标签:为什么 listen pen replicas cto rsa 私钥 man metadata
Ingress controller
Nginx -->后来改造
Traefik -->也是用于微服务
Envoy -->微服务
Ingress资源
目前使用0.17.1版本ingress-nginx
ingress定义 后端pod发生变化,service就变化,service变化ingress就发生变化,ingress再把变化注入到ingress-nginx-controller主容器的nginx的backend反向代理配置且重载配置文件使之能够动态改变反向代理配置
kubectl explain ingress
kubectl explain ingress.spec
kubectl explain ingress.spec.rules
kubectl explain ingress.spec.rules.http
kubectl explain ingress.spec.backend 关联后端
在github上下载ingress nginx
yum install git -y
kubectl create namespace env 创建名称空间
kubectl get ns
kubectl delete ns env 删除名称空间
需要用到的文件
namespace.yaml
rbac.yaml
with-rbac.yaml
configmap.yaml
udp-services-configmap.yaml
tcp-services-configmap.yaml
1.先创建namespace
kubectl apply -f namespace.yaml
然后其他一起创建
kubectl create -f ./
2.或者使用一键部署
kubectl create -f mandatory.yaml
查询是否在下载ingress镜像
kubectl get pods -n ingress-nginx
kubectl explain ingress.spec
cp deploy-demo.yaml ../ingress-nginx/
vim deploy-demo.yaml
apiVersion: v1
kind: Service
metadata:
name: myapp-service
namespace: default
spec:
selector:
app: myapp
release: canary
ports:
- name: http
targetPort: 80 容器端口
port: 80 service端口
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp-deploy 控制器名
namespace: default
spec:
replicas: 3 3个副本
selector:
matchLabels: 匹配标签
app: myapp
release: canary
template:
metadata:
labels: 定义pod标签
app: myapp
release: canary
spec:
containers:
- name: myapp 容器名
image: ikubernetes/myapp:v2
ports:
- name: http
containerPort: 80 容器端口
kubectl apply -f deploy-demo.yaml 先创建pods和svc
kubectl get pods
kubectl get svc
kubectl describe pods nginx-ingress-controller-589b9b8c9d-7mkng -n ingress-nginx 查看为什么下载不成功 -n 指定名称空间
创建 service-nodeport
cat service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
name: ingress-nginx
namespace: ingress-nginx 名称空间
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
type: NodePort service类型为nodeport
ports:
- name: http
nodePort: 30080 node端口
port: 80 service端口
targetPort: 80 pod端口
protocol: TCP
- name: https
nodePort: 30443
port: 443
targetPort: 443
protocol: TCP
selector: 指定ingress-ningx-controller 主容器标签
app: ingress-nginx
kubectl apply -f service-nodeport.yaml
kubectl get svc -n ingress-nginx 查询创建是否成功
开放服务 创建ingress控制把服务放出去,同步pod的nginx配置文件
vim ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress 类型
metadata:
name: ingress-myapp
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx" 指定的控制器类ingress 叫 nginx 生成匹配规则
spec:
rules: 规则
- host: myapp.baidu.com 指定外部访问的host域名
http:
paths: 转发路径
- path:
backend: 指定backend反向代理
serviceName: myapp-service 转发的service
servicePort: 80 转发的service port
kubectl apply -f service-nodeport.yaml
查询创建是否成功
kubectl get ingress
查看详细信息
kubectl describe ingresses
创建成功,自动注入ingress-nginx-controller主容器,即自动转换成nginx配置文件
进入ingress-nginx-controller 检查
kubectl exec -n ingress-nginx -it nginx-ingress-controller-5dc4979fb6-nfvvt -- /bin/sh
cat nginx.conf 看是否已经写入配置信息
访问测试:
node绑定 hosts
https://myapp.com:30080
ssl证书:
openssl genrsa -out tls.key 2048
私钥:tls.key
openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=devops/CN=myapp.com
自签证书:tls.crt
kubectl create secret tls myapp-ingress-secret --cert=tls.crt --key=tls.key
注入到k8s
kubectl get secrets
查询是否注入
kubectl describe secrets myapp-ingress-secret
kubectl explain ingress.spec
kubectl explain ingress.spec.tls
cp ingress-myapp.yaml ingress-myapp-tls.yaml
vim ingress-myapp-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-myapp-tls
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
tls:
- hosts:
- myapp.baidu.com
secretName: myapp-ingress-secret
rules:
- host: myapp.baidu.com
http:
paths:
- path:
backend:
serviceName: myapp-service
servicePort: 80
创建ingress
kubectl apply -f ingress-myapp-tls.yaml
kubectl get ingress
kubectl describe ingress ingress-myapp-tls
查看主容器配置文件,有443监听
kubectl exec -n ingress-nginx -it nginx-ingress-controller-5dc4979fb6-nfvvt -- /bin/sh
结果:listen 443 ssl http2;
访问测试:
node绑定 hosts
https://myapp.com:30443
数据流向 外部--> service_nodeport --> service --> pod_network
Ingress控制ingress-ningx-controller主容器进行反向代理
标签:为什么 listen pen replicas cto rsa 私钥 man metadata
原文地址:https://www.cnblogs.com/leiwenbin627/p/11306416.html