Ingress概念介绍
service只能做四层代理 无法做七层代理(如https服务)
lvs只能根据第四层的数据进行转发 无法对七层协议数据进行调度
Ingress Controller
拥有七层代理的Pod程序
Ingress资源
1.首先通过无头service动态关联符合标签选择器选择的后端Pod
2.Ingress动态的把service关联的pod地址注入到前端配置upstream中 同时触发主程序重新加载最新的配置文件
pod变化 > service变化 > Ingress变化 > Ingress Control注入配置
Ingress反代到后端的web服务器
1.部署后端pod
apiVersion: v1
kind: Service
metadata:
name: myapp
namespace: default
spec:
selector:
app: myapp
release: canary
ports:
- name: http
targetPort: 80
port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp-deploy
namespace: default
apiVersion: v1
kind: Service
metadata:
name: myapp
namespace: default
spec:
selector:
app: myapp
release: canary
ports:
- name: http
targetPort: 80
port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp-deploy
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: myapp
release: canary
template:
metadata:
labels:
app: myapp
release: canary
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v2
ports:
- name: http
containerPort: 80
ngx-deploy.yaml
2.创建ingress资源
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-myapp
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: myapp.yxh.com
http:
paths:
- path:
backend:
serviceName: myapp
servicePort: 80
ingress-myapp.yaml
3.创建ingress controller的pod
[root@k8s-master ingress]# kubectl get pod -n ingress-nginx NAME READY STATUS RESTARTS AGE 3d nginx-ingress-controller-7d4c999994-pn6wt 1/1 Running 0 3d service_nodeport是用来给ingress-controller接入集群外部流量的 ingress-controller就是一个运行nginx的pod service_nodeport就是nginx pod的service ingress-controller 的pod是由在git上下载的nginx-ingress中的yaml文件创建的View Code
4.创建service_nodeport配置
apiVersion: v1
kind: Service
metadata:
name: ingress-nginx
namespace: ingress-nginx
spec:
type: NodePort
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP
nodePort: 30080
- name: https
port: 443
targetPort: 443
nodePort: 30443
protocol: TCP
selector:
app: ingress-nginx
service_nodeport.yaml
5.修改hosts文件
# localhost name resolution is handled within DNS itself. # 127.0.0.1 localhost # ::1 localhost 192.168.11.141 myapp.yxh.com 192.168.11.141 tomcat.yxh.comView Code
6.浏览器访问
Ingress实现tomcat的https反代
1.部署tomcat pod
apiVersion: v1
kind: Service
metadata:
name: tomcat
namespace: default
spec:
selector:
app: tomcat
release: canary
ports:
- name: http
targetPort: 8080
port: 8080
- name: ajp
targetPort: 8009
port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tomcat-deploy
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: tomcat
release: canary
template:
metadata:
labels:
app: tomcat
release: canary
spec:
containers:
- name: tomcat
image: tomcat:8.5.32-jre8-alpine
ports:
- name: http
containerPort: 8080
- name: ajp
containerPort: 8009
tomcat-deploy.yaml
2.创建ssl证书
生成自签名证书 [root@k8s-master ingress]# openssl genrsa -out tls.key 2048 Generating RSA private key, 2048 bit long modulus .................................................................+++ ...........................................................................................................+++ e is 65537 (0x10001) [root@k8s-master ingress]# openssl req -new -x509 -key tls.key -out tls.out -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.yxh.com CN的设置必须和访问的域名设置为一样的 [root@k8s-master ingress]# ls ingress-myapp.yaml ngx-deploy.yaml tls.key tomcat ingress-nginx-nginx-0.13.0 service_nodeport.yaml tls.out 把生成的证书转换成secret资源对象 [root@k8s-master ingress]# kubectl create tls tomcat-ingress-cert --cert=tls.crt --key=tls.key [root@k8s-master ingress]# kubectl get secret NAME TYPE DATA AGE default-token-n87jl kubernetes.io/service-account-token 3 244d tomcat-ingress-secret kubernetes.io/tls 2 1h创建证书
3.创建tomact ssl ingress资源
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-tomcat-tls
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
tls:
- hosts:
- tomcat.yxh.com
secretName: tomcat-ingress-secret
rules:
- host: tomcat.yxh.com
http:
paths:
- path:
backend:
serviceName: tomcat
servicePort: 8080
ingress-tomcat-tls.yaml
4.创建tomcat http ingress资源
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-tomcat
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: tomcat.yxh.com
http:
paths:
- path:
backend:
serviceName: tomcat
servicePort: 8080
ingress-tomcat.yaml
5.实现原理
执行kubectl apply|delete -f ingress-tomcat-tls.yaml的时候 都会把设置自动更新到ingress-controller的nginx的主配置文件中 并且能够立即生效
ingress-controller相当于一个ssl会话卸载器 客户端发送请求给controller必须时https协议 但是由controller把请求转发到集群内部的tomcat pod
的时候 使用的却是http协议
ingress_nginx_controller的配置 # find /etc -name nginx.conf /etc/nginx/nginx.conf
kubectl exec -n ingress-nginx -ti nginx-ingress-controller-7d4c999994-pn6wt -- /bin/sh
kubectl logs -n ingress-nginx nginx-ingress-controller-7d4c999994-pn6wt |grep error
## start server tomcat.yxh.com
server {
server_name tomcat.yxh.com ;
listen 80;
listen [::]:80;
set $proxy_upstream_name "-";
listen 443 ssl http2;
listen [::]:443 ssl http2;
# PEM sha: 8d7a91d9f8445a2e44ca5cef9dcea2c9bf8e7141
ssl_certificate /ingress-controller/ssl/default-tomcat-ingress-secret.pem;
ssl_certificate_key /ingress-controller/ssl/default-tomcat-ingress-secret.pem;
ssl_trusted_certificate /ingress-controller/ssl/default-tomcat-ingress-secret-full-chain.pem;
ssl_stapling
nginx.conf
6.最终效果