Ingress实现虚拟主机和Https代理访问
虚拟主机,也叫“网站空间”,就是把一台运行在互联网上的物理服务器划分成多个“虚拟”服务器。虚拟主机技术极大的促进了网络技术的应用和普及。同时虚拟主机的租用服务也成了网络时代的一种新型经济形式
1、首先确定要运行Ingress-nginx-controller服务
[root@master ~]# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-5954d475b6-ktpf9 1/1 Running 1 43h2、将Ingress-nginx-controller暴露为一个service资源对象
[root@master ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.100.97.246 <none> 80:32007/TCP,443:30741/TCP 43h3、创建一个Deployment资源和一个Service资源,并相互关联
[root@master ~]# vim deploy1.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: deploy1
spec:
replicas: 2
template:
metadata:
labels:
app: nginx1
spec:
containers:
- name: nginx1
image: nginx
---
apiVersion: v1
kind: Service
metadata:
name: svc-1
spec:
selector:
app: nginx1
ports:
- port: 80
targetPort: 80
[root@master ~]# kubectl apply -f deploy1.yaml
deployment.extensions/deploy1 created
service/svc-1 created
[root@master ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
deploy1-7df6778547-v6ww9 1/1 Running 0 2m33s
deploy1-7df6778547-vkvwf 1/1 Running 0 2m33s
[root@master ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 52d
svc-1 ClusterIP 10.109.213.247 <none> 80/TCP 3m17s4、创建另外“一对”服务(delpoy2.yaml和svc-2)
[root@master ~]# vim deploy2.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: deploy2
spec:
replicas: 2
template:
metadata:
labels:
app: nginx2
spec:
containers:
- name: nginx2
image: nginx #这里没有更换镜像,使用相同的nginx镜像
---
apiVersion: v1
kind: Service
metadata:
name: svc-2
spec:
selector:
app: nginx2
ports:
- port: 80
targetPort: 80
[root@master ~]# kubectl apply -f deploy2.yaml
deployment.extensions/deploy2 created
service/svc-2 created[root@master ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
deploy2-7b6786d8bf-6xnjs 1/1 Running 0 19s
deploy2-7b6786d8bf-dvjqt 1/1 Running 0 19s
[root@master ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 52d
svc-2 ClusterIP 10.106.67.155 <none> 80/TCP 24s4、创建Ingress规则
[root@master ~]# vim ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-1
spec:
rules:
- host: www1.bdqn.com
http:
paths:
- path: /
backend:
serviceName: svc-1
servicePort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-2
spec:
rules:
- host: www2.bdqn.com
http:
paths:
- path: /
backend:
serviceName: svc-2
servicePort: 80
[root@master ~]# kubectl apply -f ingress.yaml
ingress.extensions/ingress-1 created
ingress.extensions/ingress-2 created[root@master ~]# kubectl describe ingresses. ingress-1
Rules:
Host Path Backends
---- ---- --------
www1.bdqn.com
/ svc-1:80 (10.244.1.4:80,10.244.2.4:80)
[root@master ~]# kubectl describe ingresses. ingress-1
Rules:
Host Path Backends
---- ---- --------
www2.bdqn.com
/ svc-2:80 (10.244.1.5:80,10.244.2.5:80)
[root@master ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.100.97.246 <none> 80:32007/TCP,443:30741/TCP 43h5、由于实验环境限制(这个域名是假的),所以自己用来模拟一个域名
在windows上添加域名解析:C:\Windows\System32\drivers\etc
192.168.1.70 www1.bdqn.com
192.168.1.70 www2.bdqn.com
Ingress资源实现https代理访问
在上面的操作中,实现了使用ingress-nginx为后端所有pod提供一个统一的入口,那么,有一个非常严肃的问题需要考虑,就是如何为我们的pod配置CA证书来实现HTTPS访问?在pod中直接配置CA么?那需要进行多少重复性的操作?而且,pod是随时可能被kubelet杀死再创建的。当然这些问题有很多解决方法,比如直接将CA配置到镜像中,但是这样又需要很多个CA证书。
这里有更简便的一种方法,就拿上面的情况来说,后端有多个pod,pod与service进行关联,service又被ingress规则发现并动态写入到ingress-nginx-controller容器中,然后又为ingress-nginx-controller创建了一个Service映射到群集节点上的端口,来供client来访问。
在上面的一系列流程中,关键的点就在于Ingress规则,我们只需要在Ingress的yaml文件中,为域名配置CA证书即可,只要可以通过HTTPS访问到域名,至于这个域名是怎么关联到后端提供服务的pod,这就是属于k8s群集内部的通信了,即便是使用http来通信,也无伤大雅
1、生成一个证书:
[root@master ~]# mkdir https
[root@master ~]# cd https
[root@master https]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=testsvc /0=testsvc"
Generating a 2048 bit RSA private key
......................................................................................+++
............+++
writing new private key to 'tls.key'
-----
Subject Attribute 0 has no known NID, skipped
[root@master https]# ls
tls.crt tls.key2、创建secret资源,保存证书:
[root@master https]# kubectl create secret tls tls-secret --key=tls.key --cert tls.crt
secret/tls-secret created3、创建一个Deployment资源对象,用来模拟web服务
[root@master https]# vim deploy3.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: deploy3
spec:
replicas: 2
template:
metadata:
labels:
app: nginx3
spec:
containers:
- name: nginx3
image: nginx
---
apiVersion: v1
kind: Service
metadata:
name: svc-3
spec:
selector:
app: nginx3
ports:
- port: 80
targetPort: 80
[root@master https]# kubectl apply -f deploy3.yaml
deployment.extensions/deploy3 created
service/svc-3 created[root@master https]# kubectl get pod
NAME READY STATUS RESTARTS AGE
deploy3-5c545fcc5f-4n9bw 1/1 Running 0 17s
deploy3-5c545fcc5f-7b4g2 1/1 Running 0 17s
[root@master https]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 52d
svc-3 ClusterIP 10.97.212.56 <none> 80/TCP 22m
[root@master https]# curl -I 10.97.212.56
HTTP/1.1 200 OK4、创建对应的Ingress规则
[root@master https]# vim ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-3
spec:
tls: #引用CA证书
- hosts:
- www3.bdqn.com
secretName: tls-secret
rules:
- host: www3.bdqn.com
http:
paths:
- path: /
backend:
serviceName: svc-3
servicePort: 80
[root@master https]# kubectl apply -f ingress.yaml
ingress.extensions/ingress-3 created
//同样,添加域名解析
192.168.1.70 www3.bdqn.com5、查找对应service-NodePort的443端口映射的端口,直接用浏览器访问即可
[root@master https]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.100.97.246 <none> 80:32007/TCP,443:30741/TCP 44h通过浏览器访问:https://www3.bdqn.com:30741