1.先創建需要訪問的後端及控制器service
vim myapp.yaml #實際被訪問的容器
# Service in front of the myapp backend pods. No type is set, so it is a
# ClusterIP Service, reachable only from inside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: myapp
spec:
  # Routes to every pod carrying the label app=myapp.
  selector:
    app: myapp
  ports:
    - name: http
      port: 80
      targetPort: 80
---
# Deployment (the controller) that keeps three replicas of the backend pod running.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        # Has to equal spec.selector.matchLabels; the myapp Service selects on it too.
        app: myapp
    spec:
      containers:
        - name: myapp
          # Pulled by mutable tag. Outside a lab, pin the image by digest and
          # give the container resource limits and a securityContext.
          image: ikubernetes/myapp:v2
2.下載ingress所需的文件
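# Download the ingress-nginx manifests as raw files. A github.com/.../tree/...
# URL returns the HTML page for that path, not the YAML, so the files are
# fetched from raw.githubusercontent.com instead.
# "master" moves over time: set ref to a release tag or commit so the same
# content is fetched every time, and read the downloaded files (rbac.yaml,
# with-rbac.yaml) before applying them to a cluster.
ref=master
for f in configmap.yaml namespace.yaml rbac.yaml tcp-services-configmap.yaml with-rbac.yaml; do
  wget "https://raw.githubusercontent.com/kubernetes/ingress-nginx/${ref}/deploy/static/${f}"
done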
#有個文件無法下載,4個文件能正常完成實驗
3.創建前端容器
vim service-nodeport.yaml #前端反代容器,裏面有規則自動動態調度後端容器
# NodePort Service that exposes the ingress-nginx controller pods outside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  # Placed in the dedicated ingress-nginx namespace (namespace.yaml is applied first).
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  # NodePort opens the ports below on every node of the cluster; restrict who
  # can reach them with host or network firewall rules.
  type: NodePort
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
      # Fixed port on the host instead of a randomly allocated one.
      nodePort: 30080
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
      nodePort: 30443
# Create the namespace first; the other manifests place resources inside it.
kubectl apply --filename namespace.yaml
# Then apply every manifest in the current directory. That includes the
# downloaded rbac.yaml and with-rbac.yaml, so review them before this step.
kubectl apply --filename .
#運行查看命令能看到 ingress的容器和service資源已正常運行了
Ingress Controller 部署好了,現在要寫ingress的規則,注入到ingress-nginx pod的配置文件中
4.創建前端容器規則
vim ingress-myapp.yaml #前端反代容器的規則資源
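# Ingress rule that sends plain-HTTP requests for www.yang.com to the myapp Service.
# NOTE: the extensions/v1beta1 Ingress API was removed in Kubernetes 1.22. On
# current clusters use networking.k8s.io/v1, which requires pathType and a
# backend.service.name / backend.service.port mapping.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  annotations:
    # Marks this Ingress as belonging to the nginx controller; without it the
    # controller does not know it should render this rule into its config.
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    # Name-based virtual host used to reach the backend.
    - host: www.yang.com
      http:
        paths:
          # Explicit root path instead of a bare (null) value.
          - path: /
            backend:
              # Service whose endpoints become the nginx upstream.
              serviceName: myapp
              servicePort: 80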
kubectl apply -f ingress-myapp.yaml #應用一下規則資源
5.訪問
#修改主機的host 文件,把虛擬主機域名綁定到集羣的任何一個node節點上
#分配到了112主機上了,正常訪問
6.https 訪問
生成自簽證書(僅供測試使用;未指定 -days 時有效期默認爲 30 天)
[root@cs25 ingress]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
......................................+++
...................+++
e is 65537 (0x10001)
[root@cs25 ingress]# openssl req -new -x509 -key tls.key -out tls.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:nj
Locality Name (eg, city) [Default City]:nj
Organization Name (eg, company) [Default Company Ltd]:cs
Organizational Unit Name (eg, section) []:cs
Common Name (eg, your name or your server's hostname) []:www.yang.com
Email Address []:
[root@cs25 ingress]# ls
configmap.yaml ingress-myapp.yaml myapp.yaml namespace.yaml rbac.yaml service-nodeport.yaml tls.crt tls.key with-rbac.yaml
# Store the certificate and private key as a TLS Secret. No --namespace is
# given, so it is created in the current namespace; the Ingress that
# references it has to be in that same namespace.
kubectl create secret tls myapp-ingress-secret --key=tls.key --cert=tls.crt
# Confirm the Secret exists. tls.key is still on disk as an unencrypted
# private key: keep it readable by its owner only, or remove it.
kubectl get secrets
cp ingress-myapp.yaml ingress-myapp-https.yaml #備份一下容器文件
vim ingress-myapp-https.yaml #修改一下前端規則,加入證書
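# HTTPS variant of the www.yang.com rule. It keeps the name ingress-myapp, so
# applying it updates the existing Ingress rather than creating a second one.
# NOTE: the extensions/v1beta1 Ingress API was removed in Kubernetes 1.22. On
# current clusters use networking.k8s.io/v1, which requires pathType and a
# backend.service.name / backend.service.port mapping.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  annotations:
    # Marks this Ingress as belonging to the nginx controller; without it the
    # controller does not know it should render this rule into its config.
    kubernetes.io/ingress.class: "nginx"
spec:
  # TLS termination at the ingress controller.
  tls:
    - hosts:
        # Host name the certificate is issued for.
        - www.yang.com
      # TLS Secret holding tls.crt and tls.key; it must be in this Ingress's namespace.
      secretName: myapp-ingress-secret
  rules:
    - host: www.yang.com
      http:
        paths:
          # Explicit root path instead of a bare (null) value.
          - path: /
            backend:
              serviceName: myapp
              # Required by this API version; it was missing from the listing.
              servicePort: 80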
kubectl apply -f ingress-myapp-https.yaml #應用一下修改過後的規則
#輸入https://www.yang.com:30443 訪問