Contents

1. How Ingress works

2. Deploying the ingress controller

2.1 Fetch the deployment manifests from GitHub and lay out the directory

2.2 Create a namespace for the ingress resources

2.3 Default backend

2.4 ConfigMaps for TCP/UDP service exposure

2.5 RBAC for the controller

2.6 Controller Deployment

2.7 Verify the pods

3. Ingress over HTTP

3.1 Create nginx and httpd Deployments

3.2 Create Services

3.3 Change each container's index page so the two backends can be told apart

3.4 Check the Services with curl from a node

3.5 Create an Ingress that maps hosts to serviceName (HTTP)

3.6 Map the hostnames in the hosts file and test in a browser

4. Ingress over HTTPS

4.1 Create a CA and a server certificate

4.2 Create an Ingress that maps the host to serviceName (HTTPS)

4.3 Edit the hosts file and test in a browser


1. How Ingress works


An Ingress can be configured to give Services externally reachable URLs, load-balance traffic, terminate TLS and provide name-based virtual hosting. An ingress controller is responsible for fulfilling the Ingress, usually with a load balancer, though it may also configure an edge router or additional frontends to help handle the traffic.

An Ingress does not expose arbitrary ports or protocols; it only handles HTTP and HTTPS. Exposing anything else to the internet normally uses a Service of type NodePort or LoadBalancer.

The controller used here (ingress-nginx) runs an nginx reverse proxy, in this setup one per node, that fronts all backend pods. A client request reaches the controller first; the controller looks up the virtual-host (server) configuration it generated from the matching Ingress rule and proxies the request to a pod behind the corresponding Service.

2. Deploying the ingress controller

2.1 Fetch the deployment manifests from GitHub and lay out the directory

The manifests come from the deploy directory of the ingress-nginx repository at tag nginx-0.18.0. The two URLs below are references, not commands to run at the prompt; pin the manifests and the controller image to the same tag.

[root@manage01 ~]# mkdir /opt/kubernetes/ingress
[root@manage01 ~]# cd /opt/kubernetes/ingress
# manifests: https://github.com/kubernetes/ingress-nginx/tree/nginx-0.18.0/deploy
# http://zhoudaxiaa.gitee.io/downgit/#/home   # tool for downloading a single GitHub directory
[root@manage01 ingress-install]# ls
configmap.yaml        deployment.yaml  namespace.yaml  tcp-services-configmap.yaml
default-backend.yaml  mandatory.yaml   rbac.yaml       udp-services-configmap.yaml

mandatory.yaml is the upstream all-in-one manifest containing the same resources; the individual files are applied one by one below so that each piece can be explained.

2.2 Create a namespace for the ingress resources

[root@manage01 ingress-install]# cat namespace.yaml 
---

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
[root@manage01 ingress-install]# kubectl create -f namespace.yaml

2.3 Default backend

default-backend.yaml creates the Deployment and Service for default-http-backend.
A request whose Host matches no Ingress rule is sent to the default-http-backend Service, which answers 404 (it also serves 200 on /healthz so the controller can probe it).

[root@manage01 ingress-install]# cat default-backend.yaml 
---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: default-http-backend
  labels:
    app: default-http-backend
  namespace: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: default-http-backend
  template:
    metadata:
      labels:
        app: default-http-backend
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - name: default-http-backend
        # Any image is permissible as long as:
        # 1. It serves a 404 page at /
        # 2. It serves 200 on a /healthz endpoint
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/defaultbackend:1.4
#        image: gcr.io/google_containers/defaultbackend:1.4
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 30
          timeoutSeconds: 5
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 10m
            memory: 20Mi
          requests:
            cpu: 10m
            memory: 20Mi
---

apiVersion: v1
kind: Service
metadata:
  name: default-http-backend
  namespace: ingress-nginx
  labels:
    app: default-http-backend
spec:
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: default-http-backend
[root@manage01 ingress-install]# kubectl create -f default-backend.yaml

2.4 ConfigMaps for TCP/UDP service exposure

The controller reads these two (initially empty) ConfigMaps to expose plain TCP and UDP Services on extra ports; they are referenced by the --tcp-services-configmap and --udp-services-configmap flags of the Deployment below. The directory listing above also contains configmap.yaml, which creates the nginx-configuration ConfigMap named by the controller's --configmap flag; apply it too (kubectl create -f configmap.yaml) before starting the controller.

[root@manage01 ingress-install]# cat tcp-services-configmap.yaml 
---

kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
[root@manage01 ingress-install]# cat udp-services-configmap.yaml 
---

kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
[root@manage01 ingress-install]# kubectl create -f tcp-services-configmap.yaml
[root@manage01 ingress-install]# kubectl create -f udp-services-configmap.yaml

2.5 RBAC for the controller

rbac.yaml creates the identity the controller runs as and what it is allowed to do: a ServiceAccount; a ClusterRole and ClusterRoleBinding for cluster-wide reads (configmaps, endpoints, nodes, pods, secrets, services, ingresses), event creation and Ingress status updates; and a Role and RoleBinding scoped to the ingress-nginx namespace, mainly for the leader-election ConfigMap.

Two points are worth noticing before applying it. First, the ClusterRole grants list and watch on secrets in every namespace. The controller needs that to read TLS Secrets referenced by Ingresses anywhere in the cluster, but it also means that a compromise of the controller pod, or theft of its ServiceAccount token, exposes every Secret in the cluster; treat the ingress-nginx namespace accordingly (restrict who can exec into it and do not co-locate unrelated workloads). Second, rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; on current clusters change the apiVersion of the ClusterRole, Role, RoleBinding and ClusterRoleBinding to rbac.authorization.k8s.io/v1 (the rule syntax is unchanged).

[root@manage01 ingress-install]# cat rbac.yaml 
---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
        - events
    verbs:
        - create
        - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
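
The following is an added example, not code from the page or from ingress-nginx: a small audit that walks RBAC rules and flags the grants discussed above (cluster-wide read access to Secrets, and wildcards). The two rule lists are transcribed from the ClusterRole and Role in rbac.yaml; the severity model (HIGH for cluster-wide or wildcard, MEDIUM for namespaced) is this example's own assumption.

```python
"""Audit RBAC rules for grants that expose Secrets (or everything) cluster-wide.

Added example: this is not code from the original page or from ingress-nginx.
The two rule lists are transcribed from the ClusterRole and Role in rbac.yaml
above; the severity model below is this example's own assumption.
"""

# Transcribed from nginx-ingress-clusterrole (cluster-scoped).
CLUSTERROLE_RULES = [
    {"apiGroups": [""], "resources": ["configmaps", "endpoints", "nodes", "pods", "secrets"],
     "verbs": ["list", "watch"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses/status"], "verbs": ["update"]},
]

# Transcribed from nginx-ingress-role (scoped to the ingress-nginx namespace).
ROLE_RULES = [
    {"apiGroups": [""], "resources": ["configmaps", "pods", "secrets", "namespaces"],
     "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": ["ingress-controller-leader-nginx"], "verbs": ["get", "update"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["endpoints"], "verbs": ["get"]},
]

# Assumption: these resources hold credentials, so any read on them is worth a finding.
SENSITIVE_RESOURCES = {"secrets", "serviceaccounts/token"}
READ_VERBS = {"get", "list", "watch"}


def audit_rules(rules, cluster_scoped):
    """Return a list of findings, each a dict with severity, resource, verbs and reason.

    cluster_scoped=True means the rules come from a ClusterRole bound with a
    ClusterRoleBinding, i.e. they apply in every namespace.
    """
    findings = []
    scope = "cluster-wide" if cluster_scoped else "namespaced"
    for rule in rules:
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        groups = set(rule.get("apiGroups", []))
        # Wildcards: full API access is HIGH regardless of scope.
        if "*" in resources or "*" in verbs or "*" in groups:
            findings.append({
                "severity": "HIGH",
                "resource": ",".join(sorted(resources)),
                "verbs": sorted(verbs),
                "reason": f"wildcard grant ({scope})",
            })
            continue
        # resourceNames limits the rule to specific objects; that is the
        # least-privilege form and is not flagged.
        if rule.get("resourceNames"):
            continue
        for res in sorted(resources & SENSITIVE_RESOURCES):
            readable = verbs & READ_VERBS
            if not readable:
                continue
            findings.append({
                "severity": "HIGH" if cluster_scoped else "MEDIUM",
                "resource": res,
                "verbs": sorted(readable),
                "reason": f"{scope} read access to {res}",
            })
    return findings


def audit_ingress_nginx():
    """Run the audit over both rule sets transcribed from the page."""
    return {
        "ClusterRole": audit_rules(CLUSTERROLE_RULES, cluster_scoped=True),
        "Role": audit_rules(ROLE_RULES, cluster_scoped=False),
    }


if __name__ == "__main__":
    for kind, findings in audit_ingress_nginx().items():
        for f in findings:
            print(f"{f['severity']:6} {kind:11} {f['resource']:10} {','.join(f['verbs'])}: {f['reason']}")
```

Running it reports one HIGH finding for the ClusterRole (secrets: list, watch) and one MEDIUM finding for the Role (secrets: get in ingress-nginx). Note that list and watch return complete Secret objects including .data, so they are as sensitive as get; a rule restricted with resourceNames, like the leader-election ConfigMap entry, is the least-privilege shape and is not flagged.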

2.6 Controller Deployment

mv with-rbac.yaml deployment.yaml  && vim deployment.yaml

This file creates the nginx-ingress-controller Deployment with two replicas, intended as one per node. The controller's job is to turn Ingress objects into nginx configuration.

It watches the Kubernetes API for changes to Ingress rules (and to the Services, Endpoints and Secrets they reference), renders a new nginx.conf inside its own pod and reloads nginx so the rules take effect. That is how a registered Service and its domain/IP/port become reachable without editing nginx by hand.

Because the pod uses hostNetwork (see below), two replicas cannot share a node: both would try to bind ports 80, 443 and 10254 on the same host. A DaemonSet is the more natural way to get exactly one controller per node with hostNetwork; with a Deployment, add pod anti-affinity on app=ingress-nginx to keep the replicas apart.

[root@manage01 ingress-install]# cat deployment.yaml 
---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx 
spec:
  replicas: 2
  selector:
    matchLabels:
      app: ingress-nginx
  template:
    metadata:
      labels:
        app: ingress-nginx
      annotations:
        prometheus.io/port: '10254'
        prometheus.io/scrape: 'true'
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
########## hostNetwork: true puts the pod in the node's network namespace: the controller's IP is the node IP
########## and its ports (80, 443 and 10254 here) are bound on the node itself, so clients reach it directly on
########## the node address and it forwards their requests to the backends. The trade-off is weaker isolation:
########## the container shares the host network stack, and node-level firewall rules apply to it directly.
##########
      hostNetwork: true
      containers:
        - name: nginx-ingress-controller
##########使用国内镜像##########
          image: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:0.18.0
#          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.18.0
          args:
            - /nginx-ingress-controller
            - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
########## Upstream least-privilege settings: drop every capability, add back only NET_BIND_SERVICE (needed to
########## bind 80/443) and run as www-data (uid 33). The author comments them out because they caused startup
########## errors in this environment; keep them enabled wherever the controller starts with them, since without
########## them nginx runs as root with the container's default capability set inside the host network namespace.
#          securityContext:
#            capabilities:
#                drop:
#                - ALL
#                add:
#                - NET_BIND_SERVICE
            # www-data -> 33
#            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
          - name: http
            containerPort: 80
          - name: https
            containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
[root@manage01 ingress-install]# kubectl create -f deployment.yaml

2.7 Verify the pods

Both controller pods report the node IP as their pod IP, which confirms hostNetwork is in effect; the default backend keeps a normal pod-network address.

[root@manage01 ingress]# kubectl get pods -n ingress-nginx -o wide
NAME                                        READY   STATUS    RESTARTS   AGE   IP                NODE              NOMINATED NODE   READINESS GATES
default-http-backend-7765847556-lrs4w       1/1     Running   3          82m   172.18.20.7       192.168.192.130   <none>           <none>
nginx-ingress-controller-75d499dd56-scw28   1/1     Running   0          82m   192.168.192.129   192.168.192.129   <none>           <none>
nginx-ingress-controller-75d499dd56-vvpbd   1/1     Running   1          88m   192.168.192.130   192.168.192.130   <none>           <none>

3. Ingress over HTTP

Approach: first create a Deployment (and thus its pods); then create a Service that selects the Deployment's pods;
finally create an Ingress that refers to the Service by name.

3.1 Create nginx and httpd Deployments

[root@manage01 ingress]# kubectl run --image=nginx nginx
deployment.apps/nginx created

[root@manage01 ingress]# kubectl run --image=httpd httpd
deployment.apps/httpd created

(With kubectl 1.18 and later, kubectl run creates a bare Pod rather than a Deployment; use kubectl create deployment nginx --image=nginx and kubectl create deployment httpd --image=httpd to get the same objects. The pods then carry the label app=nginx instead of run=nginx.)

[root@manage01 ingress]# kubectl get pods
NAME                    READY   STATUS    RESTARTS   AGE
httpd-7db5849b8-bxpcg   1/1     Running   0          2m51s
nginx-dbddb74b8-wtr7v   1/1     Running   0          3m2s

3.2 Create Services

[root@manage01 ingress]# kubectl expose deployment nginx --port=80 --target-port=80
service/nginx exposed
[root@manage01 ingress]# kubectl expose deployment httpd --port=80 --target-port=80
service/httpd exposed
[root@manage01 ingress]# kubectl get svc -o wide
NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)               AGE     SELECTOR
httpd        ClusterIP   10.10.10.221   <none>        80/TCP                3h18m   run=httpd
kubernetes   ClusterIP   10.10.10.1     <none>        443/TCP               11d     <none>
my-service   ClusterIP   10.10.10.242   <none>        10080/TCP,10443/TCP   3d3h    app=nginx
nginx        ClusterIP   10.10.10.109   <none>        80/TCP                80m     run=nginx

3.3 Change each container's index page so the two backends can be told apart

These edits live only in the container filesystem and are lost when the pod restarts; they are just for telling the two backends apart during the test.

[root@manage01 ingress]# kubectl exec -it httpd-7db5849b8-bxpcg -- bash
root@httpd-7db5849b8-bxpcg:/usr/local/apache2# cd htdocs/
root@httpd-7db5849b8-bxpcg:/usr/local/apache2/htdocs# echo "hello httpd!" > index.html
root@httpd-7db5849b8-bxpcg:/usr/local/apache2/htdocs# exit

[root@manage01 ingress]# kubectl exec -it nginx-dbddb74b8-wtr7v -- bash
root@nginx-dbddb74b8-wtr7v:/# cd /usr/share/nginx/html/
root@nginx-dbddb74b8-wtr7v:/usr/share/nginx/html# echo "hello nginx!" > index.html
root@nginx-dbddb74b8-wtr7v:/usr/share/nginx/html# exit

3.4 Check the Services with curl from a node

The ClusterIPs are reachable only from inside the cluster (a node or a pod), which is exactly why an Ingress is needed for outside access:

[root@manage01 ingress]# curl 10.10.10.221
hello httpd!
[root@manage01 ingress]# curl 10.10.10.109
hello nginx!

3.5 Create an Ingress that maps hosts to serviceName (HTTP)

Each rule binds a hostname to a backend Service and port; a request is matched on its Host header. The Ingress must live in the same namespace as the Services it references (default here). extensions/v1beta1 is the API the 0.18.0 controller understands; it was removed in Kubernetes 1.22, where Ingress is networking.k8s.io/v1 with a different backend syntax (service.name / service.port.number) and needs a controller release that supports it.

[root@manage01 ingress-xieyi]# cat ingress-nginx-http.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: httpd-test
spec:
  rules:
  - host: haha.httpd.com
    http:
      paths:
      - backend:
          serviceName: httpd
          servicePort: 80
  - host: haha.nginx.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
[root@manage01 ingress-xieyi]# kubectl create -f  ingress-nginx-http.yaml
[root@manage01 ingress-xieyi]# kubectl get ingress
NAME         HOSTS                           ADDRESS   PORTS     AGE
httpd-test   haha.httpd.com,haha.nginx.com             80        82m
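
The following is an added example, not the controller's code: a model of how a request is matched to one of the rules above by its Host header, with the default backend from section 2.3 as the fallback for anything else. The rule table is transcribed from ingress-nginx-http.yaml (the Ingress and both Services are in the default namespace); the Host normalisation and the raw-request parsing are this example's own model of the virtual-host lookup, and the sample requests are constructed, not captured from the cluster.

```python
"""Model of the controller's backend selection: Host header -> Ingress rule,
with the default backend as the fallback.

Added example: this is not the controller's code. The rule table is transcribed
from ingress-nginx-http.yaml above; the Host normalisation and HTTP parsing are
this example's own model of what the nginx virtual-host lookup does.
"""

# Where unmatched hosts go: the default-http-backend Service from section 2.3, which answers 404.
DEFAULT_BACKEND = "ingress-nginx/default-http-backend:80"

# Transcribed from the Ingress above: host -> namespace/serviceName:servicePort.
INGRESS_RULES = {
    "haha.httpd.com": "default/httpd:80",
    "haha.nginx.com": "default/nginx:80",
}


def normalize_host(host_header):
    """Canonical form of a Host header value: lower-case, no :port, no trailing dot.

    Bracketed IPv6 literals keep their brackets, so "[::1]:80" -> "[::1]".
    """
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        host = host[: end + 1] if end != -1 else host
    else:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def route(host_header, rules=INGRESS_RULES):
    """Return the backend (namespace/service:port) for a Host header value."""
    return rules.get(normalize_host(host_header), DEFAULT_BACKEND)


def route_request(raw, rules=INGRESS_RULES):
    """Pick a backend for a raw HTTP/1.x request (bytes).

    Only the Host header matters for these rules. A request with no Host header
    (legal in HTTP/1.0) cannot match a host rule and goes to the default backend.
    Duplicate Host headers are rejected, as nginx does (it answers 400).
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    hosts = []
    for line in head.split("\r\n")[1:]:          # [0] is the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            hosts.append(value.strip())
    if len(hosts) > 1:
        raise ValueError("duplicate Host header")
    if not hosts:
        return DEFAULT_BACKEND
    return route(hosts[0], rules)


if __name__ == "__main__":
    # Constructed sample requests, not traffic captured from the page's cluster.
    samples = [
        b"GET / HTTP/1.1\r\nHost: haha.httpd.com\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: HAHA.NGINX.COM:80\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: 192.168.192.129\r\n\r\n",   # bare node IP: no rule, 404 backend
        b"GET / HTTP/1.0\r\n\r\n",
    ]
    for req in samples:
        print(req.split(b"\r\n")[1] or b"(no Host)", "->", route_request(req))
```

The third sample is the case people hit when they browse to a node IP instead of a hostname: nothing matches, so the default backend's 404 comes back even though both Services are healthy. Host matching is case-insensitive and ignores the port, which is why the hosts-file entries in the next step only need the bare names.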

3.6 Map the hostnames in the hosts file and test in a browser

Because the controllers bind the node addresses (hostNetwork), point each test hostname at a node IP. Either node serves both hosts; the split below is only for variety.

# C:\Windows\System32\drivers\etc\hosts (on Linux/macOS: /etc/hosts)
192.168.192.129 haha.httpd.com
192.168.192.130 haha.nginx.com

4. Ingress over HTTPS

4.1 Create a CA and a server certificate

The certificate here is issued by a private CA generated with cfssl, so browsers will warn unless ca.pem is imported as a trusted root; for a public hostname use a publicly trusted CA (for example via cert-manager) instead. The CA private key (ca-key.pem) can sign a certificate for any name, so keep it off the cluster and out of any Secret; only the server certificate and key go into Kubernetes.

cfssl print-defaults csr > ca-csr.json   # CSR for the certificate authority
vim ca-csr.json
[root@k8s-master-101 https]# cat ca-csr.json 
{
    "CN": "amusitelangpao",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}


cfssl print-defaults config >ca-config.json
vim ca-config.json

[root@k8s-master-101 https]# cat ca-config.json 
{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "www": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}
cfssl gencert --initca ca-csr.json | cfssljson -bare ca -
cfssl print-defaults csr > server-csr.json
vim server-csr.json

The server CSR must carry the hostname in the "hosts" field, which cfssl turns into a Subject Alternative Name. Browsers (Chrome since version 58, Firefox, Safari) ignore the CN and match only SANs, so a certificate with a CN alone fails with a name-mismatch error even though cfssl still issues it (it prints a warning that the certificate lacks a "hosts" field). List every name the Ingress will serve:

[root@k8s-master-101 https]# cat server-csr.json 
{
    "CN": "www.amusitelangpao.com",
    "hosts": [
        "www.amusitelangpao.com"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem --config=ca-config.json --profile=www server-csr.json | cfssljson -bare server
kubectl create secret tls amusitelangpao-https --key server-key.pem --cert server.pem

The Secret name must match the secretName used by the Ingress below (amusitelangpao-https), and the Secret is created in the default namespace because a TLS Secret must live in the same namespace as the Ingress that references it. kubectl create secret tls checks that the certificate and key belong together before creating the object, and the resulting Secret has type kubernetes.io/tls, as the listing shows:
[root@manage01 ingress-xieyi]#  kubectl get secret
NAME                   TYPE                                  DATA   AGE
amusitelangpao-https   kubernetes.io/tls                     2      87m
default-token-zdl48    kubernetes.io/service-account-token   3      11d

4.2 Create an Ingress that maps the host to serviceName (HTTPS)

The tls block tells the controller to terminate TLS for www.amusitelangpao.com with the certificate in the Secret amusitelangpao-https; traffic from the controller to the nginx Service stays plain HTTP inside the cluster. With ingress-nginx, HTTP requests for a host that has a tls entry are redirected to HTTPS by default (the ssl-redirect setting), so test with https://.

[root@manage01 ingress-xieyi]# cat ingress-nginx-https.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: https-test
spec:
  tls:
  - hosts:
    - www.amusitelangpao.com
    secretName: amusitelangpao-https
  rules:
  - host: www.amusitelangpao.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
[root@manage01 ingress-xieyi]# kubectl create -f ingress-nginx-https.yaml
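
The following is an added example, not code from the page, ingress-nginx or cfssl: a pre-flight check that covers the pitfalls of 4.1 and 4.2 together, namely a CSR without a "hosts" (SAN) entry, a secretName that does not exist in the Ingress's namespace, a Secret of the wrong type, and a TLS host with no matching rule. The inputs are transcribed from server-csr.json, the kubectl get secret output and ingress-nginx-https.yaml above; the check logic and the wildcard-matching rule (one label only) are this example's own.

```python
"""Pre-flight checks for a TLS Ingress: does the certificate request cover the TLS
hosts, does the referenced Secret exist in the Ingress's namespace with the right
type, and does every TLS host have a rule?

Added example: not code from the page or from ingress-nginx/cfssl. The inputs are
transcribed from server-csr.json, the kubectl get secret output and
ingress-nginx-https.yaml above; the check logic is this example's own.
"""

# Transcribed from the HTTPS Ingress above (created in the default namespace).
INGRESS = {
    "metadata": {"name": "https-test", "namespace": "default"},
    "spec": {
        "tls": [{"hosts": ["www.amusitelangpao.com"], "secretName": "amusitelangpao-https"}],
        "rules": [{"host": "www.amusitelangpao.com",
                   "http": {"paths": [{"backend": {"serviceName": "nginx", "servicePort": 80}}]}}],
    },
}

# Transcribed from the kubectl get secret output: (namespace, name, type).
SECRETS = [
    ("default", "amusitelangpao-https", "kubernetes.io/tls"),
    ("default", "default-token-zdl48", "kubernetes.io/service-account-token"),
]

# cfssl CSR with the "hosts" (SAN) field; CSR_NO_SAN is the same CSR without it.
CSR = {"CN": "www.amusitelangpao.com", "hosts": ["www.amusitelangpao.com"],
       "key": {"algo": "rsa", "size": 2048}}
CSR_NO_SAN = {"CN": "www.amusitelangpao.com", "key": {"algo": "rsa", "size": 2048}}


def san_covers(san_names, host):
    """True if host is covered by a SAN entry: exact match or a single-label wildcard."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        # "*.example.com" covers "a.example.com" but not "example.com" or "a.b.example.com".
        if name.startswith("*.") and host.count(".") == name.count(".") \
                and host.endswith(name[1:]):
            return True
    return False


def check_tls_ingress(ingress, csr, secrets):
    """Return a list of problem strings; an empty list means the Ingress should serve TLS."""
    problems = []
    ns = ingress["metadata"]["namespace"]
    spec = ingress["spec"]
    rule_hosts = {r["host"] for r in spec.get("rules", []) if "host" in r}
    san_names = csr.get("hosts", [])   # cfssl copies these into the SAN extension
    by_name = {(s_ns, s_name): s_type for s_ns, s_name, s_type in secrets}

    for tls in spec.get("tls", []):
        secret = tls.get("secretName")
        if secret is None:
            problems.append("tls entry has no secretName")
        elif (ns, secret) not in by_name:
            problems.append(f"Secret {ns}/{secret} not found (must be in the Ingress namespace)")
        elif by_name[(ns, secret)] != "kubernetes.io/tls":
            problems.append(f"Secret {ns}/{secret} is not of type kubernetes.io/tls")
        for host in tls.get("hosts", []):
            if host not in rule_hosts:
                problems.append(f"TLS host {host} has no matching rule")
            if not san_names:
                problems.append(f"CSR has no 'hosts' field: certificate will lack a SAN for {host}")
            elif not san_covers(san_names, host):
                problems.append(f"CSR hosts {san_names} do not cover {host}")
    return problems


if __name__ == "__main__":
    print("with SAN:   ", check_tls_ingress(INGRESS, CSR, SECRETS) or "OK")
    print("without SAN:", check_tls_ingress(INGRESS, CSR_NO_SAN, SECRETS))
```

Running it passes for the CSR with "hosts" and reports the missing SAN for CSR_NO_SAN, which is the silent failure mode: the controller happily loads a CN-only certificate and the browser rejects it. When a TLS Secret is missing or unusable, ingress-nginx falls back to its own self-signed "Kubernetes Ingress Controller Fake Certificate", so a fake-certificate warning in the browser usually means one of these checks would have failed.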

4.3 Edit the hosts file and test in a browser

A hosts file is not a load balancer: Windows uses the first matching line and ignores the second, so only 192.168.192.129 is used below. Point the name at one node, or at a real load balancer or DNS record in front of both nodes. Open https://www.amusitelangpao.com/; because the certificate comes from a private CA, the browser warns until ca.pem is imported as a trusted root. For a quick check without touching the trust store: curl --cacert ca.pem --resolve www.amusitelangpao.com:443:192.168.192.129 https://www.amusitelangpao.com/

# C:\Windows\System32\drivers\etc\hosts
192.168.192.129 www.amusitelangpao.com
192.168.192.130 www.amusitelangpao.com
