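Introduction
In Kubernetes, Ingress is a global load-balancing service set up to proxy different backend Services. It consists of two parts: the Ingress controller and the Ingress service.
I. Lab environment
1. A deployed k8s platform: one master, two node nodes, and one private docker image registry
2. Master hostname: server2
3. Node hostnames: server3, server4
4. Private docker image registry: server1
II. Basic deployment
1. Apply the backend definition file
kubectl apply -f demo.yml
Contents of demo.yml: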
---
apiVersion: v1
kind: Service
metadata:
  name: myservice
spec:
  selector:
    app: myapp
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo2
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: myapp:v2
2. Apply the Ingress definition file
kubectl apply -f deploy.yaml
For the contents of deploy.yaml, see the following link:
Link: https://blog.csdn.net/nk298120/article/details/113976226.
3. Create the Ingress service
kubectl apply -f nginx.yml
Contents of nginx.yml:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-demo
spec:
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myservice   # the backend defined in step 1
          servicePort: 80
Note: add a name-resolution entry that maps www1.westos.org to server4, because deploy.yaml deploys the Ingress controller to server4.
4. Define a different backend
kubectl apply -f nginx-svc.yml
Contents of nginx-svc.yml:
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: myapp
        image: myapp:v1
Edit nginx.yml so that the svc defined above is also load-balanced through the Ingress:
Contents of nginx.yml:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-demo
spec:
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myservice
          servicePort: 80
  - host: www2.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc   # the newly defined svc
          servicePort: 80
Note: the different svc can also be separated by creating a separate Ingress service for each.
III. Encryption (Ingress TLS configuration)
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"   # generate the key and certificate locally
kubectl create secret tls tls-secret --key tls.key --cert tls.crt   # store the generated key and certificate in k8s
Modify nginx.yml and apply it so that the certificate takes effect:
Contents of nginx.yml:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-demo
spec:
  tls:   # add the tls configuration
  - hosts:
    - www1.westos.org
    secretName: tls-secret
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myservice
          servicePort: 80
  - host: www2.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc
          servicePort: 80
Note: the nginx.yml above does not separate the two svc; they are still in one Ingress service, so adding the certificate at that position takes effect for both backends at the same time. To separate them, change nginx.yml as follows:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-demo
spec:
  tls:   # add the tls configuration
  - hosts:
    - www1.westos.org
    secretName: tls-secret
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myservice
          servicePort: 80
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-demo2
spec:
  rules:
  - host: www2.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc
          servicePort: 80
IV. Ingress authentication
yum install -y httpd-tools   # install the required tool
htpasswd -c auth wxh   # create the authentication user and password
New password:
Re-type new password:
Adding password for user xxx
kubectl create secret generic basic-auth --from-file=auth   # store the credentials in the secret under the key "auth"
kubectl get secret basic-auth -o yaml   # view the stored credentials
Change nginx.yml to enable authentication:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-demo
  annotations:   # add the authentication settings
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - xxx'
spec:
  tls:
  - hosts:
    - www1.westos.org
    secretName: tls-secret
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myservice
          servicePort: 80
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-demo2
spec:
  rules:
  - host: www2.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc
          servicePort: 80
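Added example (not part of the original post): once the two backends sit in separate Ingress objects, the TLS block and the basic-auth annotations protect only www1.westos.org. The script below audits `kubectl get ingress -o json` output and lists, per host, which TLS secret and auth type apply; the function names and the sample JSON are constructed for illustration, and the wildcard handling goes beyond what the page uses.

```python
import json

AUTH_TYPE = "nginx.ingress.kubernetes.io/auth-type"

# Constructed sample shaped like `kubectl get ingress -o json` for this section's two Ingresses.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "ingress-demo", "annotations": {
      "nginx.ingress.kubernetes.io/auth-type": "basic",
      "nginx.ingress.kubernetes.io/auth-secret": "basic-auth"}},
   "spec": {"tls": [{"hosts": ["www1.westos.org"], "secretName": "tls-secret"}],
            "rules": [{"host": "www1.westos.org"}]}},
  {"metadata": {"name": "ingress-demo2"},
   "spec": {"rules": [{"host": "www2.westos.org"}]}}
]}
""")


def tls_covers(pattern, host):
    """Exact match, or a '*.' wildcard standing for exactly one DNS label."""
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return pattern == host


def audit(ingress_list):
    """One row per (ingress, host) with its TLS secret and auth type, or None."""
    rows = []
    for ing in ingress_list.get("items", []):
        meta, spec = ing.get("metadata", {}), ing.get("spec", {})
        auth = (meta.get("annotations") or {}).get(AUTH_TYPE)
        for rule in spec.get("rules") or []:
            host = rule.get("host", "*")  # a rule without a host matches any host
            secret = next((t.get("secretName") for t in spec.get("tls") or []
                           if any(tls_covers(p, host) for p in t.get("hosts") or [])),
                          None)
            rows.append({"ingress": meta.get("name"), "host": host,
                         "tls_secret": secret, "auth_type": auth})
    return rows


def needs_review(rows):
    """Hosts published without a TLS secret or without an auth annotation."""
    return [r["host"] for r in rows if not r["tls_secret"] or not r["auth_type"]]


if __name__ == "__main__":
    print(audit(SAMPLE), needs_review(audit(SAMPLE)), sep="\n")
```

A listed secret only shows that TLS is configured for the host; whether the certificate's subject matches the host name (the one generated above uses CN=nginxsvc) has to be checked separately.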
V. Ingress URL rewriting
Rewriting lets a request for the domain be redirected directly to a particular page.
Modify nginx.yml as follows:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-demo
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - xxx'
spec:
  tls:
  - hosts:
    - www1.westos.org
    secretName: tls-secret
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myservice
          servicePort: 80
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-demo2
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2   # defines the rewrite target parameter
spec:
  rules:
  - host: www2.westos.org
    http:
      paths:
      - backend:
          serviceName: nginx-svc
          servicePort: 80
        path: /westos(/|$)(.*)   # defines the rewrite rule