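What is Ingress
Put simply, Ingress is a Kubernetes resource type, like Service, Deployment, StatefulSet and DaemonSet. It is mainly used to reach applications inside the cluster by domain name. [ingress-nginx is the NGINX-based Ingress implementation maintained by the Kubernetes project]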

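Why not use NodePort to publish services?
- When there are too many NodePorts, the services become hard to manage
- When there are too many Services, NodePort performance degrades
For these reasons, Kubernetes introduced the concept of Ingress: a layer-7 or layer-4 proxy implemented inside the cluster, which can proxy ports or publish domain names.

Installing Ingress with Helm
1. Add the official ingress-nginx Helm repository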
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

2. Search the repository for the available ingress-nginx versions
# Version 0.40.2 or later is recommended
helm search repo ingress-nginx

3. Pull the ingress-nginx chart
# helm pull [repo name/chart name]
helm pull ingress-nginx/ingress-nginx

4. Unpack the chart and edit the values.yaml configuration file

# The fragments below all sit under the chart's top-level controller: key; "......" marks omitted lines
# Change the image repository to a mirror registry in China
image:
  # repository: k8s.gcr.io/ingress-nginx/controller
  repository: registry.cn-hangzhou.aliyuncs.com/creamk87/ingress-nginx-controller
  tag: "v0.46.0"
  # Comment out the digest check (the image is then pulled by tag only and is no longer pinned to a fixed digest)
  # digest: sha256:52f0058bed0a17ab0fb35628ba97e8d52b5d32299fbc03cc0f6c7b9ff036b61a
# Use hostNetwork mode and change the DNS policy to ClusterFirstWithHostNet; dedicate a few nodes to running ingress, deploy with a DaemonSet, and add a nodeSelector
# Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'.
# By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller
# to keep resolving names inside the k8s network, use ClusterFirstWithHostNet.
dnsPolicy: ClusterFirstWithHostNet
# Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network
# Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply
reportNodeInternalIp: false
# Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
# since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
# is merged
hostNetwork: true
......
## DaemonSet or Deployment
##
kind: DaemonSet
......
nodeSelector:
  kubernetes.io/os: linux
  ingress: "true"
......
# Adjust the resource requests to match the production machines [my laptop can't handle much, so I set them fairly low here]
resources:
  # limits:
  #   cpu: 100m
  #   memory: 90Mi
  requests:
    cpu: 50m
    memory: 40Mi
......
# The ports/targetPorts/type fragment is under controller.service
ports:
  http: 80
  https: 443
targetPorts:
  http: http
  https: https
# If the environment is deployed on a public cloud, use the load balancer provided by the cloud service; if it is deployed in an on-premises data center, use ClusterIP here
# type: LoadBalancer
type: ClusterIP
......
admissionWebhooks:
  annotations: {}
  # If the ingress version is too old, enabled must be set to false; older versions have problems with the certificate check
  enabled: true
  failurePolicy: Fail
  ......
  patch:
    enabled: true
    image:
      # Change the image address to a mirror in China
      repository: registry.cn-hangzhou.aliyuncs.com/creamk87/kube-webhook-certgen
      tag: v1.5.1
      pullPolicy: IfNotPresent

5. Install ingress with the following commands
# Create the namespace
kubectl create ns ingress-nginx

# Label the target node so that the nodeSelector configured above takes effect and the DaemonSet is deployed on the chosen nodes
kubectl label node master03. ingress=true

[root@master01 ingress-nginx]# helm install ingress-nginx -n ingress-nginx .
NAME: ingress-nginx
LAST DEPLOYED: Sat May 29 21:41:58 2021
NAMESPACE: ingress-nginx
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The ingress-nginx controller has been installed.
Get the application URL by running these commands:
  export POD_NAME=$(kubectl --namespace ingress-nginx get pods -o jsonpath="{.items[0].metadata.name}" -l "app=ingress-nginx,component=controller,release=ingress-nginx")
  kubectl --namespace ingress-nginx port-forward $POD_NAME 8080:80
  echo "Visit http://127.0.0.1:8080 to access your application."

An example Ingress that makes use of the controller:

  apiVersion: networking.k8s.io/v1beta1
  kind: Ingress
  metadata:
    annotations:
      kubernetes.io/ingress.class: nginx
    name: example
    namespace: foo
  spec:
    rules:
      - host: www.example.com
        http:
          paths:
            - backend:
                serviceName: exampleService
                servicePort: 80
              path: /
    # This section is only required if TLS is to be enabled for the Ingress
    tls:
      - hosts:
          - www.example.com
        secretName: example-tls

If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:

  apiVersion: v1
  kind: Secret
  metadata:
    name: example-tls
    namespace: foo
  data:
    tls.crt: <base64 encoded cert>
    tls.key: <base64 encoded key>
  type: kubernetes.io/tls
[root@master01 ingress-nginx]#

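If the error above appears, use describe to check why the pod is failing. In my case it was because the image could not be pulled; for the fix, see note 15 later in this series.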
kubectl describe po ingress-nginx-controller-xdlwk -n ingress-nginx
# The earlier error message
#Warning Failed 21s (x2 over 38s) kubelet Failed to pull image "registry.cn-beijing.aliyuncs.com/dotbalo/ingress-nginx/controller:v0.40.2": rpc error: code = Unknown desc = Error response from daemon: pull access denied for registry.cn-beijing.aliyuncs.com/dotbalo/ingress-nginx/controller, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

At this point, the ingress installation is complete.
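
The following is an added example, not code from the original post or from the ingress-nginx project: once step 5 has run, the deployed DaemonSet can be audited for the settings that step 4 changed in values.yaml (host networking, DNS policy, node selector, image from a mirror without a digest, commented-out limits). The JSON sample is constructed, and the names `audit` and `TRUSTED_REGISTRIES` are hypothetical; on a real cluster the input would come from `kubectl -n ingress-nginx get daemonset ingress-nginx-controller -o json`.

```python
import json

# Constructed sample: trimmed shape of
#   kubectl -n ingress-nginx get daemonset ingress-nginx-controller -o json
# for a release installed with the values.yaml edits from step 4.
SAMPLE = json.loads("""
{"kind": "DaemonSet",
 "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
 "spec": {"template": {"spec": {
   "hostNetwork": true,
   "dnsPolicy": "ClusterFirstWithHostNet",
   "nodeSelector": {"kubernetes.io/os": "linux", "ingress": "true"},
   "containers": [{"name": "controller",
     "image": "registry.cn-hangzhou.aliyuncs.com/creamk87/ingress-nginx-controller:v0.46.0",
     "resources": {"requests": {"cpu": "50m", "memory": "40Mi"}}}]}}}}
""")

# Assumption: the registries this cluster's operators have decided to trust.
TRUSTED_REGISTRIES = ("k8s.gcr.io/",)

def audit(workload, trusted=TRUSTED_REGISTRIES):
    """Return a list of (check, detail) findings for one workload object."""
    pod = workload["spec"]["template"]["spec"]
    findings = []
    if pod.get("hostNetwork"):
        findings.append(("host-network", "pod shares the node's network namespace"))
        if pod.get("dnsPolicy") != "ClusterFirstWithHostNet":
            findings.append(("dns-policy", "cluster names resolve via host DNS"))
    if "ingress" not in pod.get("nodeSelector", {}):
        findings.append(("node-selector", "controller not limited to labelled nodes"))
    for c in pod.get("containers", []):
        image = c["image"]
        if "@sha256:" not in image:      # tag only, so the content can change
            findings.append(("unpinned-image", image))
        if not image.startswith(trusted):
            findings.append(("untrusted-registry", image))
        if "limits" not in c.get("resources", {}):
            findings.append(("no-limits", c["name"]))
    return findings

if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"{check}: {detail}")
```
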