Section 2: Ingress Deployment and Installation (nginx)

I. Background

Kubernetes guarantees that when any replica (Pod) dies a new one is started automatically on another machine, and it can scale the replica count dynamically. Put plainly, a Pod may appear on any node at any moment and may die on any node at any moment, so as Pods are created and destroyed their IPs inevitably change. How, then, do you expose such a dynamic Pod IP? Kubernetes answers this with the Service mechanism: a Service uses a label selector to pick the group of Pods carrying the specified labels, tracks their Pod IPs and load-balances across them, so externally you only need to expose the Service. This is the NodePort mode: a port is opened on every node and traffic arriving there is forwarded to the internal Pod IPs, as shown in the figure (not reproduced here).

The problem with exposing services via NodePort is that once there are many services, the number of ports opened on every node becomes huge and hard to maintain.

II. How Ingress Works

Ingress exists to solve this port-management problem while still handling the dynamic routing that Pod scaling requires; it implements load balancing to Pods on top of Services.



As the figure (not reproduced here) shows, the Ingress controller watches Ingress objects and rewrites the forwarding rules inside the controller accordingly, while each Ingress object references a Service, through which the controller locates the Pods behind that Service and load-balances across them.

Put simply, Ingress takes what you used to do by editing the Nginx configuration (not necessarily Nginx; it could be HAProxy, Envoy and so on, Nginx being the default implementation maintained by the Kubernetes project) to map each domain to a Service, and abstracts that action into an Ingress object. You create it with YAML and, instead of touching the Nginx config on every change, you edit the YAML and create or update the object. Which raises the question: how does Nginx get reconfigured?

The Ingress controller answers exactly that question. It talks to the Kubernetes API to watch for changes to Ingress rules in the cluster, reads them, renders a piece of Nginx configuration from its own template, writes it into the Nginx Pod and finally reloads Nginx.

Ingress is in fact one of the standard Kubernetes API resource types: a set of rules that forward requests to specified Service resources based on DNS name (host) or URL path, used to publish services inside the cluster to traffic coming from outside it. Note that an Ingress resource cannot carry traffic by itself; it is only a collection of rules. Something else has to listen on a socket and route each request by matching those rules, and the component that listens and forwards on behalf of Ingress resources is the Ingress Controller.
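To make the controller's job concrete, here is an added model of the reconciliation loop described above. It is written for this page and is not ingress-nginx code: it filters Ingress objects by the kubernetes.io/ingress.class annotation the way the controller did before IngressClass objects existed (no annotation means the default "nginx" controller handles it, a different value means it is left alone), resolves every backend Service to its Pod endpoints (the Endpoints object, never the ClusterIP, which is also why a headless Service works behind Ingress), and renders simplified nginx upstream/server blocks with unmatched hosts falling through to the default backend. The hosts, Service names and Pod IPs are constructed sample data modelled on the objects used later in this page; the rendered configuration is a stand-in for the controller's real template.

```python
from dataclasses import dataclass, field

CLASS_ANNOTATION = "kubernetes.io/ingress.class"
CONTROLLER_CLASS = "nginx"               # class ingress-nginx handles by default
DEFAULT_BACKEND_KEY = "upstream-default-backend"


@dataclass
class IngressRule:
    host: str
    path: str        # "" in the page's YAML; the controller treats it as "/"
    service: str
    port: int


@dataclass
class Ingress:
    name: str
    namespace: str
    rules: list
    annotations: dict = field(default_factory=dict)


def handled_by_this_controller(ing):
    """Pre-IngressClass filter: absent annotation -> ours (default class);
    a different value -> another controller's. A misspelt annotation key is
    just a different key, so that Ingress counts as unclassed."""
    cls = ing.annotations.get(CLASS_ANNOTATION)
    return cls is None or cls == CONTROLLER_CLASS


def upstream_key(namespace, service, port):
    return f"{namespace}-{service}-{port}"


def build_upstreams(ingresses, endpoints):
    """Resolve each referenced Service to its Pod 'ip:port' targets.

    `endpoints` stands in for the Endpoints objects the controller watches,
    keyed (namespace, service, servicePort). The controller proxies straight
    to Pod IPs and balances across them itself; it never uses the ClusterIP."""
    upstreams = {DEFAULT_BACKEND_KEY: endpoints.get(("ingress-nginx", "default-http-backend", 80), [])}
    for ing in ingresses:
        if not handled_by_this_controller(ing):
            continue
        for r in ing.rules:
            key = upstream_key(ing.namespace, r.service, r.port)
            upstreams[key] = endpoints.get((ing.namespace, r.service, r.port), [])
    return upstreams


def build_servers(ingresses):
    """host -> [(location, upstream key)] for the Ingresses this controller owns."""
    servers = {}
    for ing in ingresses:
        if not handled_by_this_controller(ing):
            continue
        for r in ing.rules:
            servers.setdefault(r.host, []).append(
                (r.path or "/", upstream_key(ing.namespace, r.service, r.port)))
    return servers


def render_nginx_conf(ingresses, endpoints):
    """Render the nginx.conf fragment the controller writes before `nginx -s reload`."""
    lines = []
    for key, targets in build_upstreams(ingresses, endpoints).items():
        lines.append(f"upstream {key} {{")
        # An upstream with no servers fails `nginx -t`; a placeholder marked
        # down keeps the config valid and makes such requests fail fast (502).
        lines += [f"    server {t};" for t in targets] or ["    server 127.0.0.1:8181 down;"]
        lines.append("}")
    # Unknown Host header -> default backend, which answers 404.
    lines += ["server {", "    listen 80 default_server;",
              f"    location / {{ proxy_pass http://{DEFAULT_BACKEND_KEY}; }}", "}"]
    for host, locations in build_servers(ingresses).items():
        lines += ["server {", "    listen 80;", f"    server_name {host};"]
        lines += [f"    location {loc} {{ proxy_pass http://{key}; }}" for loc, key in locations]
        lines.append("}")
    return "\n".join(lines)


# Constructed sample data modelled on this page's objects (Pod IPs are made up).
ENDPOINTS = {
    ("ingress-nginx", "default-http-backend", 80): ["10.244.0.5:8080"],
    ("default", "myapp", 80): ["10.244.1.10:80", "10.244.2.11:80"],
    ("default", "tomcat", 8080): ["10.244.1.20:8080", "10.244.2.21:8080"],
}
INGRESSES = [
    Ingress("ingress-myapp", "default", [IngressRule("myapp.magedu.com", "", "myapp", 80)],
            {CLASS_ANNOTATION: "nginx"}),
    # Misspelt key (as in the page's tomcat Ingress): unclassed, so still picked up.
    Ingress("ingress-tomcat", "default", [IngressRule("tomcat.magedu.com", "", "tomcat", 8080)],
            {"kubernets.io/ingress.class": "nginx"}),
    # Belongs to a different controller; must be ignored.
    Ingress("ingress-other", "default", [IngressRule("other.example.com", "/", "other", 80)],
            {CLASS_ANNOTATION: "haproxy"}),
]

if __name__ == "__main__":
    print(render_nginx_conf(INGRESSES, ENDPOINTS))
```

Running it prints two upstreams plus the default backend, a default_server block and one server block per handled host; other.example.com never appears because its class is not ours, while the misspelt-annotation Ingress is rendered, which is exactly the trap to watch for when several controllers share a cluster.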

A note on headless Services is in order here.

In Kubernetes a Service load-balances across Pods. The common Service types are ClusterIP, NodePort and LoadBalancer, and ClusterIP comes in two variants: when clusterIP is set to None the Service is called a headless Service. How does a headless Service differ from an ordinary one?

Because a headless Service has clusterIP set to None, kube-proxy does not proxy for it. When a client inside the cluster resolves the Service name, DNS returns the IPs of all of its Pods, and the developer can load-balance across that list however they like. Let us verify this claim.

As the figure (not reproduced here) shows, I created two Services, one of which, nacos-headless, has clusterIP set to None. Both front the same nacos StatefulSet (two Pod instances).



I then logged into a Pod and resolved both Service names through DNS: looking up nacos-headless returned two IPs, while the ordinary Service returned a single IP. That confirms the claim: for a headless Service used inside the cluster, the Service itself performs no load balancing.



Main use cases for headless Services

1. Cases where load balancing is done by the application itself inside the cluster

2. In combination with Ingress, letting Ingress do the load balancing and routing and apply traffic rules

III. Installing ingress-nginx

1. Deployment files

1. namespace.yaml
Creates a dedicated namespace, ingress-nginx.

2. configmap.yaml
A ConfigMap stores general configuration variables, much like a configuration file, so that environment variables used by different modules of a distributed system can be managed in one object. Unlike a configuration file it lives in the cluster "environment" and supports all of the usual Kubernetes operations.
In terms of data a ConfigMap is just a set of key/value pairs read by Pods or other resource objects (such as a ReplicationController). The design mirrors that of a Secret; the main difference is that a ConfigMap is meant for plain configuration text, not for sensitive data, which belongs in a Secret.
A ConfigMap can hold environment-variable values as well as whole configuration files.
When a Pod is created it binds to a ConfigMap, and the application inside the Pod can reference the ConfigMap's settings directly; in effect the ConfigMap packages configuration for the application and its runtime environment.
Pods typically consume a ConfigMap to set environment variables, set command-line arguments, or create configuration files.

3. default-backend.yaml
If a request arrives for a host that no rule matches, it is forwarded to the default-http-backend Service, which simply returns 404.

4. rbac.yaml
Handles RBAC authorization for Ingress: it creates the ServiceAccount, ClusterRole, Role, RoleBinding and ClusterRoleBinding the controller uses.

5. with-rbac.yaml
The core of the Ingress deployment, creating the ingress-controller itself. As mentioned earlier, the controller's job is to translate newly added Ingress objects into Nginx configuration.

2. Deploying ingress

1) Prepare the images. mandatory.yaml lists the images that are required:

Image name                                                      Version   Download address (mirror)
k8s.gcr.io/defaultbackend-amd64                                 1.5       registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/defaultbackend-amd64
quay.io/kubernetes-ingress-controller/nginx-ingress-controller  0.20.0    registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/nginx-ingress-controller

The addresses in the last column are a third-party mirror, not a registry run by the Kubernetes project. Whatever you pull from a mirror runs with the controller's privileges (see the ClusterRole below), so compare the image digest with the upstream image before trusting it, and once verified reference the image by digest rather than by tag.

2) Pull the images on every node:

[root@k8s-node1 ~]# docker pull registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/defaultbackend-amd64:1.5  # mind the version tag

[root@k8s-node1 ~]# docker pull registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/nginx-ingress-controller:0.20.0  # mind the version tag


[root@k8s-node1 ~]# docker images  # confirm the images were pulled
REPOSITORY                                                                    TAG      IMAGE ID       CREATED       SIZE
registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/defaultbackend-amd64       1.5      d8f37b8cdaf4   2 weeks ago   5.13 MB
registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/nginx-ingress-controller   0.20.0   3cc332ecde4f   3 weeks ago   513 MB

3) Download the YAML file and update the image addresses in mandatory.yaml (on the master). Download mandatory.yaml into the directory first; the sed commands then rewrite the two image references:

[root@k8s-master ~]# mkdir /home/ingress-nginx
[root@k8s-master ~]# cd /home/ingress-nginx
[root@k8s-master ingress-nginx]# sed -i 's#k8s.gcr.io/defaultbackend-amd64#registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/defaultbackend-amd64#g' mandatory.yaml  # replace the defaultbackend-amd64 image address
[root@k8s-master ingress-nginx]# sed -i 's#quay.io/kubernetes-ingress-controller/nginx-ingress-controller#registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/nginx-ingress-controller#g' mandatory.yaml  # replace the nginx-ingress-controller image address
[root@k8s-master ingress-nginx]# grep image mandatory.yaml  # check the result
          # Any image is permissible as long as:
          image: registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/defaultbackend-amd64:1.5
          image: registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/nginx-ingress-controller:0.20.0

[root@k8s-master ingress-nginx]# cat mandatory.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: default-http-backend
  labels:
    app.kubernetes.io/name: default-http-backend
    app.kubernetes.io/part-of: ingress-nginx
  namespace: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: default-http-backend
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: default-http-backend
        app.kubernetes.io/part-of: ingress-nginx
    spec:
      terminationGracePeriodSeconds: 60
      containers:
        - name: default-http-backend
          # Any image is permissible as long as:
          # 1. It serves a 404 page at /
          # 2. It serves 200 on a /healthz endpoint
          image: registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/defaultbackend-amd64:1.5
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 30
            timeoutSeconds: 5
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: 10m
              memory: 20Mi
            requests:
              cpu: 10m
              memory: 20Mi

---
apiVersion: v1
kind: Service
metadata:
  name: default-http-backend
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: default-http-backend
    app.kubernetes.io/part-of: ingress-nginx
spec:
  ports:
    - port: 80
      targetPort: 8080
  selector:
    app.kubernetes.io/name: default-http-backend
    app.kubernetes.io/part-of: ingress-nginx

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      hostNetwork: true
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/nginx-ingress-controller:0.20.0
          args:
            - /nginx-ingress-controller
            - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1

---

Edit mandatory.yaml and add hostNetwork: true directly above serviceAccountName (the listing above already includes it). Be aware of what this does: the controller Pod then shares the node's network namespace, so Nginx binds ports 80 and 443, and the health/metrics port 10254, straight onto the node's interfaces, only one controller replica can run per node, and the NodePort Service created in the next step is no longer strictly needed to reach it. The container itself is already reasonably confined (all capabilities dropped except NET_BIND_SERVICE, runs as UID 33), but a stock rbac.authorization.k8s.io/v1beta1 ClusterRole like the one above also lets the controller list and watch Secrets in every namespace; that is required for TLS Secrets in application namespaces, and it means the controller's ServiceAccount token is as sensitive as every TLS private key in the cluster. Note too that rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; on current clusters change those apiVersion lines to rbac.authorization.k8s.io/v1.
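Before applying the manifest it is worth checking the two things just discussed mechanically. The following audit is an added example written for this page, not ingress-nginx code: it reports (Cluster)Role rules that can read Secrets or use wildcards, and Pod-spec settings (hostNetwork, root, privileged, extra capabilities) that widen the blast radius of a compromised controller. The dicts are the page's ClusterRole, Role and controller Pod spec transcribed from mandatory.yaml; the "hardened" variant simply drops hostNetwork and relies on the NodePort Service instead. In practice you would load the manifests with a YAML parser rather than transcribing them.

```python
SENSITIVE_READ_VERBS = {"get", "list", "watch", "*"}


def rbac_findings(role):
    """Flag rules in a Role/ClusterRole that read Secrets or use wildcards."""
    name = role["metadata"]["name"]
    scope = ("cluster-wide" if role["kind"] == "ClusterRole"
             else f"in namespace {role['metadata']['namespace']}")
    findings = []
    for rule in role.get("rules", []):
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in resources or "*" in verbs:
            findings.append(f"{name}: wildcard rule {scope}")
        if resources & {"secrets", "*"} and verbs & SENSITIVE_READ_VERBS:
            findings.append(f"{name}: reads secrets {scope} via {sorted(verbs & SENSITIVE_READ_VERBS)}")
    return findings


def pod_spec_findings(pod_spec):
    """Flag Pod-level settings that widen the blast radius of a compromised controller."""
    findings = []
    if pod_spec.get("hostNetwork"):
        findings.append("hostNetwork: true (Pod shares the node's network namespace; "
                        "80/443/10254 are bound directly on the node)")
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged container")
        if sc.get("runAsUser", 0) == 0 and not sc.get("runAsNonRoot"):
            findings.append(f"{c['name']}: runs as root")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{c['name']}: does not drop ALL capabilities")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            findings.append(f"{c['name']}: adds capabilities beyond NET_BIND_SERVICE: {sorted(extra)}")
    return findings


# The page's manifests, transcribed from mandatory.yaml into dicts.
CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "nginx-ingress-clusterrole"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps", "endpoints", "nodes", "pods", "secrets"],
         "verbs": ["list", "watch"]},
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
        {"apiGroups": ["extensions"], "resources": ["ingresses/status"], "verbs": ["update"]},
    ],
}
ROLE = {
    "kind": "Role",
    "metadata": {"name": "nginx-ingress-role", "namespace": "ingress-nginx"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps", "pods", "secrets", "namespaces"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["configmaps"],
         "resourceNames": ["ingress-controller-leader-nginx"], "verbs": ["get", "update"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create"]},
        {"apiGroups": [""], "resources": ["endpoints"], "verbs": ["get"]},
    ],
}
CONTROLLER_POD_SPEC = {
    "hostNetwork": True,
    "serviceAccountName": "nginx-ingress-serviceaccount",
    "containers": [{
        "name": "nginx-ingress-controller",
        "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                            "runAsUser": 33},
    }],
}
# Same Pod spec without hostNetwork: reach the controller via the NodePort Service instead.
HARDENED_POD_SPEC = {**CONTROLLER_POD_SPEC, "hostNetwork": False}

if __name__ == "__main__":
    for f in rbac_findings(CLUSTER_ROLE) + rbac_findings(ROLE) + pod_spec_findings(CONTROLLER_POD_SPEC):
        print("FINDING:", f)
    print("hardened spec findings:", pod_spec_findings(HARDENED_POD_SPEC))
```

The ClusterRole finding is an accepted risk for an Ingress controller (it has to read TLS Secrets wherever the Ingress objects live), so the actionable output is the Pod-spec one: treat the controller Pod and its ServiceAccount token as a cluster-wide secret holder, and do not add hostNetwork unless you need the node ports it gives you.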

4) Edit service-nodeport.yaml and set fixed NodePort ports (by default a random port is assigned):

[root@k8s-master ingress-nginx]# cat service-nodeport.yaml

apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
      nodePort: 32080   # http
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
      nodePort: 32443   # https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

5) Deploy nginx-ingress-controller

[root@k8s-master ingress-nginx]# kubectl apply -f mandatory.yaml

[root@k8s-master ingress-nginx]# kubectl apply -f service-nodeport.yaml

6) Check the status of the ingress-nginx components

[root@k8s-master ingress-nginx]# kubectl get pods -n ingress-nginx  # Pod status
NAME                                        READY   STATUS    RESTARTS   AGE
default-http-backend-66c4fbf5b4-x2n8w       1/1     Running   0          58s
nginx-ingress-controller-64bcff8657-5gdrd   1/1     Running   0          58s
[root@k8s-master ingress-nginx]# kubectl get svc -n ingress-nginx  # Service status and exposed ports
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
default-http-backend   ClusterIP   10.96.87.65     <none>        80/TCP                       1m
ingress-nginx          NodePort    10.100.48.237   <none>        80:32080/TCP,443:32443/TCP   1m

7) Access the ingress-nginx service to confirm the deployment worked (a node IP on port 32080, or on port 80 since hostNetwork is enabled)


The response is a 404 (screenshot not reproduced). This is expected: ingress-nginx has no backend services yet, so every request is handed to the default backend.

IV. Creating backend services for ingress-nginx

1. Create a Service and a backend Deployment (using nginx as the example)

[root@k8s-master01 ingress]# cat deploy-demon.yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  selector:
    app: myapp
    release: canary
  ports:
  - name: http
    port: 80
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
spec:
  replicas: 5
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v2
        ports:
        - name: httpd
          containerPort: 80

2. Create the resources and check that they are ready

[root@k8s-master ingress-nginx]# kubectl apply -f deploy-demon.yaml 
service "myapp" created
deployment.apps "myapp-deploy" created
[root@k8s-master ingress-nginx]# kubectl get pods
NAME READY STATUS RESTARTS AGE
myapp-deploy-5cfd895984-ffzm5 1/1 Running 0 1m
myapp-deploy-5cfd895984-ftg9t 1/1 Running 0 1m
myapp-deploy-5cfd895984-jg887 1/1 Running 0 1m
myapp-deploy-5cfd895984-mk4jq 1/1 Running 0 1m
myapp-deploy-5cfd895984-nqz6s 1/1 Running 0 1m
myweb-hrfqm 1/1 Running 0 8d
myweb-pb5tb 1/1 Running 0 8d
myweb-xrk22 1/1 Running 0 8d
[root@k8s-master ingress-nginx]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 9d
myapp ClusterIP 10.102.30.215 <none> 80/TCP 1m
myweb NodePort 10.106.138.244 <none> 8080:31888/TCP 8d

3. Add myapp to ingress-nginx. The manifest uses extensions/v1beta1, which the cluster in this article accepts; that API was removed in Kubernetes 1.22, where Ingress is networking.k8s.io/v1 (ingressClassName replaces the kubernetes.io/ingress.class annotation and every path needs a pathType).

[root@k8s-master ingress-nginx]# cat ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myapp.magedu.com   # in production this name must be resolvable publicly
    http:
      paths:
      - path:                # empty path: every request for this host
        backend:
          serviceName: myapp
          servicePort: 80

[root@k8s-master ingress-nginx]# kubectl apply -f ingress-myapp.yaml

4. Configure DNS resolution. In this test environment the hosts file is used:

172.33.16.241 myapp.magedu.com

172.33.16.241 is a node IP. With hostNetwork: true the controller listens on port 80 of the node, so http://myapp.magedu.com works directly; without it, use the NodePort from service-nodeport.yaml, http://myapp.magedu.com:32080.

V. Creating tomcat

1. Create a Service and a backend Deployment

[root@k8s-master ingress-nginx]# cat tomcat-deploy.yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  - name: ajp
    port: 8009
    targetPort: 8009

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:7-alpine
        ports:
        - name: httpd
          containerPort: 8080
        - name: ajp
          containerPort: 8009
[root@k8s-master ingress-nginx]# kubectl apply -f tomcat-deploy.yaml
service "tomcat" created
deployment.apps "tomcat-deploy" created
[root@k8s-master ingress-nginx]# kubectl get pod  # wait until the Pods are ready

2. Add tomcat to ingress-nginx

[root@k8s-master ingress-nginx]# cat ingress-tomcat.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"   # mind the spelling: a misspelt key is silently ignored, not rejected
spec:
  rules:
  - host: tomcat.magedu.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
[root@k8s-master ingress-nginx]# kubectl apply -f ingress-tomcat.yaml
ingress.extensions "ingress-tomcat" created



3. Add HTTPS to the tomcat service

1) Create a self-signed certificate and a TLS Secret. Two caveats: the Secret stores the private key base64-encoded, not encrypted, so anyone with "get" on Secrets in the namespace can recover it (restrict that verb, and enable encryption at rest for Secrets if your cluster supports it); and modern browsers validate the subjectAltName rather than the CN, so a CN-only certificate like the one below is rejected by them. With OpenSSL 1.1.1 or newer, add -addext "subjectAltName=DNS:tomcat.magedu.com" to the openssl req command.

[root@k8s-master ingress-nginx]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
.......+++
..............................+++
e is 65537 (0x10001)
[root@k8s-master ingress-nginx]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.magedu.com  # the name must match the service's domain
[root@k8s-master ingress-nginx]# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key  # create the Secret
secret "tomcat-ingress-secret" created
[root@k8s-master ingress-nginx]# kubectl get secret
NAME                    TYPE                                  DATA   AGE
default-token-bf52l     kubernetes.io/service-account-token   3      9d
tomcat-ingress-secret   kubernetes.io/tls                     2      7s
[root@k8s-master ingress-nginx]# kubectl describe secret tomcat-ingress-secret
Name:         tomcat-ingress-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  1294 bytes  # stored base64-encoded (an encoding, not encryption)
tls.key:  1679 bytes

2) Apply the certificate to the tomcat Ingress. The Secret must be in the same namespace as the Ingress (default here), and the hosts listed under tls must match the names in the certificate.

[root@k8s-master01 ingress]# cat ingress-tomcat-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.magedu.com          # must match the name in the Secret's certificate
    secretName: tomcat-ingress-secret   # name of the TLS Secret
  rules:
  - host: tomcat.magedu.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
[root@k8s-master01 ingress]# kubectl apply -f ingress-tomcat-tls.yaml

3) Access the service

Browse to https://tomcat.magedu.com:32443 (or port 443 directly on the node, since hostNetwork is enabled) after adding tomcat.magedu.com to the hosts file as done for myapp. The browser warns about the certificate because it is self-signed; the Tomcat page is then served over TLS (screenshot not reproduced).