guan000 2019-12-24
vim myapp.yaml # manifest for the backend pods that actually serve the requests
---
# Service "myapp": in-cluster entry point for the backend pods.
# No "type" is set, so this is a ClusterIP Service and is not reachable from
# outside the cluster on its own.
apiVersion: v1
kind: Service
metadata:
  name: myapp
spec:
  selector:
    app: myapp
  ports:
    - name: http
      port: 80
      targetPort: 80
---
# Deployment "myapp": the controller that keeps the backend pods running.
# NOTE(review): no resources or securityContext are set; acceptable for a lab,
# add both before reusing this manifest elsewhere.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  replicas: 3  # three backend pods
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          # NOTE(review): mutable tag on a third-party image; pin it by digest
          # (image@sha256:<DIGEST_PLACEHOLDER>) if this leaves the lab.
          image: ikubernetes/myapp:v2
# Fetch the ingress-nginx deployment manifests.
# NOTE(review): a github.com/.../tree/... URL is GitHub's HTML browsing view, not
# the raw file (raw contents are served from raw.githubusercontent.com), so check
# that what wget saved is really YAML. "master" is also a moving ref: fetch from
# a reviewed release tag (<RELEASE_TAG_PLACEHOLDER>) and read rbac.yaml and
# with-rbac.yaml before applying them.
for i in configmap.yaml namespace.yaml rbac.yaml tcp-services-configmap.yaml with-rbac.yaml;do wget https://github.com/kubernetes/ingress-nginx/tree/master/deploy/static/$i ;done
# One of the files could not be downloaded; the other four are enough to complete this exercise.
vim service-nodeport.yaml # Service for the front-end reverse-proxy pods, whose rules dynamically route requests to the backend pods
---
# NodePort Service in front of the ingress-nginx controller pods.
# NOTE(review): a NodePort is opened on every node of the cluster, so 30080 and
# 30443 are reachable on all node addresses; limit who can reach them with the
# host firewall or cloud security groups.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx  # placed in the newly created namespace
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
      nodePort: 30080  # fixed port on the nodes
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
      nodePort: 30443
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
kubectl apply -f namespace.yaml # create the namespace first
# NOTE(review): "-f ." applies every manifest in the current directory, including
# the downloaded RBAC files; review them before running this.
kubectl apply -f . # then apply all the resources
# The status commands should now show the ingress controller pod and its Service running.
Ingress Controller 部署好了,现在要写ingress的规则,注入到ingress-nginx pod的配置文件中
vim ingress-myapp.yaml # Ingress rule resource for the front-end reverse proxy
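---
# Ingress rule for the myapp backend; the ingress-nginx controller turns it
# into nginx configuration.
# NOTE(review): extensions/v1beta1 Ingress was removed in Kubernetes 1.22. On
# current clusters use networking.k8s.io/v1 (spec.ingressClassName, pathType,
# backend.service.name / backend.service.port.number).
# NOTE(review): this rule serves plain HTTP only.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  annotations:
    # Declares the ingress class. Required here: without it the controller
    # cannot tell which kind of configuration to generate.
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: www.yang.com  # name-based virtual host
      http:
        paths:
          # Explicit catch-all path instead of a bare "path:" (null).
          - path: /
            backend:
              # Service in front of the backend pods; the nginx upstream is
              # generated from this Service.
              serviceName: myapp
              servicePort: 80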
kubectl apply -f ingress-myapp.yaml # apply the Ingress rule
# Edit the client's hosts file so the virtual-host name resolves to any node of the cluster.
# Here it was pointed at host 112, and the site was reachable.
生成证书
[ ingress]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
......................................+++
...................+++
e is 65537 (0x10001)
[ ingress]# openssl req -new -x509 -key tls.key -out tls.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:nj
Locality Name (eg, city) [Default City]:nj
Organization Name (eg, company) [Default Company Ltd]:cs
Organizational Unit Name (eg, section) []:cs
Common Name (eg, your name or your server's hostname) []:www.yang.com
Email Address []:
[ ingress]# ls
configmap.yaml ingress-myapp.yaml myapp.yaml namespace.yaml rbac.yaml service-nodeport.yaml tls.crt tls.key with-rbac.yaml
# Store the certificate and key as a TLS Secret. No -n is given, so it lands in
# the current namespace; it must be the namespace of the Ingress that uses it.
# NOTE(review): tls.key was generated without a passphrase and sits next to the
# manifests; keep it out of version control, restrict its permissions, and
# remove it once the Secret exists.
# NOTE(review): the certificate is self-signed and carries the host name only
# in the CN; clients will not trust it, and many current TLS clients require a
# subjectAltName. No -days was given, so openssl's default validity (30 days)
# applies.
kubectl create secret tls myapp-ingress-secret --cert=tls.crt --key=tls.key
kubectl get secrets
cp ingress-myapp.yaml ingress-myapp-https.yaml # work on a copy and keep the original manifest as a backup
vim ingress-myapp-https.yaml # edit the front-end rule to add the certificate
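---
# HTTPS variant of the myapp Ingress rule: same host and backend, plus a TLS
# section that points at the Secret holding the certificate and key.
# NOTE(review): extensions/v1beta1 Ingress was removed in Kubernetes 1.22. On
# current clusters use networking.k8s.io/v1 (spec.ingressClassName, pathType,
# backend.service.name / backend.service.port.number).
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  annotations:
    # Declares the ingress class. Required here: without it the controller
    # cannot tell which kind of configuration to generate.
    kubernetes.io/ingress.class: "nginx"
spec:
  # Certificate section. The Secret has to live in the same namespace as this
  # Ingress.
  tls:
    - hosts:
        - www.yang.com  # host name the certificate is issued for
      secretName: myapp-ingress-secret  # name of the TLS Secret
  rules:
    - host: www.yang.com
      http:
        paths:
          # Explicit catch-all path instead of a bare "path:" (null).
          - path: /
            backend:
              serviceName: myapp
              # Restored: the listing on the page stops after serviceName, but
              # a v1beta1 backend needs the port as well; 80 is the port of
              # the myapp Service.
              servicePort: 80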
kubectl apply -f ingress-myapp-https.yaml # apply the modified rule
# Browse to https://www.yang.com:30443 (expect a certificate warning, since the certificate is self-signed).