1. First create the backend to be accessed: the Service and its controller
vim myapp.yaml    # the containers that actually serve the requests
apiVersion: v1
kind: Service
metadata:
  name: myapp
spec:
  selector:
    app: myapp
  ports:
  - name: http
    port: 80
    targetPort: 80
# creates a Service
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
# creates a controller (Deployment)
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v2
# creates 3 containers (replicas)
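2. Download the files that ingress needs
# Fetch from raw.githubusercontent.com; the github.com/.../tree/... page URL returns an HTML page, not the YAML
for i in configmap.yaml namespace.yaml rbac.yaml tcp-services-configmap.yaml with-rbac.yaml; do wget "https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/$i"; done
# One of the files could not be downloaded; the other 4 files are enough to complete the exercise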
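3. Create the front-end container
vim service-nodeport.yaml    # front-end reverse-proxy container; its rules dynamically dispatch requests to the backend containers
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  # placed in a new namespace
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 30080
    # fixes the port opened on the host (node)
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
    nodePort: 30443
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
kubectl apply -f namespace.yaml    # apply the namespace resource first
kubectl apply -f .                 # then apply all the resources
# Running the query commands shows that the ingress container and Service resources are running normally
The Ingress Controller is now deployed. Next, write the Ingress rules, which are injected into the configuration file of the ingress-nginx pod.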
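4. Create the rules for the front-end container
vim ingress-myapp.yaml    # the rule resource for the front-end reverse-proxy container
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # states that the ingress class is nginx; this must be set, otherwise the Ingress Controller does not know which kind of configuration file to generate
spec:
  rules:
  - host: www.yang.com
    # accessed as a virtual host
    http:
      paths:
      - path:
        backend:
          serviceName: myapp
          # the Service of the backend pods being proxied; the nginx upstream is generated from this Service
          servicePort: 80
kubectl apply -f ingress-myapp.yaml    # apply the rule resource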
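5. Access
# Edit the hosts file on the client machine and bind the virtual host domain name to any one of the cluster's nodes
# It was assigned to host 112 and is reachable normally
6. HTTPS access
Generate the certificate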
[root@cs25 ingress]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
......................................+++
...................+++
e is 65537 (0x10001)
[root@cs25 ingress]# openssl req -new -x509 -key tls.key -out tls.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:nj
Locality Name (eg, city) [Default City]:nj
Organization Name (eg, company) [Default Company Ltd]:cs
Organizational Unit Name (eg, section) []:cs
Common Name (eg, your name or your server's hostname) []:www.yang.com
Email Address []:
[root@cs25 ingress]# ls
configmap.yaml ingress-myapp.yaml myapp.yaml namespace.yaml rbac.yaml service-nodeport.yaml tls.crt tls.key with-rbac.yaml
kubectl create secret tls myapp-ingress-secret --cert=tls.crt --key=tls.key
kubectl get secrets
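cp ingress-myapp.yaml ingress-myapp-https.yaml    # make a copy of the rule file
vim ingress-myapp-https.yaml    # modify the front-end rules to add the certificate
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # states that the ingress class is nginx; this must be set, otherwise the Ingress Controller does not know which kind of configuration file to generate
spec:
  tls:
  # the added certificate field
  - hosts:
    - www.yang.com
    # the domain name the certificate is for
    secretName: myapp-ingress-secret
    # name of the Secret that holds the certificate
  rules:
  - host: www.yang.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp
          servicePort: 80
kubectl apply -f ingress-myapp-https.yaml    # apply the modified rules
# Browse to https://www.yang.com:30443 to access it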
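As an added example (not part of the original walkthrough): the certificate from step 6 generated without prompts and with a subjectAltName, then checked against the key and the host name before the secret is created. The function names are hypothetical; the host, file and secret names are the ones used above.

```shell
#!/bin/sh
# Added example: HOST, tls.key, tls.crt and the secret name come from step 6;
# the function names are made up for this sketch.
set -eu
HOST="www.yang.com"

# Create the key and a self-signed certificate without interactive prompts.
# The subjectAltName entry is what current browsers and TLS libraries match
# against the host name; -addext needs OpenSSL 1.1.1 or newer.
make_cert() {  # make_cert <dir> <host>
  ( umask 077; openssl genrsa -out "$1/tls.key" 2048 2>/dev/null )
  openssl req -new -x509 -key "$1/tls.key" -out "$1/tls.crt" -days 365 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2"
}

# True only when the certificate carries the public key of this private key.
# An unreadable or malformed file counts as a mismatch.
key_matches_cert() {  # key_matches_cert <key> <crt>
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# True only when the certificate is valid for the given host name.
cert_covers_host() {  # cert_covers_host <crt> <host>
  openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'
}

# Generate, verify, and only then print the secret-creation command.
prepare_tls() {  # prepare_tls <dir> <host>
  make_cert "$1" "$2"
  key_matches_cert "$1/tls.key" "$1/tls.crt" ||
    { echo "key and certificate do not belong together" >&2; return 1; }
  cert_covers_host "$1/tls.crt" "$2" ||
    { echo "certificate does not cover $2" >&2; return 1; }
  echo "kubectl create secret tls myapp-ingress-secret --cert=$1/tls.crt --key=$1/tls.key"
}

# With a directory argument the script runs the whole sequence for HOST.
if [ "$#" -ge 1 ]; then prepare_tls "$1" "$HOST"; fi
```

The key file is written with a restrictive umask because it ends up both on disk and inside the Secret; remove the local copy once the Secret exists.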