Kubernetes-10: Introduction to and demonstration of Ingress-nginx


Introduction to Ingress

 

What is Ingress?

Ingress is a way of exposing services in addition to hostPort, NodePort, ClusterIP and the load balancers specific to cloud environments; the Kubernetes project provides the official Nginx ingress controller. The ingress-nginx deployment used here is itself exposed in NodePort mode.

 

What can Ingress do?

In k8s, whichever type of svc you use, and whether the port forwarding and load balancing are implemented with iptables or ipvs, you only get layer-4 load balancing. What if you need layer-7 load balancing, for example to serve your site over HTTPS? Ingress exists to solve exactly this problem.

 

How Ingress works and its main components

How it works:

Much like Nginx: you can think of it as creating mapping rules in Ingress objects. The Ingress Controller watches the rules in the Ingress API objects, translates them into Nginx/HAProxy (or similar) configuration, and then serves external traffic.

Components:

ingress controller:

At its core a Deployment; there are many implementations, such as Nginx, HAProxy, Traefik and Istio. The yaml you need to write covers: Deployment, Service, ConfigMap and ServiceAccount (Auth); the Service type can be NodePort or LoadBalancer.

ingress resources: a k8s API object of kind Ingress, mainly written by developers.

 

1. Download Ingress

### Go to the official site to download it
https://kubernetes.github.io/ingress-nginx/deploy/

There you will find this hint:

Using NodePort:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-0.32.0/deploy/static/provider/baremetal/deploy.yaml
### As you can see, it is just a yaml file, so you can download it locally first

 

Then install it:

### Check which images the yaml file uses; you can pull them in advance, and every node needs to pull them
[root@Centos8 ~]# grep image /usr/local/install-k8s/ingress/deploy.yaml 
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.32.0
          imagePullPolicy: IfNotPresent
          image: jettech/kube-webhook-certgen:v1.2.0
          imagePullPolicy: IfNotPresent
          image: jettech/kube-webhook-certgen:v1.2.0
          imagePullPolicy:

### Once the images are pulled, run the apply command directly
[root@Centos8 ingress]# kubectl apply -f deploy.yaml 
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
configmap/ingress-nginx-controller created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
service/ingress-nginx-controller-admission created
service/ingress-nginx-controller created
deployment.apps/ingress-nginx-controller created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
serviceaccount/ingress-nginx-admission created

ok, installation done.
You can see that a namespace named ingress-nginx was created;
all of ingress-nginx's own objects live in the ingress-nginx namespace.
For example, look at the pods and svc:
[root@Centos8 k8sYaml]# kubectl get pod -n ingress-nginx
NAME                                        READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-lrsvp        0/1     Completed   0          10m
ingress-nginx-admission-patch-5hk9n         0/1     Completed   0          10m
ingress-nginx-controller-5575c6cd9d-2sblm   1/1     Running     0          32m

[root@Centos8 k8sYaml]# kubectl get svc -n ingress-nginx
NAME                                 TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.107.76.91   <none>        80:30361/TCP,443:31087/TCP   114m
ingress-nginx-controller-admission   ClusterIP   10.96.12.12    <none>        443/TCP                      114m

You can see that the port mapping of the ingress-nginx svc is:
80:30361/TCP,443:31087/TCP
For all the tests that follow, use port 30361 for http and port 31087 for https.

 

2. Create Ingress HTTP proxy access

1) First create the Deployment and Pods

2) Then create the SVC, which binds to the Pods

3) Then create the Ingress, binding the svc to the Ingress

4) Finally, external traffic reaches the Ingress, which maps to the SVC and then to the actual Pods

One last note: Ingress forwards by domain name, so when testing don't forget to add every domain name and IP you use to the hosts file.

 

1) Create the Deployment and svc

### Creating www1
vim svc-deployment1.yml
...
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-http1
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp1
        image: hub.vfancloud.com/test/myapp:v1
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-svc1
  namespace: default
spec:
  type: ClusterIP
  selector:
    app: myapp
  ports:
  - name: http
    port: 80
    targetPort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress1
spec:
  rules:
  - host: www1.wuzi.com
    http:
      paths:
      - path: /
        backend:
          serviceName: ingress-svc1
          servicePort: 80
...

kubectl apply -f svc-deployment1.yml


vim svc-deployment2.yml
...
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-http2
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp2
  template:
    metadata:
      labels:
        app: myapp2
    spec:
      containers:
      - name: myapp2
        image: hub.vfancloud.com/test/myapp:v2
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-svc2
  namespace: default
spec:
  type: ClusterIP
  selector:
    app: myapp2
  ports:
  - name: http
    port: 80
    targetPort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress2
spec:
  rules:
  - host: www2.wuzi.com
    http:
      paths:
      - path: /
        backend:
          serviceName: ingress-svc2
          servicePort: 80
...

kubectl apply -f svc-deployment2.yml

 

Both are built; test access:

http://www1.wuzi.com:30361

http://www2.wuzi.com:30361

One serves version v1, the other v2.

 

 

4. Ingress HTTPS proxy access

1) Create the HTTPS certificate

mkdir https
cd https
## Create the private key
[root@Centos8 https]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........+++++
...............................................................+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

## Create the CSR
[root@Centos8 https]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:vfan
Organizational Unit Name (eg, section) []:vfan
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

## Remove the passphrase from the private key
[root@Centos8 https]# cp server.key{,.org}
[root@Centos8 https]# openssl rsa -in server.key.org -out server.key

## Generate the certificate file (self-signed)
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

## Create the TLS secret
[root@Centos8 https]# kubectl create secret tls tls-secret --key server.key --cert server.crt
secret/tls-secret created

 

2) Create the Deployment, svc and Ingress

vim ingress-https.yaml
...
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      name: in-https
  template:
    metadata:
      labels:
        name: in-https
    spec:
      containers:
      - name: in-https
        image: hub.vfancloud.com/test/myapp:v3
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-https
spec:
  selector:
    name: in-https
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-https
spec:
  tls:
  - hosts:
    - www3.wuzi.com
    secretName: tls-secret
  rules:
  - host: www3.wuzi.com
    http:
      paths:
      - path: /
        backend:
          serviceName: ingress-https
          servicePort: 80
...

[root@Centos8 https]# kubectl apply -f ingress-https.yaml 

[root@Centos8 https]# kubectl get ingress
NAME            HOSTS           ADDRESS           PORTS     AGE
ingress-https   www3.wuzi.com   192.168.152.253   80, 443   16m
ingress1        www1.wuzi.com   192.168.152.253   80        45m
ingress2        www2.wuzi.com   192.168.152.253   80        45m

 

Test access to the https Ingress

Note: the port to use is the one mapped to the svc's port 443.

Enter in the address bar: https://www3.wuzi.com:31087

ok, it is reachable.

 

 

5. BasicAuth with Nginx

### First create the BasicAuth user with htpasswd; remember, the file it is saved to must be named auth
[root@Centos8 auth]# htpasswd -c auth vfan
New password: 
Re-type new password: 
Adding password for user vfan

### Create the secret
[root@Centos8 auth]# kubectl create secret generic basic-auth --from-file=auth
secret/basic-auth created

### Create the yaml file
vim auth.yaml
...
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-auth
spec:
  replicas: 3
  selector:
    matchLabels:
      name: auth
  template:
    metadata:
      labels:
        name: auth
    spec:
      containers:
      - name: ingress-auth
        image: hub.vfancloud.com/test/myapp:v4
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-auth
spec:
  selector:
    name: auth
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - vfan'
spec:
  rules:
  - host: www4.wuzi.com
    http:
      paths:
      - path: /
        backend:
          serviceName: svc-auth
          servicePort: 80
...
[root@Centos8 auth]# kubectl apply -f auth.yaml

[root@Centos8 auth]# kubectl get ingress
NAME                HOSTS           ADDRESS           PORTS     AGE
ingress-with-auth   www4.wuzi.com   192.168.152.253   80        94s
ingress-https       www3.wuzi.com   192.168.152.253   80, 443   33m
ingress1            www1.wuzi.com   192.168.152.253   80        62m
ingress2            www2.wuzi.com   192.168.152.253   80        62m

Test access:

http://www4.wuzi.com:30361/
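The following added example (my own code, not from the original post or the ingress-nginx project) cross-checks the wiring that sections 2, 4 and 5 depend on: the Service selector against the Deployment pod labels, each Ingress backend against an existing Service and port, the type of the tls secret, and the presence of the `auth` key in the basic-auth Secret. The manifests are given as Python dicts (the structure yaml.safe_load_all() would return for the files above) so it runs without PyYAML; the sample objects, the placeholder secret value and the misspelled backend name are constructed.

```python
# Added example, not from the original post: cross-check the wiring between the Deployment, Service,
# Ingress and Secret manifests before kubectl apply; manifests are plain dicts, as yaml.safe_load_all() returns.
def _by_kind(docs, kind):
    return {d["metadata"]["name"]: d for d in docs if d.get("kind") == kind}

def check_wiring(docs):
    """Return a list of problems; an empty list means the objects line up."""
    problems, deploys = [], _by_kind(docs, "Deployment")
    services, secrets = _by_kind(docs, "Service"), _by_kind(docs, "Secret")
    # 1. A Service selector must match the pod template labels of some Deployment.
    for name, svc in services.items():
        sel = svc["spec"].get("selector", {}).items()
        if not any(sel <= d["spec"]["template"]["metadata"]["labels"].items() for d in deploys.values()):
            problems.append(f"Service {name}: selector matches no Deployment pod template")
    for name, ing in _by_kind(docs, "Ingress").items():
        # 2. Every backend must name an existing Service that exposes that port.
        for path in (p for r in ing["spec"].get("rules", []) for p in r["http"]["paths"]):
            sname, sport = path["backend"]["serviceName"], path["backend"]["servicePort"]
            if sname not in services:
                problems.append(f"Ingress {name}: backend Service {sname} not found")
            elif sport not in [p["port"] for p in services[sname]["spec"]["ports"]]:
                problems.append(f"Ingress {name}: Service {sname} has no port {sport}")
        # 3. secretName under tls must be a kubernetes.io/tls Secret (what `kubectl create secret tls` makes).
        for tls in ing["spec"].get("tls", []):
            sec = secrets.get(tls.get("secretName"))
            if sec is None or sec.get("type") != "kubernetes.io/tls":
                problems.append(f"Ingress {name}: tls secret {tls.get('secretName')} missing or not kubernetes.io/tls")
        # 4. Basic auth: the Secret must exist and its data key must be literally 'auth'.
        ann = ing["metadata"].get("annotations", {})
        if ann.get("nginx.ingress.kubernetes.io/auth-type") == "basic":
            sec = secrets.get(ann.get("nginx.ingress.kubernetes.io/auth-secret"))
            if sec is None or "auth" not in sec.get("data", {}):
                problems.append(f"Ingress {name}: basic-auth Secret missing or has no 'auth' key")
    return problems

# Constructed sample: the BasicAuth objects from this post, with the backend name
# deliberately misspelled (auth-svc instead of svc-auth) to show what gets caught.
SAMPLE = [
    {"kind": "Deployment", "metadata": {"name": "ingress-auth"},
     "spec": {"template": {"metadata": {"labels": {"name": "auth"}}}}},
    {"kind": "Service", "metadata": {"name": "svc-auth"},
     "spec": {"selector": {"name": "auth"}, "ports": [{"port": 80}]}},
    {"kind": "Secret", "metadata": {"name": "basic-auth"}, "data": {"auth": "BASE64_HTPASSWD_PLACEHOLDER"}},
    {"kind": "Ingress", "metadata": {"name": "ingress-with-auth", "annotations": {
        "nginx.ingress.kubernetes.io/auth-type": "basic",
        "nginx.ingress.kubernetes.io/auth-secret": "basic-auth"}},
     "spec": {"rules": [{"host": "www4.wuzi.com", "http": {"paths": [
         {"path": "/", "backend": {"serviceName": "auth-svc", "servicePort": 80}}]}}]}},
]
```

Running check_wiring(SAMPLE) reports the misspelled backend; the API server would accept that Ingress without complaint and the controller would answer 503 at request time.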

 

 

6. Ingress-Nginx rewrite

The rewrite-related annotations (name, description, value type):

nginx.ingress.kubernetes.io/rewrite-target (string): the target URI to which the traffic must be redirected.
nginx.ingress.kubernetes.io/ssl-redirect (bool): indicates whether the location section is only accessible via SSL (defaults to True when the Ingress contains a certificate).
nginx.ingress.kubernetes.io/force-ssl-redirect (bool): forces the redirect to HTTPS even if TLS is not enabled.
nginx.ingress.kubernetes.io/app-root (string): defines the application root the controller must redirect to when the request is in the "/" context.
nginx.ingress.kubernetes.io/use-regex (bool): indicates whether the paths defined on the Ingress use regular expressions.

Example:

Forward all traffic that reaches / on www5.wuzi.com to https://www3.wuzi.com:31087

vim rewrite.yaml
...
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: https://www3.wuzi.com:31087
  name: rewrite
  namespace: default
spec:
  rules:
  - host: www5.wuzi.com
    http:
      paths:
      - backend:
          serviceName: ingress-svc1
          servicePort: 80
        path: /
...

[root@Centos8 rewrite]# kubectl create -f rewrite.yaml 
ingress.networking.k8s.io/rewrite created

[root@Centos8 rewrite]# kubectl get ingress 
NAME                HOSTS           ADDRESS           PORTS     AGE
ingress-https       www3.wuzi.com   192.168.152.253   80, 443   148m
ingress-with-auth   www4.wuzi.com   192.168.152.253   80        20m
ingress1            www1.wuzi.com   192.168.152.253   80        177m
ingress2            www2.wuzi.com   192.168.152.253   80        177m
rewrite             www5.wuzi.com   192.168.152.253   80        41s

Test access:

http://www5.wuzi.com:30361

Redirected.

 

