ingress
NAME            CLASS    HOSTS              ADDRESS    PORTS   AGE
ingress-myapp   <none>   myapp.magedu.com   10.0.2.3   80      9m25s
[root@master ingress]# kubectl describe ingress ingress-myapp
Name:             ingress-myapp
Namespace:        default
Address:          10.0.2.3
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host              Path  Backends
  ----              ----  --------
  myapp.magedu.com  
                       myapp:80 (10.244.1.87:80,10.244.2.96:80,10.244.2.97:80)
Annotations:        kubernetes.io/ingress.class: nginx
Events:
  Type    Reason  Age    From                      Message
  ----    ------  ----   ----                      -------
  Normal  CREATE  9m9s   nginx-ingress-controller  Ingress default/ingress-myapp
  Normal  UPDATE  8m52s  nginx-ingress-controller  Ingress default/ingress-myapp


#Once the Ingress is created it is injected into the ingress controller, that is, it is automatically rendered into nginx configuration. Let's take a look.
[root@master ingress]# kubectl get pods -n ingress-nginx
NAME                                       READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-d7lg9       0/1     Completed   0          28h
ingress-nginx-admission-patch-rx6b2        0/1     Completed   1          28h
ingress-nginx-controller-df78455c8-8jvbf   1/1     Running     1          28h

[root@master ingress]# kubectl exec -it ingress-nginx-controller-df78455c8-8jvbf -n ingress-nginx -- /bin/sh
/etc/nginx $ ls
fastcgi.conf            koi-utf                 modsecurity             owasp-modsecurity-crs   uwsgi_params.default
fastcgi.conf.default    koi-win                 modules                 scgi_params             win-utf
fastcgi_params          lua                     nginx.conf              scgi_params.default
fastcgi_params.default  mime.types              nginx.conf.default      template
geoip                   mime.types.default      opentracing.json        uwsgi_params

/etc/nginx $ cat nginx.conf
...
 ## start server myapp.magedu.com
        server {
                server_name myapp.magedu.com ;
                
                listen 80  ;
                listen 443  ssl http2 ;
                
                set $proxy_upstream_name "-";
                
                ssl_certificate_by_lua_block {
                        certificate.call()
                }
                
                location / {
                        
                        set $namespace      "default";
                        set $ingress_name   "ingress-myapp";
                        set $service_name   "myapp";
                        set $service_port   "80";
                        set $location_path  "/";

(4) Test

#On master, node01 and node02, add name resolution for myapp.magedu.com. Note that nginx routes on the host name myapp.magedu.com, so the name must resolve; the service cannot be reached by IP address alone.
[root@master ~]# vim /etc/hosts     
10.0.2.3    node01 myapp.magedu.com
10.0.2.4    node02 myapp.magedu.com


[root@node01 ~]# vim /etc/hosts     
10.0.2.3    node01 myapp.magedu.com
10.0.2.4    node02 myapp.magedu.com


[root@node02 ~]# vim /etc/hosts     
10.0.2.3    node01 myapp.magedu.com
10.0.2.4    node02 myapp.magedu.com



#Test on master, node01 and node02: the requests are round-robined automatically, as defined in the nginx configuration
[root@master ingress]# while true; do curl myapp.magedu.com:31614/hostname.html; sleep 3; done      
myapp-deploy-559ff5c66-wllw7
myapp-deploy-559ff5c66-8rcgw
myapp-deploy-559ff5c66-wllw7
myapp-deploy-559ff5c66-vrwts


[root@node01 ~]# while true; do curl myapp.magedu.com:31614/hostname.html; sleep 3; done
myapp-deploy-559ff5c66-wllw7
myapp-deploy-559ff5c66-8rcgw
myapp-deploy-559ff5c66-wllw7
myapp-deploy-559ff5c66-vrwts


[root@node02 ~]# while true; do curl myapp.magedu.com:31614/hostname.html; sleep 3; done
myapp-deploy-559ff5c66-8rcgw
myapp-deploy-559ff5c66-vrwts
myapp-deploy-559ff5c66-wllw7



[root@master ingress]# kubectl get pods      #the names seen above are exactly these three Pods
NAME                           READY   STATUS    RESTARTS   AGE
myapp-deploy-559ff5c66-8rcgw   1/1     Running   0          132m
myapp-deploy-559ff5c66-vrwts   1/1     Running   0          132m
myapp-deploy-559ff5c66-wllw7   1/1     Running   0          132m

 

2. Deploying two services

(1) Configure: the backend Pods the Ingress will manage + the Service that identifies them (adding the Tomcat Service and Pod resources on top of section 1)

[root@master ingress]# vim tomcat-deploy.yaml 
apiVersion: v1
kind: Service
metadata:
        name: tomcat
        namespace: default
spec:
        selector:
                app: tomcat
                release: canary
        ports:
        - name: http
          targetPort: 8080
          port: 8080
        - name: ajp
          targetPort: 8009
          port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
        name: tomcat-deploy
        namespace: default
spec:
        replicas: 3 
        selector:
                matchLabels:
                        app: tomcat
                        release: canary
        template:
                metadata:
                        labels:
                                app: tomcat
                                release: canary
                spec:
                        containers:
                        - name: tomcat
                          image: tomcat:8.5.32-jre8-alpine
                          ports:
                          - name: http
                            containerPort: 8080
                          - name: ajp
                            containerPort: 8009  



[root@master ingress]# kubectl apply -f tomcat-deploy.yaml 


[root@master ingress]# kubectl get pods 
NAME                             READY   STATUS    RESTARTS   AGE
myapp-deploy-559ff5c66-8rcgw     1/1     Running   1          6h22m
myapp-deploy-559ff5c66-vrwts     1/1     Running   1          6h22m
myapp-deploy-559ff5c66-wllw7     1/1     Running   1          6h22m
tomcat-deploy-6c57d89947-92d7z   1/1     Running   0          5m17s
tomcat-deploy-6c57d89947-fpnvh   1/1     Running   0          5m17s
tomcat-deploy-6c57d89947-mq6cr   1/1     Running   0          5m17s
[root@master ingress]# kubectl exec tomcat-deploy-6c57d89947-92d7z -- netstat -antulpe    #check that Tomcat is listening on ports 8080 and 8009
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1/java
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      1/java
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      1/java

(2) Configure the Ingress (adding the Tomcat Ingress resource on top of section 1)

  • Instead of writing a separate ingress-tomcat.yaml, the rule could also be added directly to ingress-myapp.yaml
[root@master ingress]# vim ingress-tomcat.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
        name: ingress-tomcat
        namespace: default
        annotations:
                kubernetes.io/ingress.class: "nginx"
spec:
        rules:
        - host: tomcat.magedu.com
          http:
               paths:
               - path:
                 backend:
                        serviceName: tomcat
                        servicePort: 8080




[root@master ingress]# kubectl apply -f ingress-tomcat.yaml 
ingress.extensions/ingress-tomcat created




[root@master ingress]# kubectl get ingress   
NAME             CLASS    HOSTS               ADDRESS    PORTS   AGE
ingress-myapp    <none>   myapp.magedu.com    10.0.2.3   80      2m12s
ingress-tomcat   <none>   tomcat.magedu.com              80      52s



[root@master ingress]# kubectl describe ingress ingress-tomcat
Name:             ingress-tomcat
Namespace:        default
Address:          10.0.2.3
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host               Path  Backends
  ----               ----  --------
  tomcat.magedu.com  
                        tomcat:8080 (10.244.1.95:8080,10.244.1.96:8080,10.244.2.108:8080)
Annotations:         kubernetes.io/ingress.class: nginx
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  55s   nginx-ingress-controller  Ingress default/ingress-tomcat
  Normal  UPDATE  4s    nginx-ingress-controller  Ingress default/ingress-tomcat





#Once the Ingress is created it is injected into the ingress controller, that is, it is automatically rendered into nginx configuration. Let's take a look.
[root@master ingress]# kubectl get pods -n ingress-nginx
NAME                                       READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-d7lg9       0/1     Completed   0          47h
ingress-nginx-admission-patch-rx6b2        0/1     Completed   1          47h
ingress-nginx-controller-df78455c8-8jvbf   1/1     Running     3          47h


[root@master ingress]# kubectl exec -it ingress-nginx-controller-df78455c8-8jvbf -n ingress-nginx -- /bin/sh 
/etc/nginx $ cat nginx.conf
## start server myapp.magedu.com       #the host name myapp.magedu.com configured earlier
        server {
                server_name myapp.magedu.com ;
                
                listen 80  ;
                listen 443  ssl http2 ;
                
                set $proxy_upstream_name "-";
                
                ssl_certificate_by_lua_block {
                        certificate.call()
                }
                
                location / {
                        
                        set $namespace      "default";
                        set $ingress_name   "ingress-myapp";
                        set $service_name   "myapp";
                        set $service_port   "80";
                        set $location_path  "/";
## start server tomcat.magedu.com     #the host name tomcat.magedu.com configured this time
        server {
                server_name tomcat.magedu.com ;
                
                listen 80  ;
                listen 443  ssl http2 ;
                
                set $proxy_upstream_name "-";
                
                ssl_certificate_by_lua_block {
                        certificate.call()
                }
                
                location / {
                        
                        set $namespace      "default";
                        set $ingress_name   "ingress-tomcat";
                        set $service_name   "tomcat";
                        set $service_port   "8080";
                        set $location_path  "/";

(3) Test

#On master, node01 and node02, add name resolution for tomcat.magedu.com. Note that nginx routes on the host name tomcat.magedu.com, so the name must resolve; the service cannot be reached by IP address alone.
[root@master ~]# vim /etc/hosts     
10.0.2.3    node01 myapp.magedu.com tomcat.magedu.com
10.0.2.4    node02 myapp.magedu.com tomcat.magedu.com


[root@node01 ~]# vim /etc/hosts     
10.0.2.3    node01 myapp.magedu.com tomcat.magedu.com
10.0.2.4    node02 myapp.magedu.com tomcat.magedu.com


[root@node02 ~]# vim /etc/hosts     
10.0.2.3    node01 myapp.magedu.com tomcat.magedu.com
10.0.2.4    node02 myapp.magedu.com tomcat.magedu.com



[root@master ~]# curl tomcat.magedu.com:31614



<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8" />
        <title>Apache Tomcat/8.5.32</title>
        <link href="favicon.ico" rel="icon" type="image/x-icon" />
        <link href="favicon.ico" rel="shortcut icon" type="image/x-icon" />
        <link href="tomcat.css" rel="stylesheet" type="text/css" />
    </head>
...


[root@node01 ~]# curl tomcat.magedu.com:31614



<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8" />
        <title>Apache Tomcat/8.5.32</title>
        <link href="favicon.ico" rel="icon" type="image/x-icon" />
        <link href="favicon.ico" rel="shortcut icon" type="image/x-icon" />
        <link href="tomcat.css" rel="stylesheet" type="text/css" />
    </head>
...

[root@node02 ~]# curl tomcat.magedu.com:31614



<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8" />
        <title>Apache Tomcat/8.5.32</title>
        <link href="favicon.ico" rel="icon" type="image/x-icon" />
        <link href="favicon.ico" rel="shortcut icon" type="image/x-icon" />
        <link href="tomcat.css" rel="stylesheet" type="text/css" />
    </head>
...

 

3. Switching access to HTTPS

  • HTTPS virtual host: the nginx virtual host must be an SSL virtual host (it needs a certificate and private key, and both must be in a specific format before they can be handed to the Ingress)

(1) Create a certificate and private key and wrap them in a dedicated object (a Secret)

#1. Create the private key and certificate
[root@master ~]# openssl genrsa -out tls.key 2048    #create the private key
Generating RSA private key, 2048 bit long modulus
...............................+++
...........................+++
e is 65537 (0x10001)
[root@master ~]# ls tls.key 
tls.key
[root@master ~]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/O=Devops/CN=tomcat.magedu.com     #create a self-signed certificate. The final CN=tomcat.magedu.com is crucial (it sets the name carried in the certificate, which must match the host name)
[root@master ~]# ls tls.crt 
tls.crt



#2. The certificate above cannot be injected into the ingress controller directly, so it is first converted into a special format (a Secret, a standard Kubernetes object). A Secret can be injected straight into a Pod and referenced by the ingress controller.
[root@master ~]# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
secret/tomcat-ingress-secret created
[root@master ~]# kubectl get secret
NAME                    TYPE                                  DATA   AGE
default-token-779gg     kubernetes.io/service-account-token   3      27d
tomcat-ingress-secret   kubernetes.io/tls                     2      9s
[root@master ~]# kubectl describe secret tomcat-ingress-secret
Name:         tomcat-ingress-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  1245 bytes
tls.key:  1675 bytes

(2) Configure a Tomcat Ingress that serves TLS

[root@master ~]# kubectl explain ingress.spec
    tls  <[]Object>



[root@master ~]# kubectl explain ingress.spec.tls
    hosts        <[]string>
    secretName   <string>




[root@master ingress]# vim ingress-tomcat-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
        name: ingress-tomcat-tls
        namespace: default
        annotations:
                kubernetes.io/ingress.class: "nginx"
spec:
        tls:
        - hosts:
                - tomcat.magedu.com
          secretName: tomcat-ingress-secret
        rules:
        - host: tomcat.magedu.com
          http:
               paths:
               - path:
                 backend:
                        serviceName: tomcat
                        servicePort: 8080



[root@master ingress]# kubectl apply -f ingress-tomcat-tls.yaml 



[root@master ingress]# kubectl get ingress   
NAME             CLASS    HOSTS               ADDRESS    PORTS   AGE
ingress-myapp    <none>   myapp.magedu.com    10.0.2.3   80      2m12s
ingress-tomcat   <none>   tomcat.magedu.com              80      52s
ingress-tomcat-tls   <none>   tomcat.magedu.com                    10.0.2.3   80, 443   58s


[root@master ingress]# kubectl get ingress
NAME                 CLASS    HOSTS                                ADDRESS    PORTS     AGE
ingress-myapp        <none>   myapp.magedu.com,tomcat.magedu.com   10.0.2.3   80        5d1h
ingress-tomcat-tls   <none>   tomcat.magedu.com                    10.0.2.3   80, 443   58s
[root@master ingress]# kubectl describe ingress ingress-tomcat-tls
Name:             ingress-tomcat-tls
Namespace:        default
Address:          10.0.2.3
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  tomcat-ingress-secret terminates tomcat.magedu.com
Rules:
  Host               Path  Backends
  ----               ----  --------
  tomcat.magedu.com  
                        tomcat:8080 (10.244.1.98:8080,10.244.1.99:8080,10.244.2.109:8080)
Annotations:         kubernetes.io/ingress.class: nginx
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  101s  nginx-ingress-controller  Ingress default/ingress-tomcat-tls
  Normal  UPDATE  90s   nginx-ingress-controller  Ingress default/ingress-tomcat-tls




[root@master ingress]# kubectl get pods -n ingress-nginx
NAME                                       READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-d7lg9       0/1     Completed   0          7d1h
ingress-nginx-admission-patch-rx6b2        0/1     Completed   1          7d1h
ingress-nginx-controller-df78455c8-8jvbf   1/1     Running     4          7d1h

(3)测试

[root@master ingress]# kubectl get svc -n ingress-nginx    #access through port 32412
NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.102.37.108    <none>        80:31614/TCP,443:32412/TCP   7d2h
ingress-nginx-controller-admission   ClusterIP   10.106.209.174   <none>        443/TCP                      7d2h



[root@node01 ~]#  curl https://tomcat.magedu.com:32412
...
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.


[root@node01 ~]#  curl https://tomcat.magedu.com:32412 --insecure   #the -k or --insecure flag gets past this
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8" />
        <title>Apache Tomcat/8.5.32</title>
        <link href="favicon.ico" rel="icon" type="image/x-icon" />
        <link href="favicon.ico" rel="shortcut icon" type="image/x-icon" />
        <link href="tomcat.css" rel="stylesheet" type="text/css" />
    </head>
...
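The point of `CN=tomcat.magedu.com` above is that the certificate in the Secret has to cover every host the Ingress terminates TLS for; if it does not, the controller cannot present a valid certificate for that host and clients are right to refuse. The following is an added example, not code from the original post or from ingress-nginx: it checks an Ingress (constructed inline in the shape `kubectl get ingress -o json` returns, mirroring ingress-tomcat-tls.yaml) against decoded certificates constructed in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns (the standard library has no X.509 parser, so the certificates are built by hand rather than read from tls.crt). It prefers subjectAltName entries and falls back to the CN only when the certificate has no SAN, which is what the `openssl req -x509 -subj ...` command above produces.

```python
"""Check that a TLS Secret's certificate covers an Ingress's TLS hosts
(added example; not code from the original post or from ingress-nginx)."""
from typing import List

# Constructed Ingress, mirroring ingress-tomcat-tls.yaml.
INGRESS = {
    "metadata": {"name": "ingress-tomcat-tls", "namespace": "default"},
    "spec": {"tls": [{"hosts": ["tomcat.magedu.com"], "secretName": "tomcat-ingress-secret"}],
             "rules": [{"host": "tomcat.magedu.com", "http": {"paths": [
                 {"path": "", "backend": {"serviceName": "tomcat", "servicePort": 8080}}]}}]},
}

# Constructed decoded certificates in getpeercert() shape.
CERT_CN_ONLY = {   # what the post's openssl req -x509 -subj ... produces: a CN and no SAN
    "subject": ((("countryName", "CN"),), (("stateOrProvinceName", "Beijing"),),
                (("organizationName", "Devops"),), (("commonName", "tomcat.magedu.com"),)),
}
CERT_WILDCARD = {"subject": ((("commonName", "magedu.com"),),),
                 "subjectAltName": (("DNS", "*.magedu.com"),)}
CERT_WRONG_HOST = {"subject": ((("commonName", "tomcat.magedu.com"),),),   # CN right, SAN wrong
                   "subjectAltName": (("DNS", "myapp.magedu.com"),)}


def cert_dns_names(cert: dict) -> List[str]:
    """Names the certificate is valid for: SAN DNS entries when present,
    otherwise the CN fallback (which current browsers no longer accept)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def name_matches(host: str, pattern: str) -> bool:
    """RFC 6125 style match: one leading wildcard label covers exactly one label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        h, p = host.split("."), pattern.split(".")
        return len(h) == len(p) and h[1:] == p[1:] and h[0] != ""
    return host == pattern


def uncovered_hosts(ingress: dict, cert: dict) -> List[str]:
    """Hosts in spec.tls that the certificate does not cover."""
    names = cert_dns_names(cert)
    hosts = [h for entry in ingress["spec"].get("tls", []) for h in entry.get("hosts", [])]
    return [h for h in hosts if not any(name_matches(h, n) for n in names)]


def tls_hosts_without_rule(ingress: dict) -> List[str]:
    """spec.tls hosts that no rule routes: TLS would terminate but nothing is served."""
    rule_hosts = {r.get("host") for r in ingress["spec"].get("rules", [])}
    hosts = [h for entry in ingress["spec"].get("tls", []) for h in entry.get("hosts", [])]
    return [h for h in hosts if h not in rule_hosts]


if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("wildcard SAN", CERT_WILDCARD),
                        ("wrong SAN", CERT_WRONG_HOST)):
        print(label, "uncovered:", uncovered_hosts(INGRESS, cert))
    print("tls hosts without rule:", tls_hosts_without_rule(INGRESS))
```

For the test step itself, a self-signed certificate does not need `--insecure`: because tls.crt is its own trust anchor, `curl --cacert tls.crt https://tomcat.magedu.com:32412` verifies the chain and the host name, and `--resolve tomcat.magedu.com:32412:10.0.2.3` can stand in for the /etc/hosts edits on a machine where you would rather not change them.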