kubernetes部署Ingress Controller创建证书

大概分为三个部分

  • Pod与Ingress的关系
  • Ingress Controller
  • Ingress 实现HTTP与HTTPS

在上面接触到了NodePortLoadBalancer可以把应用暴露给外界进行访问,能感觉到需要提前规划端口,应用越来越多就会变得很麻烦,并且每个Service都会给你创建一个负载均衡,维护成本有点高,Ingress就是一个全局的负载均衡器,能提供统一的访问入口,他可以通过域名或URL将请求转发到不同的Service,他支持七层的负载均衡,而之前提到的那些都是四层的,Ingress是授权请求入站访问到集群的规则集合,具体的实现是由Ingress Controller来完成的,先了解一下PodIngress的关系。

Pod与Ingress的关系

Ingress是通过Service来关联Pod的,通过你指定的Service来绑定一组pod,通过Ingress Controller来实现Pod的负载均衡,Ingress只是定义了规则,负载均衡是由控制器(Controller)来完成的,他支持四层和七层的转发

Ingress Controller

具体帮你提供全局负载均衡,了解一下访问流程,用户会先访问Ingress控制器定义的规则,这个规则你可以理解为nginx配置文件写的各个虚拟主机,用户请求会先到达Ingress控制器,控制器是在node上运行的,然后再到具体的pod,我们用的是Ingress-nginx,这个官方维护的,其实还有很多,具体还有哪些可以看一下官方文档,下面部署一下Ingress-nginx

 ingress controller相关信息地址:https://github.com/kubernetes/ingress-nginx

wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.46.0/deploy/static/provider/baremetal/deploy.yaml

国内用户需要修改镜像地址

      containers:
        - name: controller
          image: acicn/ingress-nginx-controller:v0.46.0
          imagePullPolicy: IfNotPresent

还需要添加使用宿主机网络的参数:ingress-controller 将会使用宿主机网络的 80 和 443 端口。

 spec:
      dnsPolicy: ClusterFirst
      hostNetwork: true
      containers:
        - name: controller
          image: acicn/ingress-nginx-controller:v0.46.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:

部署安装


kubectl apply -f deploy.yaml 

$ kubectl get pods -n ingress-nginx 
NAME                                        READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-ptkwd        0/1     Completed   0          2m59s
ingress-nginx-admission-patch-zdqzp         0/1     Completed   0          2m59s
ingress-nginx-controller-76fc46c57b-t897c   0/1     Running     0          2m59s

验证使用 Ingress

创建tomcat的deployment、service

apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: testing
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
        - name: tomcat
          image: tomcat:8.0.50-jre8-alpine
          ports:
          - containerPort: 8080
            name: httpport
          - containerPort: 8009
            name: ajpport
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat-svc
  namespace: testing
  labels:  
    name: tomcat-svc
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 8080
      nodePort: 30443
  selector:
    app: tomcat

创建tomcat-ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat
  namespace: testing
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.ingress.com
    http:
      paths:
      - path: 
        backend:
          serviceName: tomcat-svc
          servicePort: 80

查看结果

[root@k8s-master tls]# curl -I http://tomcat.ingress.com:30443
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 29 Jun 2021 07:30:43 GMT

Ingress 定义HTTPS

1、案例一

#生成私钥
openssl genrsa -out tls.key 2048
# 根据私钥生成tls证书,注意CN是域名的形式
openssl req -new -x509 -key tls.key -out tls.cert -days 360 -subj /CN=tomcat.ingress.com
# 根据生成的key和cert创建secret
kubectl create secret tls -n testing  nginx-tls --cert=tls.cert --key=tls.key

修改 Ingress 规则

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-ingress-tls
  namespace: testing
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.ingress.com
    secretName: nginx-tls
  rules:
  - host: tomcat.ingress.com
    http:
      paths:
      - path: 
        backend:
          serviceName: tomcat-svc
          servicePort: 80

2、案例二

刚刚创建的域名是www.opesn.com,所以我直接用我的证书了,而且是可信任的撒,需要创建一个secret来保存tls证书信息,下面开始吧。

[root@k8s01 opesn]# ll
total 8
-rw-r--r-- 1 root root 1675 Jun  1 16:38 2536473_www.opesn.com.key
-rw-r--r-- 1 root root 3667 Jun  1 16:38 2536473_www.opesn.com.pem
[root@k8s01 opesn]# kubectl create secret tls opesn.com --cert=2536473_www.opesn.com.pem --key=2536473_www.opesn.com.key 
secret/opesn.com created
[root@k8s01 opesn]# kubectl get secrets opesn.com 
NAME        TYPE                DATA   AGE
opesn.com   kubernetes.io/tls   2      16s
[root@k8s01 opesn]# 

这就创建完了,在secrets里也阔以看到了,有两个数字信息,下面编写一下Ingress规则。

[root@k8s01 yml]# cat ingress_ssl.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: www.opesn.com-ssl
spec:
  tls:
  - hosts:
    - www.opesn.com
    secretName: opesn.com
  rules:
  - host: www.opesn.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-service
          servicePort: 80

注意一下tls那里的配置,别的就和上面一样了,在创建之前先把之前的删了,

[root@k8s01 yml]# kubectl create -f ingress_ssl.yaml 
ingress.extensions/www.opesn.com-ssl created
[root@k8s01 yml]# kubectl get ingresses.extensions 
NAME                HOSTS           ADDRESS   PORTS     AGE
www.opesn.com-ssl   www.opesn.com             80, 443   2m54s
[root@k8s01 yml]# 

[root@k8s01 yml]# curl -I www.opesn.com
HTTP/1.1 308 Permanent Redirect
Server: nginx/1.17.8
Date: Mon, 01 Jun 2020 08:52:34 GMT
Content-Type: text/html
Content-Length: 171
Connection: keep-alive
Location: https://www.opesn.com/

[root@k8s01 yml]# curl -I https://www.opesn.com
HTTP/1.1 200 OK
Server: nginx/1.17.8
Date: Mon, 01 Jun 2020 08:49:35 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Tue, 14 Apr 2020 14:19:26 GMT
ETag: "5e95c66e-264"
Accept-Ranges: bytes
Strict-Transport-Security: max-age=15724800; includeSubDomains

[root@k8s01 yml]# 

可以看到以非https方式访问他帮你重定向到https了,重定向状态码为308,事实证明没问题,如果你的证书是自签的,使用curl -k参数可以忽略证书问题,如果证书指定错了,k8s就是用默认的证书了。

部署多个ingress crontroller

controller.IngressClass     
同一个集群中不同Ingress Crontroller监控的ingress class标识必须唯一,且不能设置nginx关键字(nginx是集群默认Ingress Crontroller的监听标识) 创建多个ingress crontroller containers:
- args: - /nginx-ingress-controller - --publish-service=prod-bigdata/prod-bigdata-ingress-nginx-ack-ingress-nginx-controller-private - --election-id=prod-bigdata-ingress-controller-leader - --ingress-class=prod-bigdata-ingress-nginx ---------必须指定不同名称 - --configmap=prod-bigdata/prod-bigdata-ingress-nginx-ack-ingress-nginx-controller - --tcp-services-configmap=prod-bigdata/prod-bigdata-ingress-nginx-ack-ingress-nginx-tcp - --udp-services-configmap=prod-bigdata/prod-bigdata-ingress-nginx-ack-ingress-nginx-udp - --watch-namespace=prod-bigdata - --v=2 在选择ingress时需要指定ingressclass metadata: name: aa namespace: default annotations: kubernetes.io/ingress.class: "nginx" ------选择不同的ingress crontroller nginx.ingress.kubernetes.io/proxy-body-size: 8m

 

posted @ 2021-06-29 15:50  fat_girl_spring  阅读(366)  评论(0编辑  收藏  举报