Kubernetes之(十一)Ingress和Ingress Controller

Kubernetes之(十一)Ingress和Ingress Controller

概念

通常情况下,service和pod的IP仅可在集群内部访问。集群外部的请求需要通过负载均衡转发到service在Node上暴露的NodePort上,然后再由kube-proxy将其转发给相关的Pod。

NodePort 方式暴露服务面临问题是,服务一旦多起来,NodePort 在每个节点上开启的端口会及其庞大,而且难以维护;这时,我们可以能否使用一个Nginx直接对内进行转发呢?众所周知的是,Pod与Pod之间是可以互相通信的,而Pod是可以共享宿主机的网络名称空间的,也就是说当在共享网络名称空间时,Pod上所监听的就是Node上的端口。那么这又该如何实现呢?简单的实现就是使用 DaemonSet 在每个 Node 上监听 80,然后写好规则,因为 Nginx 外面绑定了宿主机 80 端口(就像 NodePort),本身又在集群内,那么向后直接转发到相应 Service IP就行了。

但是新的问题出现:当每次有新服务加入时怎么办。此时 Ingress 出现了,如果不算上面的Nginx,Ingress 包含两大组件:Ingress ControllerIngress

Ingress就是为进入集群的请求提供路由规则的集合,如下图所示

Ingress可以给service提供集群外部访问的URL、负载均衡、SSL终止、HTTP路由等。为了配置这些Ingress规则,集群管理员需要部署一个Ingress controller,它监听Ingress和service的变化,并根据规则配置负载均衡并提供访问入口。

Ingress也是Kubernetes API的标准资源类型之一,它其实就是一组基于DNS名称(host)或URL路径把请求转发到指定的Service资源的规则。用于将集群外部的请求流量转发到集群内部完成的服务发布。我们需要明白的是,Ingress资源自身不能进行“流量穿透”,仅仅是一组规则的集合,这些集合规则还需要其他功能的辅助,比如监听某套接字,然后根据这些规则的匹配进行路由转发,这些能够为Ingress资源监听套接字并将流量转发的组件就是Ingress Controller。

Ingress 控制器不同于Deployment 控制器的是,Ingress控制器不直接运行为kube-controller-manager的一部分,它仅仅是Kubernetes集群的一个附件,类似于CoreDNS,需要在集群上单独部署。

创建Ingress资源
Ingress资源时基于HTTP虚拟主机或URL的转发规则,需要强调的是,这是一条转发规则。它在资源配置清单中的spec字段中嵌套了rules、backend和tls等字段进行定义。如下示例中定义了一个Ingress资源,其包含了一个转发规则:将发往myapp.magedu.com的请求,代理给一个名字为myapp的Service资源。

apiVersion: extensions/v1beta1      
kind: Ingress       
metadata:           
  name: ingress-myapp   
  namespace: default     
  annotations:          
    kubernetes.io/ingress.class: "nginx"
spec:     
  rules:   
  - host: myapp.magedu.com   
    http:
      paths:       
      - path:       
        backend:    
          serviceName: myapp
          servicePort: 80

Ingress 中的spec字段是Ingress资源的核心组成部分,主要包含以下3个字段:

  • rules:用于定义当前Ingress资源的转发规则列表;由rules定义规则,或没有匹配到规则时,所有的流量会转发到由backend定义的默认后端。
  • backend:默认的后端用于服务那些没有匹配到任何规则的请求;定义Ingress资源时,必须要定义backend或rules两者之一,该字段用于让负载均衡器指定一个全局默认的后端。
  • tls:TLS配置,目前仅支持通过默认端口443提供服务,如果要配置指定的列表成员指向不同的主机,则需要通过SNI TLS扩展机制来支持该功能

backend对象的定义由2个必要的字段组成:serviceName和servicePort,分别用于指定流量转发的后端目标Service资源名称和端口。
rules对象由一系列的配置的Ingress资源的host规则组成,这些host规则用于将一个主机上的某个URL映射到相关后端Service对象,其定义格式如下:

spec:
  rules:
  - hosts: <string>
    http:
      paths:
      - path:
        backend:
          serviceName: <string>
          servicePort: <string>

需要注意的是,.spec.rules.host属性值,目前暂不支持使用IP地址定义,也不支持IP:Port 的格式,该字段留空,代表着通配所有主机名。
tls对象由2个内嵌的字段组成,仅在定义TLS主机的转发规则上使用。

  • hosts:包含于使用的TLS证书之内的主机名称字符串列表,因此,此处使用的主机名必须匹配tlsSecret中的名称。
  • secretName: 用于引用SSL会话的secret对象名称,在 基于SNI实现多主机路由的场景中,此字段为可选。

Ingress资源类型

Ingress的资源类型有以下4种:

  • 单Service资源型Ingress
  • 基于URL路径进行流量转发
  • 基于主机名称的虚拟主机
  • TLS类型的Ingress资源

单Service资源型Ingress

暴露单个服务的方法有多种,如NodePort、LoadBanlancer等等,当然也可以使用Ingress来进行暴露单个服务,只需要为Ingress指定default backend即可,如下示例:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
spec:
  backend:
    serviceName: my-svc
    servicePort: 80

Ingress控制器会为其分配一个IP地址接入请求流量,并将其转发至后端my-svc

Ingress Nginx部署

使用Ingress功能步骤:
1、安装部署ingress controller Pod
2、部署后端服务
3、部署ingress-nginx service
4、部署ingress
Ingress 也是标准的 K8S 资源,其定义的方式,也可以使用 explain 进行查看:

[root@master ~]# kubectl explain ingress
KIND:     Ingress
VERSION:  extensions/v1beta1

DESCRIPTION:
     Ingress is a collection of rules that allow inbound connections to reach
     the endpoints defined by a backend. An Ingress can be configured to give
     services externally-reachable urls, load balance traffic, terminate SSL,
     offer name based virtual hosting etc.

FIELDS:
   apiVersion   <string>
     APIVersion defines the versioned schema of this representation of an
     object. Servers should convert recognized schemas to the latest internal
     value, and may reject unrecognized values. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#resources

   kind <string>
     Kind is a string value representing the REST resource this object
     represents. Servers may infer this from the endpoint the client submits
     requests to. Cannot be updated. In CamelCase. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds

   metadata     <Object>
     Standard object's metadata. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata

   spec <Object>
     Spec is the desired state of the Ingress. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status

   status       <Object>
     Status is the current state of the Ingress. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status

部署Ingress controller

此处使用ingress-nginx 0.17.1版本,未使用最新的master
下载ingress相关yaml

[root@master manifests]# mkdir ingress-nginx  
[root@master manifests]# cd ingress-nginx  
[root@master manifests]#  for file in namespace.yaml configmap.yaml rbac.yaml tcp-services-configmap.yaml with-rbac.yaml udp-services-configmap.yaml default-backend.yaml;do wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.17.1/deploy/$file;done

[root@master ingress-nginx]# ll
总用量 476
[root@master ingress-nginx]# ll
总用量 28
-rw-r--r-- 1 root root  134 4月   1 17:19 configmap.yaml #configmap用于为nginx从外部注入配置的
-rw-r--r-- 1 root root 1216 4月   1 17:20 default-backend.yaml   #配置默认后端服务
-rw-r--r-- 1 root root   68 4月   1 17:19 namespace.yaml #创建独立的名称空间
-rw-r--r-- 1 root root 2390 4月   1 17:19 rbac.yaml  #rbac用于集群角色授权
-rw-r--r-- 1 root root   94 4月   1 17:19 tcp-services-configmap.yaml
-rw-r--r-- 1 root root   94 4月   1 17:20 udp-services-configmap.yaml
-rw-r--r-- 1 root root 2174 4月   1 17:20 with-rbac.yaml

创建ingress-nginx名称空间

[root@master ingress-nginx]# cat namespace.yaml 
---
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  
[root@master ingress-nginx]# kubectl apply -f namespace.yaml 
namespace/ingress-nginx created

创建ingress controller的pod

#由于国内网络防火墙问题导致无法正常拉取k8s.grc.io仓库中拉取所需镜像文件,需要修改配置文件,修改镜像地址
[root@master ingress-nginx]# vim default-backend.yaml 
        #image: gcr.io/google_containers/defaultbackend:1.4
        image: xiaobai20201/defaultbackend-amd64:1.5

[root@master ingress-nginx]# kubectl apply -f .
configmap/nginx-configuration created
deployment.extensions/default-http-backend created
service/default-http-backend created
namespace/ingress-nginx unchanged
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
configmap/tcp-services created
configmap/udp-services created
deployment.extensions/nginx-ingress-controller created

查看结果

[root@master ingress-nginx]# kubectl get pod -n ingress-nginx  
NAME                                        READY   STATUS    RESTARTS   AGE
default-http-backend-788bdcf46f-7b5ds       1/1     Running   0          24s
nginx-ingress-controller-7db86988c8-jmv72   1/1     Running   0          3m50s

配置ingress后端服务

查看配置清单:

[root@master ~]# kubectl explain ingress.spec.
KIND:     Ingress
VERSION:  extensions/v1beta1

RESOURCE: spec <Object>

DESCRIPTION:
     Spec is the desired state of the Ingress. More info:
     https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status

     IngressSpec describes the Ingress the user wishes to exist.

FIELDS:
   backend      <Object>   #定义后端主机

   rules        <[]Object>  #定义规则

   tls  <[]Object>

部署:

[root@master ingress-nginx]# cd ../ && mkdir ingress  &&  cd ingress
[root@master ingress]# vim deploy-demo.yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  selector:
    app: myapp
    release: canary
  ports:
  - name: http
    targetPort: 80
    port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-backend-pod
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v2
        ports:
        - name: http
          containerPort: 80

查看部署结果

[root@master ingress]# kubectl get pods,svc
NAME                                     READY   STATUS    RESTARTS   AGE
pod/filebeat-ds-h8rwk                    1/1     Running   0          18h
pod/filebeat-ds-kzhxw                    1/1     Running   0          18h
pod/myapp-backend-pod-6b56d98b6b-2dh5h   1/1     Running   0          78s
pod/myapp-backend-pod-6b56d98b6b-hwzws   1/1     Running   0          78s
pod/myapp-backend-pod-6b56d98b6b-ztwn2   1/1     Running   0          78s
pod/readiness-httpget-pod                1/1     Running   0          3d16h

NAME                     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/kubernetes       ClusterIP   10.96.0.1       <none>        443/TCP    5d16h
service/myapp            ClusterIP   10.100.41.152   <none>        80/TCP     7m47s
service/myapp-headless   ClusterIP   None            <none>        80/TCP     16h

部署ingress-nginx service

通过ingress-controller对外提供服务,现在还需要手动给ingress-controller建立一个service,接收集群外部流量。
下载ingress-controller的yaml文件

[root@master ingress]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.17.1/deploy/provider/baremetal/service-nodeport.yaml

[root@master ingress]# vim service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 31111 #默认是随机端口,此处指定
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
    nodePort: 31443  #默认是随机端口,此处指定
  selector:
    app: ingress-nginx

查看部署结果

[root@master ingress]# kubectl apply -f service-nodeport.yaml
service/ingress-nginx created
[root@master ingress]# kubectl get svc -n ingress-nginx
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
default-http-backend   ClusterIP   10.98.233.231    <none>        80/TCP                       33m
ingress-nginx          NodePort    10.103.142.142   <none>        80:31111/TCP,443:31443/TCP   8s

此时尝试访问10.0.0.10:31111 应该是404,因为调度器工作正常,但是后端服务还没有关联

部署Ingress

编写清单

[root@master ingress]# vim ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myapp-ingress  #ingress的名称
  namespace: default  #所属名称空间
  annotations: #注解信息
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:  #定义后端转发的规则
  - host: myapp.white.com  #通过域名进行转发
    http:
      paths:   
      - path:   #配置访问路径,如果通过url进行转发,需要修改;空默认为访问的路径为根"/"
        backend:  #配置后端服务
          serviceName: myapp
          servicePort: 80

创建后查看结果:

[root@master ingress]# kubectl apply -f ingress-myapp.yaml 
ingress.extensions/myapp-ingress created
[root@master ingress]# kubectl get ingress
NAME            HOSTS             ADDRESS   PORTS   AGE
myapp-ingress   myapp.white.com             80      12s

查看myapp-ingress的详细信息

[root@master ingress]# kubectl describe ingress myapp-ingress
Name:             myapp-ingress
Namespace:        default
Address:          
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host             Path  Backends
  ----             ----  --------
  myapp.white.com  
                      myapp:80 (<none>)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"myapp-ingress","namespace":"default"},"spec":{"rules":[{"host":"myapp.white.com","http":{"paths":[{"backend":{"serviceName":"myapp","servicePort":80},"path":null}]}}]}}

  kubernetes.io/ingress.class:  nginx
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  62s   nginx-ingress-controller  Ingress default/myapp-ingress
[root@master ingress]# 

进入nginx-ingress-controller进行查看是否注入了nginx的配置

[root@master ingress]# kubectl get pods -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
default-http-backend-788bdcf46f-7b5ds       1/1     Running   0          41m
nginx-ingress-controller-7db86988c8-jmv72   1/1     Running   0          45m

[root@master ingress]# kubectl exec -it  nginx-ingress-controller-7db86988c8-jmv72 -n ingress-nginx -- /bin/sh 
$ cat  nginx.conf
......
        upstream default-myapp-80 { #自动配置负载均衡到后端pod
                least_conn;

                keepalive 32;

                server 10.244.1.44:80 max_fails=0 fail_timeout=0;
                server 10.244.2.49:80 max_fails=0 fail_timeout=0;
                server 10.244.2.48:80 max_fails=0 fail_timeout=0;

        }
......
        ## start server myapp.white.com
        server {
                server_name myapp.white.com ;

                listen 80;

                listen [::]:80;

                set $proxy_upstream_name "-";

                location / {

                        set $namespace      "default";
                        set $ingress_name   "myapp-ingress";
                        set $service_name   "myapp";
                        set $service_port   "80";
                        set $location_path  "/";

                        rewrite_by_lua_block {

                        }
...

修改本地host文件 访问
10.0.0.10 master myapp.white.com
10.0.0.11 node01 myapp.white.com
10.0.0.12 node02 myapp.white.com

增加tomcat服务

编写清单

[root@master ingress]# vim tomcat-deploy.yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  - name: ajp
    targetPort: 8009
    port: 8009

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5-alpine
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009

编写tomcat的ingress规则,并创建ingress资源

[root@master ingress]# vim ingress-tomcat.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.white.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080

执行

[root@master ingress]# kubectl apply -f tomcat-deploy.yaml 

[root@master ingress]# kubectl get pods
NAME                                 READY   STATUS    RESTARTS   AGE
filebeat-ds-h8rwk                    1/1     Running   0          19h
filebeat-ds-kzhxw                    1/1     Running   0          19h
myapp-backend-pod-6b56d98b6b-2dh5h   1/1     Running   0          62m
myapp-backend-pod-6b56d98b6b-hwzws   1/1     Running   0          62m
myapp-backend-pod-6b56d98b6b-ztwn2   1/1     Running   0          62m
readiness-httpget-pod                1/1     Running   0          3d17h
tomcat-deploy-5f554cd88d-7gzc7       1/1     Running   0          44s
tomcat-deploy-5f554cd88d-c42t6       1/1     Running   0          44s
tomcat-deploy-5f554cd88d-qhc4j       1/1     Running   0          44s

[root@master ingress]# kubectl get svc
NAME             TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
kubernetes       ClusterIP   10.96.0.1       <none>        443/TCP             5d17h
myapp            ClusterIP   10.100.41.152   <none>        80/TCP              70m
myapp-headless   ClusterIP   None            <none>        80/TCP              17h
tomcat           ClusterIP   10.107.88.118   <none>        8080/TCP,8009/TCP   3m4s

查看tomcat-deploy是否监听8080和8009

[root@master ingress]# kubectl exec -it tomcat-deploy-5f554cd88d-7gzc7 -- netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN   

创建ingress资源

[root@master ingress]# kubectl apply -f ingress-tomcat.yaml 
ingress.extensions/tomcat-ingress created
[root@master ingress]# kubectl get ingress
NAME             HOSTS              ADDRESS   PORTS   AGE
myapp-ingress    myapp.white.com              80      45m
tomcat-ingress   tomcat.white.com             80      5s

查看tomcat-ingress详细信息

[root@master ingress]# kubectl describe ingress tomcat-ingress
Name:             tomcat-ingress
Namespace:        default
Address:          
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host              Path  Backends
  ----              ----  --------
  tomcat.white.com  
                       tomcat:8080 (<none>)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"tomcat-ingress","namespace":"default"},"spec":{"rules":[{"host":"tomcat.white.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}]}}

  kubernetes.io/ingress.class:  nginx
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  71s   nginx-ingress-controller  Ingress default/tomcat-ingress

修改本地host文件映射后测试访问

10.0.0.10 master myapp.white.com tomcat.white.com
10.0.0.11 node01 myapp.white.com tomcat.white.com
10.0.0.12 node02 myapp.white.com tomcat.white.com

总结

从前面的部署过程中,可以再次进行总结部署的流程如下:

  1. 下载Ingress-controller相关的YAML文件,并给Ingress-controller创建独立的名称空间;
  2. 部署后端的服务,如myapp,并通过service进行暴露;
  3. 部署Ingress-controller的service,以实现接入集群外部流量;
  4. 部署Ingress,进行定义规则,使Ingress-controller和后端服务的Pod组进行关联。

构建TLS站点

准备证书

[root@master ingress]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
......+++
.....................................................+++
e is 65537 (0x10001)
[root@master ingress]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Guangdong/L=Zhongshan/O=DevOps/CN=tomcat.white.com
[root@master ingress]# ls
deploy-demo.yaml    ingress-tomcat.yaml    tls.crt  tomcat-deploy.yaml
ingress-myapp.yaml  service-nodeport.yaml  tls.key

此时生成的证书不能直接被nginx的pod调用,需要转换成secret(领一个标准的kubernetes对象)
生成secret

[root@master ingress]# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
secret/tomcat-ingress-secret created
[root@master ingress]# kubectl get secret
NAME                    TYPE                                  DATA   AGE
default-token-dqd2f     kubernetes.io/service-account-token   3      5d18h
tomcat-ingress-secret   kubernetes.io/tls                     2      11s
[root@master ingress]# kubectl describe secret tomcat-ingress-secret
Name:         tomcat-ingress-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  1302 bytes
tls.key:  1679 bytes

创建ingress

[root@master ingress]# vim ingress-tomcat-tls.yaml
[root@master ~]# kubectl explain ingress.spec.tls.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-ingress-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.white.com
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.white.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080

[root@master ingress]# kubectl apply -f ingress-tomcat-tls.yaml
ingress.extensions/tomcat-ingress-tls created
[root@master ingress]# kubectl get ingress
NAME                 HOSTS              ADDRESS   PORTS     AGE
myapp-ingress        myapp.white.com              80        61m
tomcat-ingress       tomcat.white.com             80        16m
tomcat-ingress-tls   tomcat.white.com             80, 443   25s


#查看描述
[root@master ingress]# kubectl describe ingress  tomcat-ingress-tls
Name:             tomcat-ingress-tls
Namespace:        default
Address:          
Default backend:  default-http-backend:80 (<none>)
TLS:
  tomcat-ingress-secret terminates tomcat.white.com
Rules:
  Host              Path  Backends
  ----              ----  --------
  tomcat.white.com  
                       tomcat:8080 (<none>)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"tomcat-ingress-tls","namespace":"default"},"spec":{"rules":[{"host":"tomcat.white.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}],"tls":[{"hosts":["tomcat.white.com"],"secretName":"tomcat-ingress-secret"}]}}

  kubernetes.io/ingress.class:  nginx
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  107s  nginx-ingress-controller  Ingress default/tomcat-ingress-tls

进入pod内查看

[root@master ingress]# kubectl exec -it nginx-ingress-controller-7db86988c8-jmv72 -n ingress-nginx -- /bin/sh
$ cat nginx.conf
······
upstream default-tomcat-8080 {
                least_conn;

                keepalive 32;

                server 10.244.1.45:8080 max_fails=0 fail_timeout=0;
                server 10.244.2.51:8080 max_fails=0 fail_timeout=0;
                server 10.244.2.50:8080 max_fails=0 fail_timeout=0;

        }
······
        ## start server _
        server {
                server_name _ ;

                listen 80 default_server  backlog=511;

                listen [::]:80 default_server  backlog=511;

                set $proxy_upstream_name "-";

                listen 443  default_server  backlog=511 ssl http2;

                listen [::]:443  default_server  backlog=511 ssl http2;

                # PEM sha: 07ee66d47cf4e5ef25baa6f91d62296e05243cfe
                ssl_certificate                         /etc/ingress-controller/ssl/default-fake-certificate.pem;
                ssl_certificate_key                     /etc/ingress-controller/ssl/default-fake-certificate.pem;
......

客户端访问31443查看

由于证书问题,提示不安全,但是可以访问https 443端口。

参考资料

https://www.cnblogs.com/linuxk
马永亮. Kubernetes进阶实战 (云计算与虚拟化技术丛书)
Kubernetes-handbook-jimmysong-20181218

posted @ 2019-04-12 10:11  微落不落  阅读(2359)  评论(0编辑  收藏  举报