
kubernetes ingress-nginx 入门实践

Ingress-Nginx deploy

ingress.png

https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/index.md

[root@rocky01 ~]# ip addr | grep ens3
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.5.31/24 brd 192.168.5.255 scope global dynamic noprefixroute ens34
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.5.239/24 brd 192.168.5.255 scope global dynamic noprefixroute ens37
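# 清单固定在 controller-v1.11.1(写作时的版本);实际使用前请查看 ingress-nginx 的发布说明,选择仍在维护、已包含安全修复的版本,并在 kubectl apply 之前审阅清单内容
[root@rocky01 ~]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.1/deploy/static/provider/cloud/deploy.yaml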
[root@rocky01 ~]# vim deploy.yaml
...
Kind: Service
spec:
  #externalTrafficPolicy: Local
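  externalTrafficPolicy: Cluster  # changed to Cluster for a local test; Cluster may SNAT traffic, so the controller and backends may not see the real client IP (affects access logs and IP allow-lists)
  externalIPs: ['192.168.5.239']  # any Node IP works (the master node's here); lab shortcut only - in a shared cluster, restrict who may set externalIPs with an admission policy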
...
[root@rocky01 ~]# kubectl apply -f deploy.yaml
[root@rocky01 ~]# kubectl get pod -n ingress-nginx
NAME                                        READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-svjf7        0/1     Completed   0          8h
ingress-nginx-admission-patch-mrt99         0/1     Completed   1          8h
ingress-nginx-controller-77667b9d9b-f9v8t   1/1     Running     0          8h
[root@rocky01 ~]# kubectl get svc -n ingress-nginx
NAME                                 TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)                      AGE
ingress-nginx-controller             LoadBalancer   10.68.236.92   192.168.5.239   80:30822/TCP,443:32132/TCP   8h
ingress-nginx-controller-admission   ClusterIP      10.68.192.67   <none>          443/TCP                      8h
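# 注意:.app 是真实的公共顶级域(且在浏览器的 HSTS 预加载列表中),这条通配规则会让使用该 dnsmasq 的所有客户端把任意 *.app 域名都解析到 192.168.5.239;仅限实验环境,正式环境建议改用自有域名或保留的 .test 后缀
root@iStoreOS ~ # grep app /etc/dnsmasq.conf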
address=/*.app/192.168.5.239
root@iStoreOS ~ # nslookup v1.app
Server:		127.0.0.1
Address:	127.0.0.1:53

Name:	v1.app
Address: 192.168.5.239

Create kubernetes Ingress-Nginx resource

[root@rocky01 ~]# kubectl create ingress NAME --rule=host/path=service:port[,tls[=secret]] [options]
[root@rocky01 ~]# kubectl create deployment --image ikubernetes/myapp:v2 --replicas 2 myappv2
[root@rocky01 ~]# kubectl create deployment --image ikubernetes/myapp:v1 --replicas 2 myappv1
[root@rocky01 ~]# kubectl create svc clusterip myappv1 --tcp 80:80
[root@rocky01 ~]# kubectl create svc clusterip myappv2 --tcp 80:80
单域名匹配
graph LR A[Client] -->B(http://v1.app) B --> C[Ingress-nginx:myappv1] C --> D[service:myappv1:80] D --> E[pod:myappv1:80]
# 单域名
[root@rocky01 ~]# kubectl create ingress myappv1 --class=nginx --rule="v1.app/=myappv1:80"
[root@rocky01 ~]# curl v1.app
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@rocky01 ~]# curl v1.app/hostname.html   # 无法访问
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
单域名支持子路径
graph LR
  A[Client] --> B(http://v2.app/hostname.html)
  B --> C[Ingress-nginx:myappv2]
  C --> D[service:myappv2:80]
  D --> E[pod:myappv2:80/hostname.html]
[root@rocky01 ~]# kubectl create ingress myappv2 --class=nginx --rule="v2.app/*=myappv2:80" # 注意 * 的位置和上个实例的区别:路径以 * 结尾时 kubectl 生成 pathType: Prefix,否则为 Exact,所以上例中 /hostname.html 返回 404
[root@rocky01 ~]# curl v2.app
Hello MyApp | Version: v2 | <a href="hostname.html">Pod Name</a>
[root@rocky01 ~]# curl v2.app/hostname.html 
myappv2-c5889974d-l86ht
单域名多URL匹配:
graph LR
  A[Client] --> B(http://myapp.app/v2)
  B --> C[Ingress-nginx:myapp]
  C --> D[Service:myappv2]
  D --> F[Pod:myappv2]
  A[Client] --> H(http://myapp.app/v1)
  H --> I[Ingress-nginx:myapp]
  I --> J[Service:myappv1]
  J --> K[Pod:myappv1]
[root@rocky01 ~]# kubectl create ingress myapp --class=nginx --rule="myapp.app/v1=myappv1:80" --rule="myapp.app/v2=myappv2:80"
[root@rocky01 ~]# kubectl get ingress -o wide
NAME      CLASS   HOSTS       ADDRESS         PORTS   AGE
myapp     nginx   myapp.app   192.168.5.239   80      10m
[root@rocky01 ~]# curl -o /dev/null -s -w "%{http_code}\n" myapp.app/v1
404
[root@rocky01 ~]# curl -o /dev/null -s -w "%{http_code}\n" myapp.app/v2
404
# 此时一定在好奇到底哪里出了问题,为何是 404。其实规则本身没有问题,只需稍作修改,加上下面的注解(同名 Ingress 已存在,重新创建前需先执行 kubectl delete ingress myapp):
# --annotation=nginx.ingress.kubernetes.io/rewrite-target=/ 表示把请求改写为后端服务的 /,而不是原样转发子路径 /v1 和 /v2
[root@rocky01 ~]# kubectl create ingress myapp --class=nginx --rule="myapp.app/v1=myappv1:80" --rule="myapp.app/v2=myappv2:80" --annotation=nginx.ingress.kubernetes.io/rewrite-target=/
[root@rocky01 ~]# curl  myapp.app/v2
Hello MyApp | Version: v2 | <a href="hostname.html">Pod Name</a>
[root@rocky01 ~]# curl  myapp.app/v1
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
二级子域名匹配
graph LR A[Client] -->B(http://myapp.app/v2/hostname) B --> C[Ingress:myapp] C --> D[Service:myappv2] D --> E[Pod:myappv2/hostname]
[root@rocky01 ~]# kubectl create ingress myapp --class=nginx --rule="myapp.app/v1(/|$)(.*)=myappv1:80" --rule="myapp.app/v2(/|$)(.*)=myappv2:80" --annotation=nginx.ingress.kubernetes.io/rewrite-target="/$2"
[root@rocky01 ~]# curl myapp.app/v2/hostname
[root@rocky01 ~]# curl myapp.app/v2 
[root@rocky01 ~]# kubectl get ingress
NAME    CLASS   HOSTS       ADDRESS         PORTS   AGE
myapp   nginx   myapp.app   192.168.5.239   80      17m
[root@rocky01 ~]# curl myapp.app/v1/
kubernetes pod-test v0.1!! ClientIP: 172.20.59.9, ServerName: myappv1-846945d675-qtxww, ServerIP: 172.20.59.14!
[root@rocky01 ~]# curl myapp.app/v1/hostname    # 预期只返回 ServerName 一行,实际却返回了首页;很可能是因为上面的 rewrite-target="/$2" 用了双引号,shell 先把 $2 展开为空,注解实际变成了 "/",改用单引号 '/$2' 即可
kubernetes pod-test v0.1!! ClientIP: 172.20.59.9, ServerName: myappv1-846945d675-n5sxs, ServerIP: 172.20.189.78!
子域名匹配
graph LR A[Client] -->B(http://v1.app) B --> C[Ingress:myapp] C --> D[Service:myappv1] D --> E[Pod:myappv1] A[Client] -->F(http://v2.app) F --> J[Ingress:myapp] J --> H[Service:myappv2] H --> I[Pod:myappv2]
[root@rocky01 ~]# kubectl create ingress myapp --class=nginx --rule="v1.app/=myappv1:80" --rule="v2.app/=myappv2:80"
[root@rocky01 ~]# kubectl get ingress
NAME    CLASS   HOSTS           ADDRESS         PORTS   AGE
myapp   nginx   v1.app,v2.app   192.168.5.239   80      68s
[root@rocky01 ~]# curl v1.app
kubernetes pod-test v0.1!! ClientIP: 172.20.59.9, ServerName: myappv1-846945d675-qtxww, ServerIP: 172.20.59.14!
[root@rocky01 ~]# curl v2.app
kubernetes pod-test v0.2!! ClientIP: 172.20.59.9, ServerName: myappv2-5ff5c6f779-z5mxq, ServerIP: 172.20.59.13!
实现HTTPS
# 生成一个 2048 位的私钥
[root@rocky01 ~]# openssl genrsa -out private.key 2048
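# 生成自签名证书(仅用于测试:证书的 CN 是 myapp.app 且没有 subjectAltName,与后面 Ingress 使用的 v1.app / v2.app 不匹配,正常校验会失败,所以后文只能用 curl -k 跳过校验;可在签发时加 -addext "subjectAltName=DNS:v1.app,DNS:v2.app",再用 curl --cacert selfsigned.crt 验证)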
[root@rocky01 ~]# openssl req -x509 -new -key private.key -out selfsigned.crt -days 3650 -subj /C=CN/ST=BJ/L=BJ/O=SRE/CN=myapp.app
[root@rocky01 ~]# ll private.key request.csr selfsigned.crt
-rw------- 1 root root 1874 8月   6 16:10 private.key
-rw-r--r-- 1 root root 1180 8月   6 16:11 selfsigned.crt
# k8s中创建secret(Secret 必须与引用它的 Ingress 位于同一命名空间;其内容只是 base64 编码而非加密,应通过 RBAC 限制读取权限,并妥善保管本地的 private.key)
[root@rocky01 ~]# kubectl create secret tls tls-app --cert=./selfsigned.crt --key=./private.key
[root@rocky01 ~]# kubectl get secrets
NAME      TYPE                DATA   AGE
tls-app   kubernetes.io/tls   2      22s
[root@rocky01 ~]# kubectl create ingress myapp-tls --class=nginx --rule="v1.app/*=myappv1:80,tls=tls-app" --rule="v2.app/*=myappv2:80,tls=tls-app"
[root@rocky01 ~]# curl -I v1.app
HTTP/1.1 308 Permanent Redirect
Date: Tue, 06 Aug 2024 07:59:03 GMT
Content-Type: text/html
Content-Length: 164
Connection: keep-alive
Location: https://v1.app   # 	已经自动重定向到HTTPS
[root@rocky01 ~]# curl -k https://v1.app
kubernetes pod-test v0.1!! ClientIP: 172.20.59.9, ServerName: myappv1-846945d675-qtxww, ServerIP: 172.20.59.14!
[root@rocky01 ~]# curl -k https://v1.app/hostname
ServerName: myappv1-846945d675-n5sxs
posted @ 2024-08-06 16:37  Jas0n0ss