  • 4.2.k8s.Ingress-Nginx

    Ingress-Nginx

    ingress-nginx为7层代理,通过配置域名访问后端服务
    ingress-nginx容器和kubernetes api交互,动态生成nginx配置
    ingress服务定义域名规则,最终更新到ingress容器
    官网
    https://kubernetes.github.io/ingress-nginx/deploy/
    https://github.com/kubernetes/ingress-nginx

    #部署ingress-nginx

    # Download the ingress-nginx manifest.
    # NOTE(review): the URL follows the moving `master` branch, so the content that
    # ends up applied to the cluster is not fixed. Prefer a release tag or commit
    # (<RELEASE_TAG>) in the path and read the file before `kubectl apply`.
    wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
    
    # Show the image references in the manifest
    grep image mandatory.yaml
    # Change the image source (look the image up on hub.docker.com).
    # NOTE(review): this points the controller image at the `siriuszg` Docker Hub
    # namespace instead of the upstream quay.io one. The controller talks to the
    # Kubernetes API, so confirm who publishes that image and pin it by digest
    # (image@sha256:<DIGEST>) before running it.
    sed -i 's@quay.io/kubernetes-ingress-controller@siriuszg@' mandatory.yaml
    # Pull the image(s) named in the manifest
    docker pull $(awk '/image/{print $2}' mandatory.yaml)
    
    # Deploy the controller Pod
    kubectl apply -f mandatory.yaml
    
    # Check
    kubectl get pod -n ingress-nginx
    
    # Download the NodePort Service manifest (same unpinned `master` caveat as above)
    wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/baremetal/service-nodeport.yaml
    
    # NodePort picks a random port by default; fix the ports to 30080 and 30443.
    # NOTE(review): a NodePort is opened on every node, so limit who can reach
    # 30080/30443 at the network layer. Also check the edited file: GNU sed's
    # one-line `a text` form drops the whitespace before the text, so the inserted
    # nodePort line may not be indented like its sibling keys.
    sed  -i '/targetPort: 80/a      nodePort: 30080' service-nodeport.yaml
    sed  -i '/targetPort: 443/a      nodePort: 30443' service-nodeport.yaml
    
    # Deploy
    kubectl apply -f service-nodeport.yaml
    
    # Check
    kubectl get svc -n ingress-nginx
    

    #部署后端web demo

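    # ingress-nginx-demo.yaml
    # Backend demo: a two-replica nginx Deployment and the Service that the
    # Ingress rules route to.
    
    # apps/v1 replaces extensions/v1beta1, which Kubernetes stopped serving for
    # Deployments in v1.16. apps/v1 requires spec.selector, and it must match the
    # pod template labels.
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-dm
    spec:
      replicas: 2
      selector:
        matchLabels:
          name: nginx
      template:
        metadata:
          labels:
            name: nginx
        spec:
          containers:
            - name: myapp
              # NOTE(review): a mutable tag from a personal registry namespace;
              # with IfNotPresent a node keeps whatever copy it already cached.
              # Confirm the publisher and pin by digest (image@sha256:<DIGEST>).
              image: alivv/nginx:node
              imagePullPolicy: IfNotPresent
              ports:
                - name: http
                  containerPort: 80
    
    ---
    # No `type` is set, so this is a cluster-internal (ClusterIP) Service; it is
    # reached from outside only through the Ingress controller.
    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-svc
    spec:
      # Selects the pods labelled by the Deployment template above.
      selector:
        name: nginx
      ports:
        - port: 80
          targetPort: 80
          protocol: TCP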
    

    #ingress 使用域名代理

    # ingress-nginx-http.yaml
    
    # Ingress for plain HTTP: http://abc1.tt.dev
    # No tls section here, so traffic for this host is served unencrypted.
    # NOTE(review): Ingress under extensions/v1beta1 is no longer served from
    # Kubernetes v1.22; newer clusters need networking.k8s.io/v1, whose backend
    # schema differs from the one used below.
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: ingress-nginx-http-demo
    spec:
      rules:
        - host: 'abc1.tt.dev'
          http:
            paths:
              - path: /
                backend:
                  serviceName: nginx-svc
                  servicePort: 80
    
    ---
    # Ingress for HTTPS: https://abc2.tt.dev
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: ingress-nginx-https-demo
    spec:
      tls:
        # tls-secret holds the certificate and key for the listed host. It has to
        # exist in the same namespace as this Ingress.
        # NOTE(review): if the secret is missing or does not cover the host, the
        # controller presumably falls back to its own default certificate - confirm.
        - secretName: tls-secret
          hosts:
            - 'abc2.tt.dev'
      rules:
        - host: 'abc2.tt.dev'
          http:
            paths:
              - path: /
                backend:
                  serviceName: nginx-svc
                  servicePort: 80
    
    # Create the certificate for the domain, used for HTTPS.
    # NOTE(review): this is a self-signed certificate, and -nodes writes tls.key
    # unencrypted into the current directory. Keep the key file private and remove
    # it once the secret exists; use a CA-issued certificate outside a demo.
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/C=CN/O=DevOps/CN=abc2.tt.dev"
    # Store the certificate and key as a TLS secret (created in the current
    # namespace, which must be the namespace of the Ingress that references it)
    kubectl create secret tls tls-secret --key tls.key --cert tls.crt
    
    # Deploy
    kubectl apply -f ingress-nginx-demo.yaml
    kubectl apply -f ingress-nginx-http.yaml
    
    # Check
    kubectl  get pod
    kubectl  get deployment
    kubectl  get svc -A
    kubectl  get ingress
    
    # Show the Nginx configuration generated inside the ingress-nginx container.
    # NOTE(review): the awk pattern can match more than one pod name, in which case
    # the unquoted $pod_ingress expands to several arguments.
    pod_ingress=$(kubectl get pod -n ingress-nginx |awk '/nginx-ingress/{print $1}')
    kubectl exec -it -n ingress-nginx $pod_ingress -- cat /etc/nginx/nginx.conf
    
    # Access test
    # Resolve the tt.dev names through /etc/hosts (needs root; 127.0.0.1 only works
    # on a machine that is itself a cluster node)
    echo "127.0.0.1    abc1.tt.dev abc2.tt.dev" >>/etc/hosts
    # Request the domains with curl.
    # NOTE(review): -k turns off certificate verification, which is tolerable only
    # for this self-signed demo. To keep verification on, trust tls.crt explicitly,
    # for example with curl's --cacert option.
    curl  http://abc1.tt.dev:30080
    curl  https://abc2.tt.dev:30443 -k
    

    #Ingress-Nginx BasicAuth 密码验证

    # ingress-with-auth.yaml
    # Ingress that puts HTTP Basic authentication in front of nginx-svc.
    # NOTE(review): there is no tls section, so the Basic credentials travel
    # base64-encoded but unencrypted over HTTP. Serve this host over HTTPS before
    # protecting anything real with it.
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: ingress-with-auth
      annotations:
        # Authentication scheme
        nginx.ingress.kubernetes.io/auth-type: 'basic'
        # Name of the secret holding the htpasswd data
        # (presumably looked up in this Ingress's namespace - confirm)
        nginx.ingress.kubernetes.io/auth-secret: 'basic-auth'
        # Realm text shown in the browser's login prompt
        nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
    spec:
      rules:
        - host: 'auth.tt.dev'
          http:
            paths:
              - path: /
                backend:
                  serviceName: nginx-svc
                  servicePort: 80
    
    # Create the password file `auth` with user foo and password pswd.
    # NOTE(review): -b takes the password from the command line, which leaves it in
    # shell history and the process list; drop -b to be prompted instead. foo/pswd
    # are demo values only. -c creates the file, replacing an existing one.
    # Alternative without Docker, using the distribution package:
    #yum install httpd-tools
    #htpasswd -bc auth  foo pswd
    # NOTE(review): jess/htpasswd is a third-party image run with the current
    # directory mounted read-write; check its origin or use the package above.
    docker run -it --rm -v $(pwd):/data -w /data jess/htpasswd   -bc auth  foo pswd 
    cat auth
    # The secret key is taken from the file name, so the data is stored under `auth`
    kubectl create secret generic basic-auth --from-file=auth
    # NOTE(review): this prints the stored password hash; Secret data is only
    # base64-encoded, so limit who may read Secrets in this namespace.
    kubectl get secret basic-auth -o yaml
    
    # Create the Ingress
    kubectl apply -f ingress-with-auth.yaml
    
    # On the master node, resolve auth.tt.dev through /etc/hosts
    echo "127.0.0.1    auth.tt.dev" >>/etc/hosts
    # Access test with curl (plain HTTP: the credentials are sent unencrypted)
    curl http://auth.tt.dev:30080  # no credentials supplied, so the request is rejected
    curl http://auth.tt.dev:30080 -u 'foo:pswd'
    
    

    #删除测试项

    # Delete the test resources, then the controller and the secrets.
    # NOTE(review): tls.key, tls.crt and auth created earlier stay in the working
    # directory after these commands; remove those files as well.
    kubectl delete -f ingress-with-auth.yaml
    kubectl delete -f ingress-nginx-http.yaml
    kubectl delete -f ingress-nginx-demo.yaml
    kubectl delete -f service-nodeport.yaml
    kubectl delete -f mandatory.yaml
    kubectl delete secret tls-secret
    kubectl delete secret basic-auth
    # Removes every /etc/hosts line matching tt.dev (the `.` matches any character),
    # so check that no unrelated entry is caught.
    sed -i '/tt.dev/d' /etc/hosts
    

    Blog地址 https://www.cnblogs.com/elvi/p/11755780.html
    本文git地址 https://gitee.com/alivv/k8s/tree/master/notes

  • 原文地址:https://www.cnblogs.com/elvi/p/11755780.html