Domain-name access in Kubernetes (k8s)

https://www.bilibili.com/video/av66617940?p=36

I. Setting up domain-name access

1) Locate the ingress controller pod. Every routing rule added later through Ingress objects is rendered into the nginx.conf inside this pod.

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
[root@master ~]# kubectl get pod -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-5694ccb578-78ldg   1/1     Running   5          23d
[root@master ~]# kubectl exec -it nginx-ingress-controller-5694ccb578-78ldg -n ingress-nginx -- /bin/bash
www-data@nginx-ingress-controller-5694ccb578-78ldg:/etc/nginx$ ls nginx.conf
nginx.conf

2) Find the proxy ports on which the ingress nginx is exposed (NodePort Service)

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/baremetal/service-nodeport.yaml
[root@master ~]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.97.138.34   <none>        80:32116/TCP,443:30338/TCP   12s

The Service manifest applied above is shown below. It sets no nodePort, so the API server picks the node ports for 80 and 443 at random from the cluster's NodePort range (30000-32767 by default), and they change whenever the Service is deleted and re-created (see section VI). The two raw.githubusercontent.com paths match the ingress-nginx repository layout of late 2019; current releases ship one file per provider, deploy/static/provider/<provider>/deploy.yaml, which already contains the Service.

apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

Once Ingress rules exist, the hosts are reached through the HTTP node port. The hostnames must resolve to the IP of a cluster node on the client machine (an /etc/hosts entry is enough for testing; curl --resolve www1.test.com:32116:<node-ip> http://www1.test.com:32116/ works without touching /etc/hosts). For example:

curl www1.test.com:32116
curl www2.test.com:32116

II. Worked examples of domain-name access

1) Example: expose the host www1.test.com

1.1) Create the pods and the Service

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deployment1
spec:
  replicas: 2
  template:
    metadata:
      labels:
        name: nginx
    spec:
      containers:
        - name: nginx
          image: wangyanglinux/myapp:v1
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-1
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    name: nginx
pod_service1.yaml

1.2) Define the host in an Ingress rule

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress1
spec:
  rules:
    - host: www1.test.com
      http:
        paths:
        - path: /
          backend:
            serviceName: svc-1
            servicePort: 80
ingress1.yaml

Note on API versions: extensions/v1beta1 was current when this was written. Deployment under extensions/v1beta1 was removed in Kubernetes 1.16 (use apps/v1, which also requires an explicit spec.selector), and Ingress under extensions/v1beta1 was removed in 1.22 (use networking.k8s.io/v1, where the backend is written as service.name / service.port.number, every path needs a pathType, and the controller is chosen with spec.ingressClassName). The manifests in this post keep the original versions so that they match the command output shown.

Test access:

[root@master test1]# curl www1.test.com:32116
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>

2) Expose the host www2.test.com

2.1) Create the pods and the Service

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deployment2
spec:
  replicas: 2
  template:
    metadata:
      labels:
        name: nginx2
    spec:
      containers:
        - name: nginx2
          image: wangyanglinux/myapp:v2
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-2
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    name: nginx2
pod_service2.yaml

2.2) Define the host in an Ingress rule

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress2
spec:
  rules:
    - host: www2.test.com
      http:
        paths:
        - path: /
          backend:
            serviceName: svc-2
            servicePort: 80
ingress2.yaml

2.3) List the Ingress objects

[root@master ~]# kubectl get ingress
NAME       HOSTS           ADDRESS   PORTS   AGE
ingress1   www1.test.com             80      19m
ingress2   www2.test.com             80      19m

Test access:

[root@master ~]# curl www1.test.com:32116
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@master ~]# curl www2.test.com:32116
Hello MyApp | Version: v2 | <a href="hostname.html">Pod Name</a>

III. Access over TLS: https://www3.test.com

1) Create the certificate and the tls-secret

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
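The subject in the original read "/0=nginxsvc" with a zero; the attribute is O (organisation). This is the throw-away certificate from the Kubernetes Ingress docs: its CN is nginxsvc rather than www3.test.com and it carries no subjectAltName, so curl and browsers refuse it unless verification is switched off (curl -k). That is enough to show the Ingress terminating TLS, but a certificate meant to be trusted must carry the host as a DNS subjectAltName; modern clients ignore the CN. The script below is an added example written for this page, not code from the post: it generates a key pair whose SAN matches the Ingress host, regenerates the post's CN-only certificate for comparison, and checks both the way a TLS client would. It assumes OpenSSL 1.1.1 or newer (for -addext and openssl verify -verify_hostname), a POSIX sh, and a scratch directory in WORKDIR; the kubectl line at the end is a comment because it needs a cluster.

```shell
#!/bin/sh
# Added example: self-signed certificate with a DNS subjectAltName for the Ingress host,
# side by side with the CN-only certificate from the post. Assumes OpenSSL >= 1.1.1.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # scratch directory (assumption)

# make_cert NAME HOST
# Writes $WORKDIR/NAME.key and $WORKDIR/NAME.crt with HOST in both the CN and the SAN.
# Clients match the requested host against the SAN list, so the name must be there.
make_cert() {
    name=$1; host=$2
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt" \
        -subj "/CN=$host/O=nginxsvc" \
        -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# make_cert_cn_only NAME CN
# The post's command: CN set, no subjectAltName at all.
make_cert_cn_only() {
    name=$1; cn=$2
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt" \
        -subj "/CN=$cn/O=nginxsvc" >/dev/null 2>&1
}

# verify_host CERT HOST -> prints "ok" when CERT verifies as a self-signed certificate
# for HOST, otherwise "fail". -verify_hostname applies the same name matching a TLS
# client performs (SAN first, CN only as a fallback when there is no SAN).
verify_host() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# cert_names CERT -> the subject and the subjectAltName line, for a quick look
cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true
}

# Demo: build both certificates and check them against the Ingress host.
make_cert good www3.test.com
make_cert_cn_only bad nginxsvc
cert_names "$WORKDIR/good.crt"
echo "good.crt for www3.test.com: $(verify_host "$WORKDIR/good.crt" www3.test.com)"   # ok
echo "bad.crt  for www3.test.com: $(verify_host "$WORKDIR/bad.crt" www3.test.com)"    # fail
echo "good.crt for www2.test.com: $(verify_host "$WORKDIR/good.crt" www2.test.com)"   # fail

# Load the usable pair into the cluster (same command as the post; needs kubectl):
# kubectl create secret tls tls-secret --key "$WORKDIR/good.key" --cert "$WORKDIR/good.crt"
```

The verify step is the check worth keeping in a deployment pipeline: run it against the certificate that is about to go into the tls Secret, with the exact host from the Ingress rule, before `kubectl create secret tls`.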

2) Create the pods and the Service

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deployment3
spec:
  replicas: 2
  template:
    metadata:
      labels:
        name: nginx3
    spec:
      containers:
        - name: nginx3
          image: wangyanglinux/myapp:v3
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-3
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    name: nginx3
pod_service3.yaml

3) Define the host and attach the certificate

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress3
spec:
  tls:
    - hosts:
      - www3.test.com
      secretName: tls-secret
  rules:
    - host: www3.test.com
      http:
        paths:
        - path: /
          backend:
            serviceName: svc-3
            servicePort: 80
ingress3.yaml

From now on the host is no longer served as plain HTTP: once a tls entry exists for a host, ingress-nginx redirects HTTP requests for it to HTTPS by default, so use the node port that maps to 443.

4) Access the service

[root@master https]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.97.138.34   <none>        80:32116/TCP,443:30338/TCP   142m

https://www3.test.com:30338 (with curl, add -k, because the certificate above is self-signed and does not name this host)

IV. Access authentication (HTTP basic auth)

1) Create the user name and password (the httpd package provides htpasswd)

[root@master ~]# yum install httpd -y
[root@master ~]# mkdir -p basic-auth
[root@master basic-auth]# htpasswd -c auth foo
New password: 
Re-type new password: 
Adding password for user foo
[root@master basic-auth]# ll
total 4
-rw-r--r-- 1 root root 42 Nov 11 01:34 auth

2) Create a Secret that carries the credentials file. The key inside the Secret must be named auth (here it is the file name); with the default auth-secret-type, ingress-nginx reads exactly that key.

[root@master basic-auth]# kubectl create secret generic basic-auth --from-file=auth
secret/basic-auth created

3) Add a host that requires the credentials

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress4
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
    - host: auth.test.com
      http:
        paths:
        - path: /
          backend:
            serviceName: svc-2
            servicePort: 80
auth_ingress.yaml

Browsing to this host now prompts for a user name and password: user foo, with the password entered in htpasswd above (xxxxxxx). The auth-realm value is only the label shown in the browser's prompt.
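The following is an added example written for this page, not code from the post. It builds the same htpasswd-format auth file without installing httpd, using OpenSSL's apr1 hashing (the Apache MD5 variant nginx's auth_basic understands), and checks a candidate password against a stored entry the same way nginx does: take the salt from the entry, hash the candidate with it, compare. It assumes a POSIX sh and an openssl with `passwd -apr1`. The user foo is the post's; the password S3cret-pass and the AUTHFILE path are constructed for the demo.

```shell
#!/bin/sh
# Added example: build and check an htpasswd-format "auth" file for the basic-auth
# Secret with OpenSSL instead of the httpd package. Assumes `openssl passwd -apr1`.
set -eu

AUTHFILE="${AUTHFILE:-$(mktemp)}"   # constructed path; the Secret key must still be "auth"

# htpasswd_entry USER   (password read from stdin)
# Prints "USER:$apr1$<salt>$<hash>". Reading the password from stdin keeps it out of
# `ps` output and shell history, which `htpasswd -b` or `openssl passwd PASS` would not.
htpasswd_entry() {
    user=$1
    hash=$(openssl passwd -apr1 -stdin)
    printf '%s:%s\n' "$user" "$hash"
}

# stored_hash FILE USER -> the hash field for USER, empty when the user is absent
stored_hash() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# check_password FILE USER   (candidate password read from stdin) -> "ok" / "fail"
# The comparison nginx makes: re-hash the candidate with the salt stored in the entry
# and compare the full strings.
check_password() {
    stored=$(stored_hash "$1" "$2")
    if [ -z "$stored" ]; then
        cat >/dev/null          # drain stdin so the caller's pipe does not break
        echo fail
        return
    fi
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    candidate=$(openssl passwd -apr1 -salt "$salt" -stdin)
    if [ "$candidate" = "$stored" ]; then echo ok; else echo fail; fi
}

# Demo with a constructed password.
printf '%s\n' 'S3cret-pass' | htpasswd_entry foo > "$AUTHFILE"
echo "entry: $(cut -d: -f1 "$AUTHFILE") / $(stored_hash "$AUTHFILE" foo | cut -c1-6)..."  # foo / $apr1$...
echo "right password: $(printf '%s\n' 'S3cret-pass' | check_password "$AUTHFILE" foo)"  # ok
echo "wrong password: $(printf '%s\n' 'guess' | check_password "$AUTHFILE" foo)"        # fail
echo "unknown user:   $(printf '%s\n' 'S3cret-pass' | check_password "$AUTHFILE" bar)"  # fail

# Create the Secret (needs a cluster). With --from-file=auth=<path> the key is "auth"
# whatever the file is called:
# kubectl create secret generic basic-auth --from-file=auth="$AUTHFILE"
```

apr1 is an MD5-based scheme and is cheap to brute-force; htpasswd -B produces bcrypt entries instead, which nginx accepts through the system crypt() where the controller image's libc implements it. Whatever the scheme, the file goes into the cluster as a Secret, so treat it like any other credential: restrict who can read Secrets in the namespace, since anyone who can will see the hashes.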

V. Redirects

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-test
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: https://www3.test.com:30338
spec:
  rules:
  - host: re.test.com
    http:
      paths:
      - path: /
        backend:
          serviceName: svc-2
          servicePort: 80

Requesting re.test.com:32116 redirects to https://www3.test.com:30338.

Caveat: rewrite-target is meant for rewriting the request path on its way to the backend. This only behaves as a redirect because the target is an absolute URL: nginx's rewrite directive answers with a 302 to the client whenever the replacement starts with http:// or https://. ingress-nginx has purpose-built annotations for this, nginx.ingress.kubernetes.io/permanent-redirect (301) and nginx.ingress.kubernetes.io/temporal-redirect (302). Note also that the node port 30338 is hard-coded in the target, which breaks as soon as that port changes (section VI).

VI. Problem: the proxy's access port is not stable

[root@master ~]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.97.138.34   <none>        80:32116/TCP,443:30338/TCP   3h7m
[root@master ~]# kubectl delete -f service-nodeport.yaml
service "ingress-nginx" deleted

[root@master ~]# kubectl apply -f service-nodeport.yaml 
service/ingress-nginx created
[root@master ~]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.106.225.226   <none>        80:31813/TCP,443:32425/TCP   1s

Because the service-nodeport.yaml Service was deleted and re-created, both node ports changed. An in-place kubectl apply on an existing Service keeps its allocated ports; only re-creation (or any Service without a fixed nodePort) reallocates them.

6.1) Pin the ports in the Service manifest and test. The nodePort values must fall inside the cluster's NodePort range (30000-32767 by default); if a chosen port is already taken, the API server rejects the Service with "provided port is already allocated".

apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      nodePort: 30080
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      nodePort: 30443
      protocol: TCP
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

Test

[root@k8s-master01 ~]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.107.188.157   <none>        80:30080/TCP,443:30443/TCP   2s
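The following is an added example written for this page, not code from the post; it serves both the port discovery in section I and the pinning in section VI. It is the check a deploy script or smoke test would run after kubectl apply: parse the PORT(S) cell that kubectl get svc prints, confirm each service port maps to the node port that was pinned, and apply the same range check the API server applies. The two PORT(S) strings are the ones from the post's output, embedded here as constructed input so the script runs without a cluster; the kubectl line at the end is a comment for the live case.

```shell
#!/bin/sh
# Added example: verify that the ingress-nginx Service exposes the node ports we pinned,
# working from the PORT(S) cell that `kubectl get svc` prints.
set -eu

# nodeport_for PORTS SVCPORT
# PORTS is a PORT(S) cell such as "80:32116/TCP,443:30338/TCP"; prints the node port
# mapped to service port SVCPORT, or nothing when SVCPORT is not in the cell.
nodeport_for() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F'[:/]' -v p="$2" '$1 == p { print $2; exit }'
}

# in_nodeport_range PORT [LOW HIGH] -> "ok" / "fail"
# 30000-32767 is kube-apiserver's default --service-node-port-range. A nodePort outside
# it is rejected outright; one inside it that is already taken fails with
# "provided port is already allocated".
in_nodeport_range() {
    low=${2:-30000}; high=${3:-32767}
    case $1 in
        ''|*[!0-9]*) echo fail; return ;;
    esac
    if [ "$1" -ge "$low" ] && [ "$1" -le "$high" ]; then echo ok; else echo fail; fi
}

# check_pinned PORTS SVCPORT EXPECTED -> "ok" when SVCPORT maps to EXPECTED, else "fail"
check_pinned() {
    actual=$(nodeport_for "$1" "$2")
    [ "$actual" = "$3" ] && echo ok || echo fail
}

# Constructed input: the PORT(S) cells from the post, before and after pinning.
RANDOM_PORTS="80:32116/TCP,443:30338/TCP"
PINNED_PORTS="80:30080/TCP,443:30443/TCP"

echo "https node port (random):  $(nodeport_for "$RANDOM_PORTS" 443)"       # 30338
echo "30080 in default range:    $(in_nodeport_range 30080)"                 # ok
echo "8443 in default range:     $(in_nodeport_range 8443)"                  # fail
echo "443 pinned to 30443 (old): $(check_pinned "$RANDOM_PORTS" 443 30443)"  # fail
echo "443 pinned to 30443 (new): $(check_pinned "$PINNED_PORTS" 443 30443)"  # ok

# Against a live cluster the cell comes from kubectl, e.g.:
# PORTS=$(kubectl get svc ingress-nginx -n ingress-nginx \
#     -o jsonpath='{range .spec.ports[*]}{.port}:{.nodePort}/{.protocol},{end}')
# [ "$(check_pinned "$PORTS" 443 30443)" = ok ] || exit 1
```

Pinning the ports is what makes anything that embeds them, such as the redirect target in section V or the host entries on clients, survive a re-creation of the Service; the check above turns a silent port change into a failed deployment step.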

Generic (wildcard) domain: the front-end nginx outside the cluster

[root@nginx-internal0001 conf.d]# cat apaas.conf 
# Only send "Connection: upgrade" to the backend when the client actually asked for a
# protocol upgrade (WebSocket); the original sent it on every request.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# The check* directives belong to nginx_upstream_check_module (Tengine, or nginx built
# with that patch); stock nginx rejects them.
upstream apaas-infra-http {
    server apaas-master0001.eniot.io:80;
    server apaas-master0002.eniot.io:80;
    server apaas-master0003.eniot.io:80;
    check interval=3000 rise=2 fall=5 timeout=1000 default_down=false type=http port=1936;
    check_http_send "GET /healthz HTTP/1.0\r\n\r\n";
    check_http_expect_alive http_2xx http_3xx;
}
upstream apaas-infra-https {
    server apaas-master0001.eniot.io:443;
    server apaas-master0002.eniot.io:443;
    server apaas-master0003.eniot.io:443;
    check interval=3000 rise=2 fall=5 timeout=1000 default_down=false type=http port=1936;
    check_http_send "GET /healthz HTTP/1.0\r\n\r\n";
    check_http_expect_alive http_2xx http_3xx;
}
server {
    listen 80;
    server_name *.apaas-gf1.eniot.io;
    underscores_in_headers on;   # accept header names containing "_"; keep only if an app needs it
    client_max_body_size 100m;
    location / {
        proxy_pass http://apaas-infra-http;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_connect_timeout 3;
        proxy_send_timeout 9000;
        proxy_read_timeout 9000;
    }
}
server {
    listen 443 ssl;
    server_name *.apaas-gf1.eniot.io;
    ssl_certificate /etc/nginx/ssl/Server_wildcard_eniot_io_20180308.cer;
    ssl_certificate_key /etc/nginx/ssl/Server_wildcard_eniot_io_20180308.key;
    underscores_in_headers on;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_redirect off;
        # The masters' certificate is NOT verified here, so anything on the path to them
        # could impersonate them. For production use proxy_ssl_verify on together with
        # proxy_ssl_trusted_certificate pointing at the CA that signed their certificates.
        proxy_ssl_verify off;
        proxy_ssl_session_reuse on;
        proxy_http_version 1.1;
        proxy_pass https://apaas-infra-https;
        proxy_connect_timeout 3;
        proxy_send_timeout 9000;
        proxy_read_timeout 9000;
    }
}
Matched domains

 *.apaas-ptt1.eniot.io       10.65.54.56 10.65.54.57

New domain                 Private-cloud DNS target     Other-environment DNS target   Other environments
apaas-ptt1.eniot.io        10.65.54.56 10.65.54.57      10.10.1.42                     AWS China, office network
*.apaas-ptt1.eniot.io      10.65.54.56 10.65.54.57      10.10.1.42                     AWS China, office network
apaas-internal.eniot.io    10.65.54.56 10.65.54.57
harbor-cn2.eniot.io        52.80.242.65
falcon-ptt1.eniot.io       10.10.1.42                   10.10.1.42                     AWS China, office network
notice.eniot.io            10.10.1.42

Here 10.65.54.56 and 10.65.54.57 are the nginx machines.
Original article: https://www.cnblogs.com/linu/p/11832560.html