kubernetes-ingress-nginx-controller资源-用于管理和处理集群中的 Ingress 资源

ingress-nginx-controller 是一个常用的 Kubernetes Ingress 控制器,它基于 NGINX 实现,主要用于管理和处理集群中的 Ingress 资源。
Ingress 资源是 Kubernetes 中的一种网络入口资源,用于将外部流量路由到集群内部的服务

ingress-nginx-controller 的功能作用

流量管理和路由

# 1、管理外部流量:
- ingress-nginx-controller 接收并管理外部到达 Kubernetes 集群的 HTTP 和 HTTPS 请求,根据 Ingress 规则将流量路由到对应的服务。

# 2、基于域名和路径的路由:
- 通过定义 Ingress 资源,可以根据请求的域名(host)和 URL 路径(path)将请求路由到不同的服务。

spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /foo
        backend:
          service:
            name: foo-service
            port:
              number: 80
      - path: /bar
        backend:
          service:
            name: bar-service
            port:
              number: 80

#在上面的例子中,ingress-nginx-controller 会将 example.com/foo 的请求路由到 foo-service,将 example.com/bar 的请求路由到 bar-service。

1.2 负载均衡

# 1、提供负载均衡功能:
- ingress-nginx-controller 能够将请求分发到集群内的多个后端 Pod,提供负载均衡功能,提高服务的可用性和扩展性。

安全和认证

#HTTPS/TLS 终止:
- ingress-nginx-controller 可以管理 SSL/TLS 证书,提供 HTTPS 终止,确保请求在到达后端服务前已经过加密处理和解密。

spec:
  tls:
  - hosts:
    - example.com
    secretName: example-tls-secret
    
#这段配置说明 example.com 域名使用了 example-tls-secret 中的证书来处理 HTTPS 请求。


#身份验证和授权:
- 支持各种认证机制,如 Basic Auth、OAuth 等,可以对进入的流量进行身份验证和访问控制。

 应用层网关

# 应用层代理:
- ingress-nginx-controller 作为一个应用层代理,可以处理复杂的应用层逻辑,例如路径重写、请求头修改等。

#这段配置示例表示所有请求将被重写到 /,实现路径重写功能。
- nginx.ingress.kubernetes.io/rewrite-target: /


#请求头操作:
- 可以修改请求头信息,添加、删除或替换请求头,方便实现某些业务逻辑和安全策略。

日志和监控 

日志记录:
ingress-nginx-controller 提供详细的访问日志和错误日志,便于对流量进行监控和分析,帮助快速定位和解决问题。

监控指标:
提供 Prometheus 兼容的监控指标,可以用于集成到监控系统中,实时监控流量情况和服务性能。

架构与工作原理 

2.1 架构
Controller 部分:
监听 Kubernetes API Server,监控 Ingress 资源的变化。根据 Ingress 资源的定义,动态生成 NGINX 配置。

NGINX 部分:
运行在集群内部,负责实际处理请求。通过 ingress-nginx-controller 动态生成的 NGINX 配置文件来管理流量。

2.2 工作流程
定义 Ingress 资源:
用户在 Kubernetes 集群中定义 Ingress 资源,指定规则和目标服务。

Controller 监控资源:
ingress-nginx-controller 监听 Ingress 资源的变化,根据规则生成或更新 NGINX 配置文件。

NGINX 处理请求:
NGINX 使用生成的配置文件,处理外部请求并将其路由到相应的服务。

动态更新:
当 Ingress 资源发生变化时,ingress-nginx-controller 会自动更新 NGINX 配置,实现流量的无缝转发。

以下是一个简单的 ingress-nginx 使用示例,它定义了一个基本的 HTTP 路由规则:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80

#在这个示例中,ingress-nginx-controller 将会:
监听 Ingress 资源 example-ingress。
当请求域名为 example.com 时,将请求转发到名为 example-service 的服务。

 

开发环境下:ingress-deploy.yaml

apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount			# 创建 SA,用于 IngressContainer 和 kube-apiServer 进行认证
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role			# 设置集群角色策略,是否允许对 ingress-container 中的资源-resources(pod、configmaps等)进行用户授权
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:		#资源
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resourceNames:
  - ingress-nginx-leader
  resources:
  - leases
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-admission
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:	#用于指定哪些API组中的资源可以被访问
  - ""			#当""为空时可以访问所有的api资源
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:		#用于指定哪些API组中的资源可以被访问
  - discovery.k8s.io	#只想允许访问特定API组的资源:discovery.k8s.io
  resources:
  - endpointslices	#表示角色可以访问endpointslices资源
  verbs:			#这一部分定义了角色可以对上述资源执行的动作
  - list			#允许角色列出所有endpointslices资源
  - watch			#允许角色监视endpointslices资源的更改。当资源发生变化时,角色会收到通知
  - get				#允许角色获取单个endpointslices资源的详细信息
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-admission
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding				#绑定上面定义的角色Role权限
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-admission
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-admission
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: v1
data:
  allow-snippet-annotations: "true"
  compute-full-forwarded-for: "true"
  forwarded-for-header: X-Forwarded-For
  use-forwarded-headers: "true"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-controller
  namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  annotations:
    service.cloud.tencent.com/local-svc-weighted-balance: "true"
    service.kubernetes.io/local-svc-only-bind-node-with-pod: "true"
    service.kubernetes.io/tke-existed-lbid: xxxxxx   # 修改成CLB的id
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Local
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer
  loadBalancerIP: 10.142.47.22
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  ports:
  - appProtocol: https
    name: https-webhook
    port: 443
    targetPort: webhook
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.8.1
    spec:
      imagePullSecrets:
        - name: docker-secret
      containers:
      - args:
        - /nginx-ingress-controller
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
        - --election-id=ingress-nginx-leader
        - --controller-class=k8s.io/ingress-nginx
        - --ingress-class=nginx
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
        image: ccr.gpdc.cloud.cn/library-images/nginx-ingress-controller:v1.8.1
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /wait-shutdown
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: controller
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        - containerPort: 8443
          name: webhook
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 100m
            memory: 90Mi
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsUser: 101
        volumeMounts:
        - mountPath: /usr/local/certificates/
          name: webhook-cert
          readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
      - name: webhook-cert
        secret:
          secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-admission-create				#ingress-nginx-admission 是 Kubernetes Ingress-Nginx 控制器的一个插件,其作用是验证使用该控制器创建的 Ingress 对象的配置是否正确,并确保它们可以成功部署和运行。
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.8.1
      name: ingress-nginx-admission-create
    spec:
      imagePullSecrets:
        - name: docker-secret
      containers:
      - args:
        - create
        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=ingress-nginx-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: ccr.gpdc.cloud.cn/library-images/kube-webhook-certgen:v20230407
        imagePullPolicy: IfNotPresent
        name: create
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-admission-patch		#ingress-nginx-admission 是 Kubernetes Ingress-Nginx 控制器的一个插件,其作用是验证使用该控制器创建的 Ingress 对象的配置是否正确,并确保它们可以成功部署和运行。
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.8.1
      name: ingress-nginx-admission-patch
    spec:
      imagePullSecrets:
        - name: docker-secret
      containers:
      - args:
        - patch
        - --webhook-name=ingress-nginx-admission
        - --namespace=$(POD_NAMESPACE)
        - --patch-mutating=false
        - --secret-name=ingress-nginx-admission
        - --patch-failure-policy=Fail
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: ccr.gpdc.cloud.cn/library-images/kube-webhook-certgen:v20230407
        imagePullPolicy: IfNotPresent
        name: patch
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass			#通过它来识别ingress
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: nginx
spec:
  controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration		#用于配置 Admission Controller 中的 Validating Webhook,从而对 Kubernetes API 对象进行验证(validation)
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.8.1
  name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: ingress-nginx-controller-admission
      namespace: ingress-nginx
      path: /networking/v1/ingresses
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validate.nginx.ingress.kubernetes.io
  rules:
  - apiGroups:
    - networking.k8s.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  sideEffects: None

 

再创建一个 ingress-rule.yaml 来配置 ingress-nginx-controller 的路由规则

apiVersion: networking.k8s.io/v1    #表示这是一个 Ingress 资源,并使用了 Kubernetes 网络 API v1 版本
kind: Ingress     #kind: 定义了资源的类型。在这里是 Ingress,用来管理外部 HTTP 和 HTTPS 流量并将其路由到集群内部的服务。
metadata:
  annotations:  #注释提供了对 NGINX Ingress 控制器的一些额外配置。
    kubernetes.io/ingress.class: nginx    #指定了使用的 Ingress 控制器类。在这里使用的是 nginx Ingress 控制器。通过这个注释,Kubernetes 知道该 Ingress 资源应由 NGINX Ingress 控制器来处理。
    nginx.ingress.kubernetes.io/cors-allow-methods: '*'   #配置允许的 HTTP 方法,用于跨域资源共享(CORS)。'*' 表示允许所有 HTTP 方法。
    nginx.ingress.kubernetes.io/cors-allow-origin: '*'    #配置允许的跨域来源。'*' 表示允许所有来源,可以访问资源。这是一个非常开放的设置,意味着任何域都可以访问该服务。
    nginx.ingress.kubernetes.io/enable-cors: "true"       #启用 CORS(跨域资源共享)。设置为 "true" 表示开启 CORS 功能
    nginx.ingress.kubernetes.io/proxy-body-size: 1024m    #配置允许的请求体的最大大小。1024m 表示允许最大 1024MB 的请求体。这对于上传大文件的应用非常有用。
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "30" #配置与上游服务器建立连接的超时时间。30 秒内未建立连接则会超时
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"   #配置从上游服务器读取数据的超时时间。600 秒内未收到数据则会超时。这是读取整个请求的超时时间。
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"   #配置发送数据到上游服务器的超时时间。600 秒内未完成发送数据则会超时
    nginx.ingress.kubernetes.io/send-timeout: "600"         #配置发送数据到客户端的超时时间。600 秒内未完成数据发送则会超时
    nginx.ingress.kubernetes.io/upstream-hash-by: $http_x_forwarded_for #配置上游服务器的哈希负载均衡策略。$http_x_forwarded_for 表示基于请求的 X-Forwarded-For 头部来进行哈希,用于实现基于客户端 IP 的会话保持。
  name: ingress-rule      #Ingress 资源的名称。这个名称在集群中是唯一的,可以用来标识该 Ingress 资源。
  namespace: ops-system   #Ingress 资源所属的命名空间
spec: 
  rules:                  #定义了具体的路由规则,决定了哪些请求会被转发到哪个后端服务。
  - http:                 #http 表示规则适用于 HTTP 请求,定义了 HTTP 路径和对应的后端服务。
      paths:              #paths 是一个列表,每个元素定义了一个路径及其对应的后端服务。
      - backend:                            #指定了处理请求的后端服务 相当于 location xxx {} 指向一个名为 ops-webui-svc 的服务,并指定了服务的端口号 80
          service:                          #定义了将请求转发到哪个 Kubernetes 服务(Service)。指定了 ops-webui-svc,这意味着所有匹配的请求都会被转发到这个服务
            name: ops-webui-svc             #name 是 service 的名称。在 Kubernetes 中,服务是通过名称来标识的。     kubectl get svc -n ops-system
            port:
              number: 80                    #访问的端口
        path: /                             #路由的路径定义了 URL 路径,该路径决定哪些请求应该被转发到指定的后端服务
        pathType: Prefix                    #定义了路径匹配的类型。Prefix 表示路径前缀匹配,也就是说,所有以指定前缀开头的请求路径都会被认为是匹配 /images 会匹配 /images 本身以及所有以 /images 开头的路径

      - backend:    
          service:
            name: ops-webui-svc
            port:
              number: 80
        path: /images
        pathType: Prefix
      - backend:
          service:
            name: ops-webui-svc
            port:
              number: 80
        path: /static
        pathType: Prefix
      - backend:
          service:
            name: ops-webui-svc
            port:
              number: 80
        path: /models
        pathType: Prefix
      - backend:
          service:
            name: ops-webui-svc
            port:
              number: 80
        path: /fonts
        pathType: Prefix
      - backend:
          service:
            name: ops-webui-svc
            port:
              number: 80
        path: /iconfont
        pathType: Prefix
      - backend:
          service:
            name: ops-static-svc
            port:
              number: 80
        path: /diffhtml/css_js
        pathType: Prefix
      - backend:
          service:
            name: ops-static-svc
            port:
              number: 80
        path: /data/key_cfg_compare/export
        pathType: Prefix
      - backend:
          service:
            name: iam-svc
            port:
              number: 8888
        path: /api
        pathType: Prefix
      - backend:
          service:
            name: kong-svc
            port:
              number: 8000
        path: /asset
        pathType: Prefix
      - backend:
          service:
            name: kong-svc
            port:
              number: 8000
        path: /ops-manage/ws
        pathType: Prefix
      - backend:
          service:
            name: kong-svc
            port:
              number: 8000
        path: /ops-manage
        pathType: Prefix
      - backend:
          service:
            name: kong-svc
            port:
              number: 8000
        path: /ops-elink
        pathType: Prefix
      - backend:
          service:
            name: kong-svc
            port:
              number: 8000
        path: /ops-metrics
        pathType: Prefix
      - backend:
          service:
            name: lap-svc
            port:
              number: 8889
        path: /lap
        pathType: Prefix
  tls:                          #添加tls加密证书 https
  - hosts:
    - 192.168.19.13
    secretName: ops-tls-secret  #证书存放的 secret - kubectl get secret -n ops-system
status:
  loadBalancer:                 #负载均衡
    ingress:
    - ip: 10.142.46.247

 

posted @ 2024-06-13 23:09  little小新  阅读(71)  评论(0编辑  收藏  举报