  • 4.2.k8s.Ingress-Nginx

    Ingress-Nginx

    ingress-nginx为7层代理,通过配置域名访问后端服务
    ingress-nginx容器和kubernetes api交互,动态生成nginx配置
    ingress服务定义域名规则,最终更新到ingress容器
    官网
    https://kubernetes.github.io/ingress-nginx/deploy/
    https://github.com/kubernetes/ingress-nginx

    #部署ingress-nginx

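    # Download the ingress-nginx manifest.
    # NOTE(review): this URL follows the moving `master` branch, so the manifest
    # can change between runs. For a repeatable install, fetch the same path from
    # a release tag (<RELEASE_TAG> in place of `master`) and read the file before
    # applying it.
    wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml

    # List the images the manifest will run.
    grep 'image:' mandatory.yaml

    # Swap the registry for a Docker Hub mirror (found by searching hub.docker.com).
    # NOTE(review): `siriuszg` is a third-party account, not the upstream
    # publisher, and the controller talks to the Kubernetes API from inside the
    # cluster. Before trusting the mirror, compare its image digest with the
    # upstream quay.io image, or copy the upstream image into a registry you
    # control and point the manifest there.
    sed -i 's@quay.io/kubernetes-ingress-controller@siriuszg@' mandatory.yaml
    # Confirm what the rewrite produced before anything is pulled or applied.
    grep 'image:' mandatory.yaml

    # Pre-pull the images. `docker pull` accepts exactly one image per call, so
    # each distinct reference is pulled separately; matching on `image:` avoids
    # picking up unrelated lines that merely contain the word "image".
    awk '/image:/{print $NF}' mandatory.yaml | sort -u | xargs -n1 docker pull

    # Deploy the controller.
    kubectl apply -f mandatory.yaml

    # Check that the controller pod is running.
    kubectl get pod -n ingress-nginx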
    
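    # Download the NodePort Service manifest for bare-metal clusters.
    wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/baremetal/service-nodeport.yaml

    # NodePorts are random by default; pin them to 30080 (http) and 30443 (https).
    # `a\` is required here: GNU sed's one-line `a text` form strips the leading
    # spaces, which would put `nodePort:` at column 0 and break the YAML. The six
    # spaces must equal the indentation of the `targetPort:` lines in the file.
    sed -i '/targetPort: 80/a\      nodePort: 30080' service-nodeport.yaml
    sed -i '/targetPort: 443/a\      nodePort: 30443' service-nodeport.yaml
    # Verify that each nodePort line sits directly under its targetPort line.
    grep -n -A1 'targetPort:' service-nodeport.yaml

    # Deploy.
    # NOTE(review): a NodePort is opened on every node address, so 30080/30443
    # become reachable wherever the nodes are; restrict them with host or
    # network firewall rules if the nodes are not on a trusted network.
    kubectl apply -f service-nodeport.yaml

    # Check the Service and its assigned ports.
    kubectl get svc -n ingress-nginx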
    

    #部署后端web demo

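    # ingress-nginx-demo.yaml

    # Backend web demo: two nginx replicas for the Ingress rules to route to.
    # apps/v1 replaces extensions/v1beta1, which stopped serving Deployments in
    # Kubernetes 1.16. apps/v1 makes spec.selector mandatory, and it must match
    # the pod template labels below.
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-dm
    spec:
      replicas: 2
      selector:
        matchLabels:
          name: nginx
      template:
        metadata:
          labels:
            name: nginx
        spec:
          containers:
            - name: myapp
              # NOTE(review): `node` is a mutable tag; combined with
              # IfNotPresent, nodes that cached the image at different times
              # can run different content. Pin by digest for anything beyond
              # a demo.
              image: alivv/nginx:node
              imagePullPolicy: IfNotPresent
              ports:
                - name: http
                  containerPort: 80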
    
    ---
    # Service in front of the demo pods; no type is set, and it selects pods by
    # the `name: nginx` label and forwards TCP port 80 to container port 80.
    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-svc
    spec:
      selector:
        name: nginx
      ports:
        - protocol: TCP
          port: 80
          targetPort: 80
    

    #ingress 使用域名代理

    # ingress-nginx-http.yaml

    # Ingress HTTP proxy: http://abc1.tt.dev -> nginx-svc:80
    # NOTE(review): extensions/v1beta1 Ingress is no longer served from
    # Kubernetes 1.22; its replacement, networking.k8s.io/v1, uses a different
    # backend schema, so this manifest only applies to older clusters as written.
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: ingress-nginx-http-demo
    spec:
      rules:
        - host: abc1.tt.dev
          http:
            paths:
              - path: /
                backend:
                  serviceName: nginx-svc
                  servicePort: 80
    
    ---
    # Ingress HTTPS proxy: https://abc2.tt.dev -> nginx-svc:80
    # TLS ends at the ingress controller; traffic to nginx-svc goes to port 80.
    # `tls-secret` has to exist in this Ingress's namespace before the rule is
    # useful; if it is missing, ingress-nginx serves its built-in default
    # certificate instead of the one intended for abc2.tt.dev.
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: ingress-nginx-https-demo
    spec:
      tls:
        - hosts:
            - abc2.tt.dev
          secretName: tls-secret
      rules:
        - host: abc2.tt.dev
          http:
            paths:
              - path: /
                backend:
                  serviceName: nginx-svc
                  servicePort: 80
    
    # Create a self-signed certificate for the HTTPS Ingress.
    # -nodes writes tls.key unencrypted into the current directory, so treat the
    # file as a secret. No subjectAltName is requested on this command line; the
    # host name is carried in the subject CN only, which clients that insist on a
    # SAN will reject.
    openssl req -x509 -sha256 -nodes -days 365 \
      -newkey rsa:2048 \
      -keyout tls.key -out tls.crt \
      -subj "/C=CN/O=DevOps/CN=abc2.tt.dev"
    # Store key and certificate as the TLS Secret named by secretName in the Ingress.
    kubectl create secret tls tls-secret --key tls.key --cert tls.crt

    # Deploy the backend demo, then the Ingress rules.
    for manifest in ingress-nginx-demo.yaml ingress-nginx-http.yaml; do
      kubectl apply -f "$manifest"
    done

    # Inspect what was created.
    kubectl get pod
    kubectl get deployment
    kubectl get svc -A
    kubectl get ingress
    
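    # Print the nginx.conf generated inside the ingress-nginx controller pod.
    # `exit` keeps only the first matching pod and the variable is quoted: with
    # more than one controller replica the unquoted multi-line value would be
    # split into extra arguments to `kubectl exec`. -it is dropped because `cat`
    # needs no TTY, which also lets the output be piped or redirected cleanly.
    pod_ingress=$(kubectl get pod -n ingress-nginx | awk '/nginx-ingress/{print $1; exit}')
    kubectl exec -n ingress-nginx "$pod_ingress" -- cat /etc/nginx/nginx.conf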
    
    # Access test.
    # Resolve the tt.dev demo hosts locally (writing /etc/hosts needs root).
    printf '%s\n' "127.0.0.1    abc1.tt.dev abc2.tt.dev" >> /etc/hosts
    # Request each host through its NodePort.
    curl http://abc1.tt.dev:30080
    # -k skips certificate verification, which is tolerable only because this is
    # the throwaway self-signed certificate created above; a verifying check
    # would pass the certificate with --cacert tls.crt instead (TODO confirm
    # with your curl build).
    curl -k https://abc2.tt.dev:30443
    

    #Ingress-Nginx BasicAuth 密码验证

    # ingress-with-auth.yaml
    # Ingress that asks for HTTP Basic credentials before proxying to nginx-svc.
    # NOTE(review): this rule has no `tls` section, so Basic credentials cross
    # the network base64-encoded but unencrypted. Outside a local demo, serve
    # the host over HTTPS as well.
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: ingress-with-auth
      annotations:
        # Authentication scheme.
        nginx.ingress.kubernetes.io/auth-type: basic
        # Secret that holds the htpasswd data.
        nginx.ingress.kubernetes.io/auth-secret: basic-auth
        # Realm text shown in the client's credential prompt.
        nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
    spec:
      rules:
        - host: auth.tt.dev
          http:
            paths:
              - path: /
                backend:
                  serviceName: nginx-svc
                  servicePort: 80
    
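    # Create the htpasswd file `auth` with user foo and password pswd.
    # Host-package alternative to the container:
    #   yum install httpd-tools
    #   htpasswd -bc auth foo pswd
    # NOTE(review): -b takes the password from the command line, so it ends up
    # in shell history and the process list. That is acceptable for this demo
    # credential; for a real one drop -b and let htpasswd prompt for it.
    # "$(pwd)" is quoted so a working directory containing spaces still mounts.
    docker run -it --rm -v "$(pwd)":/data -w /data jess/htpasswd -bc auth foo pswd
    cat auth
    # --from-file uses the file name as the Secret key; ingress-nginx expects
    # that key to be `auth`, so keep the file name.
    kubectl create secret generic basic-auth --from-file=auth
    # The output shows the htpasswd line base64-encoded, not encrypted: anyone
    # allowed to read Secrets in this namespace can recover the password hash.
    kubectl get secret basic-auth -o yaml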
    
    # Create the Ingress.
    kubectl apply -f ingress-with-auth.yaml

    # On the master node, resolve auth.tt.dev locally (needs root).
    printf '%s\n' "127.0.0.1    auth.tt.dev" >> /etc/hosts
    # curl access test.
    # Without credentials the request is refused.
    curl http://auth.tt.dev:30080
    # With credentials the request succeeds. This goes over plain http, so the
    # user name and password are visible to anything on the network path.
    curl -u 'foo:pswd' http://auth.tt.dev:30080
    
    

    #删除测试项

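    # Remove the test resources, most recently created first.
    kubectl delete -f ingress-with-auth.yaml
    kubectl delete -f ingress-nginx-http.yaml
    kubectl delete -f ingress-nginx-demo.yaml
    kubectl delete -f service-nodeport.yaml
    kubectl delete -f mandatory.yaml
    kubectl delete secret tls-secret
    kubectl delete secret basic-auth
    # Drop the demo host entries added during the access tests.
    sed -i '/tt.dev/d' /etc/hosts
    # Deleting the Secrets does not remove the local copies: the unencrypted
    # private key, the certificate and the htpasswd file are still in the
    # directory the earlier commands were run from, so run this from there.
    rm -f tls.key tls.crt auth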
    

    Blog地址 https://www.cnblogs.com/elvi/p/11755780.html
    本文git地址 https://gitee.com/alivv/k8s/tree/master/notes
