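Notes from video chapter: Chapter 6, Service Ingress
Topic
In the previous experiment, the HTTP request was looked up and matched against the ingress-nginx rules. No rule matched, so it returned 404 Not Found. To reach the corresponding service, this experiment enables the matching server-side rules in the cluster and carries out one complete nginx rule match.
Prerequisite: ingress-nginx is installed and running
HTTP reverse proxy
- File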
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-dm
spec:
  replicas: 2
  selector:
    matchLabels:
      name: nginx
  template:
    metadata:
      labels:
        name: nginx
    spec:
      containers:
        - name: nginx
          image: wangyanglinux/myapp:v1
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    name: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-test
spec:
  ingressClassName: nginx
  rules:
    - host: www1.jjh.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-svc
                port:
                  number: 80
```
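Explanation: the chain is Deployment -> Service -> Ingress. Only the Ingress part is explained here.
- Ingress: defines a route whose rule is host www1.jjh.com and path /, forwarding to port 80 of the backend Service nginx-svc.
- Apply it, then try to access it. Because our domain has not been registered, this experiment can only be done by editing the local hosts file.
  - Edit /etc/hosts and add $any_node_ip www1.jjh.com, where any_node_ip is the external IP of any Node.
  - Try to access it: the hostname that is hit matches the actual pod names in the cluster, as expected.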
```
# On my local Mac, after editing the hosts file
➜ ~ curl http://www1.jjh.com:30815/hostname.html
nginx-dm-7555c6bb5b-nwwv2
➜ ~ curl http://www1.jjh.com:30815/hostname.html
nginx-dm-7555c6bb5b-b2j6n
# Back on the master, check the pod names
root@jjh-k8s-demo-master:~/k8s_yaml/bzhan_shangguigu# kubectl get pods
NAME                        READY   STATUS    RESTARTS   AGE
nginx-dm-7555c6bb5b-b2j6n   1/1     Running   0          24h
nginx-dm-7555c6bb5b-nwwv2   1/1     Running   0          24h
```
HTTPS proxy
- Create and apply the certificate:
```
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
Generating a RSA private key
...............+++++
..........+++++
writing new private key to 'tls.key'
-----
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
secret/tls-secret created
```
- Deployment file
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-dm-v3
spec:
  replicas: 2
  selector:
    matchLabels:
      name: nginx-v3
  template:
    metadata:
      labels:
        name: nginx-v3
    spec:
      containers:
        - name: nginx-v3
          image: wangyanglinux/myapp:v3
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc-v3
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    name: nginx-v3
```
- Ingress file
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-https
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - www3.jjh.com
      secretName: tls-secret
  rules:
    - host: www3.jjh.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-svc-v3
                port:
                  number: 80
```
- Create
```
root@jjh-k8s-demo-master:~/k8s_yaml/bzhan_shangguigu# kubectl apply -f p36_svc_ingress_https.yaml
ingress.networking.k8s.io/nginx-https configured
```
- Test access: succeeded
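The certificate created in this section has the subject CN=nginxsvc, while the nginx-https Ingress serves www3.jjh.com, so a client that checks the host name rejects it even when it trusts the certificate. The following added example (not part of the original notes) generates both variants and compares them with openssl x509 -checkhost; the helper functions make_cert, cert_matches_host and report and the output file names are assumptions made for the illustration, and -addext requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: compare the notes' certificate subject with one that names
# the Ingress host. Needs OpenSSL 1.1.1+ (-addext). Output paths are constructed.

INGRESS_HOST="www3.jjh.com"   # host from the nginx-https Ingress

# make_cert PREFIX SUBJECT [SAN_HOST]: write PREFIX.key and PREFIX.crt
make_cert() {
  if [ -n "${3:-}" ]; then
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
      -keyout "$1.key" -out "$1.crt" -subj "$2" \
      -addext "subjectAltName=DNS:$3" 2>/dev/null
  else
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
      -keyout "$1.key" -out "$1.crt" -subj "$2" 2>/dev/null
  fi
}

# cert_matches_host CERT HOST: exit status 0 only if CERT is valid for HOST
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match certificate"
}

# report CERT HOST: print the verdict for one certificate
report() {
  if cert_matches_host "$1" "$2"; then
    echo "$1: valid for $2"
  else
    echo "$1: NOT valid for $2"
  fi
}

workdir="$(mktemp -d)"
make_cert "$workdir/page" "/CN=nginxsvc/O=nginxsvc"                      # subject used in the notes
make_cert "$workdir/san" "/CN=$INGRESS_HOST/O=nginxsvc" "$INGRESS_HOST"  # adds the SAN
report "$workdir/page.crt" "$INGRESS_HOST"
report "$workdir/san.crt" "$INGRESS_HOST"
# The matching pair can then replace tls.key/tls.crt in the secret:
#   kubectl create secret tls tls-secret --key san.key --cert san.crt
```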
Basic-auth
- Preparation
```
apt-get install apache2
htpasswd -c auth jjh
kubectl create secret generic basic-auth --from-file=auth
```
- File
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - jjh'
spec:
  ingressClassName: nginx
  rules:
    - host: auth.jjh.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-svc
                port:
                  number: 80
```
- Apply it and try to access it; the test passes
nginx rewrite
- File
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-rewrite
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: http://www1.jjh.com:30815/
spec:
  ingressClassName: nginx
  rules:
    - host: rewrite.jjh.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-svc
                port:
                  number: 80
```