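Kubernetes (11): Ingress and Ingress Controller
Concepts
Normally, the IPs of Services and Pods are reachable only from inside the cluster. Requests from outside the cluster have to go through a load balancer to the NodePort that the Service exposes on a Node, and kube-proxy then forwards them to the relevant Pod.
The problem with exposing services through NodePort is that once there are many services, the number of ports opened on every node becomes extremely large and hard to maintain. Could a single Nginx forward the traffic inward instead? Pods can communicate with each other, and a Pod can share the host's network namespace; when it does, whatever the Pod listens on is a port on the Node. So how can this be implemented? A simple implementation is to use a DaemonSet that listens on port 80 on every Node and to write the forwarding rules. Because Nginx is bound to port 80 of the host on the outside (just like a NodePort) and is itself inside the cluster, it can forward directly to the corresponding Service IP.
But a new problem arises: what happens each time a new service is added? This is where Ingress comes in. Leaving aside the Nginx above, Ingress consists of two main components: the Ingress Controller and the Ingress resource.
Ingress is the collection of routing rules for requests entering the cluster.
Ingress can give Services externally reachable URLs, load balancing, SSL termination, HTTP routing, and so on. To configure these Ingress rules, the cluster administrator must deploy an Ingress controller, which watches for changes to Ingresses and Services, configures load balancing according to the rules, and provides the access entry point.
Ingress is also one of the standard resource types of the Kubernetes API. It is simply a set of rules that forward requests to specified Service resources based on DNS name (host) or URL path, and it is used to publish services by forwarding request traffic from outside the cluster to the inside. Note that an Ingress resource cannot pass traffic by itself; it is only a collection of rules. Those rules need another component that listens on a socket and routes traffic according to the rules it matches. The component that listens on a socket on behalf of Ingress resources and forwards the traffic is the Ingress Controller.
Unlike the Deployment controller, the Ingress controller does not run as part of kube-controller-manager. It is only an add-on to the Kubernetes cluster, similar to CoreDNS, and must be deployed on the cluster separately.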
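Creating an Ingress resource
An Ingress resource is a forwarding rule based on HTTP virtual hosts or URLs; the point to stress is that it is a forwarding rule. In the manifest it is defined by the rules, backend and tls fields nested under spec. The following example defines an Ingress resource containing one forwarding rule: requests sent to myapp.magedu.com are proxied to a Service resource named myapp.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myapp.magedu.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp
          servicePort: 80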
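The spec field is the core of an Ingress resource and mainly contains the following three fields:
- rules: the list of forwarding rules for this Ingress resource. When no rules are defined, or a request matches none of them, all traffic is forwarded to the default backend defined by backend.
- backend: the default backend, which serves requests that match no rule. An Ingress resource must define at least one of backend or rules; this field lets the load balancer specify a global default backend.
- tls: TLS configuration. Currently only serving on the default port 443 is supported. If the list members are to point to different hosts, this has to be supported through the SNI TLS extension.
A backend object consists of two required fields, serviceName and servicePort, which specify the name and port of the backend Service that traffic is forwarded to.
A rules object consists of a series of host rules configured for the Ingress resource. These host rules map a URL on a host to the relevant backend Service object, in the following format:
spec:
  rules:
  - host: <string>
    http:
      paths:
      - path:
        backend:
          serviceName: <string>
          servicePort: <string>
Note that the .spec.rules.host value currently cannot be an IP address, nor the IP:Port form. Leaving the field empty matches all host names.
A tls object consists of two nested fields and is used only when defining forwarding rules for TLS hosts.
- hosts: the list of host names included in the TLS certificate in use; the host names used here must therefore match the names in the tlsSecret.
- secretName: the name of the Secret object referenced for the SSL session; this field is optional where multi-host routing is implemented through SNI.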
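Ingress resource types
There are four types of Ingress resource:
- Single-Service Ingress
- Traffic forwarding based on URL path
- Name-based virtual hosts
- TLS Ingress
Single-Service Ingress
There are several ways to expose a single service, such as NodePort and LoadBalancer. Ingress can also be used to expose a single service: just specify a default backend for the Ingress, as in the following example:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
spec:
  backend:
    serviceName: my-svc
    servicePort: 80
The Ingress controller allocates an IP address for it to accept request traffic and forwards that traffic to the my-svc backend.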
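
The resolution order described in the two sections above (rules first, then the default backend, with an empty host matching every host name) can be modelled in a few lines. This is an added example, not code from the original page or from ingress-nginx; it assumes exact host matching and nginx-style prefix matching on the path, and resolve and ingress_spec are hypothetical names.

```python
# Added example: simplified model of Ingress request resolution (not controller code).
CONTROLLER_DEFAULT = {"serviceName": "default-http-backend", "servicePort": 80}

def ingress_spec(host, service, port):
    """Build a one-rule v1beta1-style spec like the manifests on this page."""
    backend = {"serviceName": service, "servicePort": port}
    return {"rules": [{"host": host, "http": {"paths": [{"path": None, "backend": backend}]}}]}

# Constructed sample specs using the names that appear on this page.
MYAPP = ingress_spec("myapp.white.com", "myapp", 80)
TOMCAT = ingress_spec("tomcat.white.com", "tomcat", 8080)
SINGLE = {"backend": {"serviceName": "my-svc", "servicePort": 80}}

def resolve(specs, host, path, controller_default=CONTROLLER_DEFAULT):
    """Return the 'service:port' that a request for host + path is forwarded to."""
    default = controller_default
    exact, hostless = [], []            # (path prefix, backend) candidates
    for spec in specs:
        default = spec.get("backend") or default   # spec.backend replaces the default
        for rule in spec.get("rules") or []:
            rule_host = rule.get("host")
            if rule_host and rule_host != host:
                continue                            # rule belongs to another virtual host
            bucket = exact if rule_host else hostless
            for entry in rule["http"]["paths"]:
                # An empty path means the root "/", as noted in the manifests.
                bucket.append((entry.get("path") or "/", entry["backend"]))
    # A rule that names the host wins over rules with an empty (wildcard) host.
    candidates = exact or hostless
    matches = [(len(prefix), backend) for prefix, backend in candidates
               if path.startswith(prefix)]
    chosen = max(matches, key=lambda m: m[0])[1] if matches else default
    return f"{chosen['serviceName']}:{chosen['servicePort']}"

if __name__ == "__main__":
    for host in ("myapp.white.com", "tomcat.white.com", "10.0.0.10"):
        print(host, "->", resolve([MYAPP, TOMCAT], host, "/"))
```

A request addressed by node IP matches no rule and lands on the default backend, which is why a bare request to the controller returns 404 until an Ingress with a matching host exists.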
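Deploying Ingress Nginx
Steps for using Ingress:
1. Install and deploy the ingress controller Pod
2. Deploy the backend service
3. Deploy the ingress-nginx service
4. Deploy the ingress
Ingress is also a standard K8S resource, and its definition can be viewed with explain: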
[root@master ~]# kubectl explain ingress
KIND:     Ingress
VERSION:  extensions/v1beta1
DESCRIPTION:
     Ingress is a collection of rules that allow inbound connections to reach
     the endpoints defined by a backend. An Ingress can be configured to give
     services externally-reachable urls, load balance traffic, terminate SSL,
     offer name based virtual hosting etc.
FIELDS:
   apiVersion <string>
     APIVersion defines the versioned schema of this representation of an
     object. Servers should convert recognized schemas to the latest internal
     value, and may reject unrecognized values. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#resources
   kind <string>
     Kind is a string value representing the REST resource this object
     represents. Servers may infer this from the endpoint the client submits
     requests to. Cannot be updated. In CamelCase. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
   metadata <Object>
     Standard object's metadata. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
   spec <Object>
     Spec is the desired state of the Ingress. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
   status <Object>
     Status is the current state of the Ingress. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
Deploying the Ingress controller
This uses ingress-nginx version 0.17.1, not the latest master.
Download the ingress YAML files
[root@master manifests]# mkdir ingress-nginx
[root@master manifests]# cd ingress-nginx
[root@master manifests]# for file in namespace.yaml configmap.yaml rbac.yaml tcp-services-configmap.yaml with-rbac.yaml udp-services-configmap.yaml default-backend.yaml;do wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.17.1/deploy/$file;done
[root@master ingress-nginx]# ll
總用量 476
[root@master ingress-nginx]# ll
總用量 28
-rw-r--r-- 1 root root 134 4月 1 17:19 configmap.yaml # configmap, used to inject configuration into nginx from outside
-rw-r--r-- 1 root root 1216 4月 1 17:20 default-backend.yaml # configures the default backend service
-rw-r--r-- 1 root root 68 4月 1 17:19 namespace.yaml # creates a dedicated namespace
-rw-r--r-- 1 root root 2390 4月 1 17:19 rbac.yaml # rbac, used for cluster role authorization
-rw-r--r-- 1 root root 94 4月 1 17:19 tcp-services-configmap.yaml
-rw-r--r-- 1 root root 94 4月 1 17:20 udp-services-configmap.yaml
-rw-r--r-- 1 root root 2174 4月 1 17:20 with-rbac.yaml
Create the ingress-nginx namespace
[root@master ingress-nginx]# cat namespace.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
[root@master ingress-nginx]# kubectl apply -f namespace.yaml
namespace/ingress-nginx created
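Create the ingress controller pod
# Because network firewall restrictions in mainland China prevent pulling the required images from the k8s.gcr.io registry, edit the manifest and change the image address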
[root@master ingress-nginx]# vim default-backend.yaml
#image: gcr.io/google_containers/defaultbackend:1.4
image: xiaobai20201/defaultbackend-amd64:1.5
[root@master ingress-nginx]# kubectl apply -f .
configmap/nginx-configuration created
deployment.extensions/default-http-backend created
service/default-http-backend created
namespace/ingress-nginx unchanged
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
configmap/tcp-services created
configmap/udp-services created
deployment.extensions/nginx-ingress-controller created
Check the result
[root@master ingress-nginx]# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
default-http-backend-788bdcf46f-7b5ds 1/1 Running 0 24s
nginx-ingress-controller-7db86988c8-jmv72 1/1 Running 0 3m50s
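
With the image line edited as above, the default backend is pulled from a different registry account, by tag only. The following added example (not from the original page or the ingress-nginx project) lists which image references in a manifest come from outside an allowlist or are not pinned by digest; the allowlist, the registry.example.internal mirror and the all-zero digest are assumptions made up for illustration.

```python
import re

# Assumption: an example allowlist; registry.example.internal is a hypothetical mirror.
TRUSTED_REGISTRIES = {"gcr.io", "registry.example.internal"}

def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    # The first path component is a registry only if it looks like a host name.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, remainder = first, rest
    else:
        registry, remainder = "docker.io", name     # Docker Hub is the implicit default
    repo, colon, tag = remainder.rpartition(":")
    if not colon:
        repo, tag = remainder, ""
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo                    # official images live under library/
    return registry, repo, tag or None, digest or None

def audit_images(manifest_text):
    """Return [(image, [issues])] for every active image: line in a manifest."""
    findings = []
    for line in manifest_text.splitlines():
        match = re.match(r"\s*(?:-\s*)?image:\s*(\S+)", line)  # "#image:" lines do not match
        if not match:
            continue
        ref = match.group(1).strip("\"'")
        registry, _repo, tag, digest = parse_image(ref)
        issues = []
        if registry not in TRUSTED_REGISTRIES:
            issues.append("untrusted-registry")
        if digest is None:
            issues.append("not-digest-pinned")
            if tag in (None, "latest"):
                issues.append("floating-tag")
        if issues:
            findings.append((ref, issues))
    return findings

# Constructed sample: the image lines from this page plus one digest-pinned mirror entry.
PINNED = "registry.example.internal/defaultbackend@sha256:" + "0" * 64  # placeholder digest
SAMPLE = f"""
#image: gcr.io/google_containers/defaultbackend:1.4
image: xiaobai20201/defaultbackend-amd64:1.5
        image: ikubernetes/myapp:v2
        image: tomcat:8.5-alpine
      - image: {PINNED}
"""

if __name__ == "__main__":
    for image, issues in audit_images(SAMPLE):
        print(f"{image}: {', '.join(issues)}")
```

Only the entry that is mirrored into the allowlisted registry and referenced by digest passes; the three tag-only Docker Hub references used on this page are reported.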
Configuring the ingress backend service
View the manifest fields:
[root@master ~]# kubectl explain ingress.spec.
KIND:     Ingress
VERSION:  extensions/v1beta1
RESOURCE: spec <Object>
DESCRIPTION:
     Spec is the desired state of the Ingress. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
     IngressSpec describes the Ingress the user wishes to exist.
FIELDS:
   backend <Object>    # defines the backend host
   rules <[]Object>    # defines the rules
   tls <[]Object>
Deploy:
[root@master ingress-nginx]# cd ../ && mkdir ingress && cd ingress
[root@master ingress]# vim deploy-demo.yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  selector:
    app: myapp
    release: canary
  ports:
  - name: http
    targetPort: 80
    port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-backend-pod
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v2
        ports:
        - name: http
          containerPort: 80
Check the deployment result
[root@master ingress]# kubectl get pods,svc
NAME READY STATUS RESTARTS AGE
pod/filebeat-ds-h8rwk 1/1 Running 0 18h
pod/filebeat-ds-kzhxw 1/1 Running 0 18h
pod/myapp-backend-pod-6b56d98b6b-2dh5h 1/1 Running 0 78s
pod/myapp-backend-pod-6b56d98b6b-hwzws 1/1 Running 0 78s
pod/myapp-backend-pod-6b56d98b6b-ztwn2 1/1 Running 0 78s
pod/readiness-httpget-pod 1/1 Running 0 3d16h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 5d16h
service/myapp ClusterIP 10.100.41.152 <none> 80/TCP 7m47s
service/myapp-headless ClusterIP None <none> 80/TCP 16h
Deploying the ingress-nginx service
To serve traffic through the ingress controller, a Service must now be created manually for the ingress controller so that it can receive traffic from outside the cluster.
Download the YAML file for the ingress-controller service
[root@master ingress]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.17.1/deploy/provider/baremetal/service-nodeport.yaml
[root@master ingress]# vim service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 31111 # a random port by default; set explicitly here
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
    nodePort: 31443 # a random port by default; set explicitly here
  selector:
    app: ingress-nginx
Check the deployment result
[root@master ingress]# kubectl apply -f service-nodeport.yaml
service/ingress-nginx created
[root@master ingress]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default-http-backend ClusterIP 10.98.233.231 <none> 80/TCP 33m
ingress-nginx NodePort 10.103.142.142 <none> 80:31111/TCP,443:31443/TCP 8s
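At this point, a request to 10.0.0.10:31111 should return 404: the controller is dispatching requests normally, but no backend service has been associated with it yet.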
Deploying the Ingress
Write the manifest
[root@master ingress]# vim ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myapp-ingress # name of the Ingress
  namespace: default # namespace it belongs to
  annotations: # annotations
    kubernetes.io/ingress.class: "nginx"
spec:
  rules: # rules for forwarding to the backend
  - host: myapp.white.com # forward by domain name
    http:
      paths:
      - path: # access path; change it to forward by URL. Empty defaults to the root path "/"
        backend: # backend service
          serviceName: myapp
          servicePort: 80
After creating it, check the result:
[root@master ingress]# kubectl apply -f ingress-myapp.yaml
ingress.extensions/myapp-ingress created
[root@master ingress]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
myapp-ingress myapp.white.com 80 12s
View the details of myapp-ingress
[root@master ingress]# kubectl describe ingress myapp-ingress
Name: myapp-ingress
Namespace: default
Address:
Default backend: default-http-backend:80 (<none>)
Rules:
Host Path Backends
---- ---- --------
myapp.white.com
myapp:80 (<none>)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"myapp-ingress","namespace":"default"},"spec":{"rules":[{"host":"myapp.white.com","http":{"paths":[{"backend":{"serviceName":"myapp","servicePort":80},"path":null}]}}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 62s nginx-ingress-controller Ingress default/myapp-ingress
[root@master ingress]#
Enter the nginx-ingress-controller pod to check whether the nginx configuration has been injected
[root@master ingress]# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
default-http-backend-788bdcf46f-7b5ds 1/1 Running 0 41m
nginx-ingress-controller-7db86988c8-jmv72 1/1 Running 0 45m
[root@master ingress]# kubectl exec -it nginx-ingress-controller-7db86988c8-jmv72 -n ingress-nginx -- /bin/sh
$ cat nginx.conf
......
upstream default-myapp-80 { # load balancing to the backend pods, configured automatically
    least_conn;
    keepalive 32;
    server 10.244.1.44:80 max_fails=0 fail_timeout=0;
    server 10.244.2.49:80 max_fails=0 fail_timeout=0;
    server 10.244.2.48:80 max_fails=0 fail_timeout=0;
}
......
## start server myapp.white.com
server {
    server_name myapp.white.com ;
    listen 80;
    listen [::]:80;
    set $proxy_upstream_name "-";
    location / {
        set $namespace "default";
        set $ingress_name "myapp-ingress";
        set $service_name "myapp";
        set $service_port "80";
        set $location_path "/";
        rewrite_by_lua_block {
        }
...
Edit the local hosts file, then access the site
10.0.0.10 master myapp.white.com
10.0.0.11 node01 myapp.white.com
10.0.0.12 node02 myapp.white.com
Adding a tomcat service
Write the manifest
[root@master ingress]# vim tomcat-deploy.yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  - name: ajp
    targetPort: 8009
    port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5-alpine
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009
Write the Ingress rule for tomcat and create the Ingress resource
[root@master ingress]# vim ingress-tomcat.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.white.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
Apply
[root@master ingress]# kubectl apply -f tomcat-deploy.yaml
[root@master ingress]# kubectl get pods
NAME READY STATUS RESTARTS AGE
filebeat-ds-h8rwk 1/1 Running 0 19h
filebeat-ds-kzhxw 1/1 Running 0 19h
myapp-backend-pod-6b56d98b6b-2dh5h 1/1 Running 0 62m
myapp-backend-pod-6b56d98b6b-hwzws 1/1 Running 0 62m
myapp-backend-pod-6b56d98b6b-ztwn2 1/1 Running 0 62m
readiness-httpget-pod 1/1 Running 0 3d17h
tomcat-deploy-5f554cd88d-7gzc7 1/1 Running 0 44s
tomcat-deploy-5f554cd88d-c42t6 1/1 Running 0 44s
tomcat-deploy-5f554cd88d-qhc4j 1/1 Running 0 44s
[root@master ingress]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 5d17h
myapp ClusterIP 10.100.41.152 <none> 80/TCP 70m
myapp-headless ClusterIP None <none> 80/TCP 17h
tomcat ClusterIP 10.107.88.118 <none> 8080/TCP,8009/TCP 3m4s
Check whether tomcat-deploy is listening on 8080 and 8009
[root@master ingress]# kubectl exec -it tomcat-deploy-5f554cd88d-7gzc7 -- netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
Create the Ingress resource
[root@master ingress]# kubectl apply -f ingress-tomcat.yaml
ingress.extensions/tomcat-ingress created
[root@master ingress]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
myapp-ingress myapp.white.com 80 45m
tomcat-ingress tomcat.white.com 80 5s
View the details of tomcat-ingress
[root@master ingress]# kubectl describe ingress tomcat-ingress
Name: tomcat-ingress
Namespace: default
Address:
Default backend: default-http-backend:80 (<none>)
Rules:
Host Path Backends
---- ---- --------
tomcat.white.com
tomcat:8080 (<none>)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"tomcat-ingress","namespace":"default"},"spec":{"rules":[{"host":"tomcat.white.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 71s nginx-ingress-controller Ingress default/tomcat-ingress
Edit the local hosts file mappings, then test access
10.0.0.10 master myapp.white.com tomcat.white.com
10.0.0.11 node01 myapp.white.com tomcat.white.com
10.0.0.12 node02 myapp.white.com tomcat.white.com
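Summary
From the deployment above, the process can be summarized as follows:
- Download the Ingress-controller YAML files and create a dedicated namespace for the Ingress-controller;
- Deploy the backend service, such as myapp, and expose it through a Service;
- Deploy the Service for the Ingress-controller so that it can accept traffic from outside the cluster;
- Deploy the Ingress to define the rules that associate the Ingress-controller with the backend service's group of Pods.
Building a TLS site
Prepare the certificate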
[root@master ingress]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
......+++
.....................................................+++
e is 65537 (0x10001)
[root@master ingress]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Guangdong/L=Zhongshan/O=DevOps/CN=tomcat.white.com
[root@master ingress]# ls
deploy-demo.yaml ingress-tomcat.yaml tls.crt tomcat-deploy.yaml
ingress-myapp.yaml service-nodeport.yaml tls.key
The generated certificate cannot be used directly by the nginx pod; it has to be converted into a secret (another standard Kubernetes object).
Create the secret
[root@master ingress]# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
secret/tomcat-ingress-secret created
[root@master ingress]# kubectl get secret
NAME TYPE DATA AGE
default-token-dqd2f kubernetes.io/service-account-token 3 5d18h
tomcat-ingress-secret kubernetes.io/tls 2 11s
[root@master ingress]# kubectl describe secret tomcat-ingress-secret
Name: tomcat-ingress-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 1302 bytes
tls.key: 1679 bytes
Create the Ingress
[root@master ~]# kubectl explain ingress.spec.tls.
[root@master ingress]# vim ingress-tomcat-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-ingress-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.white.com
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.white.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
[root@master ingress]# kubectl apply -f ingress-tomcat-tls.yaml
ingress.extensions/tomcat-ingress-tls created
[root@master ingress]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
myapp-ingress myapp.white.com 80 61m
tomcat-ingress tomcat.white.com 80 16m
tomcat-ingress-tls tomcat.white.com 80, 443 25s
# View the description
[root@master ingress]# kubectl describe ingress tomcat-ingress-tls
Name: tomcat-ingress-tls
Namespace: default
Address:
Default backend: default-http-backend:80 (<none>)
TLS:
tomcat-ingress-secret terminates tomcat.white.com
Rules:
Host Path Backends
---- ---- --------
tomcat.white.com
tomcat:8080 (<none>)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"tomcat-ingress-tls","namespace":"default"},"spec":{"rules":[{"host":"tomcat.white.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}],"tls":[{"hosts":["tomcat.white.com"],"secretName":"tomcat-ingress-secret"}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 107s nginx-ingress-controller Ingress default/tomcat-ingress-tls
Check inside the pod
[root@master ingress]# kubectl exec -it nginx-ingress-controller-7db86988c8-jmv72 -n ingress-nginx -- /bin/sh
$ cat nginx.conf
······
upstream default-tomcat-8080 {
    least_conn;
    keepalive 32;
    server 10.244.1.45:8080 max_fails=0 fail_timeout=0;
    server 10.244.2.51:8080 max_fails=0 fail_timeout=0;
    server 10.244.2.50:8080 max_fails=0 fail_timeout=0;
}
······
## start server _
server {
    server_name _ ;
    listen 80 default_server backlog=511;
    listen [::]:80 default_server backlog=511;
    set $proxy_upstream_name "-";
    listen 443 default_server backlog=511 ssl http2;
    listen [::]:443 default_server backlog=511 ssl http2;
    # PEM sha: 07ee66d47cf4e5ef25baa6f91d62296e05243cfe
    ssl_certificate /etc/ingress-controller/ssl/default-fake-certificate.pem;
    ssl_certificate_key /etc/ingress-controller/ssl/default-fake-certificate.pem;
......
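Access port 31443 from a client to check
Because of the certificate issue the client reports the site as not secure, but HTTPS on port 443 is reachable.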
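
After the steps above the cluster holds three Ingress objects: tomcat.white.com is defined by two of them, and myapp.white.com has no TLS entry. The added example below (not part of the original page) audits a list of Ingress objects, shaped like the items of kubectl get ingress -o json, for those conditions and for the host restriction described earlier; audit_ingresses, make_ingress and the check names are hypothetical.

```python
import ipaddress
from collections import defaultdict

def make_ingress(name, host, service, port, tls=None):
    """Build a v1beta1-style Ingress object like the ones created on this page."""
    spec = {"rules": [{"host": host, "http": {"paths": [
        {"path": None, "backend": {"serviceName": service, "servicePort": port}}]}}]}
    if tls:
        spec["tls"] = tls
    return {"metadata": {"name": name, "namespace": "default"}, "spec": spec}

# Constructed from the names and hosts used in the manifests on this page.
PAGE_INGRESSES = [
    make_ingress("myapp-ingress", "myapp.white.com", "myapp", 80),
    make_ingress("tomcat-ingress", "tomcat.white.com", "tomcat", 8080),
    make_ingress("tomcat-ingress-tls", "tomcat.white.com", "tomcat", 8080,
                 tls=[{"hosts": ["tomcat.white.com"], "secretName": "tomcat-ingress-secret"}]),
]

def audit_ingresses(items):
    """Return sorted (check, host, detail) findings for a list of Ingress objects."""
    rule_hosts = defaultdict(list)      # host -> names of the Ingresses that route it
    tls_hosts = set()
    findings = []
    for ing in items:
        name, spec = ing["metadata"]["name"], ing.get("spec", {})
        for entry in spec.get("tls") or []:
            hosts = entry.get("hosts") or []
            tls_hosts.update(hosts)
            if not entry.get("secretName"):
                findings.append(("tls-without-secret", ",".join(hosts), name))
        for rule in spec.get("rules") or []:
            host = rule.get("host") or "*"          # empty host matches every name
            rule_hosts[host].append(name)
            try:
                ipaddress.ip_address(host.split(":")[0])
                findings.append(("ip-host", host, name))   # IP and IP:Port are unsupported
            except ValueError:
                pass
    for host, names in rule_hosts.items():
        if host not in tls_hosts:
            findings.append(("plaintext-only", host, ",".join(names)))
        if len(names) > 1:
            findings.append(("duplicate-host", host, ",".join(names)))
    for host in tls_hosts - set(rule_hosts):
        findings.append(("tls-host-unrouted", host, ""))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_ingresses(PAGE_INGRESSES):
        print(*finding)
```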