Introduction to the Ingress concept
A Service can only proxy at layer 4; it cannot proxy at layer 7 (for example, HTTPS services).
LVS can only forward based on layer-4 data; it cannot make scheduling decisions on layer-7 protocol data.
Ingress Controller
A Pod running a program that can act as a layer-7 proxy.
Ingress resource
1. First, a headless Service dynamically tracks the backend Pods that match its label selector.
2. The Ingress dynamically injects the addresses of the Pods associated with that Service into the frontend proxy's upstream configuration and triggers the main program to reload the latest configuration file.
Pod change > Service change > Ingress change > Ingress Controller injects the configuration
Reverse-proxying to backend web servers with Ingress
1. Deploy the backend Pods
```yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  selector:
    app: myapp
    release: canary
  ports:
  - name: http
    targetPort: 80
    port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v2
        ports:
        - name: http
          containerPort: 80
```
2. Create the Ingress resource
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myapp.yxh.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp
          servicePort: 80
```
3. Create the ingress controller Pod
```shell
[root@k8s-master ingress]# kubectl get pod -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-7d4c999994-pn6wt   1/1     Running   0          3d
```
service_nodeport is what brings traffic from outside the cluster into the ingress-controller. The ingress-controller is simply a Pod running nginx, and service_nodeport is the Service in front of that nginx Pod. The ingress-controller Pod itself is created from the YAML files in the nginx-ingress repository downloaded from Git.
4. Create the service_nodeport configuration
```yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 30080
  - name: https
    port: 443
    targetPort: 443
    nodePort: 30443
    protocol: TCP
  selector:
    app: ingress-nginx
```
5. Edit the hosts file
```
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
192.168.11.141 myapp.yxh.com
192.168.11.141 tomcat.yxh.com
```
6. Access it from the browser
HTTPS reverse proxy to Tomcat with Ingress
1. Deploy the Tomcat Pods
```yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  - name: ajp
    targetPort: 8009
    port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5.32-jre8-alpine
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009
```
2. Create the SSL certificate
Generate a self-signed certificate:
```shell
[root@k8s-master ingress]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................................+++
...........................................................................................................+++
e is 65537 (0x10001)
[root@k8s-master ingress]# openssl req -new -x509 -key tls.key -out tls.out -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.yxh.com
```
The CN must be set to exactly the domain name that clients will use to access the service.
```shell
[root@k8s-master ingress]# ls
ingress-myapp.yaml          ngx-deploy.yaml        tls.key  tomcat
ingress-nginx-nginx-0.13.0  service_nodeport.yaml  tls.out
```
Turn the generated certificate into a Secret resource object:
```shell
[root@k8s-master ingress]# kubectl create secret tls tomcat-ingress-secret --cert=tls.out --key=tls.key
[root@k8s-master ingress]# kubectl get secret
NAME                    TYPE                                  DATA   AGE
default-token-n87jl     kubernetes.io/service-account-token   3      244d
tomcat-ingress-secret   kubernetes.io/tls                     2      1h
```
3. Create the Tomcat SSL Ingress resource
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.yxh.com
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.yxh.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
```
4. Create the Tomcat HTTP Ingress resource
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.yxh.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
```
5. How it works
Whenever you run kubectl apply|delete -f ingress-tomcat-tls.yaml, the settings are automatically written into the main nginx configuration file of the ingress-controller and take effect immediately.
The ingress-controller acts as an SSL termination point: clients must speak HTTPS to the controller, but when the controller forwards the request to the Tomcat Pods inside the cluster it uses plain HTTP.
ingress_nginx_controller configuration
```shell
# find /etc -name nginx.conf
/etc/nginx/nginx.conf
kubectl exec -n ingress-nginx -ti nginx-ingress-controller-7d4c999994-pn6wt -- /bin/sh
kubectl logs -n ingress-nginx nginx-ingress-controller-7d4c999994-pn6wt |grep error
```
```nginx
## start server tomcat.yxh.com
server {
    server_name tomcat.yxh.com ;
    listen 80;
    listen [::]:80;
    set $proxy_upstream_name "-";
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # PEM sha: 8d7a91d9f8445a2e44ca5cef9dcea2c9bf8e7141
    ssl_certificate /ingress-controller/ssl/default-tomcat-ingress-secret.pem;
    ssl_certificate_key /ingress-controller/ssl/default-tomcat-ingress-secret.pem;
    ssl_trusted_certificate /ingress-controller/ssl/default-tomcat-ingress-secret-full-chain.pem;
    ssl_stapling
```
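To make the Pod > Service > Ingress > controller chain and the TLS termination concrete, here is an added example (my own model, not ingress-nginx's code) that renders an nginx upstream and server block from constructed Service, Pod and Ingress dicts shaped like the objects above; the Pod IPs and the upstream naming scheme are assumptions.

```python
# Added example, not ingress-nginx's own code: a minimal model of how a
# controller turns Service/Pod and Ingress objects into nginx config.
# All resource dicts below are constructed samples (Pod IPs are made up).

def select_pods(service, pods):
    """Return the IPs of Pods whose labels match every key of the Service selector."""
    sel = service["spec"]["selector"]
    return [p["ip"] for p in pods
            if all(p["labels"].get(k) == v for k, v in sel.items())]

def render_upstream(namespace, service, pods):
    """Render one upstream block: one server line per selected Pod (assumed naming)."""
    port = service["spec"]["ports"][0]["port"]
    name = f"{namespace}-{service['metadata']['name']}-{port}"
    lines = [f"upstream {name} {{"]
    lines += [f"    server {ip}:{port};" for ip in select_pods(service, pods)]
    lines.append("}")
    return name, "\n".join(lines)

def render_server(ingress, upstream_name):
    """Render the server block; TLS is terminated here and proxied on as plain http."""
    host = ingress["spec"]["rules"][0]["host"]
    tls = [t for t in ingress["spec"].get("tls", []) if host in t["hosts"]]
    lines = [f"## start server {host}", "server {",
             f"    server_name {host};", "    listen 80;"]
    if tls:  # certificate comes from the Secret named in spec.tls
        ns, secret = ingress["metadata"]["namespace"], tls[0]["secretName"]
        lines += ["    listen 443 ssl http2;",
                  f"    ssl_certificate /ingress-controller/ssl/{ns}-{secret}.pem;"]
    # The hop from controller to Pod is unencrypted HTTP inside the cluster.
    lines += ["    location / {", f"        proxy_pass http://{upstream_name};", "    }", "}"]
    return "\n".join(lines)

def render_config(ingress, service, pods):
    name, upstream = render_upstream(ingress["metadata"]["namespace"], service, pods)
    return upstream + "\n" + render_server(ingress, name)

SERVICE = {"metadata": {"name": "tomcat"},
           "spec": {"selector": {"app": "tomcat", "release": "canary"},
                    "ports": [{"name": "http", "port": 8080}]}}
PODS = [{"ip": "10.244.1.10", "labels": {"app": "tomcat", "release": "canary"}},
        {"ip": "10.244.2.11", "labels": {"app": "tomcat", "release": "canary"}},
        {"ip": "10.244.2.12", "labels": {"app": "tomcat", "release": "stable"}}]  # not selected
INGRESS = {"metadata": {"name": "ingress-tomcat-tls", "namespace": "default"},
           "spec": {"tls": [{"hosts": ["tomcat.yxh.com"], "secretName": "tomcat-ingress-secret"}],
                    "rules": [{"host": "tomcat.yxh.com", "http": {"paths": [
                        {"backend": {"serviceName": "tomcat", "servicePort": 8080}}]}}]}}

if __name__ == "__main__":
    print(render_config(INGRESS, SERVICE, PODS))
```

Deleting the `tls` entry from the Ingress dict drops the `listen 443 ssl` lines, which mirrors what the controller does when `ingress-tomcat` (HTTP only) replaces `ingress-tomcat-tls`.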
6. Final result