最近学习k8s遇到很多问题,建了一个qq群:153144292,交流devops、k8s、docker等
一、什么是Ingress?
从前面的学习,我们可以了解到Kubernetes暴露服务的方式目前只有三种:LoadBlancer Service、ExternalName、NodePort Service、Ingress;
而我们需要将集群内服务提供外界访问就会产生以下几个问题:
1、Pod 漂移问题
2、端口管理问题
3、域名分配及动态更新问题
Ingress 简单的理解就是你原来需要改 Nginx 配置,然后配置各种域名对应哪个 Service,现在把这个动作
抽象出来,变成一个 Ingress 对象,你可以用 yaml 创建,每次不要去改 Nginx 了,直接改 yaml 然后创
建/更新就行了;那么问题来了:”Nginx 该怎么处理?”
Ingress Controller 这东西就是解决 “Nginx 的处理方式” 的;Ingress Controoler 通过与 Kubernetes API
交互,动态的去感知集群中 Ingress 规则变化,然后读取他,按照他自己模板生成一段 Nginx 配置,再写到
Nginx Pod 里,最后 reload 一下,
实际上Ingress也是Kubernetes API的标准资源类型之一,它其实就是一组基于DNS名称(host)或URL路径把请
求转发到指定的Service资源的规则。用于将集群外部的请求流量转发到集群内部完成的服务发布。我们需要明白的
是,Ingress资源自身不能进行“流量穿透”,仅仅是一组规则的集合,这些集合规则还需要其他功能的辅助,比如监
听某套接字,然后根据这些规则的匹配进行路由转发,这些能够为Ingress资源监听套接字并将流量转发的组件就是
Ingress Controller。
PS:Ingress 控制器不同于Deployment 控制器的是,Ingress控制器不直接运行为kube-controller-manager的
一部分,它仅仅是Kubernetes集群的一个附件,类似于CoreDNS,需要在集群上单独部署。
为了7层访问的需要。绕过service直接访问到pod,当然service这里用作分组的,调度的时候直达pod。
nginx
Traefik
Envoy
Ingress资源:前端Ingress、后端Ingress-Controller
Ingress也是标准的k8s资源。
=========================
二、如何创建Ingress资源
Ingress资源时基于HTTP虚拟主机或URL的转发规则,需要强调的是,这是一条转发规则。它在资源配置清单中的spec字
段中嵌套了rules、backend和tls等字段进行定义。如下示例中定义了一个Ingress资源,其包含了一个转发规则:将发往
myapp.magedu.com的请求,代理给一个名字为myapp的Service资源。
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-myapp
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: myapp.magedu.com
http:
paths:
- path:
backend:
serviceName: myapp
servicePort: 80
Ingress 中的spec字段是Ingress资源的核心组成部分,主要包含以下3个字段:
rules:用于定义当前Ingress资源的转发规则列表;由rules定义规则,或没有匹配到规则时,所有的流量会转发到由backend定义的默认后端。
backend:默认的后端用于服务那些没有匹配到任何规则的请求;定义Ingress资源时,必须要定义backend或rules两者之一,该字段用于让负载均衡器指定一个全局默认的后端。
tls:TLS配置,目前仅支持通过默认端口443提供服务,如果要配置指定的列表成员指向不同的主机,则需要通过SNI TLS扩展机制来支持该功能。
backend对象的定义由2个必要的字段组成:serviceName和servicePort,分别用于指定流量转发的后端目标Service资源名称和端口。
rules对象由一系列的配置的Ingress资源的host规则组成,这些host规则用于将一个主机上的某个URL映射到相关后端Service对象,其定义格式如下:
spec:
rules:
- hosts: <string>
http:
paths:
- path:
backend:
serviceName: <string>
servicePort: <string>
需要注意的是,.spec.rules.host属性值,目前暂不支持使用IP地址定义,也不支持IP:Port的格式,该字段留空,代表着通配所有主机名。
tls对象由2个内嵌的字段组成,仅在定义TLS主机的转发规则上使用。
hosts: 包含 于 使用 的 TLS 证书 之内 的 主机 名称 字符串 列表, 因此, 此处 使用 的 主机 名 必须 匹配 tlsSecret 中的 名称。
secretName: 用于 引用 SSL 会话 的 secret 对象 名称, 在 基于 SNI 实现 多 主机 路 由 的 场景 中, 此 字段 为 可选。
========================
三、Ingress资源类型
Ingress的资源类型有以下4种:
1、单Service资源型Ingress
2、基于URL路径进行流量转发
3、基于主机名称的虚拟主机
4、TLS类型的Ingress资源
1、单Service资源型Ingress
暴露单个服务的方法有多种,如NodePort、LoadBanlancer等等,当然也可以使用Ingress来进行暴露单个服务,
只需要为Ingress指定default backend即可,如下示例:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: my-ingress
spec:
backend:
serviceName: my-svc
servicePort: 80
Ingress控制器会为其分配一个IP地址接入请求流量,并将其转发至后端my-svc
书上这块举例,只是说明。
=========================
四、Ingress Nginx部署
使用Ingress功能步骤:
1、安装部署ingress controller Pod
2、部署后端服务
3、部署ingress-nginx service
4、部署ingress
从前面的描述我们知道,Ingress 可以使用 yaml 的方式进行创建,从而得知 Ingress 也是标准的 K8S 资源,其定义的方式,
也可以使用 explain 进行查看:
[root@master ingress-nginx]# kubectl explain ingress
KIND: Ingress
VERSION: extensions/v1beta1
DESCRIPTION:
Ingress is a collection of rules that allow inbound connections to reach
the endpoints defined by a backend. An Ingress can be configured to give
services externally-reachable urls, load balance traffic, terminate SSL,
offer name based virtual hosting etc.
FIELDS:
apiVersion <string>
APIVersion defines the versioned schema of this representation of an
object. Servers should convert recognized schemas to the latest internal
value, and may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#resources
kind <string>
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
metadata <Object>
Standard object's metadata. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
spec <Object>
Spec is the desired state of the Ingress. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
status <Object>
Status is the current state of the Ingress. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
1、下载ingress相关的yaml
ingress-nginx在github上的地址:https://github.com/kubernetes/ingress-nginx
可以直接下载所有工程包
也可以
[root@master ingress-nginx]# for file in namespace.yaml configmap.yaml rbac.yaml tcp-services-configmap.yaml with-rbac.yaml udp-services-configmap.yaml default-backend.yaml;do wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/$file;done
-rw-r--r-- 1 root root 199 Sep 29 22:45 configmap.yaml #configmap用于为nginx从外部注入配置的
-rw-r--r-- 1 root root 1583 Sep 29 22:45 default-backend.yaml #配置默认后端服务
-rw-r--r-- 1 root root 69 Sep 29 22:45 namespace.yaml #创建独立的名称空间
-rw-r--r-- 1 root root 2866 Sep 29 22:45 rbac.yaml #rbac用于集群角色授权
这里尴尬,版本好像不太一样,书上推荐是是下载一个自动的
[root@master ingress-nginx]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
namespace/ingress-nginx created
configmap/nginx-configuration created
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
deployment.apps/nginx-ingress-controller created
[root@master ingress-nginx]# kubectl get pod -n ingress-nginx -w
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-797b884cbc-qjk9p 0/1 ContainerCreating 0 9m26s
这里貌似尴尬了
[root@master ingress-nginx]# kubectl describe pods nginx-ingress-controller-797b884cbc-whphv -n ingress-nginx
。。。。。。。。。。。
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 2m33s default-scheduler Successfully assigned ingress-nginx/nginx-ingress-controller-797b884cbc-whphv to node01
Normal Pulling 2m32s kubelet, node01 pulling image "quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0"
这里比较慢,第二天早上到公司一看可以了
[root@master ~]# kubectl get pod -n ingress-nginx -w
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-797b884cbc-whphv 1/1 Running 0 23h
这里跟网上其他同学的不太一样,有的这里结果是两个pod,一个backend,新版本说是没必要
2、部署后端服务
(1)查看ingress的配置清单选项
[root@master ingress-nginx]# kubectl explain ingress.spec
KIND: Ingress
VERSION: extensions/v1beta1
RESOURCE: spec <Object>
DESCRIPTION:
Spec is the desired state of the Ingress. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
IngressSpec describes the Ingress the user wishes to exist.
FIELDS:
backend <Object>
A default backend capable of servicing requests that don't match any rule.
At least one of 'backend' or 'rules' must be specified. This field is
optional to allow the loadbalancer controller or defaulting logic to
specify a global default.
rules <[]Object>
A list of host rules used to configure the Ingress. If unspecified, or no
rule matches, all traffic is sent to the default backend.
tls <[]Object>
TLS configuration. Currently the Ingress only supports a single TLS port,
443. If multiple members of this list specify different hosts, they will be
multiplexed on the same port according to the hostname specified through
the SNI TLS extension, if the ingress controller fulfilling the ingress
supports SNI.
(2)部署后端服务
[root@master ingress-nginx]# cd ../mainfests/
[root@master mainfests]# mkdir ingress && cd ingress
[root@master ingress]# cp ../deploy-demo.yaml .
[root@master ingress]# vim deploy-demo.yaml
#创建service为myapp
apiVersion: v1
kind: Service
metadata:
name: myapp
namespace: default
spec:
selector:
app: myapp
release: canary
ports:
- name: http
targetPort: 80
port: 80
---
#创建后端服务的pod
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp-backend-pod
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: myapp
release: canary
template:
metadata:
labels:
app: myapp
release: canary
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v2
ports:
- name: http
containerPort: 80
[root@master manifests]# kubectl apply -f deploy-demo.yaml
service/myapp created
deployment.apps/myapp-backend-pod created
(3)查看新建的后端服务pod
[root@master ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
liveness-httpget-pod 1/1 Running 1 8d
myapp-backend-pod-69dc8c7655-pqwk8 1/1 Running 0 24s
myapp-backend-pod-69dc8c7655-sgpw6 1/1 Running 0 24s
myapp-backend-pod-69dc8c7655-v4jvx 1/1 Running 0 24s
myapp-deploy-69dc8c7655-jkkwv 1/1 Running 0 3d7h
myapp-deploy-69dc8c7655-q97jc 1/1 Running 0 3d7h
myapp-deploy-69dc8c7655-sldk8 1/1 Running 0 3d7h
myapp-deploy-69dc8c7655-v9dvc 1/1 Running 0 3d7h
myapp-deploy-69dc8c7655-x5qth 1/1 Running 0 3d7h
nginx-7849c4bbcd-dscjr 1/1 Running 0 11d
nginx-7849c4bbcd-vdd45 1/1 Running 0 11d
nginx-7849c4bbcd-wrvks 1/1 Running 0 11d
nginx-deploy-84cbfc56b6-mjcw5 1/1 Running 0 11d
3、部署ingress-nginx service
通过ingress-controller对外提供服务,现在还需要手动给ingress-controller建立一个service,接收集群外部流量。方法如下:
(1)下载ingress-controller的yaml文件
[root@k8s-master ingress]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml
[root@k8s-master ingress]# vim service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
name: ingress-nginx
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
type: NodePort
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP
nodePort: 30080
- name: https
port: 443
targetPort: 443
protocol: TCP
nodePort: 30443
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---
(2)创建ingress-controller的service,并测试访问
[root@master ingress]# kubectl apply -f service-nodeport.yaml
service/ingress-nginx created
[root@master manifests]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.103.46.45 <none> 80:30080/TCP,443:30443/TCP 17s
此时访问:http://10.249.6.101:30080/
此时应该是404 ,调度器是正常工作的,但是后端服务没有关联
这时候我们查看ingress配置
kubectl -n ingress-nginx exec nginx-ingress-controller-797b884cbc-whphv -- cat /etc/nginx/nginx.conf
4、部署ingress
(1)编写ingress的配置清单
[root@k8s-master ingress]# vim ingress-myapp.yaml
apiVersion: extensions/v1beta1 #api版本
kind: Ingress #清单类型
metadata: #元数据
name: ingress-myapp #ingress的名称
namespace: default #所属名称空间
annotations: #注解信息
kubernetes.io/ingress.class: "nginx"
spec: #规格
rules: #定义后端转发的规则
- host: myapp.magedu.com #通过域名进行转发
http:
paths:
- path: #配置访问路径,如果通过url进行转发,需要修改;空默认为访问的路径为"/"
backend: #配置后端服务
serviceName: myapp
servicePort: 80
[root@master ~]# vim ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-myapp
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: myapp.magedu.com
http:
paths:
- path:
backend:
serviceName: myapp
servicePort: 80
[root@master ~]# kubectl apply -f ingress-myapp.yaml
ingress.extensions/ingress-myapp created
[root@master ~]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
ingress-myapp myapp.magedu.com 80 7s
(2)查看ingress-myapp的详细信息
[root@master ~]# kubectl describe ingress ingress-myapp
Name: ingress-myapp
Namespace: default
Address:
Default backend: default-http-backend:80 (<none>)
Rules:
Host Path Backends
---- ---- --------
myapp.magedu.com
myapp:80 (<none>)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"ingress-myapp","namespace":"default"},"spec":{"rules":[{"host":"myapp.magedu.com","http":{"paths":[{"backend":{"serviceName":"myapp","servicePort":80},"path":null}]}}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 14s nginx-ingress-controller Ingress default/ingress-myapp
[root@master ~]# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-797b884cbc-whphv 1/1 Running 0 24h
(3)进入nginx-ingress-controller进行查看是否注入了nginx的配置
[root@master ~]# kubectl -n ingress-nginx exec nginx-ingress-controller-797b884cbc-whphv -- cat /etc/nginx/nginx.conf 直接看或者,
[root@master ingress]# kubectl exec -n ingress-nginx -it nginx-ingress-controller-797b884cbc-whphv -- /bin/bash 进容器看
## start server myapp.magedu.com
server {
server_name myapp.magedu.com ;
listen 80;
set $proxy_upstream_name "-";
location / {
set $namespace "default";
set $ingress_name "ingress-myapp";
set $service_name "myapp";
set $service_port "80";
set $location_path "/";
rewrite_by_lua_block {
balancer.rewrite()
}
......
(4)修改本地host文件,进行访问
10.249.6.101 myapp.magedu.com
10.249.6.102 myapp.magedu.com
http://myapp.magedu.com:30080/
这里我到nginx里改了一下,看效果
四、增加tomcat服务
(1)编写tomcat的配置清单文件
[root@master ingress]# cp deploy-demo.yaml tomcat-demo.yaml
[root@master manifests]# cat tomcat-demo.yaml
#创建service为myapp
apiVersion: v1
kind: Service
metadata:
name: tomcat
namespace: default
spec:
selector:
app: tomcat
release: canary
ports:
- name: http
targetPort: 8080
port: 8080
---
#创建后端服务的pod
apiVersion: apps/v1
kind: Deployment
metadata:
name: tomcat-backed
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: tomcat
release: canary
template:
metadata:
labels:
app: tomcat
release: canary
spec:
containers:
- name: tomcat
image: tomcat:8.5.34-jre8-alpine
ports:
- name: http
containerPort: 8080
name: ajp
containerPort: 8009
[root@master manifests]# kubectl apply -f tomcat-demo.yaml
service/tomcat created
deployment.apps/tomcat-backed create
[root@master manifests]# kubectl get pods
NAME READY STATUS RESTARTS AGE
liveness-httpget-pod 1/1 Running 1 8d
myapp-backend-pod-69dc8c7655-pqwk8 1/1 Running 0 36m
myapp-backend-pod-69dc8c7655-sgpw6 1/1 Running 0 36m
myapp-backend-pod-69dc8c7655-v4jvx 1/1 Running 0 36m
myapp-deploy-69dc8c7655-jkkwv 1/1 Running 0 3d8h
myapp-deploy-69dc8c7655-q97jc 1/1 Running 0 3d8h
myapp-deploy-69dc8c7655-sldk8 1/1 Running 0 3d8h
myapp-deploy-69dc8c7655-v9dvc 1/1 Running 0 3d8h
myapp-deploy-69dc8c7655-x5qth 1/1 Running 0 3d8h
nginx-7849c4bbcd-dscjr 1/1 Running 0 11d
nginx-7849c4bbcd-vdd45 1/1 Running 0 11d
nginx-7849c4bbcd-wrvks 1/1 Running 0 11d
nginx-deploy-84cbfc56b6-mjcw5 1/1 Running 0 12d
tomcat-backed-64d5bc78f7-b9tlh 1/1 Running 0 16s 这里
tomcat-backed-64d5bc78f7-lv844 1/1 Running 0 16s
tomcat-backed-64d5bc78f7-s62j8 1/1 Running 0 16s
(2)进入tomcat的pod中进行查看是否监听8080和8009端口,并查看tomcat的svc
[root@master manifests]# kubectl exec tomcat-backed-64d5bc78f7-s62j8 -- netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
[root@master manifests]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 13d
myapp ClusterIP 10.104.235.133 <none> 80/TCP 37m
tomcat ClusterIP 10.106.171.107 <none> 8080/TCP 76s 这里
(3)编写tomcat的ingress规则,并创建ingress资源
[root@master ingress]# cp ingress-myapp.yaml ingress-tomcat.yaml
[root@master manifests]# cat ingress-tomcat.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: tomcat
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: tomcat.magedu.com
http:
paths:
- path:
backend:
serviceName: tomcat
servicePort: 8080
[root@master manifests]# kubectl apply -f ingress-tomcat.yaml
ingress.extensions/tomcat created
(4)查看ingress具体信息
[root@master manifests]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
ingress-myapp myapp.magedu.com 80 20m
tomcat tomcat.magedu.com 80 13s
[root@master manifests]# kubectl describe ingress
Name: ingress-myapp
Namespace: default
Address:
Default backend: default-http-backend:80 (<none>)
Rules:
Host Path Backends
---- ---- --------
myapp.magedu.com
myapp:80 (<none>)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"ingress-myapp","namespace":"default"},"spec":{"rules":[{"host":"myapp.magedu.com","http":{"paths":[{"backend":{"serviceName":"myapp","servicePort":80},"path":null}]}}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 20m nginx-ingress-controller Ingress default/ingress-myapp
Name: tomcat
Namespace: default
Address:
Default backend: default-http-backend:80 (<none>)
Rules:
Host Path Backends
---- ---- --------
tomcat.magedu.com
tomcat:8080 (<none>)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"tomcat","namespace":"default"},"spec":{"rules":[{"host":"tomcat.magedu.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 52s nginx-ingress-controller Ingress default/tomcat
[root@master manifests]# kubectl -n ingress-nginx exec nginx-ingress-controller-797b884cbc-whphv -- cat /etc/nginx/nginx.conf
## start server tomcat.magedu.com
server {
server_name tomcat.magedu.com ;
listen 80;
set $proxy_upstream_name "-";
location / {
set $namespace
(5)测试访问:
http://tomcat.magedu.com:30080/
(6)总结
从前面的部署过程中,可以再次进行总结部署的流程如下:
①下载Ingress-controller相关的YAML文件,并给Ingress-controller创建独立的名称空间;
②部署后端的服务,如myapp,并通过service进行暴露;
③部署Ingress-controller的service,以实现接入集群外部流量;
④部署Ingress,进行定义规则,使Ingress-controller和后端服务的Pod组进行关联。
四、构建TLS站点
(1)准备证书
[root@master manifests]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
............+++
e is 65537 (0x10001)
[root@master manifests]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.magedu.com
(2)生成secret
[root@master manifests]# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
secret/tomcat-ingress-secret created
[root@master manifests]# kubectl get secret
NAME TYPE DATA AGE
default-token-6q28w kubernetes.io/service-account-token 3 13d
tomcat-ingress-secret kubernetes.io/tls 2 11s
[root@master manifests]# kubectl describe secret tomcat-ingress-secret
Name: tomcat-ingress-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 1294 bytes
tls.key: 1675 bytes
(3)创建ingress
[root@master ingress]# kubectl explain ingress.spec
[root@master ingress]# kubectl explain ingress.spec.tls
[root@master ingress]# cp ingress-tomcat.yaml ingress-tomcat-tls.yaml
[root@master ingress]# vim ingress-tomcat-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-tomcat-tls
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
tls:
- hosts:
- tomcat.magedu.com
secretName: tomcat-ingress-secret
rules:
- host: tomcat.magedu.com
http:
paths:
- path:
backend:
serviceName: tomcat
servicePort: 8080
[root@master manifests]# kubectl apply -f ingress-tomcat-tls.yaml
ingress.extensions/ingress-tomcat-tls created
[root@master manifests]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
ingress-myapp myapp.magedu.com 80 36m
ingress-tomcat-tls tomcat.magedu.com 80, 443 14s
tomcat tomcat.magedu.com 80 16m
[root@master manifests]# kubectl describe ingress ingress-tomcat-tls
Name: ingress-tomcat-tls
Namespace: default
Address:
Default backend: default-http-backend:80 (<none>)
TLS:
tomcat-ingress-secret terminates tomcat.magedu.com
Rules:
Host Path Backends
---- ---- --------
tomcat.magedu.com
tomcat:8080 (<none>)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"ingress-tomcat-tls","namespace":"default"},"spec":{"rules":[{"host":"tomcat.magedu.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}],"tls":[{"hosts":["tomcat.magedu.com"],"secretName":"tomcat-ingress-secret"}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 36s nginx-ingress-controller Ingress default/ingress-tomcat-tls
[root@master manifests]# kubectl -n ingress-nginx exec nginx-ingress-controller-797b884cbc-whphv -- cat /etc/nginx/nginx.conf
## start server tomcat.magedu.com
server {
server_name tomcat.magedu.com ;
listen 80;
set $proxy_upstream_name "-";
listen 443 ssl http2;
# PEM sha: ac83987fb8efa18962bab408394545be53133d84
ssl_certificate /etc/ingress-controller/ssl/default-tomcat-ingress-secret.pem;
ssl_certificate_key /etc/ingress-controller/ssl/default-tomcat-ingress-secret.pem;
[root@master manifests]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
ingress-myapp myapp.magedu.com 80 38m
ingress-tomcat-tls tomcat.magedu.com 80, 443 2m47s
tomcat tomcat.magedu.com 80 18m
[root@master manifests]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.103.46.45 <none> 80:30080/TCP,443:30443/TCP 55m
(4)访问测试:
https://tomcat.magedu.com:30443
358
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
