kubernetes 之ingress-nginx对象实现代理后端主机并实现ssl回话卸载

下载所需：https://github.com/kubernetes/ingress-nginx/tree/nginx-0.17.1

创建一个目录

mkdir -p /data
[root@master ~]# tar xf ingress-nginx-nginx-0.17.1.tar.gz -C /data/
[root@master deploy]# cd /data/ingress-nginx-nginx-0.17.1/deploy

修改mandatory.yaml与with-rbac.yaml

1 2	`apiVersion: apps/v1` `#把 extensions/v1beta1修改成apps/v1；两个文件一样操作` `kind: Deployment`

创建名称空间资源

1 2	`[root@master deploy]# kubectl apply -f namespace.yaml` `namespace/ingress-nginx` `created`

　把剩下的yaml文件全部创建出来

[root@master deploy]# kubectl apply -f ./
configmap/nginx-configuration created
service/default-http-backend created
namespace/ingress-nginx unchanged
deployment.apps/default-http-backend created
service/default-http-backend unchanged
configmap/nginx-configuration unchanged
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
namespace/ingress-nginx unchanged
serviceaccount/nginx-ingress-serviceaccount unchanged
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole unchanged
role.rbac.authorization.k8s.io/nginx-ingress-role unchanged
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding unchanged
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding unchanged
configmap/tcp-services unchanged
configmap/udp-services unchanged
deployment.apps/nginx-ingress-controller created
unable to recognize "default-backend.yaml": no matches for kind "Deployment" in version "extensions/v1beta1"
unable to recognize "mandatory.yaml": no matches for kind "Deployment" in version "extensions/v1beta1"

查看创建的pod

[root@master deploy]# kubectl get -n ingress-nginx pods
NAME                                        READY   STATUS    RESTARTS   AGE
default-http-backend-75b5c88cd6-5z8kg       1/1     Running   0          7m22s
nginx-ingress-controller-7c457c5b84-zbr9n   1/1     Running   0          7m21s

　创建后端应用pod

[root@master data]# vim  depl-server-web.yaml 
 
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  selector:
    app: myapp-cx
    cx: cx
  ports:
  - name: http
    targetPort: 80  
    port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-dp
  namespace: default
spec:
  replicas: 2
  revisionHistoryLimit: 5
  selector:
    matchLabels:
      app: myapp-cx
      cx: cx
  strategy:
    rollingUpdate:
      maxSurge: 3
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: myapp-cx
        cx: cx
      name: myapp-dp
      namespace: default
    spec:
      containers:
      - name: myapp-f
        image: ikubernetes/myapp:v2
        ports:
        - name: httpd
          containerPort: 80
        livenessProbe:
          tcpSocket:
            port: 80

启动创建

[root@master data]# kubectl apply -f depl-server-web.yaml 
service/myapp created
deployment.apps/myapp-dp created
[root@master data]# kubectl get svc
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP    114d
myapp        ClusterIP   10.96.177.23    <none>        80/TCP     13s
mysql        ClusterIP   10.96.177.112   <none>        3306/TCP   93d
[root@master data]# kubectl get pods
NAME                        READY   STATUS    RESTARTS   AGE
myapp-dp-75889b7b8c-kcddh   1/1     Running   0          50s
myapp-dp-75889b7b8c-p9cfk   1/1     Running   0          50s

　　编写ingress-nginx与podserver建立的配置文件

[root@master baremetal]# cd /data/ingress-nginx-nginx-0.17.1/deploy/provider/baremetal/
[root@master baremetal]# vim service-nodeport.yaml   修改这个文件
 
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 30080   添加节点监听的端口
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
    nodePort: 30443   添加节点监听的端口
  selector:
    app: ingress-nginx   
 
[root@master baremetal]# kubectl apply -f service-nodeport.yaml 
service/ingress-nginx created
[root@master baremetal]# kubectl get -n ingress-nginx svc   查看创建的svc
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
default-http-backend   ClusterIP   10.96.24.100    <none>        80/TCP                       51m
ingress-nginx          NodePort    10.96.234.141   <none>        80:30080/TCP,443:30443/TCP   45s

　　浏览器访问NodeIP加端口号测试

[root@master baremetal]# curl http://192.168.10.21:30080/
default backend - 404
[root@master baremetal]# curl http://192.168.10.21:30443/
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.13.12</center>
</body>
</html>

　　创建于后端建立关系的ingress的资源

[root@master baremetal]# cat ingress-nginx.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  namespace: default
  annotations: 
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: www.chenxi.com   监听的主机名server_name
    http:
      paths:
      - path:   不写表示跟路径
        backend:
          serviceName: myapp   引用到那个service上
          servicePort: 80     servervice 监听的端口

　　创建并测试

[root@master baremetal]# kubectl apply -f ingress-nginx.yaml 
ingress.extensions/ingress created
[root@master baremetal]# kubectl describe ingress   查看相关资源
Name:             ingress
Namespace:        default
Address:          
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host            Path  Backends
  ----            ----  --------
  www.chenxi.com  
                     myapp:80 (10.244.1.56:80,10.244.2.46:80)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/i
ngress.class":"nginx"},"name":"ingress","namespace":"default"},"spec":{"rules":[{"host":"www.chenxi.com","http":{"paths":[{"backend":{"serviceName":"myapp","servicePort":80},"path":null}]}}]}}
  kubernetes.io/ingress.class:  nginx
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  11m   nginx-ingress-controller  Ingress default/ingress
 
[root@master baremetal]# vim /etc/hosts   主机名解析
 
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.20 master
192.168.10.21 node01 www.chenxi.com
192.168.10.22 node02
[root@master baremetal]# curl http://www.chenxi.com:30080
Hello MyApp | Version: v2 | <a href="hostname.html">Pod Name</a>

　　进入pod内部

1 2	`[root@master ~]# kubectl exec -it -n ingress-nginx nginx-ingress-controller-7c457c5b84-zbr9n -- /bin/sh` `$` `ls`

　　创建HTTPS会话卸载代理至tomcat创建tomcat pod以及server

[root@master data]# cat depl-tomcat.yaml 
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector: 
    app: tomcat
    cx: tomcat-cx
  ports:
  - name: http
    targetPort: 8080
    port: 8080
---
apiVersion: apps/v1
kind: Deployment   
metadata:
  name: tomcat
  namespace: default
spec:
  replicas: 3
  revisionHistoryLimit: 5
  selector:
    matchLabels:
      app: tomcat
      cx: tomcat-cx
  strategy:
    rollingUpdate:
      maxSurge: 3
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: tomcat
        cx: tomcat-cx
      name: tomcat
      namespace: default
    spec:
      containers:
      - name: myapp-f
        image: tomcat
        ports:  
        - name: httpd
          containerPort: 8080
        livenessProbe:
          tcpSocket:
            port: 8080

　　创建

1	`[root@master baremetal]# kubectl apply -f ingress-tomcat.yaml`

　　编写ingress资源；service-nodeport.yaml文件里如果不写默认是映射80端口的那个端口

[root@master baremetal]# cat ingress-tomcat.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations: 
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: www.cx.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080

　　启动

[root@master baremetal]# kubectl apply -f ingress-tomcat.yaml 
ingress.extensions/ingress configured
[root@master baremetal]# kubectl describe ingress ingress-tomcat
Name:             ingress-tomcat
Namespace:        default
Address:          
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host        Path  Backends
  ----        ----  --------
  www.cx.com  
                 tomcat:8080 (10.244.1.57:8080,10.244.2.47:8080,10.244.2.48:8080)
Annotations:
  kubernetes.io/ingress.class:                       nginx
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/i
ngress.class":"nginx"},"name":"ingress-tomcat","namespace":"default"},"spec":{"rules":[{"host":"www.cx.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}]}}
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  23s   nginx-ingress-controller  Ingress default/ingress-tomcat

　　测试

[root@master baremetal]# curl http://www.cx.com:30080
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h
1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> Not found</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/8.5.54</h3></body></html>

　　实现https创建证书文件

[root@master baremetal]# openssl genrsa -out tls.key 2048
[root@master baremetal]# openssl req -new -x509 -key tls.key  -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/o=DevOps/CN=www.cx.com
[root@master baremetal]# kubectl create secret tls tomcat-ingress-secret  --cert=tls.crt --key=tls.key
secret/tomcat-ingress-secret created

　　修改ingress-tomcat.yaml 文件

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:  添加tls
  - hosts:   主机名
    - www.cx.com
    secretName: tomcat-ingress-secret   哪里读取文件
  rules:
  - host: www.cx.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080