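Note:
This article assumes the reader has a basic grounding in k8s and is familiar with core concepts such as the apiserver, service, and controller manager.
Model overview:
The Ingress model adds an ingress layer in front of the service. The structure is as follows: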
ingress -> service -> label selector -> pods
www.ok1.com -> app1-service -> app1 selector -> app1 1234
Port:80 or other -> www.ok2.com -> app2-service -> app2 selector -> app2 3456
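Advantages of the Ingress model
It adds layer-7 awareness: traffic can be routed based on HTTP headers, path, and so on.
Disadvantages of the model
Complexity increases considerably.
Understanding the Ingress implementation
The Ingress implementation has two parts: the Ingress Controller and the Ingress.
The Ingress Controller is the traffic entry point and is an actual piece of software, usually Nginx or HAProxy (less commonly used).
The Ingress describes the concrete routing rules.
The Ingress Controller watches the /ingresses resource on the API server and applies changes in real time.
An Ingress describes the routing rules for one or more domain names and exists as an ingress resource.
In short: the Ingress describes the routing rules, and the Ingress Controller implements them in real time.
Example:
Architecture diagram:
Set up the k8s cluster environment.
Create the backend test app and service. This example uses the ikubernetes/myapp:v2 image.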
more deploy-demo.yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  selector:
    app: myapp
    release: canary
  ports:
  - name: http
    targetPort: 80
    port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v2
        ports:
        - name: http
          containerPort: 80
Create the Ingress and Ingress Controller environment.
Download and deploy:
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
default-http-backend uses this image by default: gcr.io/google_containers/defaultbackend:1.4
Because gcr.io is blocked by the firewall, change it to: registry.cn-hangzhou.aliyuncs.com/google_containers/defaultbackend:1.4
kubectl apply -f mandatory.yaml
Check:
kubectl get pods -n ingress-nginx
NAME                                       READY   STATUS    RESTARTS   AGE
default-http-backend-5ccf4689c5-tc4mr      1/1     Running   0          19m
nginx-ingress-controller-5b6864749-5kcc9   1/1     Running   0          19m
Create service-nodeport
Download and deploy:
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
Edit the yaml file and add the nodePort settings so that the otherwise random ports are fixed.
more service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 30080
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
    nodePort: 30443
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
Configure the Ingress to expose the service, which completes the goal of the example.
more ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: www.ok.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp
          servicePort: 80
Test:
Edit the local hosts file and access the site; the screenshot is as follows:
Configure https:
Generate the certificate:
openssl genrsa -out tls.key 2048
openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.ok.com
Convert the certificate and key into a Secret:
kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
kubectl get secret
kubectl describe secret tomcat-ingress-secret
more tomcat-demo.yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  - name: ajp
    targetPort: 8009
    port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:latest
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009
more ingress-tomcat-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.ok.com
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.ok.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
Test:
Later, a layer-4 or layer-7 load balancer can be added in front of this to achieve high availability.
Reference links:
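The two Ingress objects above differ in one respect: ingress-tomcat-tls lists its host under spec.tls with a secretName, while ingress-myapp has no tls section at all. The following is an added example, not part of the original post, that checks every rule host for a matching tls entry; the SAMPLE data is constructed to mirror the shape of `kubectl get ingress -o json` for those two objects, and the function names are hypothetical.

```python
# Added example (not from the original post). SAMPLE is constructed: it mirrors
# the shape of `kubectl get ingress -o json` for the two Ingresses on this page.
SAMPLE = {"items": [
    {"metadata": {"name": "ingress-myapp", "namespace": "default"},
     "spec": {"rules": [{"host": "www.ok.com"}]}},
    {"metadata": {"name": "ingress-tomcat-tls", "namespace": "default"},
     "spec": {"tls": [{"hosts": ["tomcat.ok.com"],
                       "secretName": "tomcat-ingress-secret"}],
              "rules": [{"host": "tomcat.ok.com"}]}},
]}


def host_covered(host, tls_hosts):
    """True if host equals a TLS host or matches a one-label wildcard (*.ok.com)."""
    for pattern in tls_hosts:
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]:
            return True
    return False


def audit_ingress_tls(ingress_list):
    """Return (namespace/name, host, problem) for every rule host without TLS."""
    findings = []
    for item in ingress_list.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        tls = spec.get("tls") or []
        listed = [h for t in tls for h in t.get("hosts") or []]
        with_secret = [h for t in tls if t.get("secretName")
                       for h in t.get("hosts") or []]
        for rule in spec.get("rules") or []:
            host = rule.get("host")
            if not host:
                findings.append((ident, "*", "rule has no host set"))
            elif host_covered(host, with_secret):
                continue  # host is listed under a tls entry that names a Secret
            elif host_covered(host, listed):
                findings.append((ident, host, "tls entry has no secretName"))
            else:
                findings.append((ident, host, "no tls entry for this host"))
    return findings


if __name__ == "__main__":
    for finding in audit_ingress_tls(SAMPLE):
        print(*finding, sep="\t")
```

To run it against a live cluster, load the output of `kubectl get ingress --all-namespaces -o json` with json.load and pass the result to audit_ingress_tls.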
https://github.com/kubernetes/ingress-nginx/tree/master/deploy
https://kubernetes.github.io/ingress-nginx/deploy/
https://www.jianshu.com/p/189fab1845c5
Original article: http://blog.51cto.com/bobo365/2178724