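Note:

This article assumes the reader has a basic knowledge of k8s and is familiar with basic concepts such as the apiserver, service and controller manager.

Overview of the model:

The Ingress model adds an ingress layer in front of the service. The structure is as follows: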

                            ingress ->   service    -> label selector -> pods
                        www.ok1.com -> app1-service -> app1 selector  -> app1 1234
Port:80 or other   ->  www.ok2.com -> app2-service -> app2 selector  -> app2 3456

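Advantages of the Ingress model

It adds layer-7 awareness: traffic can be routed based on the HTTP header, path and so on.

Disadvantages of the model

Complexity increases considerably.

Understanding the Ingress implementation

The Ingress implementation has two parts: the Ingress Controller and the Ingress.
The Ingress Controller is the traffic entry point. It is an actual piece of software, usually Nginx or Haproxy (less commonly used).
The Ingress describes the concrete routing rules.
The Ingress Controller watches the /ingresses resource on the api server and applies changes in real time.
An Ingress describes the routing rules for one or more domain names and exists as an ingress resource.
In short: the Ingress describes the routing rules, and the Ingress Controller implements them in real time.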

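Example:

Architecture diagram:

[Figure: architecture diagram]

Finish setting up the k8s cluster environment.

Create the backend test app and service. This example uses the ikubernetes/myapp:v2 image.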

more deploy-demo.yaml

apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  selector:
    app: myapp
    release: canary
  ports:
  - name: http
    targetPort: 80
    port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v2
        ports:
        - name: http
          containerPort: 80

Create the Ingress and Ingress Controller environment.

Download and deploy:

wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml

default-http-backend uses this image by default: gcr.io/google_containers/defaultbackend:1.4
Because gcr.io is blocked by the firewall, change it to: registry.cn-hangzhou.aliyuncs.com/google_containers/defaultbackend:1.4

kubectl apply -f mandatory.yaml

Check:

kubectl get pods -n ingress-nginx
NAME                                       READY     STATUS    RESTARTS   AGE
default-http-backend-5ccf4689c5-tc4mr      1/1       Running   0          19m
nginx-ingress-controller-5b6864749-5kcc9   1/1       Running   0          19m

Create service-nodeport

Download and deploy:

wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml

Edit the yaml file and add the nodePort settings so that the otherwise random ports are fixed.
more service-nodeport.yaml

apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 30080
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
    nodePort: 30443
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

Configure the Ingress to expose the service, completing the goal of the example.

more ingress-myapp.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: www.ok.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp
          servicePort: 80 

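Test:
Edit the hosts file on the local machine. The access screenshot is as follows:
[Figure: screenshot of accessing the site]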

Configuring https:

Generate the certificate:

openssl genrsa -out tls.key 2048
openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.ok.com

Convert the certificate and key into a Kubernetes TLS secret:

kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
kubectl get secret
kubectl describe secret tomcat-ingress-secret

more tomcat-demo.yaml

apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  - name: ajp
    targetPort: 8009
    port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:latest
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009

more ingress-tomcat-tls.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.ok.com
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.ok.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080 

Test:
[Figure: screenshot]
Later, a layer-4 or layer-7 load balancer can be added in front of it to achieve high availability.
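
The two Ingress manifests above differ in one way that matters for transport security: ingress-tomcat-tls lists tomcat.ok.com under spec.tls with a secret, while ingress-myapp defines no spec.tls at all, so no certificate is configured for www.ok.com. The following is an added example, not part of the original article: a small audit that reports rule hosts not covered by any spec.tls entry. The function names are hypothetical, and the manifests are embedded as Python dicts mirroring the YAML above.

```python
# Added example (not from the original article): flag Ingress rule hosts that
# no spec.tls entry covers. Function names here are hypothetical.

def host_covered(host, tls_host):
    """Exact match, or single-label wildcard: *.ok.com covers a.ok.com only."""
    host, tls_host = host.lower(), tls_host.lower()
    if tls_host.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == tls_host[2:]
    return host == tls_host

def audit_ingress(ing):
    """Return a list of findings for one Ingress manifest (parsed YAML as a dict)."""
    name = ing["metadata"]["name"]
    spec = ing.get("spec") or {}
    tls_entries = spec.get("tls") or []
    findings = []
    for entry in tls_entries:
        if not entry.get("secretName"):
            findings.append(f"{name}: tls entry {entry.get('hosts')} has no secretName")
    tls_hosts = [h for e in tls_entries for h in (e.get("hosts") or [])]
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if not host:
            findings.append(f"{name}: rule without host matches any Host header")
        elif not any(host_covered(host, t) for t in tls_hosts):
            findings.append(f"{name}: {host} is not covered by any spec.tls entry")
    return findings

# Constructed input: dict forms of ingress-myapp.yaml and ingress-tomcat-tls.yaml.
INGRESS_MYAPP = {
    "metadata": {"name": "ingress-myapp", "namespace": "default"},
    "spec": {"rules": [{"host": "www.ok.com", "http": {"paths": [
        {"backend": {"serviceName": "myapp", "servicePort": 80}}]}}]},
}
INGRESS_TOMCAT_TLS = {
    "metadata": {"name": "ingress-tomcat-tls", "namespace": "default"},
    "spec": {
        "tls": [{"hosts": ["tomcat.ok.com"], "secretName": "tomcat-ingress-secret"}],
        "rules": [{"host": "tomcat.ok.com", "http": {"paths": [
            {"backend": {"serviceName": "tomcat", "servicePort": 8080}}]}}],
    },
}

if __name__ == "__main__":
    for ing in (INGRESS_MYAPP, INGRESS_TOMCAT_TLS):
        for line in audit_ingress(ing) or [ing["metadata"]["name"] + ": ok"]:
            print(line)
```

The same function can be fed the items returned by `kubectl get ingress -A -o json` after parsing the JSON, since each item has the same metadata and spec layout.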

Reference links:

https://github.com/kubernetes/ingress-nginx/tree/master/deploy
https://kubernetes.github.io/ingress-nginx/deploy/
https://www.jianshu.com/p/189fab1845c5