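4 Ingress Resources
4.1 URL-based routing
Route requests for the same domain but different URL paths to different Services.
4.1.1 Deploy the nginx application
# Write the resource manifest
vim nginx-service.yaml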
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        imagePullPolicy: IfNotPresent
        ports:
        - protocol: TCP
          containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
  namespace: default
spec:
  selector:
    app: nginx
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
4.1.2 Deploy the tomcat application
# Write the resource manifest
vim tomcat-service.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5-jre8-alpine
        imagePullPolicy: IfNotPresent
        ports:
        - protocol: TCP
          containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat-svc
  namespace: default
spec:
  selector:
    app: tomcat
  ports:
  - port: 8080
    targetPort: 8080
    protocol: TCP
4.1.3 Configure the Ingress
# Write the resource manifest
vim nginx-tomcat-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-tomcat-ingress
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/use-regex: "true"
    # When the request path matches, it is rewritten to the target below; $2 is the second capture group
    # rewrite.bar.com/something rewrites to rewrite.bar.com/
    # rewrite.bar.com/something/ rewrites to rewrite.bar.com/
    # rewrite.bar.com/something/new rewrites to rewrite.bar.com/new
    nginx.ingress.kubernetes.io/rewrite-target: /$2  # rewrite rule
spec:
  ingressClassName: "nginx"
  rules:
  - host: web.qingchen.net
    http:
      paths:
      - path: /nginx(/|$)(.*)
        pathType: ImplementationSpecific  # regex paths are not literal prefixes
        backend:
          service:
            name: nginx-svc
            port:
              number: 80
      - path: /tomcat(/|$)(.*)
        pathType: ImplementationSpecific  # regex paths are not literal prefixes
        backend:
          service:
            name: tomcat-svc
            port:
              number: 8080
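4.1.4 Client test
Edit the hosts file on your local machine, then open:
http://web.qingchen.net/tomcat/index.jsp
4.2 Name-based virtual hosts
Route requests for different domain names to different Services.
4.2.1 Configure the Ingress
# Create the resource manifest
vim nginx-tomcat-ingress.yaml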
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-tomcat-ingress
  namespace: default
spec:
  ingressClassName: "nginx"
  rules:
  - host: app.nginx.net
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-svc
            port:
              number: 80
  - host: app.tomcat.net
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: tomcat-svc
            port:
              number: 8080
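4.2.2 Client test
Edit the hosts file on your local machine, then browse to each host:
app.nginx.net
app.tomcat.net
4.3 HTTPS with Ingress
Protect an Ingress by specifying a Secret that contains the TLS private key and certificate, so that the Ingress controller uses TLS to encrypt the channel from the client to the load balancer.
4.3.1 Create the TLS certificate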
openssl genrsa -out java.key 2048
openssl req -new -x509 \
  -key java.key \
  -out java.crt \
  -subj /C=CN/ST=ShanDong/L=JiNan/O=qingchen/CN=app.tomcat.net
4.3.2 Configure the Secret
kubectl create secret tls app-tomcat-tls \
  --key=java.key \
  --cert=java.crt
# Make sure the TLS Secret is created from a certificate whose Common Name (CN) contains app.tomcat.net.
4.3.3 Configure the Ingress
# Write the resource manifest
vim tomcat-tls-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-tomcat-ingress
  namespace: default
spec:
  ingressClassName: "nginx"
  tls:
  - hosts:
    - app.tomcat.net
    secretName: app-tomcat-tls
  rules:
  - host: app.tomcat.net
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: tomcat-svc
            port:
              number: 8080
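# TLS cannot be used on the default rule, because that would require issuing certificates for every possible subdomain. The hosts values in the tls section must therefore match the host in the rules section exactly.
4.3.4 Client test
4.4 Special case: no virtual host defined
If the Ingress resource you create defines no host in its rules, the rule matches all network traffic sent to the Ingress controller's IP address, without requiring a name-based virtual host.
For example, the following Ingress routes traffic requested for first.bar.com to service1, traffic requested for second.bar.com to service2, and all other traffic to service3.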
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: name-virtual-host-ingress-no-third-host
spec:
  rules:
  - host: first.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: service1
            port:
              number: 80
  - host: second.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: service2
            port:
              number: 80
  - http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: service3
            port:
              number: 80
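The two rules stated in 4.3.3 (tls hosts must match rule hosts exactly) and 4.4 (a rule without a host receives all remaining traffic) can be checked before a manifest is applied. The following is an added example, not part of the original page or of Kubernetes itself; audit_ingress, make_rule and SAMPLE are hypothetical names. It assumes the manifest is already parsed into a dict (for instance from kubectl get ingress -o json) and compares hosts literally, so wildcard hosts are not handled.

```python
def audit_ingress(ingress):
    """Return (severity, message) findings for one Ingress object (a parsed manifest)."""
    name = ingress.get("metadata", {}).get("name", "<unnamed>")
    spec = ingress.get("spec", {})
    findings = []
    # Map every host listed under spec.tls to the Secret that serves it.
    tls_hosts = {}
    for entry in spec.get("tls", []):
        for host in entry.get("hosts", []):
            tls_hosts[host] = entry.get("secretName")

    rule_hosts = set()
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if not host:
            # 4.4: a rule without a host receives every request no other rule claims.
            svcs = [p["backend"]["service"]["name"] for p in rule["http"]["paths"]]
            findings.append(("warn", f"{name}: host-less rule sends unmatched hosts to {svcs}"))
            continue
        rule_hosts.add(host)
        if host not in tls_hosts:
            # 4.3.3: tls hosts must match rule hosts exactly, or the rule is not covered.
            findings.append(("warn", f"{name}: rule host {host} has no exact match in spec.tls"))

    for host, secret in tls_hosts.items():
        if host not in rule_hosts:
            findings.append(("info", f"{name}: tls host {host} (secret {secret}) matches no rule"))
    return findings


def make_rule(service, port, host=None):
    """Build one Prefix "/" rule for the constructed sample below."""
    backend = {"service": {"name": service, "port": {"number": port}}}
    rule = {"http": {"paths": [{"path": "/", "pathType": "Prefix", "backend": backend}]}}
    return {**rule, "host": host} if host else rule


# Constructed sample: the page's hosts and Services merged into one Ingress, plus a
# made-up tls host (www.tomcat.net) that no rule uses.
SAMPLE = {"metadata": {"name": "sample-ingress"}, "spec": {
    "tls": [{"hosts": ["app.tomcat.net", "www.tomcat.net"], "secretName": "app-tomcat-tls"}],
    "rules": [make_rule("tomcat-svc", 8080, "app.tomcat.net"),
              make_rule("nginx-svc", 80, "app.nginx.net"), make_rule("service3", 80)],
}}

if __name__ == "__main__":
    for severity, message in audit_ingress(SAMPLE):
        print(f"[{severity}] {message}")
```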