Introduction to the Ingress concept
A Service can only act as a layer-4 proxy; it cannot proxy at layer 7 (for example, HTTPS services).
LVS only forwards based on layer-4 data; it cannot schedule traffic based on layer-7 protocol data.
Ingress Controller
A Pod program that provides layer-7 proxying.
Ingress resource
1. First, a headless Service dynamically associates the backend Pods that match its label selector.
2. The Ingress dynamically injects the Pod addresses associated with the Service into the frontend proxy's upstream configuration and at the same time triggers the main proxy program to reload the latest configuration file.
Pod change > Service change > Ingress change > Ingress Controller injects configuration
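The chain above (Pod change, Service selection, upstream injection, reload) can be modelled in a few dozen lines. The following is an added example, not code from the original page or from the ingress-nginx project: the Service selector, Pod list and upstream naming are constructed for the illustration, and a real controller watches the API server instead of being handed a list.

```python
# Added example: a minimal model of one ingress-controller reconcile pass.
# Pod and Service state below is constructed for the illustration.
import hashlib

# Constructed sample state: the Service's selector and the Pods in the namespace.
SERVICE = {"name": "myapp", "port": 80,
           "selector": {"app": "myapp", "release": "canary"}}

PODS = [
    {"name": "myapp-deploy-1", "ip": "10.244.1.10", "phase": "Running",
     "labels": {"app": "myapp", "release": "canary"}},
    {"name": "myapp-deploy-2", "ip": "10.244.2.11", "phase": "Running",
     "labels": {"app": "myapp", "release": "canary"}},
    {"name": "myapp-deploy-3", "ip": "10.244.3.12", "phase": "Pending",
     "labels": {"app": "myapp", "release": "canary"}},   # not ready yet
    {"name": "other-1", "ip": "10.244.1.99", "phase": "Running",
     "labels": {"app": "myapp", "release": "stable"}},   # selector does not match
]


def selected_endpoints(service, pods):
    """IP:port of Running pods whose labels satisfy the Service selector.
    This is the headless-Service step: pods are chosen by label, never by IP."""
    sel = service["selector"]
    return sorted(
        f'{p["ip"]}:{service["port"]}'
        for p in pods
        if p["phase"] == "Running"
        and all(p["labels"].get(k) == v for k, v in sel.items())
    )


def render_upstream(service, endpoints):
    """Render the nginx upstream block the controller injects for this Service.
    The <namespace>-<service>-<port> naming mirrors what the controller's
    nginx.conf uses; the 503 fallback address is an illustrative placeholder."""
    lines = [f'upstream default-{service["name"]}-{service["port"]} {{']
    if endpoints:
        lines += [f"    server {ep} max_fails=0 fail_timeout=0;" for ep in endpoints]
    else:
        lines.append("    # no ready endpoints: requests get a 503 instead of a dangling proxy_pass")
        lines.append("    server 127.0.0.1:8181;")
    lines.append("}")
    return "\n".join(lines)


def reconcile(service, pods, last_hash):
    """One controller pass: select endpoints, render config, decide on reload.
    Returns (config, config_hash, reload_needed). Reloading only when the
    rendered text changes is what keeps a busy cluster from reloading nginx
    on every irrelevant event."""
    config = render_upstream(service, selected_endpoints(service, pods))
    digest = hashlib.sha256(config.encode()).hexdigest()
    return config, digest, digest != last_hash


if __name__ == "__main__":
    cfg, h1, reload1 = reconcile(SERVICE, PODS, last_hash=None)
    print(cfg, "\nreload:", reload1)
    _, h2, reload2 = reconcile(SERVICE, PODS, last_hash=h1)
    print("reload on unchanged state:", reload2)
    PODS[2]["phase"] = "Running"          # the pending pod becomes ready
    cfg, _, reload3 = reconcile(SERVICE, PODS, last_hash=h2)
    print(cfg, "\nreload after pod change:", reload3)
```

Running the script shows the pending pod and the pod with the wrong `release` label being left out of the upstream, no reload on an unchanged state, and a reload as soon as the third pod becomes ready.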
Ingress reverse-proxying to backend web servers
1. Deploy the backend Pods
```yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  selector:
    app: myapp
    release: canary
  ports:
  - name: http
    targetPort: 80
    port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v2
        ports:
        - name: http
          containerPort: 80
```
2. Create the Ingress resource
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myapp.yxh.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp
          servicePort: 80
```
3. Create the Ingress Controller Pod
```
[root@k8s-master ingress]# kubectl get pod -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-7d4c999994-pn6wt   1/1     Running   0          3d
```
service_nodeport is what lets the ingress-controller receive traffic from outside the cluster. The ingress-controller is simply a Pod running nginx, and service_nodeport is the Service in front of that nginx Pod. The ingress-controller Pod is created from the YAML files in the nginx-ingress repository downloaded from git.
4. Create the service_nodeport configuration
```yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 30080
  - name: https
    port: 443
    targetPort: 443
    nodePort: 30443
    protocol: TCP
  selector:
    app: ingress-nginx
```
5. Modify the hosts file
```
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
192.168.11.141 myapp.yxh.com
192.168.11.141 tomcat.yxh.com
```
6. Access from the browser

Implementing an HTTPS reverse proxy for Tomcat with Ingress
1. Deploy the Tomcat Pods
```yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  - name: ajp
    targetPort: 8009
    port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5.32-jre8-alpine
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009
```
2. Create the SSL certificate
Generate a self-signed certificate:
```
[root@k8s-master ingress]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................................+++
...........................................................................................................+++
e is 65537 (0x10001)
[root@k8s-master ingress]# openssl req -new -x509 -key tls.key -out tls.out -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.yxh.com
```
The CN must be set to exactly the domain name that will be used to access the site.
```
[root@k8s-master ingress]# ls
ingress-myapp.yaml  ngx-deploy.yaml  tls.key  tomcat  ingress-nginx-nginx-0.13.0  service_nodeport.yaml  tls.out
```
Convert the generated certificate into a Secret resource object. The subcommand is `kubectl create secret tls`, the certificate file is the `tls.out` written by the `openssl req` command above, and the Secret name must be the one the Ingress references in its `secretName` (tomcat-ingress-secret, as shown by `kubectl get secret`):
```
[root@k8s-master ingress]# kubectl create secret tls tomcat-ingress-secret --cert=tls.out --key=tls.key
[root@k8s-master ingress]# kubectl get secret
NAME                    TYPE                                  DATA   AGE
default-token-n87jl     kubernetes.io/service-account-token   3      244d
tomcat-ingress-secret   kubernetes.io/tls                     2      1h
```
3. Create the Tomcat SSL Ingress resource
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.yxh.com
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.yxh.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
```
4. Create the Tomcat HTTP Ingress resource
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.yxh.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
```
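Before applying the Tomcat manifests from steps 1 to 4 it is worth checking that they agree with each other: the Ingress backend must name a Service port that exists, the Service selector must match the Deployment's pod-template labels, the `secretName` must refer to an existing `kubernetes.io/tls` Secret, and the certificate CN must match the host (the point made in step 2). The script below is an added example, not code from the original page or from Kubernetes; the manifests are embedded as Python dicts (Kubernetes objects are JSON-compatible) and the Secret list and certificate CNs are constructed stand-ins for `kubectl get secret` output.

```python
# Added example: pre-apply consistency check over the Tomcat manifests above.
# Manifests are embedded as dicts; SECRETS and SECRET_CN are constructed.
import copy

TOMCAT_SERVICE = {
    "kind": "Service", "metadata": {"name": "tomcat", "namespace": "default"},
    "spec": {"selector": {"app": "tomcat", "release": "canary"},
             "ports": [{"name": "http", "port": 8080, "targetPort": 8080},
                       {"name": "ajp", "port": 8009, "targetPort": 8009}]},
}
TOMCAT_DEPLOYMENT = {
    "kind": "Deployment", "metadata": {"name": "tomcat-deploy", "namespace": "default"},
    "spec": {"selector": {"matchLabels": {"app": "tomcat", "release": "canary"}},
             "template": {"metadata": {"labels": {"app": "tomcat", "release": "canary"}}}},
}
TLS_INGRESS = {
    "kind": "Ingress", "metadata": {"name": "ingress-tomcat-tls", "namespace": "default"},
    "spec": {"tls": [{"hosts": ["tomcat.yxh.com"], "secretName": "tomcat-ingress-secret"}],
             "rules": [{"host": "tomcat.yxh.com", "http": {"paths": [
                 {"path": "", "backend": {"serviceName": "tomcat", "servicePort": 8080}}]}}]},
}
# Constructed: name -> type, as `kubectl get secret` would list them.
SECRETS = {"default-token-n87jl": "kubernetes.io/service-account-token",
           "tomcat-ingress-secret": "kubernetes.io/tls"}
# Constructed: subject CN read from each tls Secret's certificate.
SECRET_CN = {"tomcat-ingress-secret": "tomcat.yxh.com"}


def check_service_selects(service, deployment):
    """True when every selector label is present on the Deployment's pod template."""
    labels = deployment["spec"]["template"]["metadata"]["labels"]
    return all(labels.get(k) == v for k, v in service["spec"]["selector"].items())


def check_ingress(ingress, services, secrets, secret_cn):
    """Return a list of problems; an empty list means the Ingress is consistent."""
    problems = []
    svc_by_name = {s["metadata"]["name"]: s for s in services}
    rule_hosts = {r.get("host") for r in ingress["spec"].get("rules", [])}
    for tls in ingress["spec"].get("tls", []):
        name = tls.get("secretName")
        if secrets.get(name) != "kubernetes.io/tls":
            problems.append(f"tls secret {name!r} missing or not of type kubernetes.io/tls")
        for host in tls.get("hosts", []):
            if host not in rule_hosts:
                problems.append(f"tls host {host!r} has no matching rule")
            cn = secret_cn.get(name)
            if cn is not None and cn != host:
                problems.append(f"certificate CN {cn!r} in {name!r} does not match host {host!r}")
    for rule in ingress["spec"].get("rules", []):
        for path in rule["http"]["paths"]:
            backend = path["backend"]
            svc = svc_by_name.get(backend["serviceName"])
            if svc is None:
                problems.append(f"backend service {backend['serviceName']!r} not found")
                continue
            # servicePort may be given by number or by port name.
            ports = {p["port"] for p in svc["spec"]["ports"]} | {p.get("name") for p in svc["spec"]["ports"]}
            if backend["servicePort"] not in ports:
                problems.append(f"service {backend['serviceName']!r} exposes no port {backend['servicePort']!r}")
    return problems


def with_secret_name(ingress, name):
    """Deep copy of the Ingress pointing at a different tls secretName."""
    out = copy.deepcopy(ingress)
    out["spec"]["tls"][0]["secretName"] = name
    return out


if __name__ == "__main__":
    print("service selects deployment pods:", check_service_selects(TOMCAT_SERVICE, TOMCAT_DEPLOYMENT))
    print("problems:", check_ingress(TLS_INGRESS, [TOMCAT_SERVICE], SECRETS, SECRET_CN))
    # A Secret created under a different name than the Ingress references is caught before apply.
    print("problems with wrong secret name:",
          check_ingress(with_secret_name(TLS_INGRESS, "tomcat-ingress-cert"), [TOMCAT_SERVICE], SECRETS, SECRET_CN))
```

The name mismatch case is the one that is easiest to make by hand: the controller will still load the Ingress, but the host ends up served without a certificate (or with the controller's default one) rather than failing loudly.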
5. How it works
Whenever kubectl apply|delete -f ingress-tomcat-tls.yaml is run, the settings are automatically written into the main nginx configuration file of the ingress-controller and take effect immediately.
The ingress-controller acts as an SSL session offloader: the client must send its requests to the controller over HTTPS, but when the controller forwards the request to the Tomcat Pods inside the cluster, it uses plain HTTP.
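The server block the controller generates makes the offload visible: TLS is configured on the `listen 443` side, while `proxy_pass` towards the Pods uses `http://`. The following is an added example that renders such a block from the TLS Ingress above; it is not code from the original page or from ingress-nginx, and the `/ingress-controller/ssl/<namespace>-<secret>.pem` path and `<namespace>-<service>-<port>` upstream name are taken from the layout seen in the controller's nginx.conf on this page.

```python
# Added example: render the nginx server block for a TLS Ingress and report
# which scheme is used on each hop. Ingress data is embedded for the example.

TLS_INGRESS = {
    "metadata": {"name": "ingress-tomcat-tls", "namespace": "default"},
    "spec": {
        "tls": [{"hosts": ["tomcat.yxh.com"], "secretName": "tomcat-ingress-secret"}],
        "rules": [{"host": "tomcat.yxh.com", "http": {"paths": [
            {"path": "", "backend": {"serviceName": "tomcat", "servicePort": 8080}}]}}],
    },
}


def upstream_name(namespace, backend):
    """Upstream naming used by the controller: <namespace>-<service>-<port>."""
    return f"{namespace}-{backend['serviceName']}-{backend['servicePort']}"


def render_server(ingress):
    """Render one nginx `server {}` per rule host; TLS listeners are only added
    for hosts that appear in spec.tls. The hop to the Pod is always plain HTTP."""
    ns = ingress["metadata"]["namespace"]
    secret_for_host = {h: t["secretName"]
                       for t in ingress["spec"].get("tls", []) for h in t.get("hosts", [])}
    out = []
    for rule in ingress["spec"]["rules"]:
        host = rule["host"]
        out += [f"## start server {host}", "server {",
                f"    server_name {host};", "    listen 80;", "    listen [::]:80;"]
        secret = secret_for_host.get(host)
        if secret:
            # The controller writes cert and key into one PEM named after the Secret.
            pem = f"/ingress-controller/ssl/{ns}-{secret}.pem"
            out += ["    listen 443 ssl http2;", "    listen [::]:443 ssl http2;",
                    f"    ssl_certificate {pem};", f"    ssl_certificate_key {pem};"]
        for p in rule["http"]["paths"]:
            location = p.get("path") or "/"       # an empty `path:` means the whole site
            out += [f"    location {location} {{",
                    "        proxy_set_header Host $host;",
                    "        proxy_set_header X-Forwarded-Proto $scheme;",
                    # TLS ends in the controller: the backend hop is cleartext.
                    f"        proxy_pass http://{upstream_name(ns, p['backend'])};",
                    "    }"]
        out += ["}", f"## end server {host}"]
    return "\n".join(out)


def proxied_hops(ingress):
    """(host, client-facing scheme, backend scheme, upstream) for each rule,
    so the offload point can be listed without reading the rendered config."""
    ns = ingress["metadata"]["namespace"]
    tls_hosts = {h for t in ingress["spec"].get("tls", []) for h in t.get("hosts", [])}
    return [(rule["host"], "https" if rule["host"] in tls_hosts else "http", "http",
             upstream_name(ns, rule["http"]["paths"][0]["backend"]))
            for rule in ingress["spec"]["rules"]]


if __name__ == "__main__":
    print(render_server(TLS_INGRESS))
    print(proxied_hops(TLS_INGRESS))
```

`X-Forwarded-Proto` is the only trace of the original HTTPS that reaches Tomcat; anything in the Pod that needs to know whether the client used TLS has to read that header rather than its own socket.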
Configuration of the ingress_nginx_controller
```
# find /etc -name nginx.conf
/etc/nginx/nginx.conf
```
```
kubectl exec -n ingress-nginx -ti nginx-ingress-controller-7d4c999994-pn6wt -- /bin/sh
kubectl logs -n ingress-nginx nginx-ingress-controller-7d4c999994-pn6wt | grep error
```
```
## start server tomcat.yxh.com
server {
    server_name tomcat.yxh.com ;
    listen 80;
    listen [::]:80;
    set $proxy_upstream_name "-";
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # PEM sha: 8d7a91d9f8445a2e44ca5cef9dcea2c9bf8e7141
    ssl_certificate /ingress-controller/ssl/default-tomcat-ingress-secret.pem;
    ssl_certificate_key /ingress-controller/ssl/default-tomcat-ingress-secret.pem;
    ssl_trusted_certificate /ingress-controller/ssl/default-tomcat-ingress-secret-full-chain.pem;
    ssl_stapling
```
6. Final result

