Ingress usage example

Ingress concepts

      A Service is a layer-4 proxy (TCP/UDP); it cannot do layer-7 work such as terminating HTTPS or routing by hostname and path.
      LVS likewise forwards on layer-4 data only; it cannot schedule on layer-7 protocol content.

      Ingress Controller
            A Pod running a program that can do layer-7 proxying (nginx on this page).

      Ingress resource
         1. A Service (it may be headless) selects the backend Pods through its label selector; the controller reads that Service's Endpoints, i.e. the Pod IPs, and never proxies through the ClusterIP.
         2. The controller writes those Pod addresses into the upstream blocks of the nginx configuration it generates, then tells nginx to reload the new configuration.

         Pod change > Endpoints of the Service change > Ingress controller notices > controller regenerates the config and reloads nginx

Ingress reverse-proxying to a backend web server

  1. Deploy the backend Pods

# ngx-deploy.yaml: a Service for the myapp Pods plus the Deployment that creates them.
# The Ingress in step 2 names the Service; the controller uses the Service's Endpoints.
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  selector:                 # must match the Pod template labels of the Deployment below
    app: myapp
    release: canary
  ports:
  - name: http
    targetPort: 80          # container port
    port: 80                # Service port referenced by the Ingress (servicePort: 80)
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v2
        ports:
        - name: http
          containerPort: 80

  2. Create the Ingress resource

# ingress-myapp.yaml
# extensions/v1beta1 and the kubernetes.io/ingress.class annotation are what the
# ingress-nginx 0.13.0 cluster on this page accepts. On Kubernetes >= 1.22 the
# Ingress kind is only served by networking.k8s.io/v1, where the backend is written
# as service.name / service.port.number and the class goes in spec.ingressClassName.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"   # only the nginx controller acts on this Ingress
spec:
  rules:
  - host: myapp.yxh.com                    # routing is by the HTTP Host header
    http:
      paths:
      - path: /                            # catch-all for this host
        backend:
          serviceName: myapp               # Service in the same namespace as the Ingress
          servicePort: 80

  3. Create the ingress controller Pod

The ingress-controller Pod is created from the YAML files of the nginx-ingress project downloaded from GitHub (the ingress-nginx-nginx-0.13.0 directory that appears in the ls output later). It runs in its own namespace:

[root@k8s-master ingress]# kubectl get pod -n ingress-nginx
NAME                                        READY     STATUS    RESTARTS   AGE
nginx-ingress-controller-7d4c999994-pn6wt   1/1       Running   0          3d

The ingress-controller is simply a Pod running nginx.
service_nodeport (next step) is the Service in front of that nginx Pod; it is what lets traffic from outside the cluster reach the controller.

  4. Create the service_nodeport configuration

# service_nodeport.yaml: NodePort Service that exposes the controller Pod on every node.
# Port 30080 / 30443 on any node IP then reaches nginx inside the controller Pod.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 30080
  - name: https
    port: 443
    targetPort: 443
    nodePort: 30443
    protocol: TCP
  selector:
    app: ingress-nginx      # label carried by the controller Pod in the 0.13.0 manifests

  5. Edit the hosts file

On the client machine (this is the Windows hosts file), point the two test hostnames at a node IP; any node works because the NodePort is open on all of them:

# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
192.168.11.141      myapp.yxh.com
192.168.11.141      tomcat.yxh.com

6. Access from a browser

Open http://myapp.yxh.com:30080/ (the original page shows a screenshot here). The hosts entry matters: the controller routes on the Host header, so the same request sent to the bare node IP matches no rule and is answered by the controller's default backend instead of myapp.


Ingress HTTPS reverse proxy for Tomcat

  1. Deploy the Tomcat Pods

# tomcat-deploy.yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    targetPort: 8080
    port: 8080              # the Ingress proxies to this port
  - name: ajp               # not used by the Ingress (nginx forwards HTTP, not AJP). Exposing the
    targetPort: 8009        # unauthenticated AJP connector of this Tomcat version is the vector for
    port: 8009              # CVE-2020-1938 (Ghostcat); drop this port unless AJP is really needed
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5.32-jre8-alpine
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009

  2. Create the TLS certificate

Generate a self-signed certificate:

[root@k8s-master ingress]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................................+++
...........................................................................................................+++
e is 65537 (0x10001)
[root@k8s-master ingress]# openssl req -new -x509 -key tls.key -out tls.crt -days 365 -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.yxh.com

The CN must be the hostname that will be typed into the browser (tomcat.yxh.com). Two caveats: without -days the certificate is only valid for 30 days, and current browsers ignore the CN and require the name in a subjectAltName extension; with OpenSSL 1.1.1 or later add -addext "subjectAltName=DNS:tomcat.yxh.com" to the req command.

[root@k8s-master ingress]# ls
ingress-myapp.yaml          ngx-deploy.yaml        tls.crt  tomcat
ingress-nginx-nginx-0.13.0  service_nodeport.yaml  tls.key

Turn the certificate and key into a Secret of type kubernetes.io/tls. The name given here is the one the Ingress references in secretName, and the Secret must live in the Ingress's namespace. kubectl refuses the pair if the key does not match the certificate.
[root@k8s-master ingress]# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key

[root@k8s-master ingress]# kubectl get secret
NAME                    TYPE                                  DATA      AGE
default-token-n87jl     kubernetes.io/service-account-token   3         244d
tomcat-ingress-secret   kubernetes.io/tls                     2         1h

  3. Create the Tomcat TLS Ingress resource

# ingress-tomcat-tls.yaml (same apiVersion caveat as ingress-myapp.yaml)
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.yxh.com                    # must equal the rule host below and the certificate's name
    secretName: tomcat-ingress-secret   # kubernetes.io/tls Secret in the same namespace as the Ingress
  rules:
  - host: tomcat.yxh.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat
          servicePort: 8080

  4. Create the Tomcat HTTP Ingress resource

# ingress-tomcat.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.yxh.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat
          servicePort: 8080

Both Ingress objects use the host tomcat.yxh.com, so the controller merges them into a single nginx server block (the one shown in step 5, listening on both 80 and 443). Because that host has TLS configured, ingress-nginx's default ssl-redirect setting answers plain-HTTP requests with a redirect to HTTPS; set the annotation nginx.ingress.kubernetes.io/ssl-redirect: "false" on the Ingress if HTTP must really be served unencrypted.
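Before applying a set of manifests like the ones above, it is worth checking offline that the objects actually reference each other: the Ingress backend names a Service in the same namespace and one of its ports, the Service selector matches the Deployment's Pod labels, and spec.tls.secretName names a kubernetes.io/tls Secret whose hosts also appear in the rules. The following is an added example (my code, not part of the original page or of ingress-nginx) that does those checks on manifests held as Python dicts in the networking.k8s.io/v1 / apps/v1 / v1 shapes. The embedded manifests are constructed to mirror the page's Tomcat objects, with placeholder PEM bodies rather than a real certificate, and the helper lets a caller mistype the secret name or port so the check has something to report.

```python
"""Cross-reference checks for Service / Deployment / Ingress / Secret manifests.

Added example, not code from the original page or from ingress-nginx. Manifests
are handled as Python dicts in the apps/v1, v1 and networking.k8s.io/v1 shapes,
i.e. what yaml.safe_load() returns for the files on the page.
"""
import base64


def tls_secret(name, cert_pem, key_pem, namespace="default"):
    """Build what `kubectl create secret tls NAME --cert=... --key=...` applies.

    kubectl also verifies that the private key matches the certificate; this
    helper only checks the PEM framing, so keep kubectl (or cryptography) for that.
    """
    if "-----BEGIN CERTIFICATE-----" not in cert_pem or "PRIVATE KEY-----" not in key_pem:
        raise ValueError("cert/key must be PEM encoded")

    def b64(s):
        return base64.b64encode(s.encode()).decode()

    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem)}}


def _key(obj):
    return obj["kind"], obj["metadata"].get("namespace", "default"), obj["metadata"]["name"]


def lint(objects):
    """Return a list of problems (empty when the objects reference each other consistently)."""
    index = {_key(o): o for o in objects}
    problems = []
    for (kind, ns, name), obj in index.items():
        if kind == "Service":
            # A selector that matches no Pod template gives Endpoints with no addresses,
            # so every Ingress backend pointing at this Service would be empty.
            sel = obj["spec"].get("selector", {})
            pods = [d["spec"]["template"]["metadata"].get("labels", {})
                    for (k, n, _), d in index.items() if k == "Deployment" and n == ns]
            if sel and not any(all(l.get(a) == b for a, b in sel.items()) for l in pods):
                problems.append(f"Service {ns}/{name}: selector {sel} matches no Deployment Pod template")
        elif kind == "Ingress":
            rules = obj["spec"].get("rules", [])
            hosts = {r.get("host") for r in rules}
            for rule in rules:
                for path in rule.get("http", {}).get("paths", []):
                    ref = path["backend"]["service"]
                    svc = index.get(("Service", ns, ref["name"]))   # Ingress and Service share a namespace
                    if svc is None:
                        problems.append(f"Ingress {ns}/{name}: backend Service {ref['name']} not found in {ns}")
                        continue
                    port = ref["port"]
                    exposed = {p.get("port") for p in svc["spec"]["ports"]} | {p.get("name") for p in svc["spec"]["ports"]}
                    if port.get("number", port.get("name")) not in exposed:
                        problems.append(f"Ingress {ns}/{name}: Service {ref['name']} has no port {port}")
            for tls in obj["spec"].get("tls", []):
                sec = index.get(("Secret", ns, tls["secretName"]))
                if sec is None:
                    problems.append(f"Ingress {ns}/{name}: TLS secretName {tls['secretName']} not found in {ns}")
                elif sec.get("type") != "kubernetes.io/tls" or not {"tls.crt", "tls.key"} <= set(sec.get("data", {})):
                    problems.append(f"Ingress {ns}/{name}: {tls['secretName']} is not a kubernetes.io/tls Secret")
                for h in tls.get("hosts", []):
                    if h not in hosts:
                        problems.append(f"Ingress {ns}/{name}: TLS host {h} has no matching rule")
    return problems


# Constructed inputs mirroring the page's Tomcat objects (networking.k8s.io/v1 form).
# The PEM bodies are placeholders, not a real certificate or key.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB(placeholder)\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE(placeholder)\n-----END PRIVATE KEY-----\n"


def tomcat_objects(secret_ref="tomcat-ingress-secret", port=8080):
    """Service, Deployment, Secret and Ingress; secret_ref / port let a caller inject mistakes."""
    labels = {"app": "tomcat", "release": "canary"}
    return [
        {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "tomcat", "namespace": "default"},
         "spec": {"selector": labels, "ports": [{"name": "http", "port": 8080, "targetPort": 8080}]}},
        {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "tomcat-deploy", "namespace": "default"},
         "spec": {"replicas": 3, "selector": {"matchLabels": labels},
                  "template": {"metadata": {"labels": labels}, "spec": {"containers": [
                      {"name": "tomcat", "image": "tomcat:8.5.32-jre8-alpine", "ports": [{"containerPort": 8080}]}]}}}},
        tls_secret("tomcat-ingress-secret", FAKE_CERT, FAKE_KEY),
        {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
         "metadata": {"name": "ingress-tomcat-tls", "namespace": "default"},
         "spec": {"ingressClassName": "nginx",
                  "tls": [{"hosts": ["tomcat.yxh.com"], "secretName": secret_ref}],
                  "rules": [{"host": "tomcat.yxh.com", "http": {"paths": [
                      {"path": "/", "pathType": "Prefix",
                       "backend": {"service": {"name": "tomcat", "port": {"number": port}}}}]}}]}},
    ]


if __name__ == "__main__":
    # A mistyped secretName is the kind of slip that only shows up as a TLS error at runtime.
    for p in lint(tomcat_objects("tomcat-ingress-cert")) or ["OK"]:
        print(p)
```

In practice you would feed `lint()` the output of `yaml.safe_load_all()` over the manifest files; the dicts above exist only so the example runs without PyYAML or a cluster.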

 

5. How it works

    Every kubectl apply|delete -f ingress-tomcat-tls.yaml is picked up by the controller, which writes the corresponding server/upstream blocks into nginx's main configuration file and reloads nginx, so the change takes effect immediately.

    The ingress-controller acts as a TLS offloader (the TLS session ends there): the client must speak HTTPS to the controller, but when the controller forwards the request to the Tomcat Pods inside the cluster it uses plain HTTP. Tomcat therefore sees an http:// request coming from the controller's Pod IP; an application that needs the original scheme or client address must read the X-Forwarded-Proto / X-Forwarded-For headers the controller adds (in Tomcat the RemoteIpValve does this), and the controller-to-Pod hop is unencrypted unless something else in the cluster encrypts Pod traffic.

    Location of the controller's nginx configuration (run inside the Pod):   # find /etc -name nginx.conf   ->   /etc/nginx/nginx.conf

    kubectl exec -n ingress-nginx -ti nginx-ingress-controller-7d4c999994-pn6wt -- /bin/sh

    kubectl logs -n ingress-nginx nginx-ingress-controller-7d4c999994-pn6wt | grep error

Generated server block for tomcat.yxh.com from /etc/nginx/nginx.conf in the controller Pod (the excerpt is truncated on the original page). Note that the controller concatenates the Secret's tls.crt and tls.key into one file named <namespace>-<secretName>.pem, which is why ssl_certificate and ssl_certificate_key point at the same path:

    ## start server tomcat.yxh.com
    server {
        server_name tomcat.yxh.com ;
        
        listen 80;
        
        listen [::]:80;
        
        set $proxy_upstream_name "-";
        
        listen 443  ssl http2;
        
        listen [::]:443  ssl http2;
        
        # PEM sha: 8d7a91d9f8445a2e44ca5cef9dcea2c9bf8e7141
        ssl_certificate                         /ingress-controller/ssl/default-tomcat-ingress-secret.pem;
        ssl_certificate_key                     /ingress-controller/ssl/default-tomcat-ingress-secret.pem;
        
        ssl_trusted_certificate                 /ingress-controller/ssl/default-tomcat-ingress-secret-full-chain.pem;
        ssl_stapling                  
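To make the flow described in the concept section and in step 5 concrete (Ingress rules plus Endpoints in, nginx upstream and server blocks out, TLS terminated at the controller and plain HTTP to the Pods), here is an added example of a tiny renderer in the spirit of what the controller's template does. It is my illustration, not ingress-nginx's template engine: the <namespace>-<service>-<port> upstream naming, the X-Forwarded-* headers and the HTTP-to-HTTPS redirect mirror ingress-nginx's behaviour, everything else is simplified, and the input is the page's Tomcat Ingress in networking.k8s.io/v1 form with invented Pod IPs standing in for the Endpoints of Service default/tomcat.

```python
"""Tiny Ingress -> nginx.conf renderer: an added illustration of what the controller
does, not ingress-nginx's real template. Upstream naming, the X-Forwarded-* headers
and the HTTP->HTTPS redirect follow ingress-nginx; everything else is simplified."""


def upstream_name(namespace, service, port):
    """ingress-nginx names upstreams <namespace>-<service>-<port>."""
    return f"{namespace}-{service}-{port}"


def _backends(ingress):
    """Yield (namespace, service, port, host, path) for every backend in the Ingress."""
    ns = ingress["metadata"].get("namespace", "default")
    for rule in ingress["spec"]["rules"]:
        for p in rule["http"]["paths"]:
            svc = p["backend"]["service"]
            yield ns, svc["name"], svc["port"]["number"], rule["host"], p.get("path") or "/"


def render_upstreams(ingress, endpoints):
    """One upstream per backend; its servers are the Pod IPs from Endpoints, not the ClusterIP.
    endpoints maps (namespace, service) -> list of ready Pod IPs."""
    blocks, seen = [], set()
    for ns, svc, port, _, _ in _backends(ingress):
        name = upstream_name(ns, svc, port)
        if name in seen:
            continue
        seen.add(name)
        body = [f"    server {ip}:{port};" for ip in endpoints.get((ns, svc), [])]
        if not body:
            # nginx rejects an empty upstream; the real controller points such a backend
            # at its default backend instead, so clients never reach the application.
            body = ["    # no ready endpoints: controller substitutes its default backend"]
        blocks.append("\n".join([f"upstream {name} {{", *body, "}"]))
    return "\n".join(blocks)


def render_server(ingress, ssl_redirect=True):
    """One server block per host: TLS terminated here, plain HTTP to the upstream."""
    ns = ingress["metadata"].get("namespace", "default")
    secret_for = {h: t["secretName"] for t in ingress["spec"].get("tls", []) for h in t["hosts"]}
    out = []
    for rule in ingress["spec"]["rules"]:
        host = rule["host"]
        s = ["server {", f"    server_name {host};", "    listen 80;"]
        if host in secret_for:
            # the controller writes tls.crt + tls.key of the Secret into one pem file
            pem = f"/ingress-controller/ssl/{ns}-{secret_for[host]}.pem"
            s += ["    listen 443 ssl http2;", f"    ssl_certificate {pem};", f"    ssl_certificate_key {pem};"]
            if ssl_redirect:   # ingress-nginx default ssl-redirect=true for hosts that have TLS
                s += ["    if ($scheme = http) {", f"        return 308 https://{host}$request_uri;", "    }"]
        for b_ns, svc, port, b_host, path in _backends(ingress):
            if b_host != host:
                continue
            s += [f"    location {path} {{",
                  "        proxy_set_header Host $host;",
                  "        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;",
                  "        proxy_set_header X-Forwarded-Proto $scheme;   # lets Tomcat know the client used TLS",
                  f"        proxy_pass http://{upstream_name(b_ns, svc, port)};   # TLS ends here; HTTP to the Pods",
                  "    }"]
        s.append("}")
        out.append("\n".join(s))
    return "\n".join(out)


# Constructed input: the page's Tomcat Ingress in networking.k8s.io/v1 form plus
# invented Pod IPs standing in for the Endpoints of Service default/tomcat.
TOMCAT_INGRESS = {
    "metadata": {"name": "ingress-tomcat-tls", "namespace": "default"},
    "spec": {"ingressClassName": "nginx",
             "tls": [{"hosts": ["tomcat.yxh.com"], "secretName": "tomcat-ingress-secret"}],
             "rules": [{"host": "tomcat.yxh.com", "http": {"paths": [
                 {"path": "/", "pathType": "Prefix",
                  "backend": {"service": {"name": "tomcat", "port": {"number": 8080}}}}]}}]}}
TOMCAT_ENDPOINTS = {("default", "tomcat"): ["10.244.1.10", "10.244.2.11", "10.244.3.12"]}


def render(ingress=TOMCAT_INGRESS, endpoints=TOMCAT_ENDPOINTS, ssl_redirect=True):
    """Full config fragment the way the controller would regenerate it after a Pod change."""
    return render_upstreams(ingress, endpoints) + "\n" + render_server(ingress, ssl_redirect)


if __name__ == "__main__":
    print(render())
```

Re-running `render()` with a different endpoint list is the whole "Pod change > Endpoints change > controller regenerates config" loop from the concept section: only the `server` lines inside the upstream change, the server block for the host stays the same.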

6. Final result

https://tomcat.yxh.com:30443/ is served through the controller with the self-signed certificate (the original page shows a browser screenshot here; the browser warns because the certificate is not signed by a trusted CA).

