一、 ingress nginx

1、两个核心概念:

# ingress:
kubernetes中的一个对象,作用是`定义请求如何转发到service的规则`
# ingress controller:
`具体实现反向代理及负载均衡的程序`,对ingress定义的规则进行解析,根据配置的规则来实现请求转发,实现方式有很多,比如Nginx, Contour, Haproxy等等

2、Ingress(以Nginx为例)的工作原理如下:

1. 用户编写Ingress规则,`说明哪个域名对应kubernetes集群中的哪个Service`
2. Ingress`控制器动态感知Ingress服务规则的变化,然后生成一段对应的Nginx反向代理配置`
3. Ingress控制器会将生成的Nginx配置写入到一个运行着的Nginx服务中,并动态更新
4. 到此为止,其实真正在工作的就是一个Nginx了,内部配置了用户定义的请求转发规则

ingress配置多path ingress nginx_kubernetes


ingress配置多path ingress nginx_nginx_02


ingress配置多path ingress nginx_kubernetes_03

官网:https://kubernetes.github.io/ingress-nginx/

3、准备工作

#1.下载 nginx ingress(属于外部网络资源,不是集群内部资源,所以需要安装)
[root@k8s-master1 ~]# wget  https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.44.0/deploy/static/provider/baremetal/deploy.yaml


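如果报错无法建立ssl连接,可以执行下面的命令。注意:--no-check-certificate 会跳过TLS证书校验,下载到的deploy.yaml无法保证来自官方仓库,而它随后会被直接apply到集群;建议优先排查本机CA证书或系统时间问题,否则在部署前先人工核对文件内容。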
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.44.0/deploy/static/provider/baremetal/deploy.yaml --no-check-certificate

查看需要的镜像:
[root@k8s-master-01 ~]# cat deploy.yaml |grep image

#2.修改镜像(换成国内镜像仓库的镜像;注意原镜像带有@sha256摘要,替换后只按tag拉取,无法再校验镜像内容是否与官方一致)
[root@k8s-master1 ~]# sed -i 's#k8s.gcr.io/ingress-nginx/controller:v0.44.0@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a#registry.cn-hangzhou.aliyuncs.com/k8sos/ingress-controller:v0.44.0#g'  deploy.yaml

#3.部署
[root@k8s-master1 ~]# kubectl apply -f deploy.yaml
#查看ingress的pod
[root@k8s-master-01 plusin]# kubectl get pods -n ingress-nginx 
NAME                                       READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-fddhv       0/1     Completed   0          11m
ingress-nginx-admission-patch-smg2p        0/1     Completed   0          11m
ingress-nginx-controller-944f8df68-pdhrs   1/1     Running     0          11m

#查看ingress controller对应的svc,可以看到NodePort端口。
[root@k8s-master-01 plusin]# kubectl get svc -n ingress-nginx 
NAME                                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.111.248.0    <none>        80:30287/TCP,443:31004/TCP   14m
ingress-nginx-controller-admission   ClusterIP   10.105.122.35   <none>        443/TCP                      14m

测试

[root@k8s-master-01 mnt]# kubectl apply -f ingress-http.yaml 
deployment.apps/nginx-dm created
service/nginx-svc created

#查看svc
[root@k8s-master-01 mnt]# kubectl get svc
NAME             TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)        AGE
baidu            ExternalName   <none>          www.baidu.com   <none>         23h
kubernetes       ClusterIP      10.96.0.1       <none>          443/TCP        10d
myapp            NodePort       10.96.174.205   <none>          80:32179/TCP   32h
myapp-headless   ClusterIP      None            <none>          80/TCP         31h
nginx-svc        ClusterIP      10.99.46.132    <none>          80/TCP         53s

#直接curl svc即可访问到后端的pod
[root@k8s-master-01 mnt]# curl 10.99.46.132 
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@k8s-master-01 mnt]# curl 10.99.46.132 
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@k8s-master-01 mnt]# curl 10.99.46.132 
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@k8s-master-01 mnt]# curl 10.99.46.132 
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@k8s-master-01 mnt]# curl 10.99.46.132 
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
部署的pod以及svc
# Matches the objects created by `kubectl apply -f ingress-http.yaml` in the
# test step: a two-replica backend Deployment plus the Service in front of it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-dm
spec:
  replicas: 2
  selector:
    matchLabels:
      name: nginx
  template:
    metadata:
      labels:
        name: nginx
    spec:
      containers:
        - name: nginx
          # Community demo image referenced by tag only; with IfNotPresent a
          # node keeps using whatever copy it already holds under this tag.
          image: wangyanglinux/myapp:v1
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80

---

# No `type` is set, so this is a ClusterIP Service (the `kubectl get svc`
# listing shows nginx-svc as ClusterIP): reachable from inside the cluster only.
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  # Selects the pods labelled name=nginx by the Deployment template.
  selector:
    name: nginx
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
部署的ingress
# Host-based routing: two host names, each sent to its own Service on port 80.
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; on newer clusters
# the same rules need networking.k8s.io/v1 (pathType plus the
# service.name / port.number backend form used by the auth example on this page).
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-ingress
  namespace: default  # same namespace as the TLS Secret (created with -n default)
  annotations:
    # Older annotation form of selecting the controller; `kubectl get ingress`
    # reports CLASS <none> for it, unlike spec.ingressClassName.
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    # No `tls:` section, so both hosts are served over plain HTTP only.
    - host: www.test.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-test
              servicePort: 80


    - host: www.abc.com   # second host rule, added below the first
      http:
        paths:
          - path: /
            backend:
              # NOTE(review): no Service named svc-release is defined in the
              # part of the page shown here - confirm it exists before applying.
              serviceName: svc-release
              servicePort: 80
验证
[root@k8s-master-01 mnt]# kubectl get ingress
NAME              CLASS    HOSTS                      ADDRESS   PORTS   AGE
ingress-ingress   <none>   www.test.com,www.abc.com             80      27s

ingress配置多path ingress nginx_linux_04

基于TLS的Ingress(测试访问nginx)======》https访问

ingress配置多path ingress nginx_linux_05

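# 1. Create a self-signed HTTPS certificate.
# The name in the certificate has to be the host that the TLS Ingress serves
# (www.test-nginx.com in the manifest that follows). A certificate issued for a
# different name does not match that rule, and the controller is then expected
# to answer with its default certificate instead of this one.
# -days makes the validity explicit instead of relying on the short default;
# -addext (OpenSSL 1.1.1 or newer) adds the subjectAltName that current
# clients check in preference to the CN.
openssl genrsa -out tls.key 2048
openssl req -new -x509 -key tls.key -out tls.crt -days 365 \
  -subj "/C=CN/ST=ShangHai/L=ShangHai/O=Ingress/CN=www.test-nginx.com" \
  -addext "subjectAltName=DNS:www.test-nginx.com"

# 2. Store certificate and key as a TLS Secret in the namespace of the Ingress.
# tls.key is the private key: keep it out of shared directories and version
# control, and remove the local copy once the Secret has been created.
kubectl -n default create secret tls ingress-tls --cert=tls.crt --key=tls.key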
# Backend for the HTTPS test: Deployment, Service, and an Ingress that
# terminates TLS with the Secret ingress-tls.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-test
spec:
  replicas: 2
  selector:
    matchLabels:
      name: nginx-test
  template:
    metadata:
      labels:
        name: nginx-test
    spec:
      containers:
        - name: nginx
          # No tag given, so this resolves to nginx:latest; with IfNotPresent
          # the version that runs is whatever each node already has cached.
          image: nginx
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80

---

# ClusterIP Service (no `type` set) in front of the nginx-test pods.
apiVersion: v1
kind: Service
metadata:
  name: svc-test
spec:
  selector:
    name: nginx-test
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
        


---
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; newer clusters
# need networking.k8s.io/v1 for this object.
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
    # The certificate stored in secretName has to list this exact host name
    # (CN / subjectAltName). If it does not, the controller is expected to
    # serve its default certificate for the host instead.
    - hosts: 
        - www.test-nginx.com
      # Looked up in this Ingress's own namespace (no namespace is set here,
      # so the one used at apply time).
      secretName: ingress-tls
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-test
              servicePort: 80

ingress配置多path ingress nginx_TCP_06

nginx认证登录

官网:https://kubernetes.github.io/ingress-nginx/examples/auth/basic/

# Basic-auth example: a single nginx backend, its Service, and an Ingress that
# asks the controller to require HTTP Basic credentials.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          imagePullPolicy: IfNotPresent
          # No tag given, so this resolves to nginx:latest.
          image: nginx
---
kind: Service
apiVersion: v1
metadata:
  name: nginx
spec:
  ports:
    - port: 80
      targetPort: 80
      name: http
  selector:
    app: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    # Authentication is enforced by the ingress controller, not by the backend:
    # anything that reaches the nginx Service directly inside the cluster is
    # not asked for credentials.
    nginx.ingress.kubernetes.io/auth-type: basic
    # Name of the Secret holding the htpasswd data; a bare name is looked up in
    # this Ingress's namespace. The Secret dump on this page shows the data
    # under the key `auth`.
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # Realm text shown in the browser's credential prompt.
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  ingressClassName: nginx
  # NOTE(review): there is no `tls:` section and `kubectl get ingress` lists
  # port 80 only, so the Basic credentials cross the network in clear text on
  # every request; add TLS for this host before using it outside a lab.
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service: 
            name: nginx
            port: 
              number: 80
查看
[root@k8s-master-01 mnt]# kubectl get pods 
NAME                     READY   STATUS    RESTARTS   AGE
nginx-7cf7d6dbc8-6mxfl   1/1     Running   0          7m32s
[root@k8s-master-01 mnt]# kubectl get svc
NAME         TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1     <none>        443/TCP   17d
nginx        ClusterIP   10.103.3.55   <none>        80/TCP    7m37s
[root@k8s-master-01 mnt]# kubectl get svc -n ingress-nginx 
NAME                                 TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.108.34.77   <none>        80:32035/TCP,443:30441/TCP   2d1h
ingress-nginx-controller-admission   ClusterIP   10.106.38.15   <none>        443/TCP                      2d1h
[root@k8s-master-01 mnt]# kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      11m
default-token-hd5m9   kubernetes.io/service-account-token   3      17d
ingress-tls           kubernetes.io/tls                     2      38h

[root@k8s-master-01 mnt]# kubectl get secrets basic-auth  -o yaml
apiVersion: v1
data:
  auth: Zm9vOiRhcHIxJFhURnpIaWN0JElNVUtWd2Vsejd0Rm4vdHlHNG9uei4K
kind: Secret
metadata:
  creationTimestamp: "2021-12-22T06:29:28Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:auth: {}
      f:type: {}
    manager: kubectl-create
    operation: Update
    time: "2021-12-22T06:29:28Z"
  name: basic-auth
  namespace: default
  resourceVersion: "291491"
  uid: bf4bcb7e-b92f-40a7-922f-adbf553da165
type: Opaque

[root@k8s-master-01 mnt]# kubectl get ingress
NAME                CLASS   HOSTS         ADDRESS         PORTS   AGE
ingress-with-auth   nginx   foo.bar.com   192.168.15.32   80      7m50s


注意:`ingress必须分配一个address地址,才能访问。`

ingress配置多path ingress nginx_linux_07

secret补充

secret用于保存敏感信息,比如密码、ssh-key、令牌等等

存储格式:K/V键值对
使用方式:环境变量和挂载(volumes)
密文方式:base64(注意:base64只是编码,不是加密,任何能读取该Secret的人都可以直接解码出原文;需要通过RBAC限制Secret的读取权限,并可为etcd开启静态加密)
创建方式:命令行创建和配置清单
使用场景:
Opaque:通用自定义数据,base64编码
kubernetes.io/service-account-token:用于存储SA用户认证信息
kubernetes.io/dockerconfigjson:用于存储docker仓库认证信息
kubernetes.io/tls:用于tls通讯模式认证信息
kubernetes.io/ssh-auth:用于ssh认证信息
bootstrap.kubernetes.io/token:启动引导token

nginx重写

ingress配置多path ingress nginx_linux_08

# Backend used by the rewrite / redirect examples: Deployment, Service and a
# plain HTTP Ingress for abc.test.com.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-dm
spec:
  replicas: 2
  selector:
    matchLabels:
      name: nginx-dm
  template:
    metadata:
      labels:
        name: nginx-dm
    spec:
      containers:
        - name: nginx
          # Community demo image referenced by tag only; with IfNotPresent a
          # node keeps using whatever copy it already holds under this tag.
          image: wangyanglinux/myapp:v1
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80

---

# ClusterIP Service (no `type` set) selecting the name=nginx-dm pods.
apiVersion: v1
kind: Service
metadata:
  name: nginx-dm
spec:
  selector:
    name: nginx-dm
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP

---
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; newer clusters
# need networking.k8s.io/v1 for this object.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-ingress
  namespace: default  # same namespace as the TLS Secret (created with -n default)
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    # No `tls:` section: this host is served over plain HTTP only.
    - host: abc.test.com
      http:
        paths:
          - path: /
            backend:
              serviceName: nginx-dm
              servicePort: 80
配置跳转重定向
#1.修改配置清单(以nginx为例)
[root@k8s-master1 ~]# vim ingress.yaml 
# Sends requests for ccc.aaa.com on to abc.test.com.
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; newer clusters
# need networking.k8s.io/v1 for this object.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-ingress-tset-test
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # Redirect target URL: abc.test.com on port 32035, the NodePort that the
    # ingress-nginx-controller Service maps to port 80 in the listings on this
    # page (the original note called this a Baidu address, which it is not).
    # NOTE(review): rewrite-target is documented for rewriting the request
    # path; whether an absolute URL here produces a redirect depends on the
    # controller version - confirm, or use the dedicated
    # nginx.ingress.kubernetes.io/permanent-redirect or
    # nginx.ingress.kubernetes.io/temporal-redirect annotation.
    nginx.ingress.kubernetes.io/rewrite-target: http://abc.test.com:32035  # redirect target URL
spec:
  rules:
    - host: ccc.aaa.com
      http:
        paths:
          - path: /
            backend:
              serviceName: nginx-dm
              servicePort: 80

ingress配置多path ingress nginx_linux_09

查看
[root@k8s-master-01 mnt]# kubectl get ingress
NAME                        CLASS    HOSTS          ADDRESS         PORTS   AGE
ingress-ingress             <none>   abc.test.com   192.168.15.32   80      12m
ingress-ingress-tset-test   <none>   ccc.aaa.com    192.168.15.32   80      7m41s
ingress-with-auth           nginx    foo.bar.com    192.168.15.32   80      9h
[root@k8s-master-01 mnt]# kubectl get svc -n ingress-nginx 
NAME                                 TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.108.34.77   <none>        80:32035/TCP,443:30441/TCP   2d10h
ingress-nginx-controller-admission   ClusterIP   10.106.38.15   <none>        443/TCP                      2d10h
[root@k8s-master-01 mnt]# kubectl get svc
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP   18d
nginx        ClusterIP   10.103.3.55     <none>        80/TCP    9h
nginx-dm     ClusterIP   10.108.239.10   <none>        80/TCP    15m