Contents
- Kubernetes (11): Ingress and Ingress Controller
  - Concepts
  - Ingress resource types
    - Single-Service Ingress
  - Deploying ingress-nginx
    - Deploying the Ingress controller
    - Configuring the Ingress backend service
    - Deploying the ingress-nginx Service
    - Deploying the Ingress
    - Adding a Tomcat service
    - Summary
  - Building a TLS site

Kubernetes (11): Ingress and Ingress Controller
Concepts
Normally the IPs of Services and Pods are reachable only from inside the cluster. A request from outside has to be load-balanced to the NodePort that the Service exposes on a Node, and kube-proxy then forwards it to the relevant Pod.

The NodePort approach runs into trouble once the number of services grows: the set of ports opened on every node becomes huge and hard to maintain. Could one Nginx sit in front and forward inward instead? Pods can talk to each other, and a Pod can share the host's network namespace; when it does, whatever the Pod listens on is a port on the Node itself. The simplest implementation is a DaemonSet that listens on port 80 of every Node, with a set of forwarding rules: the Nginx is bound to the host's port 80 (much like a NodePort) but also lives inside the cluster, so it can proxy straight to the Service IPs behind it.

That raises the next problem: what happens each time a new service is added? This is where Ingress comes in. Leaving aside the Nginx itself, Ingress consists of two components: the Ingress Controller and the Ingress resource.

An Ingress is the collection of routing rules for requests entering the cluster, as shown in the figure below.

An Ingress can give a Service an externally reachable URL, load balancing, SSL termination and HTTP routing. For these rules to take effect, the cluster administrator must deploy an Ingress controller, which watches Ingress and Service objects for changes, configures the load balancer according to the rules, and provides the entry point.

Ingress is also a standard Kubernetes API resource type: essentially a set of rules that forward requests to a given Service by DNS name (host) or URL path, used to publish services running inside the cluster to traffic from outside. The important point is that an Ingress resource cannot carry traffic by itself. It is only a rule set, and the rules need something else to listen on a socket and route connections according to their matches. The component that listens on the socket on behalf of Ingress resources and forwards the traffic is the Ingress Controller.

Unlike the Deployment controller, the Ingress controller does not run as part of kube-controller-manager. It is an add-on to the cluster, like CoreDNS, and has to be deployed separately. It is also a privileged add-on: the rbac.yaml applied below grants its ServiceAccount a ClusterRole that can read Ingresses, Services, Endpoints and the TLS Secrets it terminates across the whole cluster, so a compromise of the controller Pod exposes every certificate it serves.

Creating an Ingress resource
An Ingress resource is a forwarding rule based on an HTTP virtual host or URL path; it is worth stressing that it is a rule and nothing more. It is defined in the manifest by the rules, backend and tls fields nested under spec. The example below defines an Ingress with one rule: requests for myapp.magedu.com are proxied to the Service named myapp. The manifests on this page use the extensions/v1beta1 API version that matched ingress-nginx 0.17.1 at the time; that API version was removed in Kubernetes 1.22, where Ingress is served only as networking.k8s.io/v1 with a different backend schema (service.name / service.port) and a required pathType, so adjust the manifests if you follow along on a current cluster.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myapp.magedu.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp
          servicePort: 80
The spec field is the core of an Ingress resource and contains three main sub-fields:
- rules: the list of forwarding rules for this Ingress. Traffic that matches no rule, or that arrives when no rules are defined, goes to the default backend given by backend.
- backend: the default backend that serves requests matching none of the rules. An Ingress must define at least one of backend or rules; this field lets the load balancer point at one global default backend.
- tls: TLS configuration. Currently only the default port 443 is supported; if several list members specify different hosts, they are multiplexed on that one port by hostname via the SNI TLS extension, provided the controller supports SNI.

A backend object consists of two required fields, serviceName and servicePort, naming the target Service and its port.

The rules object is a list of host rules, each mapping a URL on one host to a backend Service object. Its format is:

spec:
  rules:
  - host: <string>
    http:
      paths:
      - path: <string>
        backend:
          serviceName: <string>
          servicePort: <string or integer>

Note that .spec.rules.host does not accept an IP address, nor the IP:Port form. Leaving the field empty matches every hostname.

The tls object has two nested fields and is used only in rules that define TLS hosts.
- hosts: the list of hostnames covered by the TLS certificate in use; the names given here must therefore match the names in the certificate held by the referenced Secret.
- secretName: the name of the Secret holding the certificate and key for the TLS session. It is optional so that SSL routing can be done on the SNI hostname alone; when set, the Secret must live in the same namespace as the Ingress.
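The constraints listed above (backend or rules must be present, host must be a DNS name rather than an IP or IP:port, each backend needs serviceName and servicePort, TLS hosts should have a matching rule) are easy to violate in a hand-written manifest and are only partly rejected by the API server. The linter below is an added example for this page, not code from the post or from Kubernetes; it works on the manifest as a plain dict (what you get after parsing the YAML) and the two manifests at the bottom are constructed for the example, one mirroring ingress-myapp above and one packing in the mistakes.

```python
"""Lint the spec of an extensions/v1beta1-style Ingress against the rules above.

Added example for this page, not code from the post or from Kubernetes. It
encodes the constraints the text states: an Ingress needs `backend` or
`rules`; `.spec.rules[].host` must be a DNS name, never an IP or IP:port
(empty means "any host"); every backend needs `serviceName` and a sane
`servicePort`; and every `tls[].hosts` entry should have a matching rule
host, otherwise the TLS listener only ever reaches the default backend.
"""
import ipaddress
import re

# RFC 1123 hostname: dot-separated labels, optional leading wildcard label.
_LABEL = r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^(\*\.)?({_LABEL}\.)*{_LABEL}$", re.IGNORECASE)


def _is_ip_or_ip_port(host: str) -> bool:
    """True for '10.0.0.10' or '10.0.0.10:31111', both rejected by .spec.rules[].host."""
    candidate = host.rsplit(":", 1)[0] if re.fullmatch(r"[^:]+:\d+", host) else host
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def _check_backend(backend, where: str, findings: list) -> None:
    """A backend is two required fields: serviceName and servicePort (number or port name)."""
    if not isinstance(backend, dict):
        findings.append(f"{where}: backend missing")
        return
    if not backend.get("serviceName"):
        findings.append(f"{where}: backend.serviceName missing")
    port = backend.get("servicePort")
    if port is None or (isinstance(port, int) and not 1 <= port <= 65535):
        findings.append(f"{where}: backend.servicePort missing or out of range")


def lint_ingress(ingress: dict) -> list:
    """Return the list of problems found; an empty list means the spec passed."""
    findings = []
    spec = ingress.get("spec") or {}
    rules = spec.get("rules") or []

    if not rules and "backend" not in spec:
        findings.append("spec: neither rules nor backend is set")
    if "backend" in spec:
        _check_backend(spec["backend"], "spec.backend", findings)

    rule_hosts, catch_all = set(), False
    for i, rule in enumerate(rules):
        host = rule.get("host") or ""
        if not host:
            catch_all = True            # empty host matches every hostname
        elif _is_ip_or_ip_port(host):
            findings.append(f"rules[{i}].host: IP or IP:port is not allowed ({host})")
        elif not _HOST_RE.match(host):
            findings.append(f"rules[{i}].host: not a valid DNS name ({host})")
        else:
            rule_hosts.add(host.lower())
        paths = (rule.get("http") or {}).get("paths") or []
        if not paths:
            findings.append(f"rules[{i}]: http.paths is empty")
        for j, path in enumerate(paths):
            _check_backend(path.get("backend"), f"rules[{i}].paths[{j}]", findings)

    for i, tls in enumerate(spec.get("tls") or []):
        if not tls.get("secretName"):
            findings.append(f"tls[{i}]: secretName missing, controller will use its default certificate")
        for host in tls.get("hosts") or []:
            if not catch_all and host.lower() not in rule_hosts:
                findings.append(f"tls[{i}].hosts: {host} has no matching rule host")
    return findings


# Constructed test inputs (not taken from the page's cluster).
MYAPP_INGRESS = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {"name": "ingress-myapp", "namespace": "default"},
    "spec": {"rules": [{"host": "myapp.magedu.com", "http": {"paths": [
        {"path": None, "backend": {"serviceName": "myapp", "servicePort": 80}}]}}]},
}

BAD_INGRESS = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {"name": "bad-ingress", "namespace": "default"},
    "spec": {
        "rules": [{"host": "10.0.0.10:31111", "http": {"paths": [
            {"path": "/", "backend": {"serviceName": "myapp"}}]}}],
        "tls": [{"hosts": ["tomcat.white.com"], "secretName": "tomcat-ingress-secret"}],
    },
}

if __name__ == "__main__":
    for ing in (MYAPP_INGRESS, BAD_INGRESS):
        print(ing["metadata"]["name"], lint_ingress(ing) or "OK")
```

Run it against a real manifest by loading the YAML into a dict first (for example with PyYAML's safe_load) and passing the result to lint_ingress; the checks are deliberately stricter than the API server, which accepts a rule whose TLS host matches nothing.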
Ingress resource types
There are four kinds of Ingress resource:
- single-Service Ingress
- URL-path-based fan-out
- name-based virtual hosting
- TLS Ingress

Single-Service Ingress
There are several ways to expose a single service, such as NodePort and LoadBalancer. An Ingress can do it too: just give the Ingress a default backend and nothing else, as in this example:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
spec:
  backend:
    serviceName: my-svc
    servicePort: 80
The Ingress controller assigns it an IP address on which to receive request traffic, and forwards that traffic to the backend my-svc.

Deploying ingress-nginx
The steps to use Ingress are:
1. Install and deploy the Ingress controller Pod
2. Deploy the backend services
3. Deploy the ingress-nginx Service
4. Deploy the Ingress

Ingress is a standard Kubernetes resource, so its definition can be inspected with explain:
[root@master ~]# kubectl explain ingress
KIND:     Ingress
VERSION:  extensions/v1beta1

DESCRIPTION:
     Ingress is a collection of rules that allow inbound connections to reach
     the endpoints defined by a backend. An Ingress can be configured to give
     services externally-reachable urls, load balance traffic, terminate SSL,
     offer name based virtual hosting etc.

FIELDS:
   apiVersion   <string>
     APIVersion defines the versioned schema of this representation of an
     object. Servers should convert recognized schemas to the latest internal
     value, and may reject unrecognized values. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#resources

   kind   <string>
     Kind is a string value representing the REST resource this object
     represents. Servers may infer this from the endpoint the client submits
     requests to. Cannot be updated. In CamelCase. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds

   metadata   <Object>
     Standard object's metadata. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata

   spec   <Object>
     Spec is the desired state of the Ingress. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status

   status   <Object>
     Status is the current state of the Ingress. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
Deploying the Ingress controller
ingress-nginx 0.17.1 is used here rather than the latest master.

Download the ingress-nginx manifests:
[root@master manifests]# mkdir ingress-nginx
[root@master manifests]# cd ingress-nginx
[root@master ingress-nginx]# for file in namespace.yaml configmap.yaml rbac.yaml tcp-services-configmap.yaml with-rbac.yaml udp-services-configmap.yaml default-backend.yaml;do wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.17.1/deploy/$file;done

[root@master ingress-nginx]# ll
total 28
-rw-r--r-- 1 root root  134 Apr  1 17:19 configmap.yaml               # ConfigMap used to inject nginx configuration from outside
-rw-r--r-- 1 root root 1216 Apr  1 17:20 default-backend.yaml         # the default backend service
-rw-r--r-- 1 root root   68 Apr  1 17:19 namespace.yaml               # a dedicated namespace
-rw-r--r-- 1 root root 2390 Apr  1 17:19 rbac.yaml                    # RBAC: ServiceAccount, ClusterRole/Role and bindings for the controller
-rw-r--r-- 1 root root   94 Apr  1 17:19 tcp-services-configmap.yaml
-rw-r--r-- 1 root root   94 Apr  1 17:20 udp-services-configmap.yaml
-rw-r--r-- 1 root root 2174 Apr  1 17:20 with-rbac.yaml
Create the ingress-nginx namespace:

[root@master ingress-nginx]# cat namespace.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx

[root@master ingress-nginx]# kubectl apply -f namespace.yaml
namespace/ingress-nginx created
Create the Ingress controller Pod:

# Network filtering in mainland China prevents pulling the required image from k8s.gcr.io, so the image reference in the manifest is changed.
[root@master ingress-nginx]# vim default-backend.yaml
        #image: gcr.io/google_containers/defaultbackend:1.4
        image: xiaobai20201/defaultbackend-amd64:1.5

[root@master ingress-nginx]# kubectl apply -f .
configmap/nginx-configuration created
deployment.extensions/default-http-backend created
service/default-http-backend created
namespace/ingress-nginx unchanged
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
configmap/tcp-services created
configmap/udp-services created
deployment.extensions/nginx-ingress-controller created

A caveat on the image substitution: replacing the upstream image with one published by an unrelated Docker Hub account means running code you have not verified on the cluster's ingress path. If a mirror is unavoidable, pull the upstream image yourself, push it to a registry you control, and reference it by digest (image@sha256:...) rather than by a mutable tag, so that what runs is exactly what you inspected.
Check the result:

[root@master ingress-nginx]# kubectl get pod -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
default-http-backend-788bdcf46f-7b5ds       1/1     Running   0          24s
nginx-ingress-controller-7db86988c8-jmv72   1/1     Running   0          3m50s

Configuring the Ingress backend service
Inspect the manifest fields:
[root@master ~]# kubectl explain ingress.spec.
KIND:     Ingress
VERSION:  extensions/v1beta1

RESOURCE: spec <Object>

DESCRIPTION:
     Spec is the desired state of the Ingress. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status

     IngressSpec describes the Ingress the user wishes to exist.

FIELDS:
   backend   <Object>      # the default backend

   rules     <[]Object>    # the forwarding rules

   tls       <[]Object>

Deploy:
[root@master ingress-nginx]# cd ../ && mkdir ingress && cd ingress
[root@master ingress]# vim deploy-demo.yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  selector:
    app: myapp
    release: canary
  ports:
  - name: http
    targetPort: 80
    port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-backend-pod
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v2
        ports:
        - name: http
          containerPort: 80
Check the deployment:

[root@master ingress]# kubectl get pods,svc
NAME                                     READY   STATUS    RESTARTS   AGE
pod/filebeat-ds-h8rwk                    1/1     Running   0          18h
pod/filebeat-ds-kzhxw                    1/1     Running   0          18h
pod/myapp-backend-pod-6b56d98b6b-2dh5h   1/1     Running   0          78s
pod/myapp-backend-pod-6b56d98b6b-hwzws   1/1     Running   0          78s
pod/myapp-backend-pod-6b56d98b6b-ztwn2   1/1     Running   0          78s
pod/readiness-httpget-pod                1/1     Running   0          3d16h

NAME                     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/kubernetes       ClusterIP   10.96.0.1       <none>        443/TCP   5d16h
service/myapp            ClusterIP   10.100.41.152   <none>        80/TCP    7m47s
service/myapp-headless   ClusterIP   None            <none>        80/TCP    16h

Deploying the ingress-nginx Service
The Ingress controller is what serves traffic to the outside, so it still needs a Service of its own, created by hand, to receive traffic from outside the cluster.

Download the Service manifest for the Ingress controller:
[root@master ingress]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.17.1/deploy/provider/baremetal/service-nodeport.yaml

[root@master ingress]# vim service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 31111    # a random port from the NodePort range by default; pinned here
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
    nodePort: 31443    # a random port from the NodePort range by default; pinned here
  selector:
    app: ingress-nginx
Check the result:

[root@master ingress]# kubectl apply -f service-nodeport.yaml
service/ingress-nginx created
[root@master ingress]# kubectl get svc -n ingress-nginx
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
default-http-backend   ClusterIP   10.98.233.231    <none>        80/TCP                       33m
ingress-nginx          NodePort    10.103.142.142   <none>        80:31111/TCP,443:31443/TCP   8s

At this point a request to 10.0.0.10:31111 should return 404: the controller is up and proxying, but no Ingress has been created yet, so every request falls through to default-http-backend.

Deploying the Ingress
Write the manifest:
[root@master ingress]# vim ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myapp-ingress                    # name of the Ingress
  namespace: default                     # namespace it belongs to
  annotations:                           # annotations
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:                                 # the forwarding rules
  - host: myapp.white.com                # forward by hostname
    http:
      paths:
      - path:                            # the URL path; set it to fan out by path. Empty means the root path "/"
        backend:                         # the backend service
          serviceName: myapp
          servicePort: 80
Create it and check:

[root@master ingress]# kubectl apply -f ingress-myapp.yaml
ingress.extensions/myapp-ingress created
[root@master ingress]# kubectl get ingress
NAME            HOSTS             ADDRESS   PORTS   AGE
myapp-ingress   myapp.white.com             80      12s

Look at the details of myapp-ingress:
[root@master ingress]# kubectl describe ingress myapp-ingress
Name:             myapp-ingress
Namespace:        default
Address:
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host             Path  Backends
  ----             ----  --------
  myapp.white.com
                      myapp:80 (<none>)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"myapp-ingress","namespace":"default"},"spec":{"rules":[{"host":"myapp.white.com","http":{"paths":[{"backend":{"serviceName":"myapp","servicePort":80},"path":null}]}}]}}

  kubernetes.io/ingress.class:  nginx
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  62s   nginx-ingress-controller  Ingress default/myapp-ingress
[root@master ingress]#

Enter the nginx-ingress-controller Pod to confirm that the nginx configuration was rendered:
[root@master ingress]# kubectl get pods -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
default-http-backend-788bdcf46f-7b5ds       1/1     Running   0          41m
nginx-ingress-controller-7db86988c8-jmv72   1/1     Running   0          45m

[root@master ingress]# kubectl exec -it nginx-ingress-controller-7db86988c8-jmv72 -n ingress-nginx -- /bin/sh
$ cat nginx.conf
......
    upstream default-myapp-80 {      # load balancing to the backend Pods, generated automatically
        least_conn;

        keepalive 32;

        server 10.244.1.44:80 max_fails=0 fail_timeout=0;
        server 10.244.2.49:80 max_fails=0 fail_timeout=0;
        server 10.244.2.48:80 max_fails=0 fail_timeout=0;

    }
......
    ## start server myapp.white.com
    server {
        server_name myapp.white.com ;

        listen 80;

        listen [::]:80;

        set $proxy_upstream_name "-";

        location / {

            set $namespace      "default";
            set $ingress_name   "myapp-ingress";
            set $service_name   "myapp";
            set $service_port   "80";
            set $location_path  "/";

            rewrite_by_lua_block {

            }
...

Add the hostname to the local hosts file and test access through the NodePort (http://myapp.white.com:31111):
10.0.0.10 master myapp.white.com
10.0.0.11 node01 myapp.white.com
10.0.0.12 node02 myapp.white.com

Adding a Tomcat service
Write the manifest:
[root@master ingress]# vim tomcat-deploy.yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  - name: ajp
    targetPort: 8009
    port: 8009

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5-alpine
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009

Write the Ingress rule for tomcat, then create the Ingress resource:
[root@master ingress]# vim ingress-tomcat.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.white.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080

Apply:
[root@master ingress]# kubectl apply -f tomcat-deploy.yaml

[root@master ingress]# kubectl get pods
NAME                                 READY   STATUS    RESTARTS   AGE
filebeat-ds-h8rwk                    1/1     Running   0          19h
filebeat-ds-kzhxw                    1/1     Running   0          19h
myapp-backend-pod-6b56d98b6b-2dh5h   1/1     Running   0          62m
myapp-backend-pod-6b56d98b6b-hwzws   1/1     Running   0          62m
myapp-backend-pod-6b56d98b6b-ztwn2   1/1     Running   0          62m
readiness-httpget-pod                1/1     Running   0          3d17h
tomcat-deploy-5f554cd88d-7gzc7       1/1     Running   0          44s
tomcat-deploy-5f554cd88d-c42t6       1/1     Running   0          44s
tomcat-deploy-5f554cd88d-qhc4j       1/1     Running   0          44s

[root@master ingress]# kubectl get svc
NAME             TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
kubernetes       ClusterIP   10.96.0.1       <none>        443/TCP             5d17h
myapp            ClusterIP   10.100.41.152   <none>        80/TCP              70m
myapp-headless   ClusterIP   None            <none>        80/TCP              17h
tomcat           ClusterIP   10.107.88.118   <none>        8080/TCP,8009/TCP   3m4s

Check that tomcat-deploy is listening on 8080 and 8009:
[root@master ingress]# kubectl exec -it tomcat-deploy-5f554cd88d-7gzc7 -- netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN

Create the Ingress resource:
[root@master ingress]# kubectl apply -f ingress-tomcat.yaml
ingress.extensions/tomcat-ingress created
[root@master ingress]# kubectl get ingress
NAME             HOSTS              ADDRESS   PORTS   AGE
myapp-ingress    myapp.white.com              80      45m
tomcat-ingress   tomcat.white.com             80      5s

Look at the details of tomcat-ingress:
[root@master ingress]# kubectl describe ingress tomcat-ingress
Name:             tomcat-ingress
Namespace:        default
Address:
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host              Path  Backends
  ----              ----  --------
  tomcat.white.com
                       tomcat:8080 (<none>)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"tomcat-ingress","namespace":"default"},"spec":{"rules":[{"host":"tomcat.white.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}]}}

  kubernetes.io/ingress.class:  nginx
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  71s   nginx-ingress-controller  Ingress default/tomcat-ingress

Add the new hostname to the local hosts file and test access:
10.0.0.10 master myapp.white.com tomcat.white.com
10.0.0.11 node01 myapp.white.com tomcat.white.com
10.0.0.12 node02 myapp.white.com tomcat.white.com
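With two Ingresses in place, the controller's job is a lookup: the Host header selects a server block (server_name myapp.white.com or tomcat.white.com in the rendered nginx.conf), the longest matching path prefix selects a location, and anything else ends at default-http-backend with a 404. The simulation below is an added example for this page, not code from the post or from ingress-nginx; it reproduces that decision on the two Ingresses shown above, reconstructed as dicts, plus one hypothetical path-based rule (myapp-admin) added to show prefix matching. Upstream names follow the <namespace>-<service>-<port> pattern visible in the nginx.conf excerpts.

```python
"""Answer "which upstream gets this request?" from a set of Ingress objects.

Added example for this page, not code from the post or from ingress-nginx.
Server block by exact Host (port stripped), catch-all server for unknown
hosts, then longest matching path prefix, with an empty `path` meaning "/";
anything left over goes to default-http-backend, which answers 404.
"""
from dataclasses import dataclass

# What falls through every rule: the default backend deployed with the controller.
DEFAULT_UPSTREAM = "ingress-nginx-default-http-backend-80"


@dataclass(frozen=True)
class Route:
    host: str       # "" means the catch-all server (server_name _)
    path: str       # location prefix, always begins with "/"
    upstream: str   # "<namespace>-<service>-<port>"


def build_routes(ingresses) -> list:
    """Flatten every rules[].http.paths[] entry of every Ingress into Route objects."""
    routes = []
    for ing in ingresses:
        namespace = ing["metadata"].get("namespace", "default")
        for rule in ing["spec"].get("rules", []):
            host = (rule.get("host") or "").lower()
            for entry in rule["http"]["paths"]:
                backend = entry["backend"]
                routes.append(Route(
                    host=host,
                    path=entry.get("path") or "/",   # empty path == "/", as on this page
                    upstream=f"{namespace}-{backend['serviceName']}-{backend['servicePort']}",
                ))
    return routes


def _path_matches(prefix: str, request_path: str) -> bool:
    """Prefix match on path segments: "/admin" matches "/admin/x" but not "/administrator"."""
    return request_path == prefix or request_path.startswith(prefix.rstrip("/") + "/")


def resolve(routes, host_header: str, request_path: str) -> str:
    """Return the upstream name for a Host header and path, or DEFAULT_UPSTREAM."""
    host = host_header.split(":", 1)[0].lower()   # nginx's $host has the port removed
    exact = [r for r in routes if r.host == host]
    candidates = exact if exact else [r for r in routes if r.host == ""]
    for route in sorted(candidates, key=lambda r: -len(r.path)):   # longest prefix wins
        if _path_matches(route.path, request_path):
            return route.upstream
    return DEFAULT_UPSTREAM


def _ingress(name, host, path, service, port):
    """Build a minimal extensions/v1beta1 Ingress dict (constructed test data)."""
    return {
        "metadata": {"name": name, "namespace": "default"},
        "spec": {"rules": [{"host": host, "http": {"paths": [
            {"path": path, "backend": {"serviceName": service, "servicePort": port}}]}}]},
    }


# Constructed inputs: the two Ingresses from this page plus one hypothetical path rule.
INGRESSES = [
    _ingress("myapp-ingress", "myapp.white.com", None, "myapp", 80),
    _ingress("tomcat-ingress", "tomcat.white.com", None, "tomcat", 8080),
    _ingress("myapp-admin-ingress", "myapp.white.com", "/admin", "myapp-admin", 8080),  # hypothetical
]

if __name__ == "__main__":
    table = build_routes(INGRESSES)
    for host, path in [("myapp.white.com:31111", "/"), ("tomcat.white.com", "/index.jsp"),
                       ("myapp.white.com", "/admin/users"), ("10.0.0.10:31111", "/")]:
        print(f"{host:24s} {path:14s} -> {resolve(table, host, path)}")
```

The last case is why a bare http://10.0.0.10:31111 returns 404 even though both applications are reachable: no rule carries that host, so the request lands on the catch-all server and its default backend. Note also that the Host header is the only thing selecting the tenant, so any client that can reach the NodePort can reach any host defined in any Ingress served by this controller.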
Summary
From the deployment above, the procedure can be summarised as:
- download the Ingress-controller YAML files and create a dedicated namespace for the controller;
- deploy the backend services (myapp here) and expose them through a Service;
- deploy the Ingress-controller's own Service so that traffic from outside the cluster can reach it;
- deploy the Ingress, whose rules tie the Ingress-controller to the backend Pods.

Building a TLS site
Prepare a certificate:
[root@master ingress]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
......+++
.....................................................+++
e is 65537 (0x10001)
[root@master ingress]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Guangdong/L=Zhongshan/O=DevOps/CN=tomcat.white.com
[root@master ingress]# ls
deploy-demo.yaml   ingress-tomcat.yaml    tls.crt  tomcat-deploy.yaml
ingress-myapp.yaml service-nodeport.yaml  tls.key

Two things to know about this certificate before using it anywhere but a lab. openssl req -x509 without -days issues it for only 30 days, and the -subj form sets a CN with no subjectAltName; current browsers (Chrome since version 58) ignore the CN for hostname matching, so even a CA-signed certificate made this way would be rejected. For anything beyond a demo add -days and, with OpenSSL 1.1.1 or later, -addext "subjectAltName=DNS:tomcat.white.com", or obtain the certificate from a CA. tls.key is an unencrypted private key sitting on the master's filesystem; remove it once the Secret below exists.

The generated files cannot be used by the nginx Pod directly; they have to be turned into a Secret (another standard Kubernetes object), and that Secret must live in the same namespace as the Ingress that references it (default here).

Generate the Secret:
[root@master ingress]# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
secret/tomcat-ingress-secret created
[root@master ingress]# kubectl get secret
NAME                    TYPE                                  DATA   AGE
default-token-dqd2f     kubernetes.io/service-account-token   3      5d18h
tomcat-ingress-secret   kubernetes.io/tls                     2      11s
[root@master ingress]# kubectl describe secret tomcat-ingress-secret
Name:         tomcat-ingress-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  1302 bytes
tls.key:  1679 bytes

Create the Ingress:
[root@master ~]# kubectl explain ingress.spec.tls.      # inspect the tls fields first
[root@master ingress]# vim ingress-tomcat-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-ingress-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.white.com
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.white.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080

[root@master ingress]# kubectl apply -f ingress-tomcat-tls.yaml
ingress.extensions/tomcat-ingress-tls created
[root@master ingress]# kubectl get ingress
NAME                 HOSTS              ADDRESS   PORTS     AGE
myapp-ingress        myapp.white.com              80        61m
tomcat-ingress       tomcat.white.com             80        16m
tomcat-ingress-tls   tomcat.white.com             80, 443   25s

# describe it
[root@master ingress]# kubectl describe ingress tomcat-ingress-tls
Name:             tomcat-ingress-tls
Namespace:        default
Address:
Default backend:  default-http-backend:80 (<none>)
TLS:
  tomcat-ingress-secret terminates tomcat.white.com
Rules:
  Host              Path  Backends
  ----              ----  --------
  tomcat.white.com
                       tomcat:8080 (<none>)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"tomcat-ingress-tls","namespace":"default"},"spec":{"rules":[{"host":"tomcat.white.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}],"tls":[{"hosts":["tomcat.white.com"],"secretName":"tomcat-ingress-secret"}]}}

  kubernetes.io/ingress.class:  nginx
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  107s  nginx-ingress-controller  Ingress default/tomcat-ingress-tls

Enter the controller Pod and check:
[root@master ingress]# kubectl exec -it nginx-ingress-controller-7db86988c8-jmv72 -n ingress-nginx -- /bin/sh
$ cat nginx.conf
......
    upstream default-tomcat-8080 {
        least_conn;

        keepalive 32;

        server 10.244.1.45:8080 max_fails=0 fail_timeout=0;
        server 10.244.2.51:8080 max_fails=0 fail_timeout=0;
        server 10.244.2.50:8080 max_fails=0 fail_timeout=0;

    }
......
    ## start server _
    server {
        server_name _ ;

        listen 80 default_server backlog=511;

        listen [::]:80 default_server backlog=511;

        set $proxy_upstream_name "-";

        listen 443  default_server backlog=511 ssl http2;

        listen [::]:443  default_server backlog=511 ssl http2;

        # PEM sha: 07ee66d47cf4e5ef25baa6f91d62296e05243cfe
        ssl_certificate                         /etc/ingress-controller/ssl/default-fake-certificate.pem;
        ssl_certificate_key                     /etc/ingress-controller/ssl/default-fake-certificate.pem;
......

Access port 31443 from a client.
Because the certificate is self-signed (and carries no subjectAltName), the browser warns that the connection is not secure, but HTTPS on port 443 (NodePort 31443) works. Two related points. The server _ block shown above is the catch-all: a client that connects by IP, or whose SNI name matches no tls.hosts entry, is handed default-fake-certificate.pem rather than tomcat-ingress-secret, so test with https://tomcat.white.com:31443 and not with the node IP. And because tomcat.white.com now has TLS configured, ingress-nginx's ssl-redirect setting, which is enabled by default, answers plain-HTTP requests for that host with a redirect to HTTPS.
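The certificate a client receives is decided at the TLS handshake, before any Ingress rule is consulted, purely from the SNI name: the controller binds each tls.hosts entry to its Secret, and everything else gets the catch-all server with the fake certificate shown in the nginx.conf excerpt. The model below is an added example for this page, not code from the post or from ingress-nginx; tomcat-ingress-tls and tomcat-ingress-secret are reconstructed from this page, the wildcard and shop entries are hypothetical, and the Secret contents are placeholders rather than real PEM data.

```python
"""Which certificate does the controller present for a given SNI name?

Added example for this page, not code from the post or from ingress-nginx.
Each `spec.tls` entry binds hostnames to a kubernetes.io/tls Secret in the
Ingress's own namespace; the catch-all `server _` hands
default-fake-certificate.pem to any client whose SNI name (or missing SNI,
e.g. when connecting by IP) matches no TLS host, and a TLS entry whose Secret
is missing or of the wrong type is served with the fake certificate too.
"""
from fnmatch import fnmatchcase

FAKE_CERT = "/etc/ingress-controller/ssl/default-fake-certificate.pem"
TLS_SECRET_TYPE = "kubernetes.io/tls"


def tls_bindings(ingresses, secrets) -> dict:
    """Map lowercase TLS host -> "namespace/secret", or None when the Secret is unusable."""
    bindings = {}
    for ing in ingresses:
        namespace = ing["metadata"].get("namespace", "default")
        for entry in ing["spec"].get("tls", []):
            name = entry.get("secretName")
            ref = f"{namespace}/{name}" if name else None   # same namespace as the Ingress
            secret = secrets.get(ref) if ref else None
            usable = (secret is not None and secret.get("type") == TLS_SECRET_TYPE
                      and {"tls.crt", "tls.key"} <= set(secret.get("data", {})))
            for host in entry.get("hosts", []):
                bindings[host.lower()] = ref if usable else None
    return bindings


def certificate_for(bindings, sni: str) -> str:
    """Secret ref presented for this SNI name, or FAKE_CERT when nothing usable matches."""
    sni = (sni or "").lower()
    if sni in bindings:                        # exact server_name wins, even if broken
        return bindings[sni] or FAKE_CERT
    for host, ref in bindings.items():         # *.lab.white.com covers exactly one more label
        if host.startswith("*.") and ref and fnmatchcase(sni, host) and sni.count(".") == host.count("."):
            return ref
    return FAKE_CERT


def unprotected_hosts(bindings) -> list:
    """TLS hosts that are listed but will be served with the fake certificate."""
    return sorted(host for host, ref in bindings.items() if ref is None)


def _tls_ingress(name, hosts, secret_name):
    """Minimal Ingress dict with one tls entry (constructed test data)."""
    return {"metadata": {"name": name, "namespace": "default"},
            "spec": {"tls": [{"hosts": hosts, "secretName": secret_name}]}}


# Constructed inputs. Secret data values are placeholders, not real PEM material.
INGRESSES = [
    _tls_ingress("tomcat-ingress-tls", ["tomcat.white.com"], "tomcat-ingress-secret"),
    _tls_ingress("wildcard-ingress", ["*.lab.white.com"], "wildcard-lab-white-com"),   # hypothetical
    _tls_ingress("shop-ingress", ["shop.white.com"], "shop-tls"),                     # hypothetical
]
SECRETS = {
    "default/tomcat-ingress-secret": {"type": TLS_SECRET_TYPE, "data": {"tls.crt": "<pem>", "tls.key": "<pem>"}},
    "default/wildcard-lab-white-com": {"type": TLS_SECRET_TYPE, "data": {"tls.crt": "<pem>", "tls.key": "<pem>"}},
    "default/shop-tls": {"type": "Opaque", "data": {"cert.pem": "<pem>", "key.pem": "<pem>"}},  # wrong type
}

if __name__ == "__main__":
    b = tls_bindings(INGRESSES, SECRETS)
    for sni in ["tomcat.white.com", "api.lab.white.com", "shop.white.com", "myapp.white.com", ""]:
        print(f"{sni or '<no SNI>':20s} -> {certificate_for(b, sni)}")
    print("listed TLS hosts served with the fake certificate:", unprotected_hosts(b))
```

The shop.white.com case is the one to watch for in practice: the Ingress looks complete, kubectl get ingress shows port 443, yet clients see the controller's fake certificate because the referenced Secret is not a kubernetes.io/tls Secret with tls.crt and tls.key (kubectl create secret tls, as used above, produces exactly that shape).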