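Ingress-nginx acts as an HTTP proxy for publishing services outside the cluster; exposing them over TCP through Services instead requires more IP addresses and ports.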
```
# Download the ingress controller deployment manifest
$ wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.34.1/deploy/static/provider/cloud/deploy.yaml
--2020-07-25 21:00:01-- https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.34.1/deploy/static/provider/cloud/deploy.yaml
正在解析主機 raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.192.133, 151.101.64.133, 151.101.0.133, ...
正在鏈接 raw.githubusercontent.com (raw.githubusercontent.com)|151.101.192.133|:443... 已鏈接。
已發出 HTTP 請求,正在等待迴應... 200 OK
長度:18133 (18K) [text/plain]
正在保存至: 「deploy.yaml」

deploy.yaml 100%[==================================================>] 17.71K --.-KB/s 用時 0.05s

2020-07-25 21:00:01 (389 KB/s) - 已保存 「deploy.yaml」 [18133/18133])
```
After downloading, change the Service type to NodePort; the downloaded file uses LoadBalancer by default.
```yaml
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.11.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.34.1
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: NodePort
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      nodePort: 30080
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      nodePort: 30443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
```
```
# Deploy the ingress controller
$ kubectl apply -f deploy.yaml
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
configmap/ingress-nginx-controller created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
service/ingress-nginx-controller-admission created
service/ingress-nginx-controller created
deployment.apps/ingress-nginx-controller created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
serviceaccount/ingress-nginx-admission created
```
```
# List the resources created in the ingress-nginx namespace
$ kubectl get all -n ingress-nginx
NAME                                           READY   STATUS      RESTARTS   AGE
pod/ingress-nginx-admission-create-fvph7       0/1     Completed   0          5m46s
pod/ingress-nginx-admission-patch-gr48z        0/1     Completed   1          5m46s
pod/ingress-nginx-controller-c96557986-9rw9m   1/1     Running     0          5m56s

NAME                                         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
service/ingress-nginx-controller             NodePort    10.107.249.8   <none>        80:30080/TCP,443:30443/TCP   5m56s
service/ingress-nginx-controller-admission   ClusterIP   10.104.5.150   <none>        443/TCP                      5m56s

NAME                                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/ingress-nginx-controller   1/1     1            1           5m56s

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/ingress-nginx-controller-c96557986   1         1         1       5m56s

NAME                                       COMPLETIONS   DURATION   AGE
job.batch/ingress-nginx-admission-create   1/1           2s         5m56s
job.batch/ingress-nginx-admission-patch    1/1           3s         5m56s
```
NodePort exposes the ingress ports on every node.
```
$ cat tomcat-deploy.yaml
kind: Namespace
apiVersion: v1
metadata:
  name: testing
  labels:
    env: testing
---
# Tomcat deployments
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: testing
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.0.50-jre8-alpine
        ports:
        - containerPort: 8080
          name: httpport
        - containerPort: 8009
          name: ajpport
---
# Tomcat Service
apiVersion: v1
kind: Service
metadata:
  name: tomcat-svc
  namespace: testing
  labels:
    app: tomcat-svc
spec:
  selector:
    app: tomcat
  ports:
  - name: httpport
    port: 80
    targetPort: 8080
    protocol: TCP
```
```
$ cat tomcat-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat
  namespace: testing
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.kubernetes.io
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat-svc
          servicePort: 80
```
```
$ cat tomcat-ingress-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-ingress-tls
  namespace: testing
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.linux.io
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.linux.io
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-svc
          servicePort: 80
```
```
$ openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
............................................................................................................................+++
e is 65537 (0x10001)
$ openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=GuangDong/L=GuangZhou/O=DevOps/CN=tomcat.kubernetes.io -days 3650
ca0gu0@ca0gu0deMBP ingress % kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key -n testing
secret/tomcat-ingress-secret created
$ kubectl apply -f tomcat-ingress-tls.yaml
ingress.extensions/tomcat-ingress-tls created
ca0gu0@ca0gu0deMBP ingress % kubectl get svc -n testing
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
tomcat-svc   ClusterIP   10.98.232.166   <none>        80/TCP    32m
$ kubectl get ingress -n testing
NAME                 CLASS    HOSTS                  ADDRESS        PORTS     AGE
tomcat               <none>   tomcat.kubernetes.io   10.107.249.8   80        32m
tomcat-ingress-tls   <none>   tomcat.linux.io                       80, 443   29s
```
Access the service over HTTPS.
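The certificate created above is issued for CN=tomcat.kubernetes.io, while the TLS Ingress serves tomcat.linux.io, so a client that verifies the hostname will reject it. The check below is an added example, not part of the original post: it tests a certificate against the Ingress hosts before it goes into the Secret. The function names and temporary paths are hypothetical, and it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: confirm a TLS certificate covers the Ingress hosts before
# loading it into a Secret. Function names and paths are hypothetical.
set -eu

# make_cert HOST KEY CRT: self-signed certificate with CN and SAN set to HOST.
make_cert() {
  cfg=$(mktemp)
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $1
[ext]
subjectAltName = DNS:$1
EOF
  # umask in a subshell so the private key is not readable by other users.
  (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
     -config "$cfg" -keyout "$2" -out "$3" 2>/dev/null)
  rm -f "$cfg"
}

# cert_covers_host CRT HOST: succeeds only if CRT is valid for HOST.
# "openssl x509 -checkhost" reports its result as text, so match on that.
cert_covers_host() {
  out=$(openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 || true)
  case $out in
    *"does match certificate"*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_hosts CRT HOST...: report every host; non-zero if any is not covered.
check_hosts() {
  crt=$1; shift; rc=0
  for h in "$@"; do
    if cert_covers_host "$crt" "$h"; then echo "OK       $h"
    else echo "MISMATCH $h"; rc=1; fi
  done
  return "$rc"
}

# Constructed demo: a certificate issued for the first Ingress host is checked
# against both hosts used on this page; the second is reported as MISMATCH.
tmp=$(mktemp -d)
make_cert tomcat.kubernetes.io "$tmp/tls.key" "$tmp/tls.crt"
check_hosts "$tmp/tls.crt" tomcat.kubernetes.io tomcat.linux.io || true
rm -rf "$tmp"
```

Running `check_hosts tls.crt tomcat.linux.io` on the real certificate before `kubectl create secret tls` catches the mismatch while it is still cheap to reissue.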