6. Kubernetes Ingress Management

Introduction to Ingress
Typically, Services and Pods in a cluster can be reached only through cluster-internal IP addresses and are inaccessible from networks outside the cluster. A NodePort-type Service opens an external access path, but when there are many services it occupies many ports on the cluster nodes, which makes management difficult.

Ingress can be understood as an nginx-style proxy at the boundary of the K8s cluster. You can configure forwarding rules based on URL, SSL, domain name and so on, so that external clients can reach Service resources inside the cluster.
This way a single port is enough to expose multiple services outside the cluster.

Ingress consists of two components: the ingress controller and the ingress service.
The ingress controller is essentially a Pod that runs a load balancer. There are two main ones: the nginx-based ingress controller and the traefik-based ingress controller.

Working principle
The ingress service receives and stores the user-defined forwarding rules and notifies the K8s api-server.

The ingress controller interacts with the K8s api-server in real time and dynamically detects changes to the ingress forwarding rules. It reads the new rules, writes them into the load balancer's configuration file in the load balancer's own configuration format, and reloads the load balancer so that the new configuration takes effect.

Ingress is used to define the forwarding rules, and the ingress controller applies these rules for the Pods. It is recommended to deploy the ingress controller with a DaemonSet controller and to set up a NodePort-type Service for these Pods.

Ingress types

Single Service Ingress
A default Service is exposed directly to the outside of the cluster by creating an Ingress with no rules.
The default Service is defined in the spec.backend field, for example:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
spec:
  backend:
    serviceName: testsvc
    servicePort: 80

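Forwarding traffic based on URL path

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
spec:
  rules:    ## rules is a list that holds multiple forwarding rules
  - http:   ## defines one forwarding rule
      paths:
      - path: /test  ## requests for this URL are forwarded to the backend service; the backend must serve this path, otherwise a rewrite is needed (see the next example)
        backend:   ## defines the backend service
          serviceName: test   ## name of the Service that provides the backend
          servicePort: 80     ## port of the Service that provides the backend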

If the backend service has no corresponding /test path, do a rewrite first:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:           # annotations
    nginx.ingress.kubernetes.io/configuration-snippet: |
      rewrite /test /hostname.html break;
spec:
  rules:    ## rules is a list that holds multiple forwarding rules
  - http:   ## defines one forwarding rule
      paths:
      - path:
        backend:   ## defines the backend service
          serviceName: test   ## name of the Service that provides the backend
          servicePort: 80     ## port of the Service that provides the backend

Name-based virtual hosts

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
spec:
  rules:    ## rules is a list that holds multiple forwarding rules
  - host: myapp.magedu.com
    http:   ## defines one forwarding rule
      paths:
      - path:
        backend:   ## defines the backend service
          serviceName: test   ## name of the Service that provides the backend
          servicePort: 80     ## port of the Service that provides the backend

Deploying the Ingress controller
[Figure: architecture of the Ingress controller deployment]
Deploying a backend service
Pods provide the backend service, and a Service gives that backend a stable access point, so a new Pod and a new Service need to be created. Note that the backend service does not need to be in the ingress-nginx namespace. The manifests are as follows:

apiVersion: v1
kind: Service
metadata:
   name: ngx-service
spec:
   selector:
     app: ngx
   ports:
     - protocol: TCP
       port: 80
       targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
   name: ngx-deployment
   labels:
      app: ngx
spec:
   replicas: 2
   selector:
      matchLabels:
         app: ngx
   template:
      metadata:
         labels:
           app: ngx
      spec:
         containers:
         - name: ngxv2
           image: 192.168.80.146:5000/my_ngx:v2

After creating them, verify the result:

[root@k8s-master ingress-nginx]# kubectl get pod
NAME                              READY     STATUS    RESTARTS   AGE
ngx-deployment-58d847f49c-9tbwh   1/1       Running   0          1d
ngx-deployment-58d847f49c-vvnrj   1/1       Running   0          1d

[root@k8s-master ingress-nginx]# kubectl get services
NAME              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
kubernetes        ClusterIP   10.96.0.1       <none>        443/TCP        9d
ngx-service       ClusterIP   10.106.74.134   <none>        80/TCP         1d

Deploying the ingress controller

Deploying the Service for the ingress controller
The ingress controller is what serves the traffic, so you also need to manually create a NodePort-type Service for it to receive traffic from outside the cluster. The manifest is as follows:

apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
      nodePort: 30081
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
      nodePort: 30443
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

After creating it, verify the result:

[root@k8s-master ingress-nginx]# kubectl get -n ingress-nginx services
NAME            TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.102.208.10   <none>        80:30081/TCP,443:30443/TCP   2h

Deploying the Ingress
That is, configuring the forwarding rules for the ingress controller:

apiVersion: extensions/v1beta1      # API version
kind: Ingress       # manifest kind
metadata:           # metadata
  name: ingress-myapp    # name of the Ingress
  namespace: default     # namespace it belongs to
  annotations:           # annotations
    nginx.ingress.kubernetes.io/configuration-snippet: |
      rewrite /test /hostname.html break;
    kubernetes.io/ingress.class: "nginx"
spec:      # spec
  rules:   # rules for forwarding to backends
  - host: myapp.magedu.com
    http:
      paths:
      - path:       # access path; change it when forwarding by URL; empty defaults to "/"
        backend:    # backend service
          serviceName: ngx-service
          servicePort: 80

After creating it, verify the result:

[root@k8s-master ingress-nginx]# kubectl get -n ingress-nginx pods
NAME                                        READY     STATUS    RESTARTS   AGE
nginx-ingress-controller-5c54df76f6-qktts   1/1       Running   0          2h

## Enter the ingress controller Pod and view the nginx configuration file
[root@k8s-master ingress-nginx]# kubectl exec -n ingress-nginx -it  nginx-ingress-controller-5c54df76f6-qktts  /bin/bash
www-data@nginx-ingress-controller-5c54df76f6-qktts:/etc/nginx$ cat nginx.conf
.....
## start server myapp.magedu.com
    server {
        server_name myapp.magedu.com ;
        
        listen 80;
        
        set $proxy_upstream_name "-";
        
        location / {
            
            set $namespace      "default";
            set $ingress_name   "ingress-myapp";
            set $service_name   "myapp";
            set $service_port   "80";
            set $location_path  "/";
.....

Using TLS
To use HTTPS for a forwarding rule, specify the hosts and the secretName in spec.tls.
First create the Secret that stores the certificate and that secretName refers to:

kubectl create secret tls tls-myapp --key tls.key --cert tls.crt

Then reference it in the Ingress spec:

tls:
- hosts:
  - myapp.magedu.com
  secretName: tls-myapp
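
A check over manifests like the ones on this page, as an added example that is not part of the original article: it flags Ingress objects carrying a *-snippet annotation (raw nginx directives that the controller copies into its shared nginx.conf, as the configuration-snippet rewrite above does), rule hosts that no spec.tls entry with a secretName covers, and rules without a host. The function names, finding labels and sample objects are constructed here; the input is assumed to be the List printed by kubectl get ingress -A -o json, with the extensions/v1beta1 field names used on this page.

```python
import json
PREFIX = "nginx.ingress.kubernetes.io/"

def covered(host, tls_hosts):
    """True if host is in tls_hosts directly or through a one-label wildcard."""
    wildcard = "*." + host.split(".", 1)[-1]
    return host in tls_hosts or wildcard in tls_hosts

def audit_ingress(obj):
    """Return the findings for one Ingress object given as a dict."""
    spec = obj.get("spec") or {}
    findings = []
    # *-snippet annotations copy raw nginx directives into the controller's config.
    for key in sorted(obj["metadata"].get("annotations") or {}):
        if key.startswith(PREFIX) and key.endswith("-snippet"):
            findings.append("snippet:" + key[len(PREFIX):])
    # Only a spec.tls entry that names a Secret gives its hosts a certificate.
    tls_hosts = {h for e in (spec.get("tls") or []) if e.get("secretName")
                 for h in (e.get("hosts") or [])}
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if not host:
            findings.append("catch-all-rule")  # matches any Host header
        elif not covered(host, tls_hosts):
            findings.append("no-tls:" + host)
    if spec.get("backend") and not spec.get("rules"):
        findings.append("default-backend-only")  # all traffic goes to one Service
    return findings

def audit_list(doc):
    """Audit a List as printed by `kubectl get ingress -A -o json`."""
    report = {}
    for item in doc.get("items") or []:
        meta, found = item["metadata"], audit_ingress(item)
        if found:
            report[meta.get("namespace", "default") + "/" + meta["name"]] = found
    return report

# Constructed sample shaped like the manifests on this page.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "ingress-myapp", "namespace": "default", "annotations": {
   "nginx.ingress.kubernetes.io/configuration-snippet": "rewrite /test /hostname.html break;"}},
  "spec": {"rules": [{"host": "myapp.magedu.com"}]}},
 {"metadata": {"name": "ingress-myapp-tls", "namespace": "default"},
  "spec": {"tls": [{"hosts": ["myapp.magedu.com"], "secretName": "tls-myapp"}],
           "rules": [{"host": "myapp.magedu.com"}]}},
 {"metadata": {"name": "test-ingress"}, "spec": {"backend": {"serviceName": "testsvc"}}}]}""")
if __name__ == "__main__":
    print(json.dumps(audit_list(SAMPLE), indent=2))
```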

Summary
To verify, access the service from outside the cluster; the local hosts file has to be modified first:

[root@192-168-80-114 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.80.147  k8s-node2 myapp.magedu.com
192.168.80.140  k8s-node1 myapp.magedu.com
[root@192-168-80-114 ~]# curl myapp.magedu.com:30081
ngx-deployment-58d847f49c-vvnrj
[root@192-168-80-114 ~]# curl myapp.magedu.com:30081
ngx-deployment-58d847f49c-9tbwh

Origin blog.csdn.net/weixin_42155272/article/details/90268309