Change the backend service to Tomcat
Edit ingress-tomcat.yaml; the file content is as follows:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.test.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
The content of tomcat-deploy.yaml is as follows:
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  - name: ajp
    targetPort: 8009
    port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5.32-jre8-alpine
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009
Create the ingress
Create ingress-tomcat with the following commands:
[root@master ingress-nginx]# kubectl apply -f tomcat-deploy.yaml
service/tomcat created
deployment.apps/tomcat-deploy created
[root@master ingress-nginx]# kubectl apply -f ingress-tomcat.yaml
ingress.extensions/ingress-tomcat created
[root@master ingress-nginx]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
ingress-tomcat tomcat.test.com 80 6s
At this point, after adding an entry for the host to the local hosts file, you can access tomcat.test.com:30080. The Tomcat welcome page is displayed.
Enable HTTPS for the site
Generate the certificate and private key
Create the certificate and private key:
[root@master ingress-nginx]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
......................................+++
......+++
e is 65537 (0x10001)
[root@master ingress-nginx]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Hangzhou/L=Hangzhou/O=kubernetes/CN=tomcat.test.com
[root@master ingress-nginx]# ls tls*
tls.crt tls.key
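This certificate cannot be used directly by the ingress's nginx. It must first be converted into a secret, which can then be injected into nginx and used by the ingress.
Create the secret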
[root@master ingress-nginx]# kubectl create secret tls tomcat-ingress-secret --cert tls.crt --key=tls.key
secret/tomcat-ingress-secret created
[root@master ingress-nginx]# kubectl get secret
NAME TYPE DATA AGE
default-token-qcfxf kubernetes.io/service-account-token 3 8d
tomcat-ingress-secret kubernetes.io/tls 2 7s
[root@master ingress-nginx]# kubectl describe secret tomcat-ingress-secret
Name: tomcat-ingress-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 1306 bytes
tls.key: 1679 bytes
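The `openssl req` command above sets neither `-days` nor a subjectAltName, so the certificate is valid for OpenSSL's default of 30 days and names the host only in the CN, which current browsers and TLS libraries no longer accept for hostname verification. The following is an added example, not part of the original page, that checks a pair before it is loaded into a secret; the function names are hypothetical helpers, and it assumes `openssl` is on the PATH.

```bash
#!/usr/bin/env bash
# Added example: checks to run on tls.crt / tls.key before `kubectl create secret tls`.
# Function names are hypothetical helpers, not part of kubectl or ingress-nginx.

# True if the certificate's public key is the one derived from the private key.
pair_matches() {  # pair_matches CERT KEY
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# True if the certificate is still valid DAYS days from now.
valid_for_days() {  # valid_for_days CERT DAYS
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True if HOST is listed as a DNS subjectAltName (exact match; wildcards not handled).
san_covers() {  # san_covers CERT HOST
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -Fxq "DNS:$2"
}

# Runs all checks, prints one line per finding, returns the number of failed checks.
check_tls_pair() {  # check_tls_pair CERT KEY HOST [MIN_DAYS]
  local cert=$1 key=$2 host=$3 min_days=${4:-30} failures=0
  pair_matches "$cert" "$key" \
    || { echo "FAIL: $key does not belong to $cert"; failures=$((failures + 1)); }
  valid_for_days "$cert" "$min_days" \
    || { echo "FAIL: $cert expires within $min_days days"; failures=$((failures + 1)); }
  san_covers "$cert" "$host" \
    || { echo "FAIL: $host is not a DNS subjectAltName in $cert"; failures=$((failures + 1)); }
  [ "$failures" -eq 0 ] && echo "OK: $cert is usable for $host"
  return "$failures"
}
```

Run as `check_tls_pair tls.crt tls.key tomcat.test.com`. With OpenSSL 1.1.1 or later, adding `-days 365 -addext "subjectAltName=DNS:tomcat.test.com"` to the `openssl req` command produces a certificate that passes the expiry and SAN checks.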
Edit ingress-tomcat-tls.yaml with the following content. The secret's information has been added to the YAML file:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.test.com
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.test.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
Create the ingress
[root@master ingress-nginx]# kubectl apply -f ingress-tomcat-tls.yaml
ingress.extensions/ingress-tomcat-tls created
[root@master ingress-nginx]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
ingress-tomcat tomcat.test.com 80 17m
ingress-tomcat-tls tomcat.test.com 80, 443 8s
Then check the nginx configuration file on the ingress-controller:
[root@master ingress-nginx]# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
default-http-backend-6586bc58b6-4f6qm 1/1 Running 1 8h
nginx-ingress-controller-7675fd6cdb-njvdb 1/1 Running 1 8h
[root@master ingress-nginx]# kubectl exec -n ingress-nginx nginx-ingress-controller-7675fd6cdb-njvdb -it -- /bin/sh
$ cat nginx.conf|grep secret
ssl_certificate /etc/ingress-controller/ssl/default-tomcat-ingress-secret.pem;
ssl_certificate_key /etc/ingress-controller/ssl/default-tomcat-ingress-secret.pem;
ssl_trusted_certificate /etc/ingress-controller/ssl/default-tomcat-ingress-secret-full-chain.pem;
$
This shows that the secret's information has been injected into the ingress-controller's nginx configuration.
Visiting https://tomcat.test.com:80443 shows that the site is accessible.