Ingress controller
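Nginx --> adapted later to serve as an ingress controller
Traefik --> also used for microservices
Envoy --> microservices
Ingress resource
Currently using version 0.17.1 of ingress-nginx
How Ingress works: when the backend pods change, the Service changes; when the Service changes, the Ingress changes; the Ingress then injects the change into the nginx backend reverse-proxy configuration in the ingress-nginx-controller main container and reloads the configuration file, so the reverse-proxy configuration is updated dynamically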
kubectl explain ingress
kubectl explain ingress.spec
kubectl explain ingress.spec.rules
kubectl explain ingress.spec.rules.http
kubectl explain ingress.spec.backend    # associates the backend
Download ingress-nginx from GitHub
yum install git -y
kubectl create namespace env    # create a namespace
kubectl get ns
kubectl delete ns env    # delete the namespace
Files needed
namespace.yaml
rbac.yaml
with-rbac.yaml
configmap.yaml
udp-services-configmap.yaml
tcp-services-configmap.yaml
Pull the images:
docker pull googlecontainer/defaultbackend:1.4
docker tag docker.io/googlecontainer/defaultbackend:1.4 gcr.io/google_containers/defaultbackend:1.4
docker pull ibmcom/nginx-ingress-controller:0.23.0
1. Create the namespace first
kubectl apply -f namespace.yaml
Then create everything else together
kubectl create -f ./
2. Or use the one-step deployment
kubectl create -f mandatory.yaml
Check whether the ingress image is being pulled
kubectl get pods -n ingress-nginx
kubectl explain ingress.spec
cp deploy-demo.yaml ../ingress-nginx/
vim deploy-demo.yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp-service
  namespace: default
spec:
  selector:
    app: myapp
    release: canary
  ports:
  - name: http
    targetPort: 80    # container port
    port: 80          # Service port
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy    # controller name
  namespace: default
spec:
  replicas: 3    # 3 replicas
  selector:
    matchLabels:    # labels to match
      app: myapp
      release: canary
  template:
    metadata:
      labels:    # pod labels
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp    # container name
        image: ikubernetes/myapp:v2
        ports:
        - name: http
          containerPort: 80    # container port
kubectl apply -f deploy-demo.yaml    # create the pods and svc first
kubectl get pods
kubectl get svc
kubectl describe pods nginx-ingress-controller-589b9b8c9d-7mkng -n ingress-nginx    # see why the image pull failed; -n specifies the namespace
Create service-nodeport
cat service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx    # namespace
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort    # Service type is NodePort
  ports:
  - name: http
    nodePort: 30080    # node port
    port: 80           # Service port
    targetPort: 80     # pod port
    protocol: TCP
  - name: https
    nodePort: 30443
    port: 443
    targetPort: 443
    protocol: TCP
  selector:    # label of the ingress-nginx-controller main container
    app: ingress-nginx
kubectl apply -f service-nodeport.yaml
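kubectl get svc -n ingress-nginx    # check that it was created
Expose the service: create an Ingress to publish the service; this syncs the nginx configuration file in the controller pod
vim ingress-myapp.yaml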
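apiVersion: extensions/v1beta1
kind: Ingress    # resource type
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"    # the controller class for this Ingress is nginx; it generates the matching rules
spec:
  rules:    # rules
  - host: myapp.baidu.com    # host name used for external access
    http:
      paths:    # forwarding paths
      - path:
        backend:    # backend for the reverse proxy
          serviceName: myapp-service    # Service to forward to
          servicePort: 80               # Service port to forward to
kubectl apply -f ingress-myapp.yaml
Check that it was created
kubectl get ingress
View the details
kubectl describe ingresses
Once created, it is injected automatically into the ingress-nginx-controller main container, i.e. converted automatically into nginx configuration
Enter the ingress-nginx-controller container to check
kubectl exec -n ingress-nginx -it nginx-ingress-controller-5dc4979fb6-nfvvt -- /bin/sh
cat nginx.conf    # check whether the configuration has been written
Access test:
Add a hosts entry that points the host name at a node
http://myapp.com:30080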
SSL certificate:
openssl genrsa -out tls.key 2048
Private key: tls.key
openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=devops/CN=myapp.com
Self-signed certificate: tls.crt
kubectl create secret tls myapp-ingress-secret --cert=tls.crt --key=tls.key
Inject it into k8s
kubectl get secrets
Check whether the secret was created
kubectl describe secrets myapp-ingress-secret
kubectl explain ingress.spec
kubectl explain ingress.spec.tls
cp ingress-myapp.yaml ingress-myapp-tls.yaml
vim ingress-myapp-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - myapp.baidu.com
    secretName: myapp-ingress-secret
  rules:
  - host: myapp.baidu.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp-service
          servicePort: 80
Create the Ingress
kubectl apply -f ingress-myapp-tls.yaml
kubectl get ingress
kubectl describe ingress ingress-myapp-tls
Check the main container's configuration file; it now listens on 443
kubectl exec -n ingress-nginx -it nginx-ingress-controller-5dc4979fb6-nfvvt -- /bin/sh
Result: listen 443 ssl http2;
Access test:
Add a hosts entry that points the host name at a node
https://myapp.com:30443
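Added example (not part of the original notes): the certificate above is issued for CN=myapp.com with no subjectAltName, while the Ingress tls.hosts entry is myapp.baidu.com. The script reproduces that recipe in a temporary directory, checks the result with openssl x509 -checkhost, and then issues a certificate that carries the Ingress host in subjectAltName. The function names are assumptions, and -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: does a certificate cover the host listed in spec.tls.hosts?
# Function names and the temporary directory are assumptions, not from the notes.

# The notes' recipe: self-signed certificate with a subject CN only (no SAN).
make_cn_only_cert() {    # $1 = output dir, $2 = CN
  openssl genrsa -out "$1/tls.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$1/tls.key" -out "$1/tls.crt" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=devops/CN=$2" 2>/dev/null
}

# Same recipe, but the host is also written into subjectAltName,
# which is the field current TLS clients use for host name matching.
make_san_cert() {        # $1 = output dir, $2 = host
  openssl genrsa -out "$1/tls.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$1/tls.key" -out "$1/tls.crt" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=devops/CN=$2" \
    -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# Succeeds only if OpenSSL reports the certificate as valid for the host.
# -checkhost prints its verdict instead of setting the exit code, so grep it.
cert_matches_host() {    # $1 = certificate file, $2 = host
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match certificate"
}

# Succeeds only if the certificate carries a subjectAltName extension.
cert_has_san() {         # $1 = certificate file
  openssl x509 -in "$1" -noout -text | grep -q "Subject Alternative Name"
}

demo() {
  d=$(mktemp -d)
  make_cn_only_cert "$d" myapp.com
  cert_matches_host "$d/tls.crt" myapp.baidu.com \
    && echo "CN-only cert: covers myapp.baidu.com" \
    || echo "CN-only cert: does NOT cover myapp.baidu.com"
  cert_has_san "$d/tls.crt" || echo "CN-only cert: no subjectAltName"
  make_san_cert "$d" myapp.baidu.com
  cert_matches_host "$d/tls.crt" myapp.baidu.com \
    && echo "SAN cert: covers myapp.baidu.com"
  rm -rf "$d"
}
demo
```

Run cert_matches_host against tls.crt before kubectl create secret tls, using the host name from the Ingress tls.hosts list.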
Data flow: external --> service_nodeport --> service --> pod_network
The Ingress drives the ingress-nginx-controller main container, which performs the reverse proxying