Ingress
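ingress-nginx works as an HTTP proxy for publishing services outside the cluster. Exposing each application directly over TCP through its own Service requires more IPs and ports.
Deploying the ingress controller
# Download the ingress controller deployment manifest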
$ wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.34.1/deploy/static/provider/cloud/deploy.yaml
--2020-07-25 21:00:01-- https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.34.1/deploy/static/provider/cloud/deploy.yaml
正在解析主机 raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.192.133, 151.101.64.133, 151.101.0.133, ...
正在连接 raw.githubusercontent.com (raw.githubusercontent.com)|151.101.192.133|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:18133 (18K) [text/plain]
正在保存至: “deploy.yaml”
deploy.yaml 100%[==================================================>] 17.71K --.-KB/s 用时 0.05s
2020-07-25 21:00:01 (389 KB/s) - 已保存 “deploy.yaml” [18133/18133])
After downloading, change the Service type to NodePort; the default file uses LoadBalancer.
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.11.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.34.1
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: NodePort
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      nodePort: 30080
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      nodePort: 30443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
# Deploy the ingress controller
$ kubectl apply -f deploy.yaml
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
configmap/ingress-nginx-controller created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
service/ingress-nginx-controller-admission created
service/ingress-nginx-controller created
deployment.apps/ingress-nginx-controller created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
serviceaccount/ingress-nginx-admission created
# List the resources created in the ingress-nginx namespace
$ kubectl get all -n ingress-nginx
NAME READY STATUS RESTARTS AGE
pod/ingress-nginx-admission-create-fvph7 0/1 Completed 0 5m46s
pod/ingress-nginx-admission-patch-gr48z 0/1 Completed 1 5m46s
pod/ingress-nginx-controller-c96557986-9rw9m 1/1 Running 0 5m56s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/ingress-nginx-controller NodePort 10.107.249.8 <none> 80:30080/TCP,443:30443/TCP 5m56s
service/ingress-nginx-controller-admission ClusterIP 10.104.5.150 <none> 443/TCP 5m56s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/ingress-nginx-controller 1/1 1 1 5m56s
NAME DESIRED CURRENT READY AGE
replicaset.apps/ingress-nginx-controller-c96557986 1 1 1 5m56s
NAME COMPLETIONS DURATION AGE
job.batch/ingress-nginx-admission-create 1/1 2s 5m56s
job.batch/ingress-nginx-admission-patch 1/1 3s 5m56s
NodePort exposes the ingress ports on every node.
Proxying an HTTP application through Ingress
$ cat tomcat-deploy.yaml
kind: Namespace
apiVersion: v1
metadata:
  name: testing
  labels:
    env: testing
---
# Tomcat deployments
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: testing
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
        - name: tomcat
          image: tomcat:8.0.50-jre8-alpine
          ports:
            - containerPort: 8080
              name: httpport
            - containerPort: 8009
              name: ajpport
---
# Tomcat Service
apiVersion: v1
kind: Service
metadata:
  name: tomcat-svc
  namespace: testing
  labels:
    app: tomcat-svc
spec:
  selector:
    app: tomcat
  ports:
    - name: httpport
      port: 80
      targetPort: 8080
      protocol: TCP
$ cat tomcat-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat
  namespace: testing
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: tomcat.kubernetes.io
      http:
        paths:
          - path:
            backend:
              serviceName: tomcat-svc
              servicePort: 80
Proxying HTTPS through Ingress
$ cat tomcat-ingress-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-ingress-tls
  namespace: testing
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
    - hosts:
        - tomcat.linux.io
      secretName: tomcat-ingress-secret
  rules:
    - host: tomcat.linux.io
      http:
        paths:
          - path: /
            backend:
              serviceName: tomcat-svc
              servicePort: 80
$ openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
............................................................................................................................+++
e is 65537 (0x10001)
$ openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=GuangDong/L=GuangZhou/O=DevOps/CN=tomcat.kubernetes.io -days 3650
$ kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key -n testing
secret/tomcat-ingress-secret created
$ kubectl apply -f tomcat-ingress-tls.yaml
ingress.extensions/tomcat-ingress-tls created
$ kubectl get svc -n testing
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
tomcat-svc ClusterIP 10.98.232.166 <none> 80/TCP 32m
$ kubectl get ingress -n testing
NAME CLASS HOSTS ADDRESS PORTS AGE
tomcat <none> tomcat.kubernetes.io 10.107.249.8 80 32m
tomcat-ingress-tls <none> tomcat.linux.io 80, 443 29s
Access the application over HTTPS.
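The certificate generated above carries CN=tomcat.kubernetes.io, while tomcat-ingress-tls.yaml serves tomcat.linux.io, a hostname mismatch that clients report even when the certificate is trusted. The following pre-flight check is an added example, not part of the original post; the helper names are hypothetical, it assumes OpenSSL 1.1.1 or later, and it adds a subjectAltName because current clients match on SAN rather than CN.

```shell
#!/bin/sh
# Added example: confirm a certificate covers every Ingress TLS host before
# it is loaded with `kubectl create secret tls`. Helper names are hypothetical.

# Return 0 if certificate file $1 is valid for hostname $2.
# `openssl x509 -checkhost` exits 0 either way, so match on its message.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q 'does match certificate'
}

# Write a throwaway self-signed key and cert for hostname $2 into directory $1.
# Constructed test material only: 1-day lifetime, unencrypted key.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/tls.key" -out "$1/tls.crt" \
        -subj "/O=DevOps/CN=$2" \
        -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# Check certificate $1 against every remaining argument (the hosts listed
# under spec.tls[].hosts). Prints each miss; returns the number of misses.
check_ingress_hosts() {
    cert=$1
    shift
    missing=0
    for host in "$@"; do
        if ! cert_covers_host "$cert" "$host"; then
            echo "MISMATCH: $cert does not cover $host" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage, with the files from this page:
#   check_ingress_hosts tls.crt tomcat.linux.io \
#     && kubectl create secret tls tomcat-ingress-secret \
#          --cert=tls.crt --key=tls.key -n testing
```

Run against the tls.crt created above, the check reports a mismatch for tomcat.linux.io; reissuing the certificate for that host makes it pass.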