一 手动部署-官网版
1.1 获取资源
1 [root@master01 ~]# mkdir ingress 2 [root@master01 ~]# cd ingress/ 3 [root@master01 ingress]# git clone https://github.com/nginxinc/kubernetes-ingress/ 4 [root@master01 ingress]# cd kubernetes-ingress/deployments 5 [root@master01 ingress]# git checkout v1.7.0
1.2 安装RBAC
1 [root@master01 deployments]# kubectl apply -f common/ns-and-sa.yaml #部署namespace及ServiceAccount 2 [root@master01 deployments]# kubectl apply -f rbac/rbac.yaml #部署RBAC角色及权限等
1.3 安装基础资源
1 [root@master01 deployments]# kubectl apply -f common/default-server-secret.yaml
说明:
创建TLS证书和NGINX中默认服务器的secret。默认服务器返回Not Found页面,其中包含404状态代码,用于未定义的所有访问规则请求的返回值。默认包含了一个自签名的证书和生成的密钥。
1 [root@master01 deployments]# kubectl apply -f common/nginx-config.yaml 2 [root@master01 deployments]# kubectl apply -f common/vs-definition.yaml 3 [root@master01 deployments]# kubectl apply -f common/vsr-definition.yaml 4 [root@master01 deployments]# kubectl apply -f common/ts-definition.yaml #创建虚拟主机 5 [root@master01 deployments]# kubectl apply -f common/gc-definition.yaml 6 [root@master01 deployments]# kubectl apply -f common/global-configuration.yaml
1.4 安装ingress controllers
1 [root@master01 deployments]# vi daemon-set/nginx-ingress.yaml
1 …… 2 - -global-configuration=$(POD_NAMESPACE)/nginx-configuration 3 ……
1 [root@master01 deployments]# kubectl apply -f daemon-set/nginx-ingress.yaml 2 [root@master01 deployments]# kubectl get pods --namespace=nginx-ingress 3 NAME READY STATUS RESTARTS AGE 4 5 nginx-ingress-cqv2m 1/1 Running 0 43s 6 nginx-ingress-fpmbv 1/1 Running 0 43s 7 nginx-ingress-kdl9p 1/1 Running 0 43s 8 nginx-ingress-lggw9 1/1 Running 0 43s 9 nginx-ingress-lnw28 1/1 Running 0 43s 10 nginx-ingress-z8rn8 1/1 Running 0 43s
1.5 创建ingress controllers service
[root@master01 deployments]# vi service/nodeport.yaml
1 apiVersion: v1 2 kind: Service 3 metadata: 4 name: nginx-ingress 5 namespace: nginx-ingress 6 spec: 7 type: NodePort 8 ports: 9 - port: 80 10 targetPort: 80 11 protocol: TCP 12 name: http 13 nodePort: 30011 14 - port: 443 15 targetPort: 443 16 protocol: TCP 17 name: https 18 nodePort: 30012 19 selector: 20 app: nginx-ingress
1 [root@master01 deployments]# kubectl create -f service/nodeport.yaml 2 [root@master01 deployments]# kubectl get svc nginx-ingress --namespace=nginx-ingress 3 [root@master01 deployments]# kubectl describe svc nginx-ingress --namespace=nginx-ingress
参考文档:https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/。
二 手动部署-github社区版(推荐)
2.1 获取资源
1 [root@master01 ~]# mkdir ingress 2 [root@master01 ~]# cd ingress/ 3 [root@master01 ingress]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-0.32.0/deploy/static/provider/baremetal/deploy.yaml 4 [root@master01 ingress]# vi deploy.yaml
1 …… 2 apiVersion: apps/v1 3 kind: Deployment 4 …… 5 spec: 6 replicas: 3 7 …… 8 - --default-backend-service=$(POD_NAMESPACE)/default-http-backend 9 …… 10 apiVersion: v1 11 kind: Service 12 …… 13 name: ingress-nginx-controller 14 …… 15 spec: 16 type: NodePort 17 externalTrafficPolicy: Local 18 ports: 19 - name: http 20 port: 80 21 protocol: TCP 22 targetPort: http 23 nodePort: 80 24 - name: https 25 port: 443 26 protocol: TCP 27 targetPort: https 28 nodePort: 443 29 ……
[root@master01 ingress]# kubectl create -f deploy.yaml
提示:添加默认backend需要等待default-backend创建完成controllers才能成功部署。
2.2 创建default backend
[root@master01 ingress]# vi default-backend.yaml
1 --- 2 apiVersion: apps/v1 3 kind: Deployment 4 metadata: 5 name: default-http-backend 6 labels: 7 app.kubernetes.io/name: default-http-backend 8 app.kubernetes.io/part-of: ingress-nginx 9 namespace: ingress-nginx 10 spec: 11 replicas: 1 12 selector: 13 matchLabels: 14 app.kubernetes.io/name: default-http-backend 15 app.kubernetes.io/part-of: ingress-nginx 16 template: 17 metadata: 18 labels: 19 app.kubernetes.io/name: default-http-backend 20 app.kubernetes.io/part-of: ingress-nginx 21 spec: 22 terminationGracePeriodSeconds: 60 23 containers: 24 - name: default-http-backend 25 # Any image is permissible as long as: 26 # 1. It serves a 404 page at / 27 # 2. It serves 200 on a /healthz endpoint 28 image: k8s.gcr.io/defaultbackend-amd64:1.5 29 livenessProbe: 30 httpGet: 31 path: /healthz 32 port: 8080 33 scheme: HTTP 34 initialDelaySeconds: 30 35 timeoutSeconds: 5 36 ports: 37 - containerPort: 8080 38 resources: 39 limits: 40 cpu: 10m 41 memory: 20Mi 42 requests: 43 cpu: 10m 44 memory: 20Mi 45 46 --- 47 apiVersion: v1 48 kind: Service 49 metadata: 50 name: default-http-backend 51 namespace: ingress-nginx 52 labels: 53 app.kubernetes.io/name: default-http-backend 54 app.kubernetes.io/part-of: ingress-nginx 55 spec: 56 ports: 57 - port: 80 58 targetPort: 8080 59 selector: 60 app.kubernetes.io/name: default-http-backend 61 app.kubernetes.io/part-of: ingress-nginx 62 ---
1 [root@master01 ingress]# kubectl create -f default-backend.yaml
2.3 确认验证
1 [root@master01 ingress]# kubectl get pods -n ingress-nginx 2 [root@master01 ingress]# kubectl get svc -n ingress-nginx
参考文档:https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.md。
三 ingress使用
3.1 创建demo环境
1 [root@master01 ingress]# vi deploy-demo01.yaml #创建第一个用于测试的svc和pod
1 apiVersion: v1 2 kind: Service 3 metadata: 4 name: mydemo01svc 5 namespace: default 6 spec: 7 selector: 8 app: mydemo01 9 ports: 10 - name: http 11 port: 80 12 targetPort: 80 13 --- 14 apiVersion: apps/v1 15 kind: Deployment 16 metadata: 17 name: mydemo01pod 18 spec: 19 replicas: 3 20 selector: 21 matchLabels: 22 app: mydemo01 23 template: 24 metadata: 25 labels: 26 app: mydemo01 27 spec: 28 containers: 29 - name: myapp 30 image: ikubernetes/myapp:v2 31 ports: 32 - name: httpd 33 containerPort: 80
1 [root@master01 ingress]# echo '<h1>Hello world!</h1>' > index.html #创建Tomcat测试页面 2 [root@master01 ingress]# scp index.html root@worker01:/etc/kubernetes/ 3 [root@master01 ingress]# scp index.html root@worker02:/etc/kubernetes/ 4 [root@master01 ingress]# scp index.html root@worker02:/etc/kubernetes/ 5 [root@master01 ingress]# vi deploy-demo02.yaml #创建第二个用于测试的svc和pod
1 apiVersion: v1 2 kind: Service 3 metadata: 4 name: mydemo02svc 5 namespace: default 6 spec: 7 selector: 8 app: mydemo02 9 ports: 10 - name: httpd 11 port: 8080 12 targetPort: 8080 13 14 --- 15 apiVersion: apps/v1 16 kind: Deployment 17 metadata: 18 name: mydemo02pod 19 spec: 20 replicas: 3 21 selector: 22 matchLabels: 23 app: mydemo02 24 template: 25 metadata: 26 labels: 27 app: mydemo02 28 spec: 29 containers: 30 - name: mytomcat 31 image: tomcat:9 32 ports: 33 - name: httpd 34 containerPort: 8080 35 volumeMounts: 36 - mountPath: "/usr/local/tomcat/webapps/ROOT/index.html" 37 name: sample-volume 38 readOnly: true 39 volumes: 40 - name: sample-volume 41 hostPath: 42 type: File 43 path: /etc/kubernetes/index.html
1 [root@master01 ingress]# kubectl apply -f deploy-demo01.yaml 2 [root@master01 ingress]# kubectl apply -f deploy-demo02.yaml 3 [root@master01 ingress]# kubectl get pods -o wide 4 [root@master01 ingress]# kubectl get svc -o wide
3.2 创建ingress策略
1 [root@master01 ingress]# vi deploy-demo-ingress-http.yaml
1 apiVersion: networking.k8s.io/v1beta1 2 kind: Ingress 3 metadata: 4 name: ingress-mydemo 5 namespace: default 6 annotations: 7 kubernetes.io/ingress.class: "nginx" 8 spec: 9 rules: 10 - host: demo01.odocker.com 11 http: 12 paths: 13 - path: 14 backend: 15 serviceName: mydemo01svc 16 servicePort: 80 17 - host: demo02.linuxsb.com 18 http: 19 paths: 20 - path: 21 backend: 22 serviceName: mydemo02svc 23 servicePort: 8080
1 [root@master01 ingress]# kubectl apply -f deploy-demo-ingress-http.yaml 2 [root@master01 ingress]# kubectl get pods -o wide 3 [root@master01 ingress]# kubectl get svc -o wide 4 [root@master01 ingress]# kubectl get ingress -o wide
3.3 确认验证
添加demo01.odocker.com和demo02.odocker.com的解析。分别访问两个地址:
参考:https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/
四 ingress https使用
4.1 创建证书
使用自签名证书,证书创建参考《附008.Kubernetes TLS证书介绍及创建》。
4.2 创建secret
1 [root@master01 ingress]# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout demo02.key -out demo02.crt -subj "/CN=demo02.odocker.com" 2 [root@master01 ingress]# kubectl create secret generic demo02-tls --from-file=demo02.crt --from-file=demo02.key -n default 3 [root@master01 ingress]# kubectl get secret demo02-tls 4 NAME TYPE DATA AGE 5 6 demo02-tls Opaque 2 27s
4.3 创建TLS ingress策略
[root@master01 ingress]# vi deploy-demo-ingress-https.yaml
1 apiVersion: networking.k8s.io/v1beta1 2 kind: Ingress 3 metadata: 4 name: ingress-mydemo02-https 5 namespace: default 6 annotations: 7 kubernets.io/ingress.class: "nginx" 8 spec: 9 tls: 10 - hosts: 11 - demo02.odocker.com 12 secretName: demo02-tls 13 rules: 14 - host: demo02.odocker.com 15 http: 16 paths: 17 - path: 18 backend: 19 serviceName: mydemo02svc 20 servicePort: 8080
[root@master01 ingress]# kubectl apply -f deploy-demo-ingress-https.yaml
4.4 确认验证
浏览器访问:https://demo02.odocker.com/。
