将后端服务修改为tomcat

编辑 ingress-tomcat.yaml, 文件内容如下:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.test.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080

tomcat-deploy.yaml 内容如下:

apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  - name: ajp
    targetPort: 8009
    port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 3
  selector: 
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5.32-jre8-alpine
        ports: 
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009

创建ingress

按如下命令创建ingress-tomcat

[root@master ingress-nginx]# kubectl apply -f tomcat-deploy.yaml 
service/tomcat created
deployment.apps/tomcat-deploy created
[root@master ingress-nginx]# kubectl apply -f ingress-tomcat.yaml 
ingress.extensions/ingress-tomcat created
[root@master ingress-nginx]# kubectl get ingress
NAME             HOSTS             ADDRESS   PORTS     AGE
ingress-tomcat   tomcat.test.com             80        6s

此时,修改本地hosts解析后,就可以访问tomcat.test.com:30080地址了。出来的是tomcat的欢迎页面

使网站支持https协议

制作证书和私钥

创建证书和私钥

[root@master ingress-nginx]# openssl genrsa -out tls.key 2048 
Generating RSA private key, 2048 bit long modulus
......................................+++
......+++
e is 65537 (0x10001)
[root@master ingress-nginx]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Hangzhou/L=Hangzhou/O=kubernetes/CN=tomcat.test.com
[root@master ingress-nginx]# ls tls*
tls.crt  tls.key

这个证书不能直接被ingress的nginx使用,需要转成secret后,才能被注入到nginx中,被ingress使用。

创建secret

[root@master ingress-nginx]# kubectl create secret tls tomcat-ingress-secret --cert tls.crt --key=tls.key
secret/tomcat-ingress-secret created
[root@master ingress-nginx]# kubectl get secret
NAME                    TYPE                                  DATA      AGE
default-token-qcfxf     kubernetes.io/service-account-token   3         8d
tomcat-ingress-secret   kubernetes.io/tls                     2         7s
[root@master ingress-nginx]# kubectl describe secret tomcat-ingress-secret
Name:         tomcat-ingress-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  1306 bytes
tls.key:  1679 bytes

编辑 ingress-tomcat-tls.yaml 文件,内容如下:

在yaml文件中添加了secret的相关信息:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.test.com
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.test.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080

创建ingress

[root@master ingress-nginx]# kubectl apply -f ingress-tomcat-tls.yaml 
ingress.extensions/ingress-tomcat-tls created
[root@master ingress-nginx]# kubectl get ingress
NAME                 HOSTS             ADDRESS   PORTS     AGE
ingress-tomcat       tomcat.test.com             80        17m
ingress-tomcat-tls   tomcat.test.com             80, 443   8s

然后去查看ingress-controller上的nginx配置文件

[root@master ingress-nginx]# kubectl get pods -n ingress-nginx
NAME                                        READY     STATUS    RESTARTS   AGE
default-http-backend-6586bc58b6-4f6qm       1/1       Running   1          8h
nginx-ingress-controller-7675fd6cdb-njvdb   1/1       Running   1          8h
[root@master ingress-nginx]# kubectl exec -n ingress-nginx nginx-ingress-controller-7675fd6cdb-njvdb -it -- /bin/sh
$ cat nginx.conf|grep secret
        ssl_certificate                         /etc/ingress-controller/ssl/default-tomcat-ingress-secret.pem;
        ssl_certificate_key                     /etc/ingress-controller/ssl/default-tomcat-ingress-secret.pem;
        ssl_trusted_certificate                 /etc/ingress-controller/ssl/default-tomcat-ingress-secret-full-chain.pem;
$ 

发现,secret的相关信息,已经被注入到了ingress-controller的nginx配置之中。

访问https://tomcat.test.com:80443 发现可以访问。


felix0913
27 声望1 粉丝